Government Technology Magazine October 2016

TM INSIDE: Solutions for state and local All Together Now: government. New partners round out the security team. Cyber and the Law Do elected leaders grasp the size of the threat?

OCTOBER/NOVEMBER 2016

OUT OF THE

CYBERSECURITY CLAIMS ITS RIGHTFUL PLACE AT THE CENTER OF THE CONVERSATION.

How to survive when you can’t PLUS: aff ord a CISO.

VOL 28 ISSUE 7 / A PUBLICATION OF e.REPUBLIC / GOVTECH.COM

GT10_Cov.indd 26 9/20/16 12:41 PM

Learn more by downloading a complimentary copy of the cybersecurity policy guide at: governing.com/cyberguide

Produced by:

Vol 29 | Issue 7

COVER STORY 18 / Massive Connectedness Public safety now sits alongside IT as formal structures emerge to take on cyberthreats. By Adam Stone 24 / Cyber Exposure More governments are protecting their IT assets with cyberinsurance. Here’s what you need to know when considering a policy. By Robert Lemos

30 / Legislating Cybersecurity State lawmakers begin to Blue Ravine Rd, Folsom, CA 95630. Periodical Postage Paid at Folsom, CA and additional offices. POSTMASTER: Send address changes to: Send address changes to: at Folsom, CA and additional offices. POSTMASTER: Paid Postage Periodical Folsom, CA 95630. Rd, Blue Ravine NS: Subscription inquiries should be directed to Government Technology, Attn: Circulation Director, 100 Blue Ravine Rd, Folsom, CA 95630, CA 95630, Folsom, Rd, 100 Blue Ravine Attn: Circulation Director, NS: Subscription inquiries should be directed to Government Technology, recognize their responsibilities with cyberthreats. By David Raths

36 / Scaling Down Security A smaller staff and a smaller budget don’t lessen the cybersecurity burden. Here’s how cyberleaders at the local level are approaching today’s threats. MIKE GERAGHTY, DIRECTOR, NEW JERSEY By Lisa Kopochinski CYBERSECURITY AND COMMUNICATIONS INTEGRATION CELL. 42 / Erasing Human Error Can security awareness training change behavior and reduce risk? By Tod Newcombe

DONNELLY MARKS / COVER IMAGE BY DONNELLY MARKS Government Technology (ISSN# 1043-9668) is published monthly except February, May, August, and November by e.Republic Inc, 100 and November by e.Republic August, May, February, (ISSN# 1043-9668) is published monthly except Government Technology Inc. All rights reserved. SUBSCRIPTIO Copyright 2016 by e.Republic Folsom, CA 95630. Rd, 100 Blue Ravine Government Technology, 916-932-1300. www.govtech.com // October/November 2016 3

GT10_03.indd 3 9/22/16 11:05 AM

DESIGN Chief Design Offi cer: Kelly Martinelli, [email protected] Graphic Designer Pubs: Kimi Rinchak, [email protected] Senior Designer Custom: Crystal Hopson, [email protected] Production Director: Stephan Widmaier, [email protected] Production Manager: [email protected] PUBLISHING VPs OF STRATEGIC ACCOUNTS: COLUMNS NEWS Kim Frame, [email protected] Stacy Ward-Probst, [email protected] Arlene Boeger, [email protected] Shelley Ballard, [email protected] 5 Point of View 6 govtech.com/extra Karen Hardison, [email protected] Cybersecurity remains a top Updates from Government Technology’s SALES DIRECTORS: Melissa Sellers, [email protected] priority for CIOs nationwide. daily online news service. Tracy Meisler, [email protected] Audrey Young, [email protected] Lara Roebbelen, [email protected] 8 Becoming Data Smart 14 Big Picture Carmen Mendoza, [email protected] Deanne Stupek, [email protected] A ﬁ ve-point plan to cultivate Key trends from the Digital States Survey. Lynn Gallagher, [email protected] citizen support. Kelly Schieding, [email protected] ACCOUNT EXECUTIVES: 50 Products Paul Dangberg, [email protected] 10 Four Questions InFocus Corp.’s Mondopad Christine Childs, [email protected] Rebecca Regrut, [email protected] Benny Chacko, CIO of the Ultra, Spectra Logic’s BlackPearl BUS. DEV. MANAGER: Lindsey Albery, [email protected] Los Angeles County Probation P storage, Xerox WorkCentre 3345 Printer Kathryn Nichols, [email protected] Department, on understanding your SR. SALES ADMINISTRATOR: Kelly Kashuba, [email protected] agency’s unique business needs. 53 Spectrum SALES ADMINISTRATORS: More research, more science, Alexis Hart, [email protected] Jamie Barger, [email protected] 48 Cybersecurity Strategies more technology. Jane Mandel, [email protected] Morgan Rothenbaum [email protected] Data can help public agencies Ashley Flynn, aﬂ [email protected] predict the future. Sr. Dir. of Sales Operations: Andrea Kleinbardt, [email protected] Custom Media 52 Data Points Managing Editor: Jeana Bigham, [email protected] Dir. of Web Marketing: Zach Presnall, [email protected] The U.S. must take action before it falls too Web Advertising Mgr: Adam Fowler, [email protected] far behind in the race to build smart cities. Subscription Coord.: Eenie Yang, [email protected] CORPORATE CEO: Dennis McKenna, [email protected] 54 GovGirl on Social President: Cathilea Robinett, [email protected] CAO: Lisa Bernard, [email protected] Tips for making social media a team eff ort. CFO: Paul Harney, [email protected] Executive VP: Alan Cox, [email protected] Chief Content Offi cer: Paul Taylor, [email protected] Dep. Chief Content Ofc.: Steve Towns, [email protected] VP Research Todd Sander, [email protected] FOLLOW Government Technology is published by e.Republic Inc. Copyright 2016 US ON by e.Republic Inc. All rights reserved. Government Technology is a registered trademark of e.Republic Inc. Opinions expressed by writers are not necessarily those of the publisher or editors. Article submissions should be sent to the attention of the Managing Editor. Reprints of all articles in this issue and past issues are available IN OUR NEXT ISSUE: (500 minimum). Please direct inquiries for reprints and licensing to Breaking Down 2016 Who Went Where? Data Dive Wright’s Media: (877) 652-5295, [email protected]. A look at the most impactful Key personnel changes Highlights from the Center Subscription Information: Requests for subscriptions may be directed to Subscription Coordinator by phone or fax to the numbers below. tech stories and trends of and how they aff ected for Digital Government’s You can also subscribe online at www.govtech.com. the year. the public sector. 2016 surveys. 100 Blue Ravine Rd. Folsom, CA 95630 Phone: (916) 932-1300 Fax: (916) 932-1470 Printed in the USA.

WWW.GOVTECH.COM

4 October/November 2016 // www.govtech.com

GT10_03.indd 4 9/20/16 12:57 PM

Holding Steady at No. 1

ne major takeaway from this year’s securing needed funding. But the grow- Digital States Survey was nearing chorus of organizations making the Ouniversal agreement that cyberse- case for investments in cyber (e.Republic’s curity is the top priority for CIOs. It was No. Center for Digital Government, the Na- 1 on their minds when the Center for Digi- tional Governors Association, the National tal Government last conducted the survey Conference of State Legislatures, NASCIO, in 2014 too. That’s why we devote this issue etc.) along with more concerted eff orts to covering several aspects of cybersecurity, by state IT leaders to bend policymakers’ and how state and local governments are ears on the subject is having an impact. working to get a handle on it. It’s no longer In Indiana, a $15 million budget allocation necessary to prove that it’s important. Ev- was tied to cyberinitiatives, some of which erybody knows. Here are a few highlights went toward the state’s Information Sharing from the stories in the pages that follow, and Analysis Center, a Security Operations easily supported by what’s happening in so Center and a risk and compliance program. many other jurisdictions across the country. Minnesota Gov. Mark Dayton made a $46 million budget request this year for agency- You can’t (and shouldn’t) do it alone. level security upgrades, breach response Much of our reporting underscores the fact guidance and activities like tabletop exer- that successful eff orts stretch far outside cises. This evidence is far from isolated. of the offi ces of IT staff , even outside of government. Cyber and physical security Help is out there. As the ﬁ eld and the continue to come together under the same threats mature, so has development of umbrella, uniting a bigger group of stake- standards and best practices for cybersecurity. holders than in years past. Multifaceted co- The NIST framework is helping jurisdictions alitions are cropping up across the country. assess their cyberstatus using a common Colorado’s planned National Cyber frame of reference, and CIOs have told us that Intelligence Center, announced last year federal standards like FISMA and FedRAMP by Gov. John Hickenlooper, is just one of ease the vetting burden when considering many great examples. Partners include the security of cloud technologies. higher education, private industry, govern- In addition, the Multi-State Informa- ment and the military. CIOs and CISOs tion Sharing and Analysis Center has RAISE YOUR in broad endeavors like this now rou- branches in every state, off ering help to VOICE tinely sit across the table from emergency governments at all levels, while regional management staff and other law enforce- collaborative groups abound — an espe- Your opinions matter to ment representatives — recognition that cially valuable resource to smaller gov- us. Send comments about traditional one-dimensional approaches ernments that lack the resources to fully this issue to the editors at aren’t eff ective against today’s threats. prepare for threats on their own. See Who [email protected]. You Gonna Call? on page 40 for a more Publication is solely at the It takes money. Executive support is complete list of ideas for cybersupport. discretion of the editors. critical to any jurisdiction’s cybereff orts. There’s much more to cover than this Government Technology If the governor/county executive/mayor column or this issue of the magazine could reserves the right to edit doesn’t understand why cybersecurity possibly address. But it’s encouraging submissions for length. deserves his or her attention, good luck that we’re all on the same page.

www.govtech.com // October/November 2016 5

GT10_05.indd 5 9/22/16 11:01 AM

______Designer ______Creative Dir. 100 Blue Ravine Road Folsom, CA 95630 916-932-1300 ______Editorial ______Prepress www.erepublic.com CMY grey T1 T2 T3 5 25 50 75 95 100 5 25 50 75 95 100 5 25 50 75 95 100 5 25 50 75 95 100 Page # ______Other ______OK to go BLACK YELLOW MAGENTA CYAN govtech.com/extra: reader/comments: Updates from Government Technology’s daily online news service. The statement ‘Sometimes civic “tech comes straight from the people,’ while accurate, should also stipulate Laying the Foundation that all civic tech should involve the Kansas is joining the growing ranks of states people, and that goes beyond simply employing a modular approach to developing being the recipient of the technology, Medicaid Management Information Systems (MMIS). such as in the case of Code for Amer- In August it was announced that Hewlett Packard ica’s CalFresh Balance app. It doesn’t Enterprise will upgrade the Kansas Department lessen the fact the Balance app of Health and Environment’s MMIS and deploy provides an excellent public service. the system in modules over the next three years. My point is we need to be sure we are The $215 million project, which began earlier this not labeling everything government year, refl ects the trend of states moving away from does with technology that benefi ts citi- massive custom-developed systems that tend to run % zens to automatically attach the ‘civic over budget and past deadlines. The upgrade will tech’ label if we have not engaged give the state a new foundation for Medicaid, said citizens to exercise their rights, duties, department Secretary Susan Mosier, and provide privileges and obligations of citizen- government leaders with information in near real 25 ship to participate in that technology’s time that allows for better decision-making. The decrease in inception to its completion. the Bexar County, Dbevarly in response to What Is Civic Tech? Texas, Jail’s inmate population thanks The most important observation is “the last one, that fi ber isn’t necessarily to the addition of the end game. In the overall scheme of data analytics to the things, consumers would rather have decision-making 50-Mbps mobile networks that reach process. everywhere than an arbitrarily fast wired network that only reaches their Embrace Your Inner Mouse home and their offi ce. Fiber is a neces- Ottawa County, Mich.’s employees have been getting schooled on a type of training sary component of mobile networks, not typically found in government’s halls. Over the course of more than two years, The but it doesn’t need to go everywhere. Disney Way author Bill Capodagli worked with the county to guide employees through The best networks are combinations a multiday training based on Disney’s customer service vision. Of the roughly 1,000 of the best available tools. county employees, almost all have experienced the training, including the county’s 28 IT RichardBennett in response to Municipal staff members. “Part of it is to understand that IT is not a department that works behind Broadband? Federal Court Tells FCC ‘No’ closed doors,” said David Hulst, the county’s innovation and technology director. “We’re accessible. It’s all a part of building relationships between IT and other departments.” I was interim city manager in “California when we had a controversial development project. Despite WHO SAYS? having a ‘rumor page,’ which we MOST READ STORIES ONLINE: called our ‘Frequently Asked Ques- “We can see clearly Better Mapping Helps 4 Ways Self-Driving Trucks tions’ page, we still couldn’t overcome now, thanks to Federal, State, Local Could Improve Transportation the misleading information of the plan’s Pokemon Go, what Governments Fight Zika 1,532 VIEWS opponents. It was easy for opponents 1,610 VIEWS the rules of the road The Pokemon Go Eff ect: Why to gain support for rumors like ‘the Cyberattack Augmented Reality Is Finally project will contaminate water,’ and we are. The challenge Compromises Taking Hold in Government came off as defensive big government, on the table right now Unknown Number of 1,371 VIEWS even when we could point to studies Voter Records in Illinois California Lt. Gov. Gavin is how simple and 1,595 VIEWS showing that the water wouldn’t be Newsom Talks Transparency, contaminated. While we had some fast can you make Millennials in Government Civic Tech, State IT Reforms control over Facebook, rumors were [augmented reality] — or Not? 1,310 VIEWS information appear.” 1,574 VIEWS rampant on sites like Nextdoor where our access was limited. Kathy in response to 3 Major Concerns govtech.com/quote-Oct16 About Facebook Comments — and How to Address Them SHUTTERSTOCK.COM 6 October/November 2016 // www.govtech.com

GT10_08.indd 6 9/20/16 1:03 PM

INSPECTION DATA

TRAFFIC DATA

CRIME DATA PERMIT DATA

Turn Data into Action Building a System of Insight

Who are the decision-makers in your organization? Field workers, analysts, data scientists, or government executives? All of the above? Smart communities move from siloed data to a hub of information to be shared with others—a system of insight. Esri’s ArcGIS® platform provides the tools to quickly analyze information, communicate it to stakeholders, and move to effective action. As the expectation to make quicker decisions grows, empower your organization to build a complete data strategy. To learn about what Esri can do for your community, visit esri.com/DataDrivenDecisions.

Civic Engagement A ﬁ ve-point plan to cultivate citizen support.

tech champion in a government is involved, the issue of trust must start resident concerns about how data is entity needs to cultivate allies, by addressing privacy and security, or handled in new innovative ventures. A especially when the innovation else the new initiatives will prematurely Fourth, transparency around how a city presents transformative opportunity. end. Residents want to know exactly plans to use the data will not only build In my last column , I wrote about the what city hall is doing with personal data, support but also dampen anxieties. Chicago importance of obtaining buy-in from how it is being handled and the lengths worked hard to ensure citizens’ voices departments when launching new tech offi cials are going to in order to protect it. were heard in its Array of Things sensor initiatives — a key way to ensure initiatives As cities continue to pursue more project. The city partnered with the Smart fully take hold and revolutionize city expansive data projects that more directly Chicago Collaborative to inform residents hall. But another crucial stakeholder aff ect citizens, such as the Internet of about the project and garner feedback must be engaged as well: the public. Things (IoT), the opportunities and about proposed plans and policies. They An intentional approach to cultivating risks related to data aggregation and held a series of neighborhood meetings citizen support would incorporate several mining will increase exponentially, where, beyond simply asking for feedback, threads. First and most obvious is the as will the risk of having to cancel, city offi cials sought input and advice on quality, quantify and usability of open data. delay or substantially modify a new sensor locations, privacy and security Usable open data includes ease of use and project, all of which can be costly. plans, and how residents want IoT and high-quality visualization, which allow the Seattle addressed many of these concerns similar initiatives to be used to improve casually interested resident to track his or with its citywide digital privacy initiative, city life in the future. Chicago can now her service request to see both the response launched in fall 2015. Led by CTO Michael use the results of these meetings to better time for that request as well as how the Mattmiller, Seattle worked with citizens guide its Array of Things implementation, city is doing over time on various metrics. to develop a list of principles and an ethical pre-emptively ease residents’ worries and The second element of citizen framework to guide city departments on develop stronger IoT plans for the future. stakeholder management includes creating data usage and privacy matters. The policy Fifth, any process of collaboration the conditions for advancing citizen requires departments to complete annual requires a city to ﬁ nd a way to curate and collaboration, from crowdsourced traffi c online privacy and security awareness use the information it receives and to ﬁ nd patterns to apps and algorithms built by classes to stay up-to-date on the latest ways to use social media and even SMS civic tech community groups. Whether the practices. It will also provide them with texting to improve the way it involves and city organizes big app contests a Privacy Impact Assessment protocol responds to those who often are ignored.

Stephen Goldsmith with prizes or simply adopts that requires departments collecting Collaborating with citizens to gain is a professor at the apps, utilizing residents as new types of data, embarking on new buy-in on new initiatives can be a Harvard Kennedy School and director co-developers of knowledge programs or introducing new technologies much larger task for a city than gaining of the Innovations in and co-developers of apps to go through a process to self-assess any internal support, but doing so is critical Government Program and Data-Smart City will produce support as well privacy risk that innovation may entail. to ensure new technologies are being best Solutions. The former as improve the quality of life. By partnering with residents to leveraged to improve civic life. Including mayor of Indianapolis, his latest book is Third, any eff ort to build develop these policies and continuing residents throughout all stages of a The Responsive City: community support for digital to actively inform citizens of how the project can help cities prevent disputes, Engaging Communi- ties through Data- advancements must start city is using and protecting their data, implement smarter policies and better Smart Governance. with trust. When technology Seattle can alleviate and pre-empt future solve pressing civic problems.

8 October/November 2016 // www.govtech.com

GT10_10.indd 8 9/20/16 1:16 PM

A quick, hone st & fun must-re ad for anyone who live s in a city or works in an organization! Theresa Reno-Weber, Chief of Performance & Technology, Louisville, Ky.

Order today at governing.com/ peakperformance Also available on amazon.com. Bulk discounts available.

What are the most important skills a public-sector CIO needs beyond an 2understanding of technology? It’s really understanding business process, engaging with the executives, and at the same time coming back and translating strategy and vision from the executive team to the IT team to actually execute and drive projects forward to completion. So it’s deﬁ nitely people skills and communication skills, whether it’s written or speaking skills. Those are absolutely critical, and then engaging not only with the executive team but also your own team … looking for solutions based on problems that you observe, whether that’s walking through a facility or observing someone do a certain business process. It’s being able to bridge the gap and look for a solution that can help make their job easier.

What are some disruptive technologies that are impacting 3your work? Data overall has been a challenge because we collect pieces of data in every form or fashion and it’s spread out through the entire department. It’s disruptive in the sense that we need to make something meaningful out of it. It’s collecting data — whether it be video footage or actual text information

JONAH LIGHT PHOTOGRAPHY within a database — and being able to quantify certain values of our service and provide metrics to our executives to make decisions. Benny Chacko We’re in the beginning phases of that. CIO, Los Angeles County Probation Department Can you apply that data toward Understanding the more technical aspects of the job of a public-sector IT professional is just reducing recidivism? the beginning. Modern CIOs bring a very diverse set of backgrounds — educational and 4Absolutely. Our goal in the organiza- professional — to their positions, and the agencies they work for reap the benefits. CIO Benny tion is to reduce recidivism within our client Chacko, of the Los Angeles County Probation Department, supplemented his bachelor’s population. We don’t want repeat off enders. degree in computer science with an MBA in finance to broaden his skill set, and had a number So we need to determine what services of private-sector jobs before joining the county workforce. We caught up with Chacko recently we’re providing to that juvenile that are hav- at the Los Angeles Digital Government Summit, where he talked about the importance of ing the biggest impact so they don’t come understanding your agency’s unique business needs and thinking beyond technology. back through our system and they’re able to sustain a life on their own without going By Noelle Knell, Editor through the system again .

10 October/November 2016 // www.govtech.com

GT10_10.indd 10 9/20/16 1:14 PM

GovTech Today Original and breaking technology news for state and local Sign up today at government readers. www.govtech.com/newsletters

GT16 AD Newsletters Full.indd 1 9/15/16 9:24 AM

t’s the stuff of sleepless nights: percent between 2014 and 2015.2 Part of According to a Ponemon Institute study The security team is hunched the reason for the inﬂ ux of threats is the of data breaches, the average cost per lost over a spreadsheet that lists simplicity in coordinating and launching or stolen record for public sector agencies security alerts and incidents attacks. Toolkits now allow even unskilled is $68.3 Multiplying that amount by the from dozens of sources. The individuals to execute distributed denial- number of Social Security numbers, credit team is copying and pasting as fast as it of-service attacks and other cyber crimes. card accounts or medical records stored can to consolidate incidents and notify the within an agency highlights the magnitude appropriate asset owners. There is no way of potential risk and creates even more to track what has been done, when and by The Causes and Cost of impetus for rapid resolution of incidents. whom, increasing the chance that alerts Poor Coordination The following challenges contribute to will slip through the cracks. Every moment Organizations have a limited window poor coordination and prevent response of delay in threat detection and response of time to patch serious vulnerabilities and teams from moving quickly. increases the risk of breaches, data theft act on high-priority incident alerts before • Too much data with no context. Agen- and downtime. damage is done, but poor coordination often cies deal with an overwhelming number State and local governments can be in- delays response time and impairs decision- of tools generating thousands of unpri- undated with alerts about security incidents making. In many cases, alerts are overlooked, oritized alerts without context; it’s nearly and vulnerabilities, especially as they open ignored or improperly categorized. Time impossible to process all of these alerts their networks to provide new citizen ser- spent on low-priority alerts translates to and know which ones need immediate at- vices, modernize operations and collaborate precious hours or days lost in resolving more tention. IT and security teams use diff erent across agencies. To accelerate resolution critical threats. It also drains staffi ng budgets tools, further exacerbating the problem. In time and enhance decision-making, they and opens the door to costly data losses. one study, respondents said the top inci- need a clear, orderly incident response plan. dent response challenge was coordinating between security and IT teams.4 From 2014 to • Poor visibility. It’s diffi cult to under- Desirable Targets stand an agency’s overall security State and local government websites 2015, the number posture when it is managed via mul- and other internet-connected resources of zero-day tiple siloed products. are prime targets for attack as they increas- • Lack of automation. Security teams ingly provide critical services and handle vulnerabilities must rely on emails, phone calls and sensitive citizen information. These attacks increased by spreadsheets to document alerts and are increasingly more sophisticated, persis- assign next steps. Manual processes tent and stealthy, and motivated criminals waste time and introduce errors. are on the hunt for vulnerabilities and zero- • Ineffi cient use of talent. Security day exploits that allow them to sabotage, analysts can be bogged down with ad- steal, extort and defame. ministrative tasks such as copying and From 2014 to 2015, the number of pasting incidents to consolidate them. zero-day vulnerabilities increased by 125 • Approval delays. Diffi culties in identi- percent.1 Meanwhile, spear-phishing and fying and tracking down decision-mak- other email exploits that plague state ers in the escalation process delays and local governments are rampant. A response time. recent cross-industry study found that 2014 2015 • Unenforceable policies. Although spear-phishing campaigns increased 55 state and local governments may have

GT16 BRIEF ServiceNow.indd 26 9/20/16 3:18 PM

a standardized security runbook, they Responding with Agility: platform, organizations can automatically don’t always have a way to guarantee The Three Pillars of Success import and prioritize security information employees are following it. Lack For a more agile and eff ective response, and event management (SIEM) system alerts, of standardization leads to gaps in state and local governments must be able respond to potential email phishing scams, incident resolution. to visualize the security posture of their criti- address high-profi le vulnerabilities and more. • No end-to-end tracking. Organiza- cal services and IT infrastructure, unify and tions cannot easily follow through on streamline tools, and automate response. An incidents to ensure they are resolved integrated response platform provides a and data collection for post-incident robust foundation for the three pillars of reviews can take hours. successful security response. With the right Automate Security Response Automated, predefi ned Security Response: incident response workfl ows ensure consistent remediation and support compliance with security Maintain, Unify, Automate policies and regulations. They also allow junior staff to track the workfl ows of routine incidents so senior analysts can focus on more Unify Security and complex issues. When automating IT Tools — Without security responses: Sacrificing Control • Prioritize systems and resources Maintain a Definitive, Use a common platform. Doing so based on their criticality to the Real-Time View of Your allows IT and security staff to access organization Security Posture the same sets of data and thereby • Determine which systems are Accuracy is critical when prioritizing coordinate and unify their response. aff ected when an incident occurs and responding to events. To get a The platform should also allow the • Automate incident response/use clear view of your security posture, response team to: predefi ned workfl ows based on use a system with visibility across • Control access to sensitive data the criticality of each resource multiple products. Consider using a via roles and access permissions • Automate the approval process customizable dashboard that displays • Track each item to ensure the for patches and changes incidents and vulnerabilities, and incident is remediated correctly • Automatically correlate threat correlates response data to quickly • Maintain mechanisms to send intelligence data show whether assets are secure. To reminders, escalate items • Document and time-stamp maintain security, be sure you can tai- and hold staff accountable all activities and approvals lor the dashboard view in accordance throughout the incident to support auditing, process with the role of the employee. response life cycle improvement and accountability

Produduced by: For:For:

ENDNOTES

1. https://www.symantec.com/security-center/threat-report

2. https://www.symantec.com/content/dam/symantec/docs/ infographics/istr-attackers-strike-large-business-en.pdf The Center for Digital Government, a division of e.Republic, is a ServiceNow is changing the way people work. With a ser- 3. https://securityintelligence.com/cost-of-a-data-breach-2015/ national research and advisory institute on information technol- vice-orientation toward the activities, tasks and processes 4. Enterprise Strategy Group. Status Quo Creates Security Risks: ogy policies and best practices in state and local government. that make up day-to-day work life, we help the modern The State of Incident Response. February 2016 Through its diverse and dynamic programs and services, enterprise transform the delivery and management of the Center provides public and private sector leaders with services. ServiceNow provides service management for This piece was developed and written by the Center for decision support, knowledge and opportunities to help them every department in the enterprise including IT, human Digital Government custom media division, with information eff ectively incorporate new technologies in the 21st century. resources, facilities, ﬁ eld service and more. and input from ServiceNow. www.centerdigitalgov.com. www.servicenow.com/products/security-operations.html

GT16 BRIEF ServiceNow.indd 27 9/20/16 3:18 PM

The Automated Criminal History System integrates with ﬁ ngerprinting devices to provide instant information Digital about an individual’s background. States at a Glance 17 23 10 Ohio A trending up* consistent* trending *Since the 2014 survey down* The state’s cloud-ﬁ rst policy expedites project deployment timelines, while a mobile platform strategy ensures devices are considered from a project’s outset. Dedicated Staff Here’s the percentage of respondents with employees devoted to these areas.

Utah A

91% 66% 60% By tracking traffi c signal metrics, the Transportation Department has reduced the odds of getting stopped Data Analytics/ Performance at a red light by 28 percent. Cybersecurity Business Intelligence Metrics

51% 49% 45% Virginia A

A new case management system has processed more than 900,000 Medicaid Open Data Innovation Privacy applications since October 2014.

14 October/November 2016 // www.govtech.com

GT10_14.indd 14 9/20/16 1:18 PM

93% 91% 72% 72% 72%

Business Application Cybersecurity Intelligence and Building, Integration Vendor-Managed Shared IT Data Analytics and Modernization IT Services Services

Almost Ubiquitous Top Tech Most states are on board with: Priorities

1. Cybersecurity 2. Shared or Collaborative Services 3. Cloud Computing Agile Multiagency Server Wireless Development Application Virtualization Infrastructure 4. IT Staffi ng 80% Development 85% 98% 96% 5. Budget and Cost Control

The Curve Still Catching On

A’s Business A-’s Intelligence/ Software- Advanced Next-Generation Participatory Deﬁ ned Analytics LTE Networks Budgeting Data Centers B+’s 67% 57% 30% 37% B’s B-’s

C+’s C’s C-’s

www.govtech.com // October/November 2016 15

GT10_14.indd 15 9/20/16 1:18 PM

State and local governments have more internal data is a necessary condition for security, it data at their disposal than ever before. is not sufficient to provide a complete picture, so the Firewalls, intrusion detection systems and analytics platforms pull external data from black lists, other tools constantly monitor the condition the dark web and websites and maps it against what of government networks, and they can your network is telling you. This added capability can track millions of potentially suspicious help your agency predict attacks or breaches. The incidents every day. Real-time monitoring service operates 24/7 every day, which is very difficult is fundamental to modern information and expensive to do with in-house government staff. security in an era where threats grow more numerous and more sophisticated at an Q: How does a cloud-based analytics platform ever-increasing rate. help preserve network performance? But monitoring is only effective if Encinias: Network performance is a big issue as agencies Tony Encinias, Vice governments can get context for this add cybersecurity tools. On-premises tools often have a President of Public Sector Strategy, ViON data, analyze it and take action based significant presence on the network — taking resources away on their findings. Cyber analytics is the from what that server was intended to do. State and local next big opportunity and the next big governments may not need or want another on-premises challenge for governments as they address the risk to valuable systems solution and many don’t have the budget or staff to support and information. Many government agencies lack the skills and financial it. Because Ascolta’s cyber analytics platform is offered as a resources to implement and operate cyber analytics on their own. Tony cloud-based service, there is zero footprint on the network. Encinias, Vice President of Public Sector Strategy at ViON and former CIO of Pennsylvania, provides insight into how cyber analytics delivered as a Q: What best practices can you offer decision-makers service can help agencies cost-effectively secure their networks. regarding cybersecurity and cyber analytics? Encinias: Before investing in analytics, agencies should: Q: How are the security needs of government agencies evolving? Explore as-a-service solutions. ViON and Encinias: Now that agencies have put cybersecurity tools Ascolta’s cyber analytics platform is subscription based. in place, they can receive alerts and begin the remediation If you want to have the services of a data scientist, process. These tools are really the first steps to “triage” the security professional and analyst, you can do all of network. Then “treatment” for breaches and compromises that through managed services as a single contract. can be implemented. But they are struggling with the Review the cyber readiness of your cybersecurity. volume and velocity of data these systems generate. To conduct cyber analytics you must have, at a minimum, They don’t have the time or the resources to create a foundational defense-in-depth presence as outlined context from the data to increase network security. in the NIST Cybersecurity Framework. Once you have mechanisms in place like firewalls, malware detection and Q: How can cloud services help agencies use SIEM to generate, collect and manage that data, you can this data to strengthen cybersecurity? perform analytics to identify vulnerabilities. Encinias: ViON’s cyber analytics platform takes security Be vigilant 24/7. What happens when an attack occurs at data from an agency’s network, ingests and analyzes it 3 a.m. on a Saturday? Without 24/7 monitoring, chances are based on specific algorithms, and displays the information you won’t know about the attack until Monday morning — on a dashboard. The platform could be cloud based and that’s too little too late. An alert sent to you via a mobile or on premises. Ascolta, a wholly owned subsidiary of phone, tablet or text message allows you to see what’s going ViON, delivers cyber analytics using the AWS GovCloud, on from an analytics perspective, determine the potential which can give agencies real-time data analysis. While impact of the issue and take proactive steps against it.

To learn more, visit: www.ascolta.io

GT16 QA Vion.indd 2 9/16/16 10:39 AM

Create knowledge and actionable solutions from data in context and data in motion • Advanced analytics • Cyber readiness • Risk assessment

Learn more: www.ascolta.io

196 Van Buren St | Herndon, VA 20170 | P: (866) 901-8155

GT10_30.indd 18 9/20/16 1:05 PM

GT10_30.indd 19 9/20/16 1:05 PM

Even as Texas’ chief information security offi cer (CISO), with the full weight of the state’s IT apparatus at his disposal, Edward Block has a limited range of vision when it comes to cybersecurity. “We don’t see everything that is out there. We see a lot of stuff , and we tend to see things pretty early in their evolution. But we don’t see everything. So collaboration is really critical,” he said. To succeed in cyber, the state’s 160 distinct agencies have to pool their resources. “The bad actors out there are happy to share information with each other all day long. If we don’t do the same, we are letting them have a distinct advantage.” Given the unheralded complexity and severity of the threat, some say cyber is going to have to be a team eff ort. “There may be times when assets or authorities from one agency are needed to help another work its way through cyberproblems. And indicators of compromise in one system may indicate or presage indicators of compromise in other systems,” said Martin Libicki, a RAND senior management scientist who works extensively on government issues. This way of thinking increasingly typifi es the government approach to cybersecurity — and necessarily so, said Steve Spano, president and chief operating offi cer of the Center for Internet Security, which operates the Multi-State Information Sharing and Analysis Center on behalf of the U.S. Cybersecurity Review Board to be headed good data that shows us exactly where Department of Homeland Security. up by the state CIO, with members to we are,” Butterworth said. “It is defi - “Any government agency can connect include the adjutant general of Georgia and nitely a good push to get us started.” to 15 other government agencies,” he said. the leader of the Georgia National Guard, The eff ort is already having a direct “One system services health care, but the commissioner of the Department of practical impact. State agency IT health care ties to other state services. So Administrative Services, and Jim Butter- leaders have been emboldened to get once an adversary gets into one agency, worth, director of the Georgia Emergency more aggressive on cyber, knowing they it isn’t hard to go from there to see what Management Agency/Homeland Security. have a larger body backing them. Take other agencies you can get into.” “With everything going more the ransomware attacks, for instance. In response to this emerging land- and more to the cloud, it is quickly “Because of some of these conversa- scape, government IT executives, emer- becoming obvious that any network that tions and because we have empowered gency planners, security agencies and is connected to other state networks these agency CIOs, they are beginning other key players across the nation are could be vulnerable,” Butterworth said. to back up systems more and more, forming alliances. They’re putting in “That means we need to create the secu- so when these ransomware demands place formal structures to ensure that rity across the entire infrastructure.” pop up — and they have been — we when new cyberthreats emerge, all The group’s fi rst act was to request don’t give in,” said Butterworth. “We relevant players can be prepared to act. a self-assessment from agencies. Based don’t pay, and so far, we have been able on a December report, the state Legisla- to successfully stop those eff orts.” ture approved $3 million over the next The actual mechanics of collabora- Connected Networks three years to fund a deeper study of tion are still a work in progress. Everyone In Georgia an executive order in mid-2015 Georgia’s cybersituation. “That is going says they want to work together; no one established the State Government Systems to get us out of the gate and get us some wants to be told what to do, and not

20 October/November 2016 // www.govtech.com

GT10_30.indd 20 9/20/16 1:05 PM

no to that system. If they are in the conversa- of Maine, I consider it my sacred duty to tion, we can help them understand the needs inform the fusion center, and they then for certain protections,” Butterworth said. up-channel it to DHS and FBI,” Chakra- varty said. “If the university sees some variant in the malware, or if we see some- Taking Center Stage thing in the state networks, we all consider “The thing about cyber is, it is truly world- it our immediate responsibility to share wide and it is instantaneous. So it requires that. It is in my best interests to contribute massive connectedness to combat it.” to that sum total of community wisdom.” That’s Victor Chakravarty, an enter- At the same time, the group takes a prise architect in the Maine Offi ce of bigger-picture approach. Members share Information Technology. Like Georgia, best practices among one another, and they Maine has in place a formal body designed are building cyber-recommendations to to take cyber out of the IT closet and help guide the governor’s offi ce, the Cabinet Mike Geraghty wants the put it smack in the center of the room. and Legislature. “Part of our mission is to New Jersey Cybersecurity and The Maine State Information Protection educate them,” he said. “And we also would Communications Integration Working Group is chaired by the state like to up the profi le of cybersecurity, so Cell to be a one-stop shop for CIO and includes the Offi ce of Infor- that potentially they can help us overcome the state’s cybereff orts. mation Technology, Maine Emergency burdens we ourselves cannot overcome.” Management Agency, Maine Informa- tion and Analysis Center (MIAC, or the fusion center), Maine National Guard, ‘Body Armor’ U.S. Department of Homeland Security, Mike Sena literally helped write the the University of Maine, and IT direc- book on cybercollaboration. As execu- tors of the cities of Auburn and Bangor. tive director of the Northern California Diff erent players bring diff erent exper- Regional Intelligence Center (NCRIC) tise. Some on the team look at cyber as he helped develop a toolkit on the topic, a law enforcement or national security the Bureau of Justice Assistance Guide: issue. Chakravarty just wants to be sure Cyber Integration for Fusion Centers he can keep the lights on — like last year, from the U.S. Department of Justice. when hacking group Vikingdom struck With Silicon Valley in the region, it is state and local agencies in 27 states with a perhaps not surprising that the NCRIC everyone likes to make it known when denial-of-service attack. “My job is service fusion center has become a hub of cyberac- a problem has impacted their systems. restoration,” he said. “The most important tivity. Partners in the eff ort range across the These early days require fi nesse. thing I care about is that the state of Maine state and federal gamut: The highway patrol “We have to make it clear that we are services remain up and my customers’ and state justice department stand shoulder not beating them over the head: ‘We have services are not aff ected. But when you look to shoulder with representatives of DHS, the clout of the governor’s offi ce and we at the fusion center, they are focused on DEA, FBI and local law enforcement. are throwing this in your face.’ So we say public safety, so they are more interested The primary mission is defensive, up front that if an agency comes up red in in the forensics and the prosecution.” with planners utilizing FireEye software some area, we aren’t going to publish the Having that plurality of interests at the to continuously monitor participating name of that agency. This is not a puni- table works to everyone’s benefi t. “That is networks. “When one group is being tive eff ort,” said Butterworth. “Our philos- what makes it a rich, symbiotic relation- attacked by an actor, and that attack fails, ophy is that a rising tide raises all ships. ship,” said Chakravarty. “I personally do that actor is likely to go on to the next We are simply here to empower them not have the wherewithal to do foren- person. So the goal is to be able to collect in what they are already trying to do.” sics and prosecution, but there are others and share that information in real time, While the state CIO and security chiefs who do. Because we meet and spend time to create the body armor as best we can make an obvious fi t on the board, some might together we have evolved these patterns of for disparate networks,” Sena said. wonder why Administrative Services is at the information sharing that play off of each NCRIC does outreach too, engaging state table. Simply put: These are the folks who other’s skills, and that is something that can agencies in cybertraining and readiness ultimately purchase the systems. If there only come through a long partnership.” activities. Sena’s team has gone spearfi shing are going to be security concerns around IT In practical terms, the relationship is among critical infrastructure stakeholders, purchases, best bring them in early. “They very much about responding to immediate sending out bogus messages to ensnare have the control to say yes to this system and threats. “If new ransomware hits the state sloppy users in a mock security breach,

www.govtech.com // October/November 2016 21

GT10_30.indd 21 9/20/16 1:05 PM

and they usually get a bite. “The last time shop for cybersecurity,” Geraghty said. information, we will not disclose anything we did this, 7 percent of the folks clicked “That may be information on current about you or your systems,” he said. on the link,” he said. “My advice to the threats, it may be best practices to imple- In the drive toward cybercollabora- organization is you only need one person.” ment cybersecurity, or the current state of tion, this appears to be the big looming Sena is angling to position the 80-person cyber. We are also doing a lot of analysis, hurdle: the need to drive cultural change NCRIC as the go-to source for government looking to see what a viable threat is and in an IT environment that tends to IT when cybertrouble occurs. To that end, making sure we can articulate the nature play security issues close to the vest. in addition to sending out a steady stream of of that threat and why it is important.” In Texas, agencies are required to warnings and updates, the center also has That’s a lot to bite off . Automation report cyberincidents to CISO Block, produced a mobile optimized application helps: A security information and event “but they are really uncomfortable doing to help people report incidents and threats. It also mounts a 24/7 response team. When an incident or threat is reported, “we have the ability to reach out to that “Any government agency can agency, to reach out to law enforcement, to connect to 15 other government reach out to the IT folks. From there we can agencies. One system services send a team out, to have a human body out health care, but health care there working with them,” said Sena. “We ties to other state services. So don’t have enough bodies to send someone once an adversary gets into every time, but if it is a priority issue we one agency, it isn’t hard to go will have somebody on the ground.” from there to see what other Why the pressing need for collaboration? agencies you can get into.” Because, as Sena puts it, cyber is not like Steve Spano, president and chief operating other threats. offi cer, Center for Internet Security “We come together on a unifi ed message for physical threats. ‘If X happens you do Y.’ But when we get to cyber it isn’t the same,” he said. “With cyber, if A happens, management system deployed across state so, because they don’t know where that you can either do B, F-l, M or 3. That’s not networks records up to 2 billion events a information is going to go. Will it go to the the best thing. We need to be able to say, day. Operations and analysis teams track people who manage their budget? Will it ‘This is the way we handle cyberevents that feed; communications professionals get go to the Legislature? Will it end up in a in America. This is the way we handle the word out to more than 1,500 members. report that is available to the public?” cyberinvestigations.’ We are not there yet.” The cell gets regular alerts from outside Texas law says everything is public sources like DHS and FBI. The art here lies knowledge unless specifi cally exempted. in taking all that information and lining Block will go to bat to shield agency The Virtual Threat it up against what’s happening inter- IT leaders from the spotlight, but only Mike Geraghty joins with Sena and nally. “Others can receive the same sorts to some extent. “If it is just something others in government in wanting to of external information from the same embarrassing, if it is just the news of a change that status quo. As director of the sources. Our secret sauce is in comparing breach, that is not something I would try New Jersey Cybersecurity and Commu- that to what we see on our network,” he to protect” from disclosure, he said. “But nications Integration Cell, he oversees said. “We vet that information so that what how it happened? If showing that would a collaborative eff ort intended to forge we provide our members with what is most put that system or another in jeopardy, a common front against the cyberfoe. relevant. We strip out the noise. Other- that is something I would try to protect.” “No one agency has all the answers wise you are just opening a fi re hose.” Experts across government say IT or is even capable of keeping up with While agencies are generally leaders will need to fi nd a way to walk information security on the neces- cooperative, Geraghty admits encountering this fi ne line. With collaboration virtu- sary scale,” he said. “When you have a the occasional “reticence to disclose” — ally the inevitable next step in govern- threat that is physical and local, you can IT leaders shy about lifting the covers ment cyber, they will have to construct protect against that. But this is a threat on their systems’ vulnerabilities. His not just the technical mechanisms to that is virtual, that can happen anywhere promise: Tell us your troubles, and we’ll anonymize breach reports, but also the against anything, and the only way to keep it anonymous. “Even if you don’t trust and relationships that will make protect against that is cooperatively.” strip it out and sanitize it before you it possible for all players to feel secure To get at it, the cell embraces a broad give it to us, we will do that on our end in putting their cards on the table. mandate. “We want to be the one-stop so that when we do make use of that

22 October/November 2016 // www.govtech.com

GT10_30.indd 22 9/20/16 1:06 PM

In a 2016 Governing Institute survey of 103 In the 2016 state elected and appointed ofﬁ cials, Governing Institute survey,

94% 5 REASONS CYBERATTACKS POSE A 72% REAL THREAT

TO GOVERNMENT SAID THEIR STATE’S CURRENT OF RESPONDENTS LEVEL OF CYBER RISK AGREED HACKERS ARE IS MODERATE TO HIGH. GETTING SMARTER.

BUDGETS & THE HACKERSH CKERS THREATS ARE ECONOMY TAKE WANTWANT PUBLICPUBLIC INCREASINGLY 3 A BIG HIT. 4 SECTORS CTOR DATA.DATA. 5 TTARGETED.

The Ponemon Institute’s 2015 Of all cyberattackscyber cks in 2015, A surveyy ofof 500 security lleadersea from Cost of Data Breach Study found the average countriesries around the world ffoundo that total cost of a data breach increasedeas

2015

23% 53% 2013 1/3

FROMF 2013 TO 2015 TO HAVE EXPERIENCEDNCED AAN INCREASE IN $3.79 MILLION. WEWERERE AIMED AAT GOVERNMENTGOVERNMENT.RNME . CYBERATTACKS AAGAINST CRITICAL INFRASTRUCTURE SINCE 2014.

For more information, download the “Guide to Cybersecurity as Risk Management: The Role of Elected Ofﬁ cials” at: www.governing.com/cybersecurity-guide

GT16 AD CGI.indd 18 9/20/16 3:32 PM

KELLY GORHAM

24 October/November 2016 // www.govtech.com

GT10_12.indd 24 9/20/16 1:12 PM

More governments are protecting their IT assets with cyberinsurance. Here’s what you need to know when considering a policy. By Robert Lemos

www.govtech.com // October/November 2016 25

GT10_12.indd 25 9/20/16 1:13 PM

In 2014, a contractor for the and local governments have a partner to government of Montana noticed signs work with during an incident, Pizzini said. of hacking on a server belonging to the “The fact that insurance provides all state’s Department of Public Health those things that you need in the time of and Human Services. an incident, and they are automatically in The incident — which state offi cials place and you can utilize them, is huge,” do not classify as a “breach” as no data she said. “We had forensics capability was thought to be lost — put millions of immediately, and we had counsel. They citizens’ records at risk. While investi- had a communications plan we could gators found no signs that the data had utilize and a call center — all of those been leaked, state offi cials triggered their things you need in the time of an incident.” 6-year-old cyberinsurance policy to help The insurance industry is looking at in notifying 1.2 million past and present a tremendous demand for cyberinsur- Montana residents and providing a call ance. Increasing concerns about breaches A 2014 hacking center to answer questions, said Lynne and cyber-risks drove a 27 percent annual incident proved the Pizzini, chief information security offi cer increase in the purchase of cyberinsur- value of cyberinsurance (CISO) and deputy CIO of Montana. ance policies, according to insurance to decision-makers “We have 1 million residents and we broker Marsh. Across the industry, about a in Montana. sent 1.2 million letters, so that kind of tells quarter of insurance brokers’ clients have you that we were right at the edge — this purchased some form of cyberinsurance, is one of the largest incidents we will see,” a signifi cant proportion given that only she said, adding that the state’s cyberinsur- 35 percent of clients have an information selves against breaches, according to a ance policy was invaluable. “People ask if security program in place, according to the survey conducted by the Ponemon Insti- you need to pay for cyberinsurance, and Council of Insurance Agents and Brokers. tute. In 2015, only 20 percent of state CIOs I think you do, because we all know that More than 60 diff erent insurers now had purchased cyberinsurance, according it is not if, but when, you have a breach.” have insurance products aimed at off setting to a survey conducted by the National Asso- The state has to date put no price tag on cyber-risk. ciation of State Chief Information Offi cers. the incident, which is still being investi- Yet government agencies have been “If everyone in the private sector is gated, but it likely could have cost Montana among the slowest adopters. While 37 buying cyberinsurance, why is the govern- millions of dollars. Yet, while the insurance percent of fi nancial services fi rms and 29 ment not doing the same thing?” asked coverage for monetary damage is impor- percent of retail companies had a cyberin- Jake Olcott, vice president of business tant to protect taxpayers, a more signifi - surance policy in 2013, only 19 percent of development at BitSight Technologies, cant value of cyberinsurance is that state government agencies had insured them- which rates the security of companies

Buying the Right Policy Because there are no standard policies, getting cyberinsurance can be a lengthy process for any government agency. Here are some tips:

✗ Get enough construct breach scenarios to estimate coverage the insurance limits needed. The city of The cost of breaches can be Phoenix, for example, bought $10 million astronomical. Following its breach in in insurance to cover potential losses. 2013, retail giant Target has incurred more than $291 million in costs ✗ Beware of exceptions associated with the compromise, only When Georgia looked at initial policy $90 million of which was covered by proposals, there were too many insurance. Government agencies should exemptions. The biggest differentiator

26 October/November 2016 // www.govtech.com

GT10_12.indd 26 9/20/16 1:13 PM

Nichols, CTO of the Georgia Tech- nology Authority, which manages information technology for the state. San Diego has 1.4 million citizens and 24 diff erent networks that connect city bureaus and departments, more than 400 applications, numerous smart devices, a ﬂ eet of police cars and point- of-sale systems. The sheer variety of systems means that a breach could cost anywhere from tens of thousands of dollars to, in an absolute worst case, a half billion dollars, said Gary Hayslip, deputy director of the Department of Informa- tion Technology and CISO of San Diego. Having cyberinsurance means not only off setting the monetary risk, but also better responding to the breach, he said. “It is one of the things that you hope

KELLY GORHAM KELLY you never have to use, but in today’s environment and with the technolo- for insurers, among other clients. “As far cyberinsurance. Government networks gies that we are moving into — we as I know, there is no governmentwide are so varied, linking citizen data and are moving to the cloud and we have policy about insurance that government operational infrastructure networks, smart city initiatives — you need to agencies are supposed to buy or take that a breach could be very serious and have cyberinsurance as the security out. … This is an area where the govern- responding to one can be complex. blanket behind the scene,” he said. ment is behind the private sector.” To off set the risk, governments are Hayslip and other state and munic- increasingly looking at cyberinsurance. ipal CIOs and CISOs agreed: While the Beyond compensation The state of Georgia, for example, is coverage for damages is an important While large government agencies currently in the process of purchasing it. part of cyberinsurance, the most valu- can, and often do, self-insure, dealing “If you start contemplating a breach able aspect is the expertise that insur- with the monetary losses surrounding of tens of millions of dollars, that’s a big ance companies and their partners can a breach is only part of the value of hit for even a state to take,” said Steve provide to agencies dealing with a breach.

for many insurers is what incidents and ✗ Test all scenarios different types of scenarios: how bad triggers they exempt from coverage. Some To check policies and prepare could it actually get, how will you companies exempt breaches involving for possible breaches, govern- respond and what kind of damage you unencrypted data, while others require ment agencies should regularly run would take,” he said. “Then you start that USB drives must be barred from use. incident-response exercises. Such taking a look at what you can handle in When the Georgia Technology tabletop exercises are particularly house, what you have to outsource and Authority looked for a policy, it had to important when evaluating insur- what would be covered by an insur- sift through them and decline those ance policies to make sure common ance policy. By doing that, you can with too many exemptions, said CTO incidents are covered, said Gary fi gure out whether the insurance policy Steve Nichols. “In one case, they basi- Hayslip, San Diego CISO. is worth the paper it’s written on.” cally wanted to exempt lost laptops, and “You do incident-response tabletop that does not help us at all,” he said. exercises where you go through

www.govtech.com // October/November 2016 27

GT10_12.indd 27 9/20/16 1:13 PM

No standard policy infrastructure that states and municipalities Good security remains key As the ninth-largest U.S. state, Georgia manage can be more varied and more crit- Finally, security and risk experts under- has faced a long process to fi nd an appro- ical than the average company, said Denise score that having cyberinsurance does not priate insurance policy. Because the state Olson, chief fi nancial offi cer of Phoenix. mean that companies and government has so many diff erent departments and “We, as a government agency, have to agencies can neglect their information bureaus — not to mention state universities be more cautious,” she said. “We do have security program. Cyberinsurance needs and colleges — fi nding a solution to insure systems related to the water department to be part of a comprehensive informa- much of the infrastructure against breaches and we have information on citizens. I tion security program, not a way to absolve and cyber-risk has taken a long time. think municipalities need to take addi- the IT department of responsibility. “The underwriters have trouble tional means to protect our systems.” As part of the insurance process, getting their head around that there Phoenix bought a policy for $10 insurers will hammer the lesson home. are diff erent agencies, each with their million with a $500,000 deductible “Sometimes, organizations think that own security processes,” said Nichols. for a $200,000 annual premium. insurance can take the place of what you The complexity, uneven security are doing, but that is not the case at all,” controls, and the fact that agencies have said Montana’s Pizzini. “You have to have a access to comprehensive information on Complexity grows lot of things in place just to get the insur- citizens often means that insurers are leery Insurers continue to evolve and under- ance. Just like to have insurance on your about underwriting policies for states, he write more complex policies. Many carriers vehicle, you have to have a good driving said. In addition, added complexity means have loss-control services that can be record. You need to have good security a higher premium rate: While an industry added onto a policy to give risk manage- processes in place to get cyberinsurance.” norm is a $10,000 annual premium for $1 ment advice, set up tabletop incident In the end, cyberinsurance is about million in coverage, Georgia has to deal response exercises, and fi nd other ways to off setting risk, but also about preparing with quotes much higher than that. help clients gauge and prepare for risks, for a breach. For government agencies, the “The industry is realizing that these said Jon Neiditz, partner in the Atlanta ability to tap into a knowledgeable partner things can run way past the policy practice of law fi rm Kilpatrick Townsend. in a time of crisis is invaluable, said Pizzini. limit; that can happen very easily,” said “The most important thing for any entity “I do not have the resources to go out Nichols. “So everyone is gun-shy about is to understand the likely risk that it is and get contracts in place with a forensics taking on a policy for a state. We were scared about, and make sure that they are service, a call center and credit reporting, taken aback by the number of compa- covered,” he said. “What are the biggest and maintain all those contracts,” she nies that don’t underwrite this domain.” risks? Is it breach of unencrypted infor- said. “They have all those contracts While government has many of the same mation, or is it not a confi dentiality issue, in place for you to utilize. I would say threats as private-sector companies, the but an integrity or availability issue?” that is the greatest advantage.”

28 October/November 2016 // www.govtech.com

GT10_12.indd 28 9/20/16 1:14 PM

Working in public service takes more than strong policies, staff and elected ofﬁ cials — it takes reliable connectivity to protect your mission-critical data. With Government Solutions from Time Warner Cable Business Class, you can rely on a credible and trusted connectivity partner to meet the unique needs of state and local governments.

To learn more, visit or call us at business.twc.com/government | 888.638.1791

Not all products and services are available in all areas. Subject to change without notice. Some restrictions apply. All trademarks remain the property of their respective owners. Time Warner Cable Business Class is a trademark of Time Warner Inc., used under license. © 2016 Time Warner Cable Enterprises LLC. All rights reserved.

LEGIS CYBE

GT10_24.indd 30 9/20/16 1:21 PM

FLICKR/JACQUI IRWIN FLICKR/JACQUI www.govtech.com // October/November 2016 31

GT10_24.indd 31 9/20/16 1:21 PM

Privacy and security are the main IT tors who are prosecutors and defense issues that rise to the policy level, Kirk RECENTLY attorneys who grasp the concepts quickly noted. People are trying to make appro- SIGNED because they are in the legal system every priate laws, but it is such a complex issue LEGISLATION day. “Cyber as a technology is a little and only one of the many that legislators REQUIRES more diffi cult,” she admitted. “Unless need to address, so it is diffi cult to make you have somebody who spends a lot good laws, she said. After the cyberse- CALIFORNIA of time in the environment, it is diffi - curity and privacy summit, she met with TO PERFORM cult to keep up with. We don’t have one legislators, and in the most recent legis- A MINIMUM OF constant cyberchampion in either party lative session they created a state data 35 NETWORK who is always the go-to person. It is privacy offi ce and a cybersecurity jobs more spread out based on committee.” act. “They had a better understanding of SECURITY the issues and they worked with us on ASSESSMENTS those. It was an opportunity to collabo- PER YEAR ON BREACHES GRAB rate on getting good policy into law.” STATE AGENCIES, LAWMAKERS’ ATTENTION One way Kirk reaches out is to hold One thing that tends to get legislators’ tours of the Security Operations Center for DEPARTMENTS attention is a high-profi le data breach. “My legislators. “They can see in real time what AND OFFICES. philosophy is, never waste a data breach, is happening,” she said. “They can see all and hopefully, it is not one of ours,” said these attacks coming in. I can talk more Kirk. “You always want to take advantage of specifi cally about the types of attacks we are somebody else’s breach to educate. It does seeing right then, and what would happen if evolved very quickly,” Irwin said. bring home the fact that you either invest we weren’t protecting our network the way Karen Jackson, secretary of technology in front of the problem or you are investing we are. That gives them a real-life view.” for Virginia, headed up a state cybersecu- by trying to clean up at the back end of the Legislators who focus on cybersecurity commission over the last two years problem. It is a tough job to fi nd out where rity tend to be people who have some and turned to the Legislature to pass seven that balance is. It is important to me that technology or legal background. For bills related to cybersecurity and cyber- we don’t spend our tax dollars cleaning up instance, Irwin’s training was in systems crime. In the last session the Virginia something that could have been avoided.” engineering, and she worked at the Johns legislature also invested more than $20 In fact, it often takes a data breach Hopkins University Applied Physics Lab million in cybersecurity for training, hiring for lawmakers to pass signifi cant legis- and Teledyne Technologies. “I think and shared services for state agencies. lation around cybersecurity, said Doug that gives me a little more comfort with Jackson said that when it comes to Robinson, NASCIO’s executive director. the issue, because cybersecurity has cybercrime legislation, there are legisla- For instance, after a high-profi le breach

NCSL TASK FORCE ALLOWS LEGISLATORS TO SHARE BEST PRACTICES Besides leading the charge on cybersecurity in the California Legislature, Rep. Irwin is co-chairing a cybersecurity task force recently created by the National Conference of State Legislatures (NCSL). “We just had a conference call on the new federal data-sharing legislation,” she said. “My hope is to produce a working product that would be a list of recommendations or best practices for states. We all know the important thing is to get the word out and tell legislators about their responsibility for oversight. It can’t just be the executive branch that is worried about this, so we want to come up with a list of questions legislators should be asking.” Jeff McLeod, director of the Homeland Security and Public Safety Division of the National Governors Association Center for Best Practices, said there is a crucial role for legislators to play in terms of investing in workforce training and oversight. “The biggest thing is at the policy level, making sure the state is organized eff ectively in terms of governance, and making sure the state is taking a risk management approach and using resources where they can have the biggest impact in addressing or reducing the threat.” Susan Parnas Frederick, NCSL’s senior federal aff airs counsel, said her organization had been tracking cybersecurity activity at the state level for several years, and it seemed like a good time to form a formal body to create a work product to inform legislators who may sit on technology and appropriations committees. “This task force gives those people with expertise an opportunity to work with colleagues in other parts of the country to share information on what they have done in their state,” she said. The task force, which also includes Rhode Island’s state Sen. Louis DiPalma and state Rep. Stephen Ucci as members, has a two-year time limit, but Frederick said it could be extended. “What we found was that as soon as it was announced to the membership, we got lots of requests to join. There is a lot of interest out there.”

32 October/November 2016 // www.govtech.com

GT10_24.indd 32 9/20/16 1:22 PM

in 2012, the South Carolina Legislature CIOs and CISOs need to communi- Francesca Spidalieri, a senior fellow passed a bill that made the CISO and cate with legislators in terms of busi- for cyberleadership at the Pell Center for chief privacy offi cer positions a legislative ness risk to state government, Robinson International Relations and Public Policy, requirement. The number of conversa- stressed. Unfortunately in many states, a think tank at Salve Regina University tions between state CIOs and legislators it is seen as being all about technology, in Newport, R.I., authored a 2015 report is increasing, said Robinson, “but there is so legislators defer to the CIO. “When called State of the States on Cybersecu- so much more for CIOs to do in terms of I talk to legislators I try to characterize rity, which found that most states lack communicating to stakeholders, including this as just another business risk that the strong cybersecurity measures, leaving legislators. Too much of that is ad hoc state has to address. The digital world is themselves largely unprepared to respond and not formalized.” NASCIO’s research now part of the fabric of government, and to cyberthreats. (Her report identiﬁ ed notes an increase in the level of commu- risks are associated with that. It is not a eight states with strong approaches to nication on cybersecurity with policy- project or an initiative. It is not going to cybersecurity, including Virginia.) “Few makers, but also that less than half of end. They have to become comfortable states are considering the exposure and states are engaged in the conversation. with that, and it is very new to them.” costs of less resilient critical services,

www.govtech.com // October/November 2016 33

GT10_24.indd 33 9/20/16 1:22 PM

data breaches, theft of intellectual property and sensitive information, and the impact of e-fraud and e-crime, all of which lead to a weaker economy and unstable national security,” her report noted. “Most legislators are poorly educated on these issues and very few have taken the time to understand how this helps a state CONNECTICUT REP. CAROLINE economically or from a security stand- SIMMONS point,” she said. “We see the same issues in state legislatures that we see in the U.S. Congress. Although it is a bipartisan issue, the reason so many cybersecurity bills are stalling in Congress comes down to those who have taken the time to educate themselves and those who haven’t.” Legislators want to promote digital “NONE OF US IS the most dangerous and diffi cult national connectivity and extend broadband capa- AN EXPERT ON security threats we face. States have an bility to remote areas of their state, Spidal- THE TECHNOLOGY, increasing role to play, given the sophisti- ieri noted. “What they don’t understand cation and evolving nature of the threat.” is that cybersecurity is the other side of BUT I THINK ALL With two colleagues, Simmons intro- the same coin. If you encourage people to OF US RECOGNIZE duced a bill that became law, directing connect more of their sensitive information THE INCREASING the creation of a state cybersecurity task to services and you don’t protect it, you are THREAT WE ARE force co-chaired by the Department of actually making your state more vulnerable.” Administrative Services and the Depart- In her own state of Rhode Island, Spidal- FACING.” ment of Emergency Services and Public ieri noticed that the data breach laws had not Protection to conduct an in-depth study been updated since 2005, and she reached out and assessment to identify the main cyber- to two legislators she knew had an interest in threshold. We had businesspeople who security issues facing Connecticut and the topic, state Sen. Louis DiPalma, D-District saw it as a burden on them. It was a tug of to develop specifi c actions the state can 12, and state Rep. Stephen Ucci, D-42nd war around what you disclose, how you take to improve its defenses and better District. Both had an interest in cybersecurity disclose it, and to whom and in what form.” protect state infrastructure, utilities, busi- because of their day jobs: DiPalma works as The bill passed because they brought nesses and the public from cyberattacks. a technical director at Raytheon, and Ucci is the stakeholders together with the The administration’s department heads an attorney who works on privacy issues. legislators upfront to address issues were supportive about the creation of the Spidalieri brought them together with and reach compromise, Spidalieri said. task force, she said, but the legislation executives from law enforcement, the “That same year 31 states proposed couldn’t call for a big investment. “There health-care and fi nancial sectors, and updates to the data breach notifi ca- is a diffi cult fi scal environment here in other stakeholders. “Together, in a few tion law, and only two passed.” Connecticut because we were facing a weeks of hard work, we came up with a defi cit going into the 2015 session,” she new draft of the legislation that was not said. “The only diffi culty I faced was that it only updating the old law, but off ering LEGISLATORS BALK couldn’t have a large fi scal note on the bill, a clear course of action for businesses AT FISCAL COST so we decided to start with an assessment.” and agencies that might get breached.” Although she is new to the Legislature Simmons said she believes other Ucci said it was tough to get consensus in Connecticut, Rep. Caroline Simmons, legislators are grasping the importance on the bill. “I have been in the Legisla- D-Stamford, took the lead in co-intro- of cybersecurity, because of high-profi le ture for 12 years, and there is a diff erence ducing cybersecurity legislation. “I have incidents, particularly the Anthem of opinion on everything, but with this some experience working at the federal breach, which happened in Connecticut particular piece of legislation, every piece level on this issue at the Department of while they were debating this legisla- of the bill was a bone of contention,” he Homeland Security,” she said. “That is tion. “None of us is an expert on the said. “There were some folks who thought what fi rst got me interested in it and I technology, but I think all of us recognize every single possible breach should imme- think that having strong cybersecurity the increasing threat we are facing.” diately be reported to the police, whereas laws at the state level is critical to our others said you should have a very high national security fabric, and this is one of [email protected]

34 October/November 2016 // www.govtech.com

GT10_24.indd 34 9/20/16 1:22 PM

YOU’RE REQUIRED TO KEEP RECORDS FOR UP TO 10 YEARS. BUT DON’T WORRY. WE GOT YOUR BACK.

archivesocial.com

36 October/November 2016 // www.govtech.com

GT10_20.indd 36 9/22/16 11:02 AM

www.govtech.com // October/November 2016 37

GT10_20.indd 37 9/20/16 1:24 PM

______Designer ______Creative Dir. 100 Blue Ravine Road Folsom, CA 95630 916-932-1300 ______Editorial ______Prepress www.erepublic.com CMY grey T1 T2 T3 5 25 50 75 95 100 5 25 50 75 95 100 5 25 50 75 95 100 5 25 50 75 95 100 Page # ______Other ______OK to go BLACK YELLOW MAGENTA CYAN “They must be educated enough about technology to understand the THE CYBERSECURITY risks they accept when they make a LANDSCAPE: business decision that involves tech- THEN AND NOW nology or funding for it,” he said. Some of the precautions taken by the What a diff erence fi ve years makes. Lane County Information Services Depart- When asked how cybersecurity ment are providing core workstation, issues have changed for their network and server security infrastructure departments between 2011 and 2016, that includes antivirus protection, Internet these CIOs off ered their take. proxy services and encryption. These services are managed by the Security and Lane County has recognized two Audit Division, which was re-established in important things. First, the business 2015 after being cut in 2012 for budgetary “must drive the acceptance of risk/benefi t reasons. The division, which is working on when it comes to technology and how it’s implementing a centralized security model, used. Second, our users are our greatest is now focused on secure access principles, asset — and our greatest threat. The incident response and business continuity, diff erence between 2011 and today is a Michael Finch, CIO, among other things. It’s a tall order for a far more mature governance model, as Information Services group of four full-time employees and less well as a focus on training and awareness Department, Lane County, Ore. than 5 percent of the county’s IT budget. for all our users and customers.” Monaghan said that this year, Nevada Michael Finch, CIO, Information Services County is pushing to modernize its IT Department, Lane County, Ore. security infrastructure. And the proof is in the budget. The county CEO and Board of The cloud has had the biggest Supervisors have earmarked $250,000 for impact. Data can live anywhere now, the eff ort. The sum represents about a 5 “and trying to keep a handle on where data percent increase to the annual IT budget, is living, and how employees across the which is used for infrastructure upgrades. enterprise are storing and moving data, is Job No. 1 is to build a countywide culture much more fl uid and complex. Add in data of cybersecurity/IT risk awareness and classifi cations and the regulations around sensitivity. breach notifi cations, and an organization “We are too small to codify this into has more exposure now, and the costs every policy and procedure, so we need of a data breach are much greater.” every county employee — from line staff Steve Monaghan, CIO, Information and General in the customer departments to every IT Services Agency, Nevada County, Calif. employee — to be cybersecurity sensitive,” Monaghan said. “That way, as they take on new projects and implement changes, they are thinking about cybersecurity and IT risk impacts. We are working cyberse- Portability and Accountability Act. Accepting jails to providing health care. This creates curity and IT risk management into our citizen payment for taxes, permits and other an extremely diverse set of technolo- processes such as change management, services administered by local govern- gies and requirements that most busi- project charters and contracting. However, ment also necessitates compliance with nesses don’t have to deal with.” it all has to fi rst have a solid cultural foun- Payment Card Industry standards. Adhering Finch also added that the issues dation across the countywide organization.” to regulations like these (or noncompli- his department faces are very similar ance with them), of course, is costly. to those faced by the state of Oregon, “Additionally local governments face although compatibility between dding to the challenge faced the threat of cyberactivism/hacktivists systems can be a challenge. by local cybersecurity teams that may occur due to an unexpected “That being said, we are also users of is having to achieve compli- local controversial event unfolding,” said many of their systems, so it’s important ance with the many regula- Finch. “While this exists at many levels, that services we are required to use that tory requirements imposed by resources at the local level are far less are provided by the state run on the latest Ahigher governments. Federal rules include than at other levels. Additionally, govern- operating systems and browsers,” he said. CJIS, which governs criminal justice infor- ments must serve a wide array of busi- “Funding is also one of the biggest diff er- mation systems, and the Health Insurance nesses — from building roads to running ences. Counties are very limited on what

38 October/November 2016 // www.govtech.com

GT10_20.indd 38 9/20/16 1:25 PM

______Designer ______Creative Dir. 100 Blue Ravine Road Folsom, CA 95630 916-932-1300 ______Editorial ______Prepress www.erepublic.com CMY grey T1 T2 T3 5 25 50 75 95 100 5 25 50 75 95 100 5 25 50 75 95 100 5 25 50 75 95 100 Page # ______Other ______OK to go BLACK YELLOW MAGENTA CYAN foster care, child support, food stamps city platforms and other new technology — [all of ] which drive cyber-risks.” solutions, new cybersecurity challenges With this in mind, Reneker’s depart- need to be considered,” she explained. ment has tightened email security using “Every discussion about enhancements in Symantec Brightmail, and a sophisticated information and communication tech- fi ve-person cybersecurity team focuses nology should include consideration on additional security tools and remedia- of the potential cybersecurity threats, tion. Their task lacks a clear end game. and plans to address or avoid them.” Reneker said new strategies are needed So, in today’s ever-threatening to adapt to the ever-changing cyberland- cyberworld, what is a local govern- scape and suggested the need for 24/7 ment IT department to do? monitoring and notifi cation systems. Kevin Haley, director of product “We also need more employee training management for Symantec security to protect them at work and home,” he response, said there are two cybersecu- stressed. “We need to invest in dedi- rity issues he thinks will have the greatest cated staff and tools to proactively block impact on agencies in the coming year. and eradicate malware active in place “First, agencies must protect their or attacking systems. We need to create records from targeted attacks, both from a security operation center to actively insiders and hackers outside the agency. monitor threats and show your customers Second, agencies must protect critical fi les that you take these issues seriously and data from crypto-ransomware attacks, and that you have programs in place which according to Symantec’s 2016 to help protect threats from impacting Internet Security Threat Report, grew by 35 day-to-day operations. Annual audits percent in 2015, and are now more focused and penetration tests [are also needed] on enterprises rather than individuals.” to learn best industry practices and to In order to combat these threats, ensure your environment is secure.” Haley said agencies are going to have For Monaghan, Nevada County has to step up to implement best prac- a wide breadth of technology, spanning tices to keep their data safe. 25-plus business lines. “We have very “It is also important that they under- specialized and critical technology that stand where their critical data is, and needs to operate fl awlessly 24/7/365, such back it up,” he said. “Finally, if an agency as 911 dispatch, mobile offi cer data systems, has never tested its backup strategy jail control systems, suicide hotlines and and processes, now is the time to do wastewater treatment plants,” he said. it, before an attack takes place.” Finch made a good point when he said that security and — in particular — breaches, elani Newton, director of survey need to be treated more like a public research for the International health outbreak instead of a blame game. City/County Management “Currently whenever a large breach they can tax or derive revenue from, Association, echoed a common occurs, it’s often a game of victimizing where the state has far more options.” concern among public-sector IT the victim and fi ring people instead of Riverside County, Calif., CIO Steve Jprofessionals at all levels: Local govern- going after the bad guys who broke the Reneker said his department invests ments are having diffi culty off ering cyber- law and stole data,” he said. “This does not about 3 percent of its IT budget on secu- security professionals salaries that are foster a collaborative approach between rity, such as staff , tools and services. The competitive with the private sector. The all organizations in going after the law main cybersecurity issues unique to local organization is currently studying the breakers. Instead, attacks should be government, from his perspective, are issue in conjunction with the Univer- treated more like an outbreak in health, impacts to emergency services and targets sity of Maryland, Baltimore County. where people are free to share informa- as a result of providing public safety Newton said cybersecurity is tion without fear of retribution to ensure services (offi cers, jails, public records). becoming increasingly important an informed, collaborative approach to “Local counties keep records of resi- as more local governments seek to ending the problem. This must change dents on welfare, unemployment, [who] use technology to improve service before any organization can hope to owns property, [have] committed a delivery and operating effi ciency. overcome this threat permanently.” crime, medical records, who is in jail, “As jurisdictions increasingly rely on who is in the hospital, criminal history, social media, cloud-based solutions, smart [email protected]

www.govtech.com // October/November 2016 39

GT10_20.indd 39 9/20/16 1:25 PM

InfraGard National Guard A partnership between the The National Guard is FBI and the private sector, installing cyberprotection InfraGard is dedicated to information teams throughout the U.S., with sharing and relationship building across plans to have them in 23 states by organizations including with state and the end of fi scal 2019. Collectively local law enforcement agencies. While the deployments are geared toward it also has a physical security focus, the a federal eff ort to protect against program started with a cybersecurity mounting cyberthreats. The teams case in 1996. Its 85 chapters hold will run simulations and share meetings and training sessions around contacts, information and resources topics that benefi t members and develop with local organizations to help special interest groups to address thwart and prevent attacks. topics like cybersecurity in-depth. National Governors InternetI Crime Association CComplaint Center The association’s Resource TheT center has been receiving Center for State Cybersecurity complaints from the public since aims to provide governors with 2000 about cybercrime issues like resources and tools for implementing hacking and fraud. Analysts review eff ective policies and practices on and research the complaints, and work the topic. Launched in 2012 , the with the appropriate government or initiative’s primary goal is for states to law enforcement agency as necessary. develop strategies for strengthening The center does not investigate cybersecurity practices as they relate complaints, but is a helpful resource to IT networks, health care, education, for citizens who don’t know how to public safety, energy, transportation, respond to a potential online crime. critical infrastructure, economic development and the workforce. Multi-StateM IInformation Sharing aand Analysis CtCenter (MS-ISAC) As part of the Center for Internet Security, the MS-ISAC off ers free managed security and advanced monitoring services to state, local, tribal and territorial governments. As of 2011, the center was working with all 50 states and was home to a fi rst-of-its-kind facility that’s staff ed 24/7 to guard against electronic attacks on government systems and information.

40 October/November 2016 // www.govtech.com

GT10_38.indd 40 9/20/16 1:28 PM

CJIS The FBI’s Criminal Justice Information Services security policy provides guidance on the lifecycle — creation, viewing, storage, etc. — of National Institute law enforcement data. of Standards and Technology’s DoS and DDoS FrameworkF for Improving A denial-of-service (DoS) Critical Infrastructure attack makes websites Cybersecurity and other online resources Acting as a how-to guide for the critical unavailable to users, and infrastructure community, version 1.0 a distributed denial-ofof the framework was released in in service (DDoS) attack makes 2014 in compliance with President services unavailable through Obama’s February 2013 order directing a fl ood of access attempts its development. The framework is from many IP addresses. a living document of best practices that users can reference to establish FedRAMP a risk-based approach to improve The Federal Risk and cybersecurity. It provides a series of Authorization Management actions to anticipate and respond to Program is a cloud- attacks on systems. If the majority of specifi c standard created organizations adopt the framework’s to streamline security principles, they’ll be speaking the auditing across multiple same language and have an easier federal agencies. time contracting with one another and protecting against cyberthreats. FISMA The Federal Information Security Management Act United States outlines a framework for Computer protecting government Emergency information and assets ReadinessR di Team (US-CERT) from natural or man-made As part of the U.S. Department of threats, and requires agency Homeland Security, US-CERT runs a leaders to conduct annual 24-hour operation to provide intrusion reviews of information detection and prevention for federal security programs. agencies; analyzes data about and responds to emerging threats; and PCI distributes actionable information to all The Payment Card Industry levels of government, the private sector Data Security Standard and international organizations. When the outlines encryption rules Confi cker worm was infecting millions of for credit card payments. computers in 2009, US-CERT developed a tool that state and local governments PII could download to detect and remove Personally identifi able the worm from their systems. information is one of the targets of many data breaches and its use can lead to identify theft.

www.govtech.com // October/November 2016 41

GT10_38.indd 41 9/20/16 1:28 PM

BY TOD NEWCOMBE DAVID KIDD DAVID

42 October/November 2016 // www.govtech.com

GT10_30.indd 42 9/20/16 1:05 PM

www.govtech.com // October/November 2016 43

GT10_30.indd 43 9/20/16 1:05 PM

n 2014, a Durham, N.H., police offi cer Despite investments in intrusion detec- opened what she thought was a “THE tion software, fi rewalls and a host of other digital fax attached to an email about EFFECTIVENESS cybersecurity tools, attacks, breaches and an investigation she was working OF EMPLOYEE extortions continue to plague states and on. Earlier this year, an employee AWARENESS localities. A chief reason why security fails Iat the Lansing Board of Water and Light is the human factor, say experts. “Over in Michigan opened what seemed to be a TRAINING IS SO 95 percent of all incidents investigated legitimate email attachment. In both cases, HIGH THAT IT recognize ‘human error’ as a contrib- the government employees were victims WOULD BE ONE uting factor,” according to a 2014 analysis of a type of phishing attack known as OF THE LAST of cyberattacks from IBM’s worldwide ransomware, which encrypted the victims’ security services operations. “The most computer fi les and sent them a digital THINGS TO GO IF commonly recorded forms of human error ransom note, demanding money to decrypt WE HAD TO CUT.” include system misconfi guration, poor them. Both agencies were able to resolve patch management, use of default user the issue without paying any ransom, but Intelligence Index. And the attacks are names and passwords or easy-to-guess not before dealing with a costly cleanup. becoming more frequent. In 2015, govern- passwords, lost laptops or mobile devices, State and local governments continue ment joined the ranks of four other and disclosure of regulated information to be victims of data breaches and cyber- industries — health care, manufacturing, via use of an incorrect email address.” attacks, with unauthorized access to fi les fi nancial services and transportation — Thanks to personal information avail- and data as the most persistent problem, as the most frequently attacked sector able on the Internet and via social media, according to IBM’s 2016 Cyber Security in the world, according to the report. hackers and data thieves have become extremely sophisticated at sending what look like emails from colleagues or businesses with the goal of gaining victims’ trust and having them open an attachment or click on a link that installs malicious software on a government agency’s server. The technique is called social engineering, and over the past three years, most major cyber-

MICHAEL ROLING, attacks on U.S. corporations have included CISO, MISSOURI it, according to The Washington Post. CIOs and CISOs in both the public and private sectors realize that human error is perhaps the biggest weakness in any information security program. Not surprisingly, a fast-growing business has sprung up to deal with changing human behavior. Called security awareness training, the aim is to condition employees not to click or open anything that looks remotely suspicious.

ichael Roling, CISO of Missouri, reported that every tax season, the state’s email M system sees a spike in W-2 phishing campaigns. “They go through the roof,” he said. Data thieves, hoping to gain a crucial bit of personal information that can be used to ﬁ le fraudulent tax returns, try to trick employees into sharing information. “Sometimes the only thing that is suspicious might be a misspelled name,” said Roling. Since 2009, Missouri has used awareness programs to train employees what DAVID KIDD DAVID

GT10_30.indd 44 9/20/16 1:06 PM

training focuses on changing human behavior and making security part of the workplace culture. “It’s all about changing

VENNARD WRIGHT, behavior as it is about actual security CIO, PRINCE GEORGE’S training,” said Lea Deesing, chief innova- COUNTY, MD. tion offi cer of Riverside, Calif. “Aware- ness is key because it’s the users who can put the integrity of our network at risk.” Riverside used to perform awareness training as a classroom exercise, but this year the city began using an online program from the SANS Insti- tute called Securing the Human. The training is now mandatory; if employees don’t take and complete the one- to two-hour course within the designated time frame, they are locked out of the city’s network. The training is modular and can be tailored to the type of data the employee works with, such as legal documents or Health Insurance Porta- bility and Accountability Act forms, for

DAVID KIDD DAVID example. Deesing described the training as interactive, and should an employee to look for in a suspicious email, how to fail the short test at the end of the course, work with two-factor authentication or “AWARENESS he or she must take it over again. how to create strong passwords. The initial TRAINING IS ONE Another program is Managed Online programs weren’t that eff ective, according OF THE MOST Awareness Training from Awareity, which to Roling, but recently the state switched to IMPORTANT is used by Loudoun County, Va. Wendy its latest training program, an online service Wickens, the county’s IT director, said all from Security Mentor. Roling described COMPONENTS OF employees must take the training once a it as more educational than past eff orts, OUR SECURITY year; the session lasts 30 to 90 minutes and as well as interactive and consumable. POSTURE. ALL is also interactive, with videos, test ques- Security Mentor is one of a burgeoning THE SECURITY tions and a review of the county’s security number of fi rms that specialize in aware- policies. The program costs $39,000. ness training. It’s a business worth $1 TOOLS OUT THERE Along with awareness training, the billion a year and growing 13 percent annu- WILL NEVER BE county has ratcheted up security by turning ally, according to Gartner, the technology AS SHARP AS THE off employee access to personal email on research fi rm. Other fi rms in the market HUMAN MIND.” the county’s network. “That has drasti- include the SANS Institute, MediaPro, cally reduced the instances of ransom- Wombat Security, Digital Defense and ware, which has become rampant,” said BeOne Development, to name just a few. The awareness program costs the Wickens. However, the county off ers public Missouri’s program is delivered online state $4.68 per user, per year, but it’s Wi-Fi (separate from the county network) monthly and is taken by 40,000 end users well worth the investment, according to to employees who have a personal device in 14 state agencies. Each lesson lasts Roling. “The eff ectiveness of employee and want to access personal email when 10 to 15 minutes and covers a specifi c awareness training is so high that it they’re not working. “Since we insti- security issue. In addition to explaining would be one of the last things to go if tuted that policy, we haven’t seen any about phishing, authentication and we had to cut,” he said. “Not only does instance of ransomware [on the county passwords, the program also teaches it raise awareness, it keeps the security network], which is signifi cant,” she said. employees about physical security, data culture alive that we struggled to get Not all state or local governments loss prevention, what’s acceptable to send going fi ve years ago. Even cabinet-level are investing in cloud-based awareness over the state network and even how to offi cers have to take the training.” training programs from third parties. keep data secure while traveling. “The Unlike security training, which focuses In Prince George’s County, Md., the program also includes games and puzzles on teaching employees and testing their 6,500 government employees receive to keep it interactive,” Roling said. knowledge on a set of rules, awareness their awareness education through a

www.govtech.com // October/November 2016 45

GT10_30.indd 45 9/20/16 1:06 PM

Exposed: THE STUPID THINGS WORKERS DO

13% 20% One let their colleagues of employees share use a device that their work email password; in ﬁ ve can access their 12 percent share pass- employees do not employer’s network; words to other work appli- have any security 9 percent allow cations. Nearly half of all software on their mobile their partners employees are unaware work devices, beyond to access such of any company policy what ships with the a device. around password sharing. operating system.

SOURCE: INFORMATIONWEEK; RESEARCH CONDUCTED BY ARLINGTON RESEARCH IN 2016 ON BEHALF OF ONELOGIN

custom learning management solu- Online awareness programs need to be that explains what has happened and tion that has been crafted by the county, part of a broader, more holistic approach what they should have been looking for. according to CIO Vennard Wright. The toward security, according to Winkler. Roling keeps track of which agency training takes place annually and is both Making awareness ubiquitous requires a makes the lowest number of mistakes online and offl ine for certain workers broad array of tactics, including pervasive and which makes the highest. The rank- who don’t have access to a computer. messaging to workers through posters, ings are posted, and agencies that struggle Wright also has seen a big drop in newsletters, message boards, events and are encouraged to improve and increase employee-triggered malware attacks contests. “It’s up to CISOs to create a secu- their awareness ranking. It’s part of a since the county made the awareness rity culture, an environment where people broader set of metrics Roling keeps on how training mandatory, and bars employees do the right thing,” he said. employees fare with awareness training, from the county network who haven’t Awareness experts criticize the approach and it’s considered an eff ective way to taken the training or failed to pass the where security awareness training takes measure what’s working and what isn’t. course. “The fi rst year we made it manda- place once a year, with a short quiz at the By mixing gamifi cation, a little competi- tory, there was a lot of pushback, but end. “That’s compliance and checking a box, tion and metrics with the overall awareness now the training is accepted,” he said. not true awareness,” said Winkler. program, Roling said that state employees see In Missouri, making security aware- the monthly exercises as less of a burden and ness part of the employee culture includes understand that it is a regular component of ot all security awareness the use of gamifi cation techniques to work. “Awareness training is one of the most programs are foolproof when it maintain interest. Roling said his depart- important components of our security posture,” comes to changing behavior in ment will also periodically test employees he said. “All the security tools out there will N the workplace. The programs by sending out fake phishing attacks, never be as sharp as the human mind.” can fail to perform as expected for a usually tied to a theme around a current It’s a point that more government CISOs variety of reasons. Ira Winkler, presi- event. Employees who fail to identify agree with and has made them realize just dent and co-founder of Secure Mentem, the fake phishing email and click on the how critical security awareness has become. a consulting fi rm that focuses on security link will fi nd themselves at a website In Riverside, security awareness has broad- awareness, said problems can start with ened into a larger education program for the basic objective. “There’s a diff erence city workers, according to Deesing. “We between awareness and training, and most are educating our people about how to people are providing training, not aware- “AWARENESS IS handle diff erent types of data and whether ness,” he said. “Training is putting a fi xed KEY BECAUSE IT’S or not they should even be storing diff erent body of knowledge on employees and THE USERS WHO types of data. We are also scanning our testing them. Awareness is about changing data to ensure there aren’t any human behavior. But most people don’t know that. CAN PUT THE errors that could put the city at risk.” Showing employees a video is not going INTEGRITY OF OUR to work as far as changing behavior.” NETWORK AT RISK.” [email protected]

46 October/November 2016 // www.govtech.com

GT10_30.indd 46 9/20/16 1:06 PM

re:thinkedu

Inside: Can analytics get an A grade?

The yellow school bus goes wireless.

How good is virtual reality?

Rhode Island’s chief innovation officer wants to bring new ideas Richard Culattas to education. CRUSAD’ E

To download a free copy, visit: www.centerdigitaled.com/magazines

Converge_Ad.indd 29 9/15/16 12:10 PM

Predicting the Future Data can help governments solve speciﬁ c problems and prepare for major events.

ayne Gretzky once said, “A specifi c project assumptions. Do this One way to make your vision a reality good hockey player plays by picking a government business area is to build scenario-based alternative W where the puck is. A great and assessing where you are regarding futures for the service being provided. hockey player plays where the puck is innovation compared to industry norms For example, your team can explore what going to be.” But how can government and best practices. Ask: What data are we can be done given various situations or leaders move from good to great with collecting? How is the data shared? What assumptions in the year 2020. Answer technology and security? Where will are the privacy implications? Look at the set questions for each alternative path. the “puck” be for your business area? data management guidance provided This approach is similar to the way that As we address these questions, there by the National Association of State fi rst responders and others in government are new industry tools to consider and Chief Information Offi cers (NASCIO). prepare for emergency management new ways to predict the future more Second, ask, “What if?” Imagine an scenarios such as fi res, fl oods, tornadoes accurately using available data. alternative future in your particular area or even cyberattacks. Tabletop exercises Just as many people have moved of interest. Start by examining technology can help you ask the right questions from relying on traditional radio traffi c trends. Utilize prediction reports from about what data is needed by various reports describing road congestion Gartner, Forrester and others that have functions, who will communicate with to real-time warnings and alternative crunched the data and checked the forecast whom and which metrics are important. routing from smartphone apps, there are percentages. Analyze and learn from the Some skeptics may ask, “But how now thousands of new tech tools that free end-of-the-year summaries as well can my government prepare for major incorporate real-time data to improve as New Year predictions from media unpredictable events like the United productivity and eff ectiveness. The sources and vendors. We are seeing more Kingdom leaving the European Union?” opportunities to use big data analytics to technology and security predictions in My answer is that even major events are solve specifi c problems are expanding every area of life, and you can benefi t not unpredictable. There will certainly rapidly in virtually every area of life. from this analytical trend. Look at award- be times when circumstances on the For example: How does Chicago know winning projects and best practices from ground bring surprises, but we can have which trash bins need to be emptied NASCIO and the National Association scenarios to plan for a wide variety of today? How can law enforcement use of Counties to inspire your teams. potential outcomes in any area — including advanced analytics to predict, And third, build project road maps that defending against cyberattacks, business Daniel J. Lohrmann anticipate and prevent crime? use this updated or real-time data. Re- disruptions or technology breakthroughs. is the chief security The answer is that an examine tactical and strategic plans based Like Gretzky, we can be at the right place officer and chief strategist at Security algorithm is mining big data on this new data-centric world. Forbes at the right time by knowing the data. Mentor. He is an or using new data that’s magazine reported that “fast data” and internationally recognized cybersecurity available via sensors as part “actionable data” will replace big data, so leader, technologist of the Internet of Things. companies should focus more on asking and author. From 2002 to 2014, So where can you start the right questions and making use of the Lohrmann led to better predict the future data they have. Also look outside your Michigan’s award- winning technology in your enterprise? organization to gain access to specifi c and cybersecurity First, examine your data needed to improve your customer’s programs, serving as CSO, CTO and CISO. current program and experience. This is an ongoing process.

48 October/November 2016 // www.govtech.com

GT10_30.indd 48 9/20/16 1:12 PM

Upcoming Locations: Atlanta / Nov. 2 Nashville / Nov. 3 San Francisco / Dec. TBD

800-820-5592 Reference the event date and location www.oracle.com/events CLOUD

GT10_AD_Oracle_Cloud.indd 2 9/22/16 11:35 AM

Work Together InFocus Corp. announced its 70-inch Mondopad Ultra touchscreen collaboration system, an all-in-one video- conferencing, interactive whiteboarding, presentation and data-sharing display for teams. Mondopad allows team members in multiple locations to see and hear one another while brainstorming on a shared whiteboard, and to collaboratively edit documents and draw directly onscreen. Documents can be saved to the system, stored to the network or emailed to anyone directly from the device. The 4K high-deﬁ nition screen resolution provides four times the detail of a 1080p HD display. The Mondopad features a sixth-generation Intel Core i7-6700T processor and Q170 chipset, 8 GB memory, and a 256 GB solid state hard drive. www.infocus.com

Print Pro Xerox introduced the WorkCentre 3345 Multifunction Printer (MFP), which operates at up to 42 pages per minute and 1200 x 1200 dots per inch. Users can scan to email or print, from the cloud or USB memory drive right at the MFP. The printer carries Apple AirPrint, Google Cloud Print, and the Xerox Print Service Plug-in for Android and Mopria, a set of standards that enable printing from a mobile device to printers from diff erent manufacturers or brands. The 3345 features a monthly duty cycle of up to 80,000 prints. www.xerox.com

Storage Sense Spectra Logic expanded its BlackPearl P Series of storage, which more than triples the throughput and number of tape drives managed compared to the standard BlackPearl S Series. The P Series can store more than 1 billion objects, transfer up to 3,000 MBps sustained to disk or tape, and manage 20 or more linear tape-open (LTO)-7 tape drives, paving the way for future generations of LTO and TS tape drives. The P Series off ers a 10-serial-attached-SCSI solid state drive with 960 GB SSD cache. www.spectralogic.com

For more product news, log on to explore Government Technology’s Product Source. govtech.com/products

50 October/November 2016 // www.govtech.com

GT10_50.indd 50 9/20/16 1:29 PM

STOP other people from accessing your information by using strong passwords. THINK before you download apps you aren’t familiar with. CONNECT with friends safely online by checking your privacy settings regularly.

Visit www.dhs.gov/stopthinkconnect for more information on how to get involved with the Stop.Think.Connect. Campaign.

Smarter Together If only one U.S. city wins the smart city race, the whole nation loses.

any governments around the to nearly $7.5 billion in technology Atlanta and Albuquerque to Albany, the world are working diligently investments over the past three years. USDOT received a total of 78 applications Mto build smart cities — those One of the single largest investments in representing 85 cities in 36 states. Many that use sensors, data and analytics to smart cities in the United States occurred of these proposals identifi ed important tackle important urban issues such as this past June when U.S. Department of challenges facing municipalities and how to better manage sanitation systems, Transportation (USDOT) Secretary Anthony proposed novel solutions that leveraged improve transportation networks and Foxx announced that Columbus, Ohio, technology to improve the community. deliver government services more had won the Smart City Challenge — a $50 For example, Boston outlined its plan to effi ciently. For example, cities can install million federal prize awarded for a single integrate additional sensors, data and sensors in water mains to detect leaks city to address important issues such as analytics with other government systems or conduct computer-based analysis on safety, mobility and climate change through to combat injuries and fatalities among real-time video feeds to combat crime. better use of data and technology. This pedestrians and bicyclists, address disparities Unfortunately the United States has in its transportation system, and more. woefully underinvested in smart city eff orts Unfortunately the Smart City Challenge compared to other leading countries. To The U.S. government has only funded one city’s proposal, even address this shortcoming, federal, state and committed approximately though many more were also deserving. local governments should come together $160 million over the This is an inadequate approach for to create a new stream of funding for U.S. next fi ve years to support funding critical digital infrastructure. cities to increase investment in the digital smart city initiatives. Just as it would not make sense to only infrastructure they need to ensure they are fund bridges and highways in one city modern, sustainable and competitive. in the United States, it makes no sense The U.S. government has committed to limit investment in the sensors, approximately $160 million over the next systems and networks needed to build fi ve years to support smart city initiatives. is an important milestone because most smart cities to a single location. Instead, This is a pittance compared to some smart city projects in the United States, policymakers at the city, state and federal of the investments other countries are like Chicago’s eff orts to build the Array of levels should be working together to fund making to develop smart Things — a network of sensors that collects promising proposals and develop strong cities. For example, in India, “real-time data on the city’s environment, partnerships with the private sector. Daniel Castro is the vice president Prime Minister Narendra infrastructure and activity for research This could take the form of new grants or of the Information Modi announced a $7.4 and public use” — have mostly been small- repurposing existing funding for physical Technology and Innovation Foundation billion initiative last year scale projects focused on a particular infrastructure to include digital initiatives. (ITIF) and director of to launch 100 smart cities application or problem rather than the While there is enormous potential to the Center for Data Innovation. Before in the country by 2020. broad integration of sensors, data and leverage data-driven innovation to improve joining ITIF, he worked And in Singapore, Prime analytics across virtually all public services. the quality of life in urban environments, at the Government Accountability Office Minister Lee Hsien Loong The most impressive aspect of the the United States will need to take action where he audited launched the Smart Nation Smart City Challenge is that so many cities soon if it does not want to fall too far IT security and management controls. initiative, which has led responded to the call. From Anchorage to behind in the race to build smart cities.

52 October/November 2016 // www.govtech.com

GT10_48.indd 52 9/20/16 1:12 PM

MAKINGG DATDATAA INTEROPERABLERABLE PULLING DATA ISN’T EASY, BUT TAKING THE RIGHTGHT FIRST STEPS CAN HELP STATES THROUGH THE TOGETHER PROCESS. INTEROPERABILITY:RABILITYY: HAHARDARD WWORK,ORKK, BBUTUT WWORTHORTTH TTHEHE EEFFORTFFORT had plans to phase in a number of assistance programs in the The holyl grailil off ththeh bibig ddatat era iis an itintegratedt d ddatat next few years.2 architecture that allows government enterprises to integrate siloed data to help make better decisions for themselves and WHY DATA INTEROPERABILITY SHOULD BE TOP OF MIND their citizens. The timing is right for states looking to make their data interoper- For health and human services agencies in particular, able. The extension of the enhanced 90/10 federal funding match interoperable data is the foundation for several important initia- for Medicaid system modernization, along with the current waiver tives, including integrated eligibility programs. It also provides of OMB A-87 cost allocation rules, help states integrate Medicaid caseworkers with a better view into how well those programs are data with insurance exchanges. These federal rules also help with providing assistance. integration of data from other human services programs such as the In addition, state leaders can more easily apply analytics to Supplemental Nutrition Assistance Program (SNAP, formerly known integrated data to see which programs are succeeding and as the Food Stamp Program), Temporary Assistance for Needy where money could be better spent. For example, if data Families (TANF) and the Special Supplemental Nutrition Program for showed a large number of babies with low birth weight in a Women, Infants and Children (WIC). Funding might also be used to particular region within a state, decision-makers could target integrate corrections or education department data, so long as the that area for additional outreach by maternal health services. data sharing can be shown to add value to the Medicaid program. Better prenatal services could, in turn, improve birth outcomes The Centers for Medicare & Medicaid Services (CMS) isn’t and reduce Medicaid spending in the future. alone in off ering incentives. The Administration for Children and In both the private and public sectors, it’s been a heavy lift to Families and the Food and Nutrition Service, among others, are also pull together a fully integrated data architecture. A recent study working toward interoperability and off ering assistance for federal found that although it is a priority for corporations, 79 percent of and state data exchange projects. private organizations have not yet integrated their data sources.1 However, even with additional funding, states face many chal- State governments are making some progress: As of early lenges. Along with technological change, this eff ort requires a culture 2015, 19 states had interoperable data platforms that they used shift that can be diffi cult for agencies to implement. But the payoff is to develop integrated eligibility programs and12 indicated they worth the eff ort. For those states that have not yet started down the

GT10 Optum TLP.indd 1 9/14/16 12:14 PM

______Designer ______Creative Dir. 100 Blue Ravine Road Folsom, CA 95630 916-932-1300 ______Editorial ______Prepress www.erepublic.com CMY grey T1 T2 T3 5 25 50 75 95 100 5 25 50 75 95 100 5 25 50 75 95 100 5 25 50 75 95 100 Page # ______Other ______OK to go BLACK YELLOW MAGENTA CYAN road toward data interoperability, here are four guidelines for laying STEP 3: ENGAGE LEADERSHIP the groundwork: As a data interoperability eff ort moves forward, it’s important to fi nd executive sponsorship within the agency — someone 4 STEPS TOWARD MAKING DATA INTEROPERABLE who can both infl uence people within the agency and go to the legislature for guidance or funding when the program grows beyond the STEP 1: INVENTORY ASSETS department’s span of control. Agency or departmental leaders often Before starting a data initiative, a state or locality needs spearhead integration eff orts within their own departments, and then to inventory its data to determine where the information seek broader support based on their success. resides, and who has access to and control of it. Many states and As the program expands into multiple agencies, it becomes localities struggle with this step. Most agency programs operate more important to have the support of the governor and the legisla- in silos, and each is likely to have distinct data security and ture. Laws and rules will need to be updated, changed or written. access policies. In addition, the owners of the data can be wary Leadership for that should come from the top. of giving up control of their information. When integrating HHS programs and data sources, it is advis- STEP 4: ADDRESS PRIVACY HURDLES able to implement an organizational change management (OCM) Those in charge of data tend to point to the Health strategy to educate staff on the value of creating the inventory Insurance Portability and Accountability Act (HIPAA) and to ensure that all stakeholders are aware of their respon- and other privacy laws and say, “My data is protected; I can’t share it.” sibilities and understand the need to participate. Employees These fears and concerns need to be addressed and should be assured that creating a data inventory can help identify discussed. In general, staff members need to be reassured that opportunities for process and data quality improvement, which the new system will take into consideration HIPAA and other data will in turn benefi t their individual program areas. Understanding protection rules and still allow for sharing. the inherent value in this process helps uncover hidden gaps States that have moved ahead with interoperable data have and inconsistencies while building trust among groups around found workable solutions to the legal issues raised by privacy laws. security, processes, ownership and disposal of data. For instance, California’s Healthcare Eligibility, Enrollment and Retention System (CalHEERS) is an integrated system that deter- STEP 2: THINK SMALL mines eligibility and helps with enrollment in insurance exchange While the overall goal is to one day integrate data from health plans and Medi-Cal (the state’s Medicaid program). It has multiple agencies, it helps to start with one small, legal documents in place that spell out who can use the data and manageable project. Find a program and gain experience by for what reasons. HIPAA guidelines are followed in the sharing of integrating its data sets. This helps employees gain confi dence data for specifi c purposes.3 and builds support for larger eff orts. For example, two of Michigan’s early interoperable projects CONCLUSION were vital statistics and immunization records, both of which can Integrating data is hard work, but the payoff is worth it. For feed into a larger system. Similarly, Illinois started with WIC and instance, after making its health and human services data family case management data and then integrated vital statistics interoperable, Utah went on to develop a data warehouse that and immunization records with Medicaid data. Since many of the collects, compiles and standardizes information from diff erent same recipients spanned multiple programs, there was a solid state and federal data sources (such as quarterly wage, business case to use the integrated data for program analysis. unemployment insurance and Social Security). The integrated Medicaid data is at the heart of any eff ort. Once a state makes data gives decision-makers a holistic view of all citizens and its Medicaid databases interoperable, integrating with other enables them to suggest appropriate services accordingly. programs becomes easier. This piece was developed and written by the Government Technology custom media division, with information and input from Optum.

Endnotes 1. http://ebooks.capgemini-consulting.com/cracking-the-data-conundrum/ 2. http://kﬀ .org/report-section/modern-era-medicaid-eligibility-and-enrollment-systems/ 3. http://www.calpirg.org/reports/caf/calheers-protecting-consumer-data-developing-and-implementing-strong-physical-technical

BY: FOR: FOR MORE INFORMATION, go to optum.com/government or call 866-223-4603.

GT10 Optum TLP.indd 2 9/13/16 11:54 AM

The number of people % who ignore security warning messages on their computers or mobile devices. 90Researchers from Brigham Young University in collaboration with Google Chrome engineers found that messages that appear while users are focused on a task like typing or 50 billion watching a video are usually disregarded. Timing security devices will be connected to each warnings to pop up after users watch a video, while they’re other by 2020, according to the waiting for a page to load or after interacting with a website proposed Developing Innovation and can enhance their security behaviors. SOURCE: PHYS.ORG Growing the Internet of Things Act, which could give the IoT a boost in the form of federal assistance. SOURCE: FUTURESTRUCTURE

PARTNERING FOR ENERGY: Nest, the maker of smart thermostats, is partnering with a California utility in an eff ort to get 50,000 participants in an energy conservation program. Following a massive natural gas leak in 2015 that has restricted supply, the company wants to encourage enough Southern California Edison customers to participate by next summer to reduce energy demand by 50 megawatts, or the amount produced by a small natural gas plant. Demand-response programs automatically curb energy use during times of peak use to help

avoid blackouts. SOURCE: BLOOMBERG

Ready, Set, Sun A solar-powered car built by students at the University of Michigan won the American Solar Challenge, an eight-day race that began July 30. Powered by a 65-square-foot solar array, the university’s car, called Aurum, stores energy in a lithium-ion battery pack and can reach speeds of up to 80 mph (although the race limits the vehicles to 65 mph). Twenty-four teams of college students participated in the biennial competition in which Aurum beat the pack by 11 hours, ﬁ nishing the trek from Ohio to South

Dakota in 48 hours, 26 minutes and 46 seconds. SOURCE: NEW ATLAS

Send Spectrum ideas to Managing Editor Elaine Pittman, [email protected], twitter@elainerpittman

www.govtech.com // October/November 2016 53

GT10_49.indd 53 9/20/16 1:33 PM

Make it a Team Effort How to get all staff members involved in your agency’s social media eff orts.

ost of your agency’s employees departments at this stage ensures that the community about alternative mobility are not directly involved in the high-level goals of your organization options. Be creative and get agency staff Mmanaging social media or as well as departments are considered involved in social media goal-setting. even contributing content. That’s not and incorporated from the beginning. necessarily a bad thing (managing Social media strategies should be Empower staff members to monitor 1,000-plus contributors is tricky), but unique to each organization — what works social media. A best practice I like to you should consider the benefi ts of for one city or county does not necessarily teach is empowering agency staff to getting all staff members involved with work for another. A comprehensive social monitor social media for citizen activity your agency’s social media presence. media strategy is guided by a number of related to the programs and projects Why bother? It’s really hard to present variables, ranging from the high-level that directly relate to their role. Several a united front when most of your staff mission of the agency, to the strategic free online tools can easily allow staff to members are unaware of your agency’s goals for key departments, to the city’s monitor keywords and hashtags while also social media strategy. Department communication goals. Setting social media keeping track of conversations and posts representatives might not even know what goals that complement the government’s related to a specifi c subject matter. Free profi les your agency maintains on various platforms. They might also be unaware that they can contribute content (can they?) Here’s a pro tip: Many department goals can be found and the process they can use to do so. in annual budget documents. While some of them will There are likely a large number of staff be very project specifi c, the higher-level goals may be a members who work for your agency, but perfect fi t to incorporate into your social media strategy. don’t work with programs that traditionally have public-facing social media content because they are an internal-facing division, guiding principles will help ensure a tools available today include setting up such as auditors or fl eet maintenance. But consistent and meaningful message. Google alerts or using Twitter advanced there are still opportunities to get them Here’s a pro tip: Many department search and social mention services. involved with your agency’s social media goals can be found in annual budget presence. This leads me to documents. While some of them will be Ensure the availability of ongoing my fi rst recommendation, social media training. Kristy is known very project specifi c, the higher-level goals Off er regular as “GovGirl” which speaks to how you may be a perfect fi t to incorporate into your social media training agencywide for all in the govern- develop the social media social media strategy. Better yet, talk to ment technology staff , leadership and elected offi cials — industry. A former strategy in the fi rst place. department representatives and ask them not just for social media content authors. city government what the long- and short-term goals are. Web manager with Consistent training helps employees a passion for social Get departments involved For example, if the public works division and electeds stay up-to-date about the media, technology in social media goal-setting. has a priority over the next couple of years and the lighter side policy, rules and legal aspects of posting of government life, A good social media strat- to conduct major traffi c fl ow infrastructure on social media, as well as stay informed Kristy is the CEO improvements, that can evolve perfectly of Government egy starts off by identify- as to why certain social media platforms Social Media. ing goals. Involving other into a new social media goal: educating were selected for an agency presence.

54 October/November 2016 // www.govtech.com

GT10_50.indd 54 9/20/16 1:25 PM

Secure your network. Protect your data. And rest assured your IT infrastructure is cared for by a leader in the business. We’ll work with your IT team to handle the day to day network tasks, so they can focus on the big picture. From reliable bandwidth to accountability and cost GHƁEKGPEKGUPQDQF[MPQYUPGVYQTMUCPF[QWTPGVYQTMPGGFUNKMGYGFQ

1-877-900-0246 brighthouse.com/enterprise

MANAGED SECURITY | MANAGED NETWORK | MANAGED WIFI

VARIDESK® sits on top of your existing desk and lets you switch easily between sitting and standing whenever you like – and it only takes 3 seconds! It ships fully assembled and sets up in minutes with no tools required. Order online or call 877-629-1462.

Pricing and product availability are subjected to change. Taxes will be added for delivery into California, Texas, and Nevada. For patent and trademark information, visit VARIDESK.com/patents ©2016 VARIDESK®. All Rights Reserved.

What’s Happening. Who’s Doing It. Why You Care.

A supplement to Government Technology/Governing

GOV16 HHS SR.indd 1 7/29/16 9:13 AM

Association of Administrators of the Interstate Compact on the Placement of Children Establishing Uniform Legal and Administrative Procedures American Association of SNAP Governing the Interstate Directors Placement of Children Strengthening Long Term Family Health and Well-Being IT Solutions Management for Human Services Sharing Innovative Solutions, Connecting IT Professionals, Collaborating with Private Sector Partners National Association of Public Child Welfare Administrators Developing Public Child Welfare Agencies to Improve Performance and Consumer Outcomes National Association for Program Information and Performance Measurement Enhancing the Integrity and Outcomes of Human Service Programs National Association of State Child Care Administrators Focusing on the State, Affordable, High-quality Care National Association of State of Children TANF Administrators Providing Expert Support and Consultation on TANF and Human Service Program Issues

National Staff Development and Training Association Sharing Ideas and Resources on Organizational Development, Staff Development and Training

Creating Strategic Directions in the Transformation of Health and Human Services www.APHSA.org @APHSA1

Health & Human Services // Special Report INTRODUCTION 04 INTO THE GREAT UNKNOWN

06 SOCIAL ISSUES DEMANDING YOUR ATTENTION The Opioid Epidemic 06 America Ages 07 Complexities of Mental Illness 08

12 HOW YOU’RE DRIVING DOWN COSTS – AND IMPROVING LIVES Focusing on Outcomes 12 Getting Smarter with Data 13 Changing Tactics 16 6 23

HOW YOU’LL MODERNIZE HHS SYSTEMS 20 Why You’ll Build Differently 21 30 The Challenges You’ll Face 26

HOW YOU’LL SHARE Simplifying the Regulatory Maze 30 DATA SAFELY 28 Going Mobile, Securely 32

Health+Human Services Special Report 3

GOV16 HHS SR.indd 3 7/29/16 9:14 AM

THE WAY OUR NATION DESIGNS AND RUNS HEALTH AND HUMAN SERVICES (HHS) PROGRAMS is in the midst of MULTIPLE FORCES ARE PUSHING HHS unprecedented change. Spiraling demands, evolving policies and PROGRAMS TOWARD AN INTEGRATED new technologies are pushing the HHS ﬁ eld into uncharted waters. For agencies in this space, the AND DATA-DRIVEN FUTURE, THE ULTIMATE future looks like this: There will be growing pressure to inter- connect separate beneﬁ ts programs FORM WHICH REMAINS TO BE SEEN. into something that works better and more cohesively for citizens. UNKNOWINTO THE GREAT

GOV16 HHS SR.indd 4 7/29/16 12:10 PM

There will be a push to under- still more uncertainty into the mix. easily. And second, privacy and security stand how factors such as where Experts say growing integration of concerns — real or imagined — tend citizens live impacts their health HHS programs and greater use of data- to be a drag on innovation in this area. and well-being. And there will driven decision-making are here to stay, Almost all survey respondents told be an expectation that agencies regardless of the election’s outcome. us they have technology that needs to analyze data to measure the eff ec- But a new administration certainly will be replaced, with 25 percent saying tiveness of the programs they run. bring its own nuances and priorities. anywhere from a quarter to half of all Behind the scenes this will drive “I think there are a number of their systems require modernization. big changes in the technology systems factors that have come together that Sixty percent also said increased that support HHS programs. Indi- are triggering changes across the entire data sharing brings with it greater vidual systems will need to integrate sector — both in health programs security and privacy challenges. more tightly than ever before; they’ll and in human services,” says Tracy need to share and consume data in Wareing Evans, executive director Seizing the Opportunity innovative ways; and they’ll need to of the American Public Human Still, we think all of this means off er new levels of mobility and other Services Association (APHSA).1 HHS agencies are on the cusp of great user-friendly features. Sophisticated “Funding available through the opportunity — but one that can’t be data analytics and visualization tools Aff ordable Care Act is helping to realized without a massive culture will take on more prominence, too, modernize technology on the health shift and a great deal of hard work. as agencies seek to turn mountains of side and maximize the opportunity Policy innovations are driving information into actionable insights. to bring integration and interoper- HHS programs toward a more holistic Even the way HHS systems are ability to human services systems,” view of citizens and more compre- deployed is undergoing a seismic shift. she adds. “Beyond the technology, hensive program off erings. Funding In an eff ort to reduce the cost and there’s also a compelling need for streams are evolving as well, allowing risk that are inherent in the modern- more evidence-based work, both dollars to be spent more fl exibly on ization of large computer systems, from a fi scal standpoint and to simply integrated approaches and better the federal government is incenting do what’s right for families that are data tools. As our research shows, an approach known as modular served by these systems. We need to agencies are beginning to adapt development. The approach envi- know what works and what doesn’t.” their thinking, but will need to sions breaking big complex systems react with even more agility and into smaller logical components. In Feeling the Strain innovation to make the leap. theory, this makes modernization Our annual health and human Luckily, technology has evolved easier since systems can be deployed services survey — conducted in part- to the point where systems more one piece at a time. But it also nership with APHSA — refl ects the easily support the development of demands that agencies develop new pressures HHS agencies are feeling. tightly interconnected platforms that skills around how to plan for these Respondents ranked better data serve multiple HHS functions. And upgrades and fi t the pieces together. sharing among agencies as their top growing acceptance of off -the-shelf As if that weren’t enough, the priority, followed by closer integration software packages and cloud-based looming presidential election injects of services and technology systems, services mean agencies no longer and adoption of analytics tools. They need custom developed software also told us they’re busier than ever. — or to even own software at all. Seventy-fi ve percent of respondents However, agencies will need to think said demand for HHS services has diff erently to exploit these changes. increased over the past year, with 20 Pushed by new policies and percent estimating workloads grew powered by modern technology, HHS anywhere from 25 to 50 percent. is in the midst of dramatic change, Although 70 percent said their the ultimate form of which remains agencies are moving in the right somewhat uncertain. This report maps direction, respondents were less the forces that are driving this trans- confi dent in their ability to use formation, both to build understanding data to drive better results. of the current environment and to That pessimism may stem from a push toward a markedly diff erent couple of factors: First, HHS is still — and more eff ective — approach rife with clunky old computer systems to serving the people and commu-

WN that neither integrate nor share data nities that rely on these services. SHUTTERSTOCK.COM

GOV16 HHS SR.indd 5 7/29/16 12:10 PM

The shifting HHS landscape A LOOK AT is being driven by several social issues: The U.S. population is aging, the opioid epidemic is spreading at an alarming rate and THE SOCIAL mental health issues are becoming more complex. All Tof these issues are causing HHS agencies to take notice and take action. As a result, ISSUES governments across the country are refocusing their eff orts on coordinating care and ﬁ nding innovative DEMANDING solutions. YOUR ATTENTION

What You’re Doing:ng: THE OPIOID EPIDEMIC GETTING THE WORD OOUTUT

What once may have been a silent epidemic is now impossible to ignore. Earlier this year, ViVirginia i i unveiledil d itits Killing more people than automobile accidents, opioids are the leading “Sink or Swim” campaign with a cause of accidental death in the U.S. According to the Centers for website (www.drugfreeva.org) and Disease Control and Prevention (CDC), fatalities from opioids more than app. The website creates a one-stop quadrupled between 1999 and 2014, crossing all socioeconomic groups shop for addiction resources — in urban, suburban and rural areas. It is estimated now that 78 Americans users can enter their ZIP code fatally overdose on opioids each day. to find nearby treatment 18,893 centers and support groups. FATALITIES BY OPIOID PAIN RELIEVERS NATIONWIDE 15,597

4,030

1999 2009 2014

Source: Centers for Disease Control and Prevention, 2015 6

GOV16 HHS SR.indd 6 7/29/16 9:16 AM

AN AGING AMERICA DESIGNING SENIOR-FRIENDLY COMMUNITIES To prepare for its aging baby-boomer The graying of the baby-boomer generation — combined with longer population (by 2030, the over-65 population lifespans — means that individuals aged 65 and older will comprise is projected to double), Arlington County, about 22 percent of the U.S. population by 2030. According to the U.S. Va., is making senior-friendly improvements. Census Bureau, the 65-and-over population is projected to double over The county offers a door-to-door the next three decades to about 88 million by 2050. Since the majority transportation service for individuals with of older Americans express a desire to age at home, these changes will disabilities and passed a zoning ordinance drive spending on long-term care and technologies to allow them to live that allows some homeowners to build independently. “granny flats.”3

What You’re Doing: DELAYING NURSING HOME PLACEMENT TAPPING TECHNOLOGY To lower Medicaid expenses, many states are trying States can educate their to delay or prevent unnecessary nursing home communities about available placements, which account for some of the highest technologies to help seniors Medicaid costs for long-term care. For example, maintain their independence. in Nebraska, the average cost of nursing home For example, pill dispensers can care is $75,000 per person. Conversely, home and send voice or text messages to community-based services (HCBS) cost significantly seniors when it’s time to take their less — home care is roughly half the cost of a medication and include alerts when nursing facility and community-based care is roughly pills are missed. Shoes with GPS one-quarter of the cost. By taking advantage of federal trackers can provide real-time funding and partnering with organizations such as Area location mapping. If a senior leaves Agencies on Aging, governments can offer HCBS to the pre-determined zone, the their communities and lower the Medicaid burden.2 caregiver receives an alert.

SHARING DATA PUTTING TECHNOLOGY TO WORK

Washington is one of the Every state except Missouri now has a prescription monitoring few states that gives public database. Last year, Ohio became the first state to link its agencies — including law prescription monitoring database with the electronic medical enforcement, corrections, records already maintained by doctors and pharmacists. social services, labor and industries, and more — LIMITING PRESCRIPTIONS FINDING BETTER TREATMENT access to its prescription monitoring system. This This March, Massachusetts began The Centers for Medicare and allows the Department of limiting initial opioid prescriptions to a Medicaid Services (CMS) advocates for Labor and Industries, for seven-day supply, except those for medication-assisted treatment (MAT), example, to closely monitor chronic or cancer-related pain or which is treatment that uses medication workers who were already palliative care. To prevent addicts from as well as counseling and other support. chronic opioid users before doctor shopping, practitioners must After using MAT for opioid-addicted filing an injury claim, and check the state’s prescription monitoring Medicaid patients, California cut to flag doctors who may be database before prescribing certain drugs. its medical costs by one-third over prescribing too many drugs In July, governors of 45 states signed on three years, including hospital, or potentially dangerous to “A Compact to Fight Opioid Addiction” emergency room and outpatient combinations of drugs.4 based on the Massachusetts law.5 clinic expenditures.6 SHUTTERSTOCK.COM

GOV16 HHS SR.indd 7 7/29/16 9:17 AM

THE COMPLEXITY OF MENTAL HEALTH ISSUES STATE MENTAL HEALTH CARE BUDGETS States and localities are FISCAL YEAR 2015-2016 struggling with how to address mental health issues. According to the National Alliance on Mental Illness (NAMI), 1 in 5 adults will experience a mental illness in a given year Sand nearly 10 million Americans live with a serious mental illness such as schizophrenia or bipolar disorder.7 However, only 24 states increased mental health funding from 2015 to 2016, while 11 states and the District of Columbia cut their budgets. Mental illnesses are also taxing America’s correction systems. According to a 2012 Treatment Increased Maintained Advocacy Center Decreased Pending report, U.S. prisons Source: National Alliance on Mental Illness and jails housed over 356,000 inmates with severe mental illness —10 times the number What You’re Doing: of mentally ill patients TAKING ADVANTAGE OF FEDERAL HELP in state psychiatric hospitals in the same In March 2016, the Obama Administration released its final rules for Medicaid’s mental health year.8 Incarcerating coverage, which aim to strengthen the 2008 Mental Health Parity and Addiction Equity Act individuals with mental that requires health insurers to offer the same level of benefits for mental health as they do illnesses is not only for physical health. To help states comply, the federal government offered $94 million in new expensive, it produces funding for community health centers and $1.4 million for education projects in rural areas poor outcomes. focused on health and safety.9

GOV16 HHS SR.indd 8 7/29/16 9:18 AM

OFFICERS IN MIAMI-DADE COUNTY RESPONDED TO OVER 10,000 mental health calls IN 2013 — AND ONLY MADE 9 arrests.

DECRIMINALIZING MENTAL ILLNESS USING TECHNOLOGY AS A SOLUTION

Miami-Dade County in Florida has a mental illness Telemedicine can be a game changer for rural rate that is approximately three times higher than states such as Alaska, which has the nation’s the national average. To address this, the county second-highest suicide rate. It can be extremely offers a continuum of services to combat the difficult to find adequate mental health care in criminalization of mental health problems. Led by remote areas — one study found for every 10 Judge Steve Leifman, the county launched a post- miles you move from a city, it becomes 3 percent booking diversion program that offers individuals more difficult to find a behavioral health worker. the option to undergo treatment instead of The use of telemedicine, however, breaks down SHUTTERSTOCK.COM receiving a jail sentence. Approximately 80 percent these barriers and easily connects patients to of the individuals who are eligible to participate mental health facilities despite distance. Experts do in the program enroll, and recidivism rates are caution that telemedicine should be implemented just 20 percent. The county also trains all of its in conjunction with initiatives to attract more mental police departments in the Crisis Intervention Team health workers to rural areas until high-speed (CIT) program, which teaches them to distinguish internet access is pervasive.11 between different types of mental illness and respond accordingly. In 2013, officers responded to over 10,000 mental health calls, but only made 9 arrests, which allowed the county to close 1 of its 5 corrections facilities.10

GOV16 HHS SR.indd 9 7/29/16 9:20 AM

Opioid Abuse: An Escalating Problem Raising Awareness and Targeting Resources In 2014, nearly 19,000 people died from prescription Geraghty points to the power of mapping to help leaders opioid-related causes – a 16 percent increase from 2013.1 make strategic decisions regarding plans for prevention and Killing more people than automobile accidents, approximately intervention. Perhaps most importantly, visualization tools allow 78 Americans are fatally overdosing on opioids each and governments to raise awareness and make the epidemic real every day, according to the CDC. to their communities.

One of the most devastating aspects of opioids is their ability to “Simple resource maps can be just the start in helping others cut across all socioeconomic classes and demographics. “This understand addiction and ﬁ nd help,” says Jeremiah Lindemann, is not a problem that is only impacting people who have gone a solution engineer at Esri who lost his brother, J.T., to a astray and break the law,” says Dr. Este Geraghty, chief medical prescription drug overdose and who has since become an offi cer and health solutions director at Esri. “This is a problem activist for increasing awareness and using maps to help that aff ects a lot of people and it could be your neighbor, your solve the problem. mother — people you might not have initially expected.” “Visualizing trends provides a deeper understanding of the Across the country, state and local government leaders are factors that may contribute to opioid use in a given area and grappling with how to get ahead of the problem, including the resources available to prevent and treat addiction,” limiting painkiller prescriptions and launching prescription drug says Lindemann. monitoring programs. In July, President Obama signed the Comprehensive Addiction and Recovery Act of 2016 (CARA), Sometimes, simply putting a face to the problem makes the which increases the availability of naloxone, strengthens biggest impact in rallying a community to battle prescription monitoring and expands educational eff orts. drug abuse.

But funding is an issue. While Obama had asked Congress for $1 billion for CARA, the Act included a fraction of that at $181 million. Advocates say funding to address prevention and early treatment of opioid abuse is critical. “Simple resource maps can be just the start in helping “We know that public health is traditionally under-funded and resources are always limited,” says Geraghty. “And so you others understand addiction need to use resources in the best way possible. You need to get to smaller, neighborhood-level analysis so you are target- and ﬁ nd help.” ing your interventions where they are needed the most.” — Jeremiah Lindemann, Solution Engineer, Esri

1. http://www.forbes.com/sites/cjarlotta/2016/07/23/obama-signs-opioid-legislation-despite-funding-concerns/#577fe58134e6

GOV16 SS HHS ESRI.indd 1 7/29/16 12:07 PM

B Iowa maps out the location of drug D Jeff erson County, Colo., uses a How Maps drop boxes so residents can safely visualization map to show where dispose of prescriptions and prevent prescription drug and heroin them from getting into drinking water deaths have occurred to help raise Make a or the hands of others. awareness and stop the epidemic. Diff erence C Massachusetts performs spatial E Celebrating Lost Loved Ones examinations of the opioid addic- is a national map that aims to tion within the state to determine personalize the problem and A DuPage, Ill., maps out where Narcan where to target interventions break down perceptions of – which can reverse the eff ects of an and education. who is aff ected. overdose – has been administered to show where overdoses have been prevented.

B E A D

For more information, visit go.esri.com/Opioid.

GOV16 SS HHS ESRI.indd 2 7/29/16 12:07 PM

TRANSITIONING TO OUTCOME-BASED PAYMENTS

Medicaid has traditionally What You’re Doing: reimbursed providers based only on the services LINKING PAYMENTS delivered, but that is TO HEALTH OUTCOMES changing. Increasingly, states are incenting health New York care providers to meet In the wake of the recession, New performance measures. York State’s Medicaid program was This practice, known as unsustainable, with significant cost paying for performance, increases as state revenues were focuses on producing declining. A Medicaid Redesign better health outcomes Team helped get costs under

for citizens, or put control, and now the state is KIDD DAVID another way, on quality using outcome-based payments rather than quantity of to lock in those improvements. 25 networks that have committed services rendered. In Funded with a $7.3 billion grant to reforms that link payments to the ﬁ scal year 2014-2015, from CMS, the Delivery System health outcomes of network members. 34 states implemented Reform Incentive Payment Program By the end of 2019, 80 percent of quality improvement (DSRIP) provides incentives for provider payments will be value based. initiatives such as hospitals and safety net providers Combining outcome-based adding or enhancing to collaborate and form networks payments and a shared-savings model pay-for-performance that promote integrated and for providers creates incentives for arrangements to their holistic care. Approximately 90,000 efficient, patient-centered care, says managed care contracts.12 providers — including hospitals, New York State Medicaid Director practitioners, clinics and behavioral Jason Helgerson. He uses the example health organizations — are split into of children suffering from asthma: “If

HHS_Section3.indd 12 7/29/16 11:57 AM

GETTING SMARTER WITH DATA

One thing government HHS programs are not lacking is data. The challenge has always been in accessing, sharing and analyzing data to produce better outcomes. Once data is tapped, however, the results can be transformative. Jason Helgerson, A lack of funding for systems investment has largely left HHS behind the New York State curve when it comes to the use of sophisticated analytics, but that is Medicaid Director beginning to change. CMS launched the Medicaid Innovation Accelerator Program (IAP) in July 2014 with the goal of improving health and health care for Medicaid beneﬁ ciaries by supporting states’ efforts to accelerate new payment and service delivery reforms, including the use of analytics.14

What You Told Us: 35 percent of the cost of treating We asked respondents to the CDG/Governing Institute 2016 HHS survey them is the result of preventable if their agency consistently embraces data in new and innovative ways to complications that cost $100 improve program outcomes. million per year, and we cut those complications by half, the provider networks share the savings. It’s a win-win for patients and providers.” 18 The initial results are encouraging. Neither agreed 6 New York’s Medicaid expenditures 17 or disagreed 40 disagreed are no longer the highest in the somewhat 18 disagreedreed somewhatsomewhat agreedagreed country, and the state’s average strongly cost per beneficiary is declining.13 agreed

SHUTTERSTOCK.COM 13

HHS_Section3.indd 13 7/29/16 9:30 AM

What You’re Doing: MAKING BETTER DECISIONS TARGETING INTERVENTIONS

Colorado Los Angeles County Data analytics has been integral to Colorado’s In a pilot conducted from 2012 to 2014, the L.A. County Medicaid reform initiative, the Accountable Care Department of Children and Family Services screened youth Collaborative, which uses coordinated care efforts to to assess their risk of committing a crime and entering produce better outcomes for benefi ciaries, improve the juvenile justice system. Using an actuarial tool and population health and reduce costs. The foundation predictive analytics, the department identifi ed children as of the initiative is a statewide data and analytics high risk by assessing them based on factors associated contractor (SDAC) that centralizes and tracks with criminal behaviors. Caseworkers then connected these Medicaid eligibility and claims data. An online portal children with drug treatment, additional schooling, therapy allows primary care providers, regional collaborative and other services intended to address the problem. organizations and Medicaid offi cials to access Another group of high-risk children being monitored by actionable data on utilization and spending to identify the department did not receive intervention services. areas of high need and improve care management. In An evaluation by the National Council on Crime and fi scal year 2013, the Accountable Care Collaborative Delinquency found that after 6 months, the children who saw a 15 percent reduction in hospital admissions received services had no arrests, whereas 9 percent of the and a 25 percent reduction in high-cost imaging, control group did. For the county, the pilot is a signifi cant contributing to $44 million in savings.15 step toward keeping children out of the justice system.16

COMBATING FRAUD

Florida Florida’s Department of Economic Opportunity (DEO) used a $1.7 million grant to develop its Fraud Initiative Rules and Rating Engine (FIRRE) to help root out fraudulent unemployment insurance claims. The system can almost instantaneously process unstructured data and identify What You Told Us: relationships that trigger early We asked our survey respondents if their agencies had effective detection of fraud. So far it has helped ways of monitoring and abating fraud with their current systems. the state stop 110,000 fraudulent claims and prevent wrongful payouts totaling $460 million. strongly “Businesses pay taxes to fund Florida’s 4 DISagreed unemployment program,” says DEO 14 Executive Director Cissy Proctor. “By 15 somewhat limiting the amount of fraudulent benefits disagreed 8 paid out, we’re able to reduce how much Neither agreed strongly or disagreed businesses have to pay in taxes.” Proctor agreed

says FIRRE could be modified to detect 48 fraudulent applications in other benefits somewhat agreed programs such as SNAP and TANF.17

The percent the federal government conservatively estimates is 9.8% the annual improper payment rate for the Medicaid program.18 SHUTTERSTOCK.COM 14

HHS_Section3.indd 14 7/29/16 9:30 AM

HHS LEADERS KNOW VISUALIZATION BUT DEPARTMENTS DATA & ANALYTICS HELPS WITH LACK THE RIGHT TOOLS ARE IMPORTANT DECISION-MAKING TO GAIN INSIGHTS

82% 77% 83% 74% 33% 47% say analytics are say analytics help say the ability to still use rely on IT or other say current critical to lowering identify fraud visualize data in new spreadsheets departments to create reporting practices costs and improving ways would add value to display data reports, which can be do not meet their health outcomes to the organization a slow process needs1

WE LIVE IN A DATA-DRIVEN WORLD, Tableau can help agencies: and health and human services (HHS) is no different. HHS agencies are Put big data to work. By optimizing resources and more dependent on data now than ever before. Due to the Affordable identifying the most effective health care programs, Care Act (ACA) and Medicaid expansion, the number of people served HHS leaders can make more informed decisions that by HHS is growing every day. have a direct impact on individual outcomes. Lack of access to accurate and comprehensive data can leave Increase accountability and transparency. HHS leaders vulnerable populations unserved, result in duplicative services, waste can analyze data to spot trends and outliers, ultimately reducing funding on fraudulent claims and decrease agency efﬁ ciency. This drain fraud, waste and abuse, and improving transparency. on state and local government budgets is exacerbating an already unstable ﬁ nancial environment. Agencies need a highly available, easy- Utilize advanced analytics. Everyday HHS decision-makers to-use solution to glean insights — that’s where Tableau comes in. shouldn’t have to be statisticians. Visualization can help all stakeholders understand and gain insights from data. Tableau offers on-site and cloud-based solutions to help agencies visualize data — leading to faster, well-informed decisions. The ability to Have access to tools where and when they need them. visualize data -— and prepare and share timely reports — helps improve Data and visualization tools can be available via desktops, health care outcomes while eliminating waste and fraud. servers, cloud, web or mobile devices.

To learn more, visit: www.tableau.com/hhs

1In June 2015, the Governing Institute and the Center for Digital Government conducted a nationwide survey of 285 state and local government leaders about the status of health and human services in their jurisdictions, the challenges they face and how they are working to overcome them.

GOV16 SS HHS Tableau-2.indd 1 7/29/16 12:18 PM

Agencies across the What You’re Doing: What You Told Us: U.S. are taking a new LOOKING AT SOCIAL DETERMINANTS OF HEALTH approach to serve some of the nation’s While habits such as diet and exercise certainly play into a person’s most vulnerable health, there are also a range of social, economic and environmental populations. Instead factors that can impact a person’s well-being. Social determinants of relying on historical of health are the conditions in which individuals are born, grow, 54 data and previous live, work and age, such as their physical environment, employment experiences to draw and social networks. Analyzing social determinants of health can OF RESPONDENTS insights, they are help government officials determine when and where to target TO THE CDG/ GOVERNING turning to factors interventions for the greatest impact. INSTITUTE such as geography, Used wisely, the combination of data, technology and social factors HHS SURVEY SAID income and behavioral can also drive a transformation within health and human services from THEY HAVE OR PLAN responses to identify a system based on outputs to one that is flexible, patient-centered TO INTEGRATE health disparities and and responsive to each individual’s needs. SOCIAL solutions. DETERMINANTS OF HEALTH INTO SERVICE DELIVERY.

We’re not just here to“ identify how our community is ailing. We need to develop The Harlem Children’s Zone (HCZ) solutions. Dr. Betina Jean-Louis, represents an ambitious place-based Harlem Children’s Zone effort to support children from birth ” Director of Evaluation through adulthood. The program EMCF.ORG serves 13,000 children in and around a 97-block area of central Nationally, approximately 8 percent medication. “We’re not just here Harlem that suffers from high rates of children suffer from asthma. HCZ to identify how our community of chronic diseases, infant mortality, officials were stunned to find that is ailing,” says HCZ Director of poverty and unemployment. about 30 percent of children in the Evaluation Dr. Betina Jean-Louis. It provides a range of family and area they cover suffered from the “We need to develop solutions.” social services, including training condition — it was the top cause HCZ tracks metrics across its and education for expectant parents, of children missing school and initiatives. By asking the same full-day pre-kindergarten, after- visiting the emergency room. To questions as the CDC, HCZ leaders school and weekend programs, solve the problem, HCZ partnered were able to match data and nutritional education and access with Harlem Hospital and Columbia determine that their asthma efforts to healthy meals for students. University to visit homes and identify reduced the number of missed One major problem HCZ identified asthma triggers, educate families school days, emergency room visits within its community was asthma. and provide access to preventive and overnight hospital stays.19

HHS_Section3.indd 16 7/29/16 9:31 AM

Convergence is IMPROVING HHS Outcomes

Health and human services is at an inﬂ ection point. Changing demographics, emerging technology and ever-growing ﬁ scal pressures are combining to transform the nation’s priorities: 3 Steps to Convergence

• Medicaid expansion under the Affordable Care Act (ACA) is bringing Step 1: Empower leaders to focus on outcomes. in new populations, leading to a spike in spending. The rate of Engage leadership at the top and ensure high-level decision-makers increase in total Medicaid spending from 2014 to 2015 was nearly provide support for staff to leverage analytics and data-driven decision- double the previous year’s increase (7.8 percent vs. 3.94 percent). making to improve outcomes.

• The population is graying. Individuals aged 65 and up will Step 2: Eliminate silos. Remove barriers to access and break comprise about 20 percent of the U.S. population by 2030, down silos. For statewide initiatives, all impacted state and local and the 65-and-over population is projected to double to about agencies should have the opportunity to provide input and collaborate 72 million over the next 25 years. during the planning phase.

• Advances in analytics and other technologies are leading to more Step 3: Overcome legal challenges. Legal hurdles can preventive and outcome-based care approaches. weaken a transformative effort. For example, one state looking to transform human services delivery had several antiquated and This convergence of economic, technological and social changes is allowing inconsistent laws that made service delivery divisive and ineffi cient. To for more coordinated and data-driven service delivery that can signifi cantly resolve this issue, the state created a protocol that stipulated agencies improve citizen services and ensure better outcomes. HHS agencies can take could work together and share fi nancial resources, data and staff with advantage of this unique environment with the following steps. simple, not legalistic, agreements between them.

Your Qualifi ed Convergence Solutions Provider A leader in helping states on the convergence path, Accenture develops strategies and solutions for coordinated, collaborative and cost-eff ective service delivery to improve health, social and fi nancial outcomes. Accenture can help your agency: • Make transaction-based processes adaptive, effi cient and productive, reducing costs and improving quality fast • Grant citizens easy access to insight-driven services customized to who they are and what they need • Deliver outcomes that matter to people’s lives, and positively impact your mission and business outcomes

To learn more, visit: Accenture.com/HSConvergence @AccenturePubSvc Accenture Public Service

GOV16 SS HHS Accenture.indd 1 7/29/16 12:00 PM

APPLYING BEHAVIORAL SCIENCE

Behavioral science — the study of activities and interactions among humans, including the analysis of relationships through aspects such as biology, geography, law and political science — is becoming increasingly popular as a solution to challenges in HHS. In 2015, President Obama ignited a newfound interest in the science with an executive order encouraging agencies to use behavioral science insights to streamline welfare programs, help citizens find better jobs, improve health care outcomes and increase educational opportunities. Says APHSA’s Wareing Evans: “People are using things like rapid-cycle evaluation and applying behavioral economics and other sciences to understand questions such as: How do you actually best engage with children and families? What works and what doesn’t?”

Indiana group and the treatment Oklahoma Approximately one-third group. Parents in the Thirty-nine thousand Oklahomaklahoma households receive of families in Indiana control group received government assistance for child care,re hohowever,wever, onlonlyy about receive childcare a standard letter and one-third of families renew their benefits on titime.me. DeDelayed subsidies. However, brochure about choosing renewal applications result in interrupted payments to despite a statewide a quality care provider, families and redundant work for caseworkers, who must ranking system to help which the state had re-interview parents and re-verify income information. families find high-quality already been distributing. With funding from the U.S. Administration for Children care, 35 percent still pick The treatment group and Families (ACF), the Oklahoma Department of Human providers who have not received a special Services (DHS) partnered with a social policy research received the state’s seal mailing and a follow-up organization to resolve this issue through the use of of approval. Through an phone call. The special behavioral science. DHS ran an experiment where ACF grant, the Indiana mailing identiﬁ ed that the providers who cared for children participating in the Office of Early Childhood majority of parents use government subsidy program were sent a list of color- and Out-of-School their voucher to pay for coded participants nearing their renewal deadline. Green, Learning partnered childcare providers who orange and red were used to indicate how far families with the same policy participate in the state’s were from missing their renewal deadline. Providers research organization review program, and were instructed to notify their clients about Oklahoma used to included a map of the the upcoming deadline and offer assistance improve participation in highest-rated providers in collecting the necessary documents. This high-quality care through near the family’s intervention resulted in a 3 percent increase of behavioral science. residence. The result on-time renewals, when compared to a control The 12,600 families was a 2.1 percentage group that did not receive the intervention. on the childcare voucher point increase in While the bump may seem small, statewide it’s waiting list were split into the use of high- equal to 1,000 families per year.20 two groups — the control quality providers.21 SHUTTERSTOCK.COM

HHS_Section3.indd 18 7/29/16 11:56 AM

Nearly 40 percent of HHS decision-makers said they needed – one that is more person, family and population need to modernize over half of their agency’s IT systems, centric and takes into account social determinants, such according to the 2016 CDG/Governing Institute survey. as education and economic security, to obtain a more These outdated, siloed systems are a classic example holistic view of a person, family or population. of the traditional agency-centric approach to HHS, Just over half of the survey respondents reported their which makes it costly and time consuming to obtain an agencies have or plan to integrate social determinants of integrated view of constituents. health into service delivery to obtain this more person- To enhance the access, outcomes, accountability and centered approach, but how can they ensure they manage quality of HHS programs and services, a new approach is the transition to a more integrated enterprise successfully?

DEFINE THE HHS ENTERPRISE ARCHITECTURE. This includes determining what outcomes you’re trying TO ACHIEVE to achieve (the business IDENTIFY AND architecture) and the information INTEGRATE FUNDING END-TO-END needed to anticipate, support and validate key decisions. It OPPORTUNITIES. INTEGRATION, also includes deciding how States can take advantage you will facilitate the secure of several federal funding HHS AGENCIES exchange of that information streams and opportunities (information architecture) and such as CMS’ 90/10 funding CAN USE THE the technology investments for MMIS modernization and needed (the technology the State Medicaid Health FOLLOWING & solution architectures). Information Technology Plan and the OMB Circular A-87 ROADMAP: Cost Allocation Waiver to integrate HHS programs on one rules engine platform.

ESTABLISH STRONG CREATE A GOVERNANCE. LOOK TO AGNOSTIC, Executive leadership, such CULTURE OF as the HHS commissioner, MODULAR INFORMATION Medicaid director and/or TECHNOLOGY. SHARING. governor’s offi ce, should Agnostic solutions leveraging Start with the low-hanging spearhead the eff ort. third-party, commercial-off - fruit of aggregate and de- Stakeholders from across the-shelf (COTS) components identifi ed data to build more the full continuum of HHS for gateways, master data robust performance and trend program areas need to management, rules engines, analyses that demonstrate defi ne and agree on the service bus information exchange the benefi ts of data sharing. business imperatives and capabilities and analytic Think about how you can performance indicators. capabilities allow you to build a eff ectively share data without common integrated enterprise compromising privacy, and platform. These agnostic what the program advantages solutions can be leveraged are for sharing that information. across multiple programs – build it once and use it many times.

For more information on how to move from a siloed, program-centric approach to an integrated HHS enterprise, contact Frank Petrus: [email protected]

GOV16 HHS SS Gartner_B.indd 1 7/22/16 12:00 PM

According to the Government Accountability Offi ce (GAO), the federal government spends $80 billion a year What You Toldd UUs:s: on IT, much of which goes toward maintaining legacy IT systems. Decades-old 23% hardware is a major problem 22% 22% for state and local govern- 20% 20% ments as well. HHS decision-makers in our 2016 AHHS survey said outdated 11% IT systems and their corre- sponding issues were one 8% of their most critical chal- 6% lenges — exacerbated by the fact that 75 percent of them reported that demand for their services has increased. But there is some good news. The federal government, recognizing this urgent need for system INFORMATION HEALTH EXCHANGE MEDICAID MANAGEMENT SYSTEM INFORMATION INTEGRATED ELIGIBILITY SYSTEM ELIGIBILITY AND STANDALONE ENROLLMENT SYSTEM CHILD WELFARE SYSTEM CHILD SUPPORT ENFORCEMENT SYSTEM WIC MANAGED SYSTEM INFORMATION PRESCRIPTION DRUG MONITORING SYSTEM modernization, continues to provide enhanced funding OF RESPONDENTS and more ﬂ exibility around TO THE CDG/ how federal dollars can be What IT systems GOVERNING used on systems that support do you plan to INSTITUTE HHS multiple programs. It’s also modernize in the SURVEY SAID OVER 50% OF THEIR adjusting rules to promote next 12 to 18 39 AGENCY’S IT modular deployments and months? SYSTEMS cloud-based approaches. PERCENT NEED TO BE MODERNIZED.

HHS_Section4.indd 20 7/29/16 9:27 AM

WHY YOU’LL BUILD DIFFERENTLY

TheTThe systems usused to support evolving HHS programs will look much different thantthan the technologytechno they replace. Legacy HHS systems typically were custom- developeddeveloped to serve a single program, and they neither share data nor adapt to newnnew processesprocess easily. The next generation of systems will be faster to deploy, moremore interconnectedinterco and easier to update. Here’s why.

MODERNIZATION IS MORE FLEXIBLE systems. The current A-87 waiver lets statess bbypassypass the normal cost allocation methodologies. Instead,ad, they Since 2011, CMS has provided enhanced funding to can charge the initial build to Medicaid — paidaid for wiwithth states for building and maintaining Medicaid eligibility 90/10 funding — and pay for the additional cost undeunderr and enrollment systems. The agency will pay 90 percent the A-87 exception that’s required to make thehe ssystemystem of states’ costs for designing and developing new reusable for other programs. systems (commonly known as 90/10 funding) as well as Together, these changes give states an opportunitypportunity to 75 percent of the ongoing maintenance and operation not only modernize aging HHS systems, but build them in expenses. The federal government also relaxed its a more integrated way. The opportunity may not last cost allocation rules contained in OMB Circular A-87 to forever, though. While CMS has extended 90/100/10 fundinfundingg promote integration between health and human services indefi nitely, the A-87 cost allocation exceptionon only will systems. Previously, the OMB required specifi c cost be in place until 2018, meaning states that want to reap allocations for state programs that shared IT systems, signifi cant cost savings from implementing sharedhared IT which aligned with the proportion of their use of these systems have less than two years to do so.

What You’re Doing: Integrating HHS deep engagement with members income-tested programs,ms, including Programs and Systems of the community who haven’t Medicaid, SNAP and TANF. Washington State used a portion of always been at the table for health “One of the things we tried its $65 million grant from the CMS transformation efforts. Washington’s to do differently was focus on State Innovation Model Initiative approach relies on multi-sector infrastructure changes that result — which has awarded nearly $300 collaborative organizations called in broad impacts across multiple million to 25 states to design or Accountable Communities of Health programs,” says Greg Moody, test innovative models of service for this new form of engagement.22 director of Ohio’s Office of Health delivery and health care payment — Ohio also is testing value-based Transformation. “Broad reforms — to integrate physical and behavioral payment models that rely on provider- like expanding Medicaid coverage health services for its Medicaid speciﬁ c performance reports to and creating online tools to make it population. This particular change expand access to comprehensive easier for citizens to access benefits effort is significant, impacting primary care and reduce the incentive — increase the state’s capacity to how services are administered, to overuse unnecessary services deal with specific challenges, like financed and delivered for Medicaid within high-cost episodes of care. reducing diabetes or infant mortality. beneficiaries, according to Dorothy Ohio has also taken advantage of Almost all of the reforms we’ve done Frost Teeter, director of Washington’s enhanced federal funding to build an are like that. They’re systemic and Health Care Authority. It also requires enterprise eligibility system for most structural.”23

SHUTTERSTOCK.COM

HHS_Section4.indd 21 7/29/16 9:28 AM

BIG BANG IS OUT; MODULAR IS IN Large, complex IT projects have What You’re Doing: a history of missed deadlines, blown budgets and poor results. Taking a New Approach to Child Welfare Systems Therefore, the federal government California’s Department of Social Services (DSS), which is encouraging state HHS agencies runs one of the largest child welfare agencies in the to take a modular approach country, has launched a project to establish what it calls “an where large systems are divided innovative statewide 21st-century information technology into smaller pieces that can application” that improves its child welfare operations. It be deployed one at a time. intends to take a modular approach to procurement and PENNSYLVANIA’S In the Medicaid space, CMS work with multiple vendors. One of the state’s overarching DEPARTMENT OF ﬁ nalized rules in late 2015 that support goals is to create an underlying technology platform that HUMAN SERVICES the modular deployment of Medicaid DSS and its other HHS departments can reuse, while SHIFTED FROM A PROCESS WHERE Management Information Systems continuously improving services for its end users.26 MAINFRAME CHANGES (MMISs). These systems, which pay Other states, such as Pennsylvania, already have moved WERE HARD-CODED claims and collect data for Medicaid in this direction. While updating its existing legacy systems, AND TOOK MONTHS TO PERFORM TO ONE services, are among the largest IT Pennsylvania’s Department of Human Services took the THAT WAS MORE investments for states with price tags opportunity to layer on additional technology — a business AGILE AND COULD ranging from $50 to $150 million.24 rules engine — to improve data collection and automation. PROCESS MORE THAN Critically, the new CMS rules It shifted from a process where mainframe changes were 2.6 MILLION RECORDS IN JUST include changes to the MMIS hard-coded and took months to perform to one that certification process to accommodate was more agile and could process more than 2.6 million the modular deployment model. records in just 43 minutes. This led to improved compliance State MMIS deployments must be and transparency, a reduction in manual processing certified by CMS before they can and better citizen services — including faster eligibility 27 43 begin receiving enhanced federal determination and more self-screening processes. matching funds for operation and MINUTES. maintenance. MMIS projects typically Building Enterprise Platforms to Support Modularity have been certified once the entire The impact of enhanced federal funding and greater flexibility system is complete, but the new rules can be seen in Hawaii where the state’s Department of allow certification of each module Human Services (DHS) deployed an enterprise platform as it’s finished, giving states faster several years ago to support multiple functions. Pankaj access to enhanced funding levels. Bhanot, deputy director of the department, sums up “What modular certification the approach as “buy once, use many times.” means is that states can accumulate Hawaii funded the $144 million project using the quick wins,” says Jessica Kahn, 90/10 federal match. Now the state intends to plug a director of the Medicaid data and growing number of modular systems into the platform to systems group at CMS. “They can support SNAP, TANF and other programs. In addition, the get the enhanced match for the department built a Medicaid application on the platform, operation of those pieces as they laying the groundwork for more integrated services. stand them up, as opposed to a Bhanot says many of these programs have operated five-year build where you have to in silos from a technology standpoint. However, the wait until everything is done.”25 enterprise system will allow them to function with Child welfare systems are more interoperability because the components are undergoing a somewhat similar agnostic. “They are reusable, interoperable, extensible, shift. In 2015, ACF issued a scalable and easily supportable,” Bhanot says. Comprehensive Child Welfare DHS, which is focused on serving families and children Information System (CCWIS) Notice concurrently, also plans to integrate data and analytics into the of Proposed Rulemaking (NPRM), platform to improve service delivery and outcomes. “We want which provides funding for states to be the agency of one, where we will be able to take care to update or implement new case of the needs of our clients through the same system and the management systems that are same processes that we will use across the board,” he says.28

more modular and interoperable. Alex Garcia

HHS_Section4.indd 22 7/29/16 12:02 PM

HHS_Section4.indd 23 7/29/16 9:28 AM

WITH CMS SIGNALING THAT CLOUD-BASED SERVICES CAN BE USED TO MEET MMIS REQUIREMENTS, A NUMBER OF STATES ARE INVESTIGATING THE APPROACH. from commercial insurers. “We think there are a lot of transferable technologies,” she says. “There are things we see in other industries that are moving at light speed. We would love to benefit from that.” In another move to attract new providers for MMIS, CMS is developing a process for pre-certifying MMIS modules. The approach potentially gives states access to a suite of plug-and-play

SHUTTERSTOCK.COM modules that are pre-tested to meet CMS requirements. That stamp of INNOVATION IS IN DEMAND approval could be important for systems. Besides potentially lowering vendors new to the Medicaid market. The federal government is trying to the cost of MMIS replacement, this “[States] would feel more spark innovation within Medicaid shift is being driven by a desire to comfortable knowing that a particular IT. Included in the new CMS rules pull innovative ideas from other set of software they might choose around MMIS modularity, for sectors into the MMIS space. has already gone through a level instance, is clarification that the For instance, Kahn says there’s of scrutiny to make sure it works,” agency encourages the use of potential to adopt best practices Kahn says. “On the vendor side, off-the-shelf software and cloud- for information security from it’s hard to get your foot in the door based services. This is a sea change commercial health care providers when people have never heard of for a sector that’s been dominated or the banking industry, as well you. Pre-certification, in a way, will by custom-developed software and as claims processing innovations give you some free marketing.”

What You’re Doing: Moving MMIS to the Cloud With CMS signaling that cloud-based services can be used to meet MMIS requirements, a number of states are investigating the approach. Wyoming may be the first to make the shift. The state is launching procurements for services-based MMIS modules that include core benefits management; business intelligence; and fraud, waste and abuse detection. A systems integrator was hired to combine multiple services modules, share technical expertise and oversee contractor performance, and the state is using multiple vendors to avoid over-reliance on one company. Leaders there are deploying a state-owned data warehouse and leveraging what’s already in the market rather than building something similar from the ground up, which can be costly and time consuming. Wyoming also is working closely with CMS to ensure its technology investments meet the agency’s standards. The state’s Medicaid population is small — only 90,000 enrollees and 3 million claims processed annually — but its approach could serve as a model for other states.29

HHS_Section4.indd 24 7/29/16 9:29 AM

In a recent Governing Institute of respondents said OUTDATED IT SYSTEMS IS survey of 320 health and human ONE OF THE MOST CRITICAL CHALLENGES services (HHS) decision-makers, nearly 1/3 their agencies will face over the next year.

According to Software AG, SHARE there are ﬁ ve ways HHS INFORMATION. agencies can modernize of HHS decision-makers in 63% the Governing Institute survey for relatively quick return said INCREASED DATA SHARING AMONG on investment: AGENCIES WOULD IMPROVE SERVICE DELIVERY. 1 HHS agencies can also share data to gain a more holistic view of a citizen’s health and detect fraud. For example, Pennsylvania’s Department of Labor & Industry – which also TAP REUSABLE oversees unemployment payments – leveraged the state’s database of incarcerated SERVICES. residents to ﬁ nd out which prisoners were Existing mainframe and other legacy systems 2 collecting unemployment, which helped contain valuable information and data that can uncover millions of dollars in related fraud. be harnessed. Smart approaches to digital business transformation can help organizations convert existing business, presentation and data logic as reusable services. TAKE ADVANTAGE OF STREAMING 3 ANALYTICS. Monitoring data in real time, rather than looking BUILD AND for trends after the fact, allows HHS agencies MANAGE SELF- to take a more preventative approach to citi- SERVICE APPS. zens’ care. For example, leveraging streaming analytics helps agencies determine health of respondents in the 4 trends within their communities so they can 72% Governing Institute survey provide more targeted services and education. said DEMAND FOR HHS SERVICES HAS INCREASED IN THE LAST 12 MONTHS.

Providing self-service options for citizens can help meet this demand. HHS agencies can also ADD STORAGE. beneﬁ t by letting third parties securely access 5 Modernizing systems can help agencies take government data via application programming advantage of big data and analytics. By also interfaces (APIs). Private citizens or developers adding “big memory,” they can ensure the new might then use the data to create beneﬁ cial functionality doesn’t slow backend system mobile apps. performance and delay citizen services.

Software AG provides industry-leading digital business transformation solutions that help HHS agencies provide better services, be more For more information, visit http://government.softwareag.com/ agile and innovative, and drive down costs.

GOV16 SS HHS SoftwareAG.indd 1 7/29/16 9:26 AM

______Designer ______Creative Dir. 100 Blue Ravine Road pecial eport Folsom, CA 95630 S R 916-932-1300 ______Editorial ______Prepress www.erepublic.com CMY grey T1 T2 T3 5 25 50 75 95 100 5 25 50 75 95 100 5 25 50 75 95 100 5 25 50 75 95 100 Page # ______Other ______OK to go BLACK YELLOW MAGENTA CYAN Section Four The Election’s Impact THE CHALLENGES With a new president entering the White House in January, there’s no certainty that the current funding YOU’LL FACE landscape will remain the same. Still, experts and industry observers say the U.S. Department of Human Services’ ✓Modularity is move to focus on technology as an still emerging innovation driver is the best strategy Because the concept is new, there’s it has had in the last 20 to 30 years. no standard way to break MMIS into APHSA’s Wareing Evans expects modules. Different states are taking oriented architecture (SOA) will be current trends around program different approaches. Arkansas, for the glue that holds modular MMISs integration, the use of data analytics for example, broke its system development together. SOA is the foundation for validating program performance and into three parts, using three different the Medicaid Information Technology greater focus on social determinants vendors. At the same time, CMS is Architecture, which CMS developed to of health to remain in place regardless still working out the details of modular serve as a pathway for implementing of who is president next year. certifi cation. The agency is putting interoperability and service orientation “This notion that we really need the fi nishing touches on formal across the Medicaid enterprise. SOA to understand what works and hold guidance for how the certifi cation skills will be at a premium as modularity ourselves accountable for ensuring process will operate. However, CMS moves forward. that government dollars are going to already has released a good deal of programs that are effective — I don’t see information on how states should plan that as particular to one administration for and implement modular MMISs, ✓Agency culture or one party,” she says. “We have a including an enterprise certifi cation must adapt lot more information knowledge and toolkit published in April 2016. Modularity and broader integration capacity to do that kind of thing now, of programs across the HHS and I don’t think that’s going away.” enterprise are big changes for But states also must be prepared for ✓Planning and procurement agencies accustomed to traditional changes in policy details and emphasis are even more important development techniques and siloed as a new administration implements States will need to fully define their program models. Government leaders its HHS philosophy. Perhaps the Medicaid ecosystem before they shouldn’t underestimate the amount best advice comes from Washington begin procuring MMIS modules. That of change management needed to State’s Dorothy Teeter who says states will require rigorous internal review evolve HHS organizations toward need to deeply understand their own to clearly understand their business these new models. Agency workforces requirements and take a long-term view. needs and the technology solutions will need to share more data, change “What’s most important for states, that can address them. Agencies their business processes and create fi rst and foremost, is to identify a should consider a draft RFP that new ones for shared services. fi ve-year technology and infrastructure includes an extensive inventory of their data and analytics plan,” she says. available data and resources — and “What are their business intelligence require input from key stakeholders ✓Stronger governance needs? What does this imply for the — before they solicit vendors. Bottom will be needed infrastructure that they need and line: Although deployment can be Rigorous IT governance processes where they stand now? Asking these done module-by-module, planning will need to be in place, especially questions gives them both a very clear cannot. Developing a clear idea of as more pieces are introduced into business case and a technical solution what your Medicaid enterprise will the system. This process should that matches up going forward.” look like — both now and in the define responsibilities for tasks and Teeter adds: “The work of building future — will be a critical fi rst step. data, policies for making changes to out this infrastructure is legacy work. systems and compliance standards Whatever we build has to last well across the enterprise. Putting beyond those fi ve years, but you have ✓Interoperability is critical these measures into place will help to build it in a way that you can continue As states implement modular MMISs, ensure state agencies don’t create to enhance it and not have to throw all of the pieces will need to fit more challenges for themselves as it all away and start over again.” together seamlessly. Service- they move toward modularity.

HHS_Section4.indd 26 7/29/16 9:33 AM

INTEGRATED ELIGIBILITY Optum™ Integrated Eligibility solution helps agencies meet the challenge by automating PROVIDES CITIZENS THE the administration of social programs, which adds client convenience and frees caseworkers to handle CUSTOMER EXPERIENCE other important duties. Optum’s integrated eligibility THEY DESERVE. services can allow HHS agencies to: Streamline operations — A modular integrated platform allows HHS agencies to determine client eligibility for Medicaid, SNAP, TANF, CHIP and other beneﬁ ts programs based on a single client application. Client updates and changes can be applied across all programs automatically, saving time and reducing human error.

Centralize case management — Caseworkers across all services can see a consistent, holistic view of each client to instantly understand which programs each participant qualiﬁ es for or is enrolled in.

Know the “truth” — Master data management allows agencies to reconcile complex client identities – many of them with similar names – across multiple systems and databases. It can serve as a single point of truth spanning all HHS programs.

Gain deeper insight — Cross-program analytics assist administrators in identifying potential fraud, waste and abuse; forecasting caseloads versus actual participation; and understanding eligibility compared with enrollment. Analytics help agencies make smarter decisions to improve services and drive customer satisfaction. A LEADER IN LARGE SYSTEMS INTEGRATION FOR HHS Optum is a health services and innovation company focused on making the health system work better for everyone. In addition to providing world-class analytics and systems integration, Optum off ers program and policy consulting, and technology development, implementation, maintenance, operation and security — as well as hosting on the Optum cloud. It serves a majority of the nation’s Medicaid agencies, and integrates data sources across many public HHS programs.

To learn more about Optum’s integrated eligibility services, visit www.optum.com/solutions/government, or contact Optum at [email protected] or 1-800-765-6092.

GOV16 SS HHS Optum.indd 1 7/29/16 9:25 AM

HOW YOU’LL SHARE DATA SAFELY

SHUTTERSTOCK.COM

HHS_Section5.indd 28 7/29/16 9:24 AM

TheThe trendtrend towardtoward more data sharing both within and among statess will drive moremore attentionattention toward information securitysecurity and privacyprivacy protection.prote The regulatory landscapelandscape aroundaround these issues is complex. The move toward mobilitym adds another layerlayer ooff cconcernoncern as HHS agencies seek to make caseworkers aand others more effeff eectivective bbyy ggivingiving themthem accessaccess toto datadata andand decision-sudecision-supportpport ttools in the ﬁeld.

HHS_Section5.indd 29 7/29/16 12:00 PM

SIMPLIFYING THE REGULATORY MAZE

HHS agencies must balance within their own agencies. instance, the Texas Medical the need for greater data And HIPAA is impacting more Records Privacy Act is broader sharing with their fundamental agencies as HHS programs than HIPAA and requires responsibility to protect become more integrated covered entities — health care sensitive citizen information. and health data fl ows into providers, insurers, claims The regulatory environment social services programs that processors and others — to often doesn’t make this easy. typically haven’t dealt with obtain patient consent for most State offi cials say a patchwork HIPAA-protected information. types of information sharing. of federal laws meant to protect In addition, some states However, states are fi nding confi dential data can hinder have their own privacy laws ways to clarify privacy and data sharing. “Federal law has all that may be broader or more protection rules to facilitate these requirements that are narrow than HIPAA. For safe information sharing. siloed because they run their own programs their own way,” says Hawaii’s Bhanot. “Food and Nutrition Service (FNS), the ACF for TANF and Child Welfare Services, and Medicaid What You’re Doing: all have their own rules.” Reconciling State Laws with HIPAA HIPAA adds another layer of Ohio has made state law consistent with the HIPAA privacy rule. Ohio’s Moody complexity. The law is often says the state had multiple, separate privacy laws. “It created a non-standard misinterpreted to be more environment where people could then say, ‘We can’t share because of the restrictive than it is, which privacy considerations,’” he explains. In response, Ohio clarified its health- prevents states from sharing related privacy laws and adopted HIPAA as the state standard. “That single data with each other — or even action eliminated many of those barriers to data sharing,” Moody says.

HHS_Section5.indd 30 7/29/16 9:26 AM

I am a strong believer that if we have“ client consent to use their data for a speciﬁ c purpose for a speciﬁ c period of time, we should be able to take care of our families in the most expedited and effi cient manner.

Pankaj Bhanot, Hawaii Department” of Human Services Deputy Director

Passing Data-Sharing Legislation Support from the top levels of data sharing among state government can drive more 60 programs in 9 HHS data sharing, too. In Washington agencies. However, existing Getting Smarter State, the legislature passed a state regulations required About Consent law that required all health plans identity information be Getting information to the in the state to contribute claims stripped from the data, right people at the right time is data with pricing information to a making the process fundamental to improving care. claims database. The move will more cumbersome and Experts say consent is the key to enable more price transparency for the data less useful. In giving HHS programs the information consumers, help them make more response, Illinois passed they need to take a holistic view informed health care decisions a new state law that of individuals and families. “I am and could improve the state’s established a framework a strong believer that if we have value-based payment efforts, for the development of client consent to use their data for Washington’s Teeter says. open data platforms a specific purpose for a specific Illinois recently launched a and an architecture for period of time, we should be able wide-ranging project that involved regulatory compliance.30 to take care of our families in SHUTTERSTOCK.COM the most expedited and efficient manner,” Hawaii’s Bhanot says. States should consider including Taking Advantage of Co-Location a consent registry in any enterprise Ohio is considering, as an extension of value-based payment reforms, or integrated eligibility platform they providing additional financial support for primary care practices that work build. But consent should be for a with schools to give children better access to care and improve academic clearly defined period and purpose. performance. Co-locating primary care and schools has the potential to For example, agencies could ask make life easier for parents and also presents data-sharing opportunities. for a 12-month period of consent to For example, having parents sign a consent form at the beginning of the share protected health information school year could allow the clinical care site and the school to share to support population health or information that may lead to more effective intervention. pay-for-performance efforts.

HHS_Section5.indd 31 7/29/16 9:26 AM

Florida has given its more than There are several resources 2,300 available for help agencies implement secure mobility. For foster care caseworkers smartphones instance, the Healthcare Information and laptops with built-in cameras to capture images with time and location and Management Systems Society information that they can upload to the offers a mobile security toolkit state’s online database. at HIMSS.org. And the HHS provides extensive information on mobile privacy and security at HealthIT.gov. Both HealthIT.Gov MOBILIZING and the HIMSS Mobile Security Toolkit provide a helpful checklist that agencies should keep in SECURELY mind when they deploy mobile technology. Key steps include:

Mobile technology is a key tool for making field Determine how your organization will use staff more effective. It’s also becoming the mobile devices, whether it be to access, favored communication channel for clients of receive, transmit or store health information. HHS programs. But security and privacy will be more complex as mobility is widely deployed. Assess the threat and vulnerabilities that mobile devices present to your organization and its data.

Require passwords, passcodes, PIN numbers What You’re Doing: or other forms of authentication. Equipping Caseworkers with Mobile Devices In health and human services, we’re already seeing Make sure mobile devices lock after how agencies are leveraging this technology. a specified period of inactivity. New York’s Office of Children and Family Services allows caseworkers and staff to use laptops and Ensure mobile devices either have built-in other mobile technology to access information encryption or that encryption capabilities and assist clients when conducting their field can be installed on the device. work.31 Florida has given its more than 2,300 foster care caseworkers smartphones and laptops with Disable or don’t install file-sharing built-in cameras to capture images with time and applications. location information they can upload to the state’s online database, along with the caseworker’s Install security software and firewalls on notes from site visits and interviews. The new all devices and task your IT department with approach has led to a 30 percent increase in ensuring this software is regularly updated. home visits, better reporting on child welfare cases and more compliance in Miami-Dade County.32 Train employees, via required self-directed learning modules or in-person sessions, on how to protect privacy and data security. MORE THAN MOBILE HEALTH APPS ARE Develop a legal user agreement for AVAILABLE FOR DOWNLOAD employees who intend to use their personal SHUTTERSTOCK.COM IN THE ITUNES AND ANDROID STORES. ONE STUDY ESTIMATED devices for work-related tasks. THAT 500 MILLION PEOPLE WILL 165 HAVE USED THESE APPS BY 2015. K

HHS_Section5.indd 32 7/29/16 9:26 AM

A SMARTER WAY TO SERVE Mediware SaaS solu ons allow HHS agencies to cost eﬀ ec vely monitor and provide high-quality, person-centered care.

Individuals with physical and developmental disabiliƟ es, substance abuse issues, and/or mental illnesses will all require an increasing number of public health and human

F services as they age. Services to people with these special needs E D ConnecƟ ng the E and older Americans are o en delivered at home or within R Human Services A L community se ngs. To meet this increasing demand for services, Ecosystem agencies must con nue to stretch budgets further through IT Mediware solu ons empower administrators,

moderniza on projects that drive business eﬃ ciencies and S caseworkers, providers, T

mobile solu ons that support ﬁ eld-based caseworkers. A caregivers and consumers T E to work collabora vely within integrated systems Mediware, an industry leader for more than 20 years, helps HHS — providing all

agencies and managed care organiza ons work smarter with proven par cipants

L with real- me, cloud-based so ware-as-a-service (SaaS) solu ons that beneﬁ t O role-based caseworkers and administrators: C A visibility into

L • Connect payers, providers, caregivers and consumers within I the en re T I a fully integrated system, and provide a global client record E con nuum S of care. that follows each user through the con nuum of care • Conduct remote client assessments to reduce duplicate entry

and human error, while freeing caseworkers to work with P R

more consumers O

• Manage person-centered services to adults, seniors, clients with I D

E disabili es and others at home and within community se ngs to R maximize resources and improve outcomes S • Analyze consumer and program data to provide insights into overall program eﬀ ec veness via powerful dashboards, and guide future service improvements and program development

CONSUMERS & CAREGIVERS Today, more than 1,000 HHS organiza ons across 40 states rely on Mediware solu ons to be er coordinate and manage delivery health, adult protective services, homelessness and more. across the spectrum of care. Mediware’s SaaS options provide access anywhere, anytime via the web or mobile devices, reducing IT infrastructure Mediware modules support costs and implementation times – and its highly configurable programs in aging, intellectual and options let agencies apply changes across many systems as developmental disabilities, behavioral their requirements evolve.

To learn more, visit www.mediware.com/human-services/ or simply dial 888-633-4927.

GOV16 SS HHS Mediware.indd 1 7/28/16 1:32 PM

and fuzzy feelings to everyone,” says Kahn. “We need to listen to them. A TRANSFORMATION What are the challenges? What would make it a more hospitable business model? We need to work with the states to balance the risk.” IN PROGRESS None of this, of course, will be easy. It will demand massive changes in how HHS agencies work internally, how they interact with other departments and programs, and how they plan and deploy critical technology systems. “Part of the reality right now is that HHS POLICIES AND giving agencies a new option for folks are discovering how much it SYSTEMS MAY BE IN A modernization — one that reduces the takes to move the culture in these big STATE OF TRANSITION, but risk of cost overruns and deployment institutional areas,” says Wareing Evans. we can see which way they are delays while enhancing the fl ow of “Even with all that’s going on with headed. Individual programs data among related programs. technology, how do you make it happen — and the technology behind But the technology transformation from a service delivery perspective? them — are becoming more won’t stop there. Infl uential federal We’ve operated in these silos for so integrated as policymakers agencies like CMS are supporting long — you cannot underestimate Hseek to treat individuals and greater use of standard off -the-shelf the scope of cultural shift required families more holistically. software and cloud-based services to shift long-standing approaches.” At the same time, the fi eld is instead of traditional custom-developed Yet you can see the future taking becoming more science- and systems. The goal is to help agencies shape. New York State is using evidence-based. Advances in reduce their focus on technology outcome-based payments to incent neuroscience are reshaping how development and have the fl exibility hospitals and safety net providers programs interact with clients, to iterate with their technology as the to collaborate and provide more and better data analytics tools policies and business needs evolve. integrated and holistic care. Colorado is are giving policymakers quick “Looking at quality and access; giving primary care providers, regional feedback on the eff ectiveness that’s where we want states to be,” collaboratives and Medicaid offi cials of their eff orts. In some cases, says CMS’ Kahn. online access to sophisticated data to HHS programs are taking a cue The push toward standardized help them identify areas of high need from national retailers, adopting solutions also includes eff orts to and improve care management. Hawaii techniques developed to entice deepen the pool of vendors selling is building a modular technology shoppers and using them to nudge to the HHS market, particularly by platform that will seamlessly connect citizens toward healthier choices. attracting innovative new fi rms into multiple HHS programs and allow “We’re talking with leaders the sector. In the Medicaid space, them to interact in new ways. And around the country who CMS is establishing a certifi cation Wisconsin is pioneering the use of are seriously exploring how process that will let vendors off er innovative cloud-based services to run behavioral economics can pre-tested solutions to meet the its Medicaid program. play a part in our work,” says agency’s functionality requirements. These are just some of the ways APHSA’s Wareing Evans. It’s also trying to make the market agencies are shifting toward a new HHS As the policy landscape evolves, less intimidating to newcomers. model — one that’s more integrated, technology has never been better “[New companies] have to be data driven, modern and eff ective. The positioned to support it. Platform- willing to work with government transformation isn’t complete, but it’s based and modular systems are and that doesn’t always send warm getting closer every day.

Conclusion_Ack_Back.indd 34 7/29/16 9:21 AM

Helping HHS Agencies Make a Bigger Impact with Vulnerable Populations

odernizing decades-old IT systems can pose Mserious risks for public agencies, but also provides them with opportunities to improve their operations and service to their constituents. Health and human services (HHS) agencies increasingly CHILD WELFARE – A child-centric view helps realize they must make the transition to succeed in agencies coordinate an integrated response. today’s environment. Caseworkers can automatically create and route abuse and neglect cases to supervisors, and send alerts in Microsoft can help lower the risk with fl exible, easily high-risk cases. Online maps and other resources confi gured software-as-a-service solutions that have key enable supervisors to assign investigators based on compliance, regulatory and security requirements built experience, skills and proximity. Mobile functions may in. These solutions can shrink development time and allow employees to access case materials from a

capital costs, delivering quick victories to HHS agencies. laptop and easily dictate notes via a cell phone. These reserved. All rights e.Republic. 2016 © effi ciencies can enable them to spend more time with At the same time, Microsoft health analytics solutions individual at-risk children and families. combine diverse data types in ways never before possible, creating actionable intelligence. Together, WOMEN, INFANTS AND CHILDREN (WIC) – these solutions can help HHS agencies enhance Robust reporting and data-centric insights help services for the most vulnerable populations and offi cials better measure health outcomes as well as improve service delivery and outcomes. prevent fraud, waste and abuse. Caseworkers can gain mobility and scheduling effi ciencies, which allows Following are two program areas where Microsoft them to focus more on one-to-one services and solutions make an impact: nutrition education for clients.

To fi nd out how Microsoft solutions can help HHS local, state and federal agencies reduce IT risk and improve outcomes, visit www.microsoft.com/government.

THE GOVERNING INSTITUTE advances THE CENTER FOR DIGITAL GOVERNMENT better government by focusing on is a national research and advisory improved outcomes through research, institute on information technology decision support and executive education policies and best practices in state and to help public-sector leaders govern local government. Through its diverse more effectively. With an emphasis on and dynamic programs and services, the state and local government performance, Center provides public and private sector innovation, leadership and citizen leaders with decision support, knowledge engagement, the Institute oversees and opportunities to help them effectively Governing’s research efforts, the incorporate new technologies in the Governing Public Official of the Year 21st century. Program, and a wide range of events www.centerdigitalgov.com to further advance the goals of good governance. www.governing.com/gov-institute

FOR A LIST OF ENDNOTES download the special report at Both are divisions of e.Republic. www.governing.com/papers

Conclusion_Ack_Back.indd 36 7/29/16 9:22 AM

IBM Watson Health is pioneering the use of cognitive technologies that understand, reason and learn; technologies that can help Health and Human Services organizations unlock the potential of data and analytics to improve service delivery.

Check us out online at: http://ibm.co/socialprograms to learn how Watson Health solutions are working to help Health and Human Services organizations enhance, scale and accelerate human expertise to transform their programs.

© Copyright IBM Corporation 2016. IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.

CConclusion_Ack_Back.inddonclusion_Ack_Back.indd 3388 7/29/16 12:16 PM

Complex modernization programs require leadership across many stakeholders, experience in navigating requirements and expert integration of data across multi-vendor ecosystems. CGI’s ModernSIHWWYVHJOWYV]PKLZMVYUV[VUS`LќLJ[P]LWYVNYHT management and governance of health and human services IT projects, but the critical work of data integration in an era of modular and agile deployments. With deep expertise in both HHS programs and technology, HNLUJPLZ[Y\Z[*.0[VKLSP]LYTVKLYUILZ[Ä[PU[LNYH[LK systems — and so much more.

cgi.com/hhs

Experience the commitment®