02/01/2022 01:30 PM Senate HEALTH & SOCIAL SERVICES
ALASKA STATE LEGISLATURE
SENATE HEALTH AND SOCIAL SERVICES STANDING COMMITTEE
February 1, 2022
1:32 p.m.
MEMBERS PRESENT
Senator David Wilson, Chair
Senator Shelley Hughes, Vice Chair
Senator Mia Costello
Senator Lora Reinbold
Senator Tom Begich
MEMBERS ABSENT
All members present
COMMITTEE CALENDAR
HOUSE BILL NO. 168
"An Act requiring the Department of Health and Social Services
to provide and allow submission of an electronic application for
certain state benefits; and providing for an effective date."
- MOVED SCS HB 168(HSS) OUT OF COMMITTEE
PRESENTATION(S): STATE OF ALASKA IT PROTOCOLS
- HEARD
PRESENTATION(S): DHSS CYBERATTACK UPDATES
- SCHEDULED BUT NOT HEARD
PREVIOUS COMMITTEE ACTION
BILL: HB 168
SHORT TITLE: ELECTRONIC APPLICATION FOR STATE BENEFITS
SPONSOR(s): REPRESENTATIVE(s) SNYDER
04/09/21 (H) READ THE FIRST TIME - REFERRALS
04/09/21 (H) HSS, FIN
04/13/21 (H) HSS AT 3:00 PM DAVIS 106
04/13/21 (H) Heard & Held
04/13/21 (H) MINUTE(HSS)
04/15/21 (H) HSS AT 3:00 PM DAVIS 106
04/15/21 (H) Moved HB 168 Out of Committee
04/15/21 (H) MINUTE(HSS)
04/16/21 (H) HSS RPT 5DP 1DNP 1NR
04/16/21 (H) DP: FIELDS, SPOHNHOLZ, MCCARTY, SNYDER,
ZULKOSKY
04/16/21 (H) DNP: PRAX
04/16/21 (H) NR: KURKA
04/16/21 (H) FIN REFERRAL REMOVED
04/16/21 (H) BILL REPRINTED
04/28/21 (H) TRANSMITTED TO (S)
04/28/21 (H) VERSION: HB 168
04/30/21 (S) READ THE FIRST TIME - REFERRALS
04/30/21 (S) HSS, FIN
01/20/22 (S) HSS AT 1:30 PM BUTROVICH 205
01/20/22 (S) Heard & Held
01/20/22 (S) MINUTE(HSS)
01/25/22 (S) HSS AT 1:30 PM BUTROVICH 205
01/25/22 (S) -- MEETING CANCELED --
02/01/22 (S) HSS AT 1:30 PM BUTROVICH 205
WITNESS REGISTER
REPRESENTATIVE LIZ SNYDER
Alaska State Legislature
Juneau, Alaska
POSITION STATEMENT: Sponsor of HB 168.
SHAWNDA O'BRIEN, Director
Division of Public Assistance
Department of Health and Social Services (DHSS)
Juneau, Alaska
POSITION STATEMENT: Answered questions on HB 168.
SCOTT MCCUTCHEON, Information Technology Officer
Finance Management Services
Department of Health and Social Services (DHSS)
Juneau, Alaska
POSITION STATEMENT: Answered questions on HB 168.
ALEX FOOTE, Attorney
Legislative Legal Services
Anchorage, Alaska
POSITION STATEMENT: Answered questions on HB 168.
BILL SMITH, Chief Information Officer
Office of Information Technology
Department of Administration
Juneau, Alaska
POSITION STATEMENT: Presented an overview on the State of
Alaska's cybersecurity protocols.
ACTION NARRATIVE
1:32:02 PM
CHAIR DAVID WILSON called the Senate Health and Social Services
Standing Committee meeting to order at 1:32 p.m. Present at the
call to order were Senators Hughes, Costello, Begich, Reinbold,
and Chair Wilson.
HB 168-ELECTRONIC APPLICATION FOR STATE BENEFITS
1:32:34 PM
CHAIR WILSON announced the consideration of HOUSE BILL NO. 168
"An Act requiring the Department of Health and Social Services
to provide and allow submission of an electronic application for
certain state benefits; and providing for an effective date."
CHAIR WILSON stated that this was the second hearing and there
were amendments for the committee to consider.
SENATOR REINBOLD asked if Amendment 1 was W.2.
1:33:38 PM
At ease.
1:37:02 PM
CHAIR WILSON reconvened the meeting and clarified that Amendment
1 was W.4.
13732
SENATOR REINBOLD moved to adopt Amendment 1, work order 32-
LS0639\W.4.
AMENDMENT 1
32-LS0639\W.4
Dunmire/Foote
1/25/22
OFFERED IN THE SENATE BY SENATOR REINBOLD
Page 4, line 3, following "application;":
Insert "the electronic application must inform an
applicant that a false statement made on the
application will be investigated and is punishable
under AS 11.56.210;"
Page 4, line 19, following "website.":
Insert "The electronic application must inform an
applicant that a false statement made on the
application will be investigated and is punishable
under AS 11.56.210."
Page 5, line 2, following "law":
Insert "; the electronic application must inform
an applicant that a false statement made on the
application will be investigated and is punishable
under AS 11.56.210"
Page 5, line 7, following "law.":
Insert "The electronic application must inform an
applicant that a false statement made on the
application will be investigated and is punishable
under AS 11.56.210."
Page 5, line 19, following "law.":
Insert "The electronic application must inform an
applicant that a false statement made on the
application will be investigated and is punishable
under AS 11.56.210."
Page 5, line 31, following "law.":
Insert "The electronic application must inform an
applicant that a false statement made on the
application will be investigated and is punishable
under AS 11.56.210."
Page 6, line 15, following "law;":
Insert "the electronic application must inform an
applicant that a false statement made on the
application will be investigated and is punishable
under AS 11.56.210;"
Page 6, line 30, following "law;":
Insert "the electronic application must inform an
applicant that a false statement made on the
application will be investigated and is punishable
under AS 11.56.210;"
Page 7, line 15, following "eligibility.":
Insert "The electronic application must inform an
applicant that a false statement made on the
application will be investigated and is punishable
under AS 11.56.210."
Page 8, line 7, following "law;":
Insert "the electronic application must inform an
applicant that a false statement made on the
application will be investigated and is punishable
under AS 11.56.210;"
1:37:14 PM
SENATOR BEGICH objected for purposes of discussion.
1:37:37 PM
SENATOR REINBOLD stated that Amendment 1 offers a warning that
falsified information is punishable under statute AS 11.56.210.
SENATOR BEGICH asked the sponsor to comment on Amendment 1.
REPRESENTATIVE LIZ SNYDER, Alaska State Legislature, Juneau,
Alaska, sponsor of HB 168, deferred the question to the
Department of Health and Social Services (DHSS).
SHAWNDA O'BRIEN, Director, Division of Public Assistance,
Department of Health and Social Services (DHSS), Juneau, Alaska,
responded that warning language exists on paper applications and
is intended to be on electronic applications as well.
1:39:24 PM
SENATOR HUGHES asked whether warning language could be omitted
from paper and electronic applications, if not required by
statute.
MS. O'BRIEN replied that state law and federal regulation
require the punishable offense verbiage on electronic and paper
public assistance applications. The language is generic rather
than application specific.
1:40:33 PM
SENATOR HUGHES asked if the warning notice on paper applications
is required by statute.
MS. O'BRIEN replied yes.
SENATOR HUGHES asked if the requirement is by law, not
regulation.
1:41:06 PM
MS. O'BRIEN answered that it is statutory.
1:41:13 PM
SENATOR BEGICH withdrew his objection and stated his support for
HB 168 and Amendment 1.
SENATOR REINBOLD clarified that Amendment 1 applies to state
statute, not federal regulation.
1:41:52 PM
CHAIR WILSON found no further objection and Amendment 1 was
adopted.
1:42:03 PM
SENATOR REINBOLD moved Amendment 2, work order 32-LS0639\W.3.
AMENDMENT 2
32-LS0639\W.3
Dunmire/Foote
1/24/22
OFFERED IN THE SENATE BY SENATOR REINBOLD
Page 1, line 1, following "Act":
Insert "relating to the duties and authority of
the Department of Health and Social Services;"
Page 1, line 7:
Delete "shall"
Insert "may [SHALL]"
1:42:04 PM
SENATOR BEGICH objected for purposes of discussion.
1:42:09 PM
SENATOR REINBOLD stated that Amendment 2 addresses the argument
of "shall" versus "may." She said that changing the language to
"may" allows opportunity and flexibility.
1:42:50 PM
SENATOR BEGICH maintained his objection because changing "shall"
to "may" would dramatically change AS 47.05.010. The only change
needed to AS 47.05.010 for SB 168 is the addition of paragraph
(19) on page 4, line 1. He asked if the sponsor supports a
change from "shall" to "may."
1:44:21 PM
REPRESENTATIVE SNYDER replied that Amendment 2 would create
unintended changes to AS 47.05.010 that are outside the scope of
SB 168.
CHAIR WILSON asked if all Department of Health and Social
Services (DHSS) public assistance programs would become optional
if Amendment 2 were to be adopted.
MS. O'BRIEN stated that Amendment 2 would make it optional for
the division to implement the electronic application.
CHAIR WILSON asked if changing "shall" to "may" in Section 1,
page 8, line 1 would allow DHSS the option of providing public
assistance.
MS. O'BRIEN responded that was her understanding. However,
administering public assistance is not an option for federally
administered state programs.
1:46:03 PM
SENATOR BEGICH offered that Amendment 2 would require a title
change and a concurrent resolution.
SENATOR HUGHES stated that the use of "may" to roll back
Medicaid expansion was discussed previously with the sponsor.
She asked where in Alaska statute could "may" be put for that
purpose.
MS. O'BRIEN replied that she was not prepared to answer; "may"
would be needed in several places.
SENATOR HUGHES responded that she was worried about expanding
Medicaid for non-disabled working-age adults. She understands
the intent of Amendment 2, but she would not support it because
it would require a concurrent resolution and is beyond the scope
of SB 168.
1:48:25 PM
SENATOR REINBOLD asked how many public assistance programs DHSS
offers, how many people receive assistance, and the total
budget.
1:48:50 PM
MS. O'BRIEN replied that she did not have the number for the
entire budget. For FY21, about 300,000 recipients were served.
The budget for public assistance was $300 million, and the
budget for DHSS was $3 billion.
1:50:03 PM
SENATOR REINBOLD opined that AS 47.05.010 must change. The
number of people receiving assistance is too high and the budget
too big, putting retirement and infrastructure at risk.
Amendment 2 would allow the state to have increased sovereignty
at a time when federal regulation is controlling Alaska's
decision-making, especially in education and health and social
services. "May" means the state would be able to get people off
dependency and head towards a sustainable future.
SENATOR HUGHES said that some paragraphs within AS 47.05.010
should not be optional, such as DHSS's responsibility to recruit
quality foster parents and provide child insurance. She opined
that she does not want to be pegged as someone favoring Medicaid
expansion because Amendment 2 is not the correct mechanism to
address it.
1:52:37 PM
CHAIR WILSON asked if objection to Amendment 2 was maintained.
SENATOR BEGICH maintained his objection.
1:52:40 PM
CHAIR WILSON asked for a roll call vote.
1:52:50 PM
A roll call vote was taken. Senator Reinbold voted in favor of
the motion to adopt Amendment 2 and Senators Hughes, Costello,
Begich, and Wilson voted against it.
1:53:16 PM
CHAIR WILSON announced that Amendment 2 failed on a 1:4 vote.
1:53:19 PM
SENATOR REINBOLD moved to adopt Amendment 3, work order 32-
LS0639\W.2.
AMENDMENT 3
32-LS0639\W.2
Dunmire/Foote
1/25/22
OFFERED IN THE SENATE BY SENATOR REINBOLD
Page 1, line 2, following "benefits;":
Insert "requiring the Department of Health and
Social Services to follow and comply with appropriate
measures from the catalog of security and privacy
controls for information systems and organizations
published by the National Institute of Standards and
Technology;"
Page 4, line 7, following "website":
Insert ";
(20) follow and comply with appropriate measures from
the catalog of the security and privacy controls for
information systems and organizations published by the
National Institute of Standards and Technology"
1:53:29 PM
CHAIR WILSON objected for purposes of discussion.
1:53:35 PM
SENATOR REINBOLD stated there had been several discussions on
Alaska's cybersecurity. It is the legislature's responsibility
to protect the privacy of individuals. Legislative Budget and
Audit assisted in creating Amendment 3 to require standards to
protect data. Amendment 3 would require DHSS to comply with the
measures set by the National Institute of Standards and
Technology.
1:54:49 PM
CHAIR WILSON stated he supports the concept of statewide
security standards. He opined that HB 3 and the Department of
Information Technology (OIT) would be a better mechanism for
establishing statewide cybersecurity standards.
SENATOR BEGICH stated he supports the concept, but security
standards should be statewide. Adopting Amendment 3 would
require a title change resolution; therefore, he objects to
Amendment 3.
1:56:04 PM
SENATOR HUGHES stated she would support Amendment 3 and a
concurrent resolution for a title change. She expressed her
belief that HB 3 deals with widespread disasters, not
cyberattack security standards. Due to recent security breaches
within DHSS, she favors Amendment 3 until statewide standards
are in place.
1:56:54 PM
SENATOR REINBOLD affirmed that Amendment 3 requires
cybersecurity standards to be established. Protecting data is
the legislature's responsibility.
1:57:30 PM
CHAIR WILSON maintained his objection and asked for a roll call
vote.
1:57:36 PM
A roll call vote was taken. Senators Reinbold and Hughes voted
in favor of the motion to adopt Amendment 3 and Senators Begich,
Costello, and Wilson voted against it.
1:58:10 PM
CHAIR WILSON announced that Amendment 3 failed on a 2:3 vote.
1:58:24 PM
SENATOR REINBOLD moved to adopt Amendment 4, work order 32-
LS0639\W.6.
AMENDMENT 4
32-LS0639\W.6
Foote
1/27/22
OFFERED IN THE SENATE BY SENATOR REINBOLD
Page 1, line 2, following "benefits":
Insert "relating to data obtained through the
electronic application process;"
Page 4, line 3, following "application;":
Insert "data obtained by the department through
the electronic application process must be accessible
only to the department and may not be sold to or
accessed by outside vendors;"
1:58:26 PM
CHAIR WILSON objected for purposes of discussion.
SENATOR REINBOLD read Amendment 4, "data obtained by the
department through the electronic application process must be
accessible only to the department and may not be sold to or
accessed by outside vendors."
1:58:47 PM
SENATOR BEGICH asked what DHSS's statutory authority is to
secure data.
MS. O'BRIEN deferred to Mr. McCutcheon.
SENATOR BEGICH clarified that he was asking for DHSS's statutory
authority over data because federal and state statutory
authority is involved.
1:59:59 PM
SCOTT MCCUTCHEON, Department Technology Officer, Finance
Management Services, Department of Health and Social Services
(DHSS), Juneau, Alaska, stated he does not know off-hand the
statutes. However, DHSS is required by the federal Health
Insurance Portability and Accountability Act of 1996 to adhere
to strict privacy and security laws.
CHAIR WILSON asked if Ms. O'Brien could identify the statutes.
MS. O'BRIEN stated she would provide the statutes to the
committee.
SENATOR BEGICH stated his belief that Amendment 4 is redundant
because numerous confidentiality elements are already in law. He
asked why Amendment 4 creates a title change to include data
when its purpose is to provide and allow electronic application.
2:02:32 PM
At ease.
2:04:19 PM
CHAIR WILSON reconvened the meeting and asked if DHSS uses
outside vendors to help process or maintain its database or
distribute benefits.
2:05:01 PM
MS. O'BRIEN replied that the department does not share data with
outside vendors to distribute public assistance benefits. Some
programs within the division utilize grantees to administer the
benefits portion of the program. For example, the Women, Infant
and Children (WIC) program is administered through grantees. The
grantees do eligibility determinations. They use the state
public assistance system for that program. The state issues
those benefits on behalf of the recipients.
2:05:56 PM
CHAIR WILSON asked if the Childcare Assistance program is within
the Division of Public Assistance.
MS. O'BRIEN replied that Childcare Assistance is the other
program within the public assistance division that utilizes
grantees to determine eligibility and issue benefits on behalf
of the families participating in the program.
CHAIR WILSON asked if outside vendors had access to the
division's software program.
2:06:30 PM
MS. O'BRIEN replied that grantees are afforded funds and operate
a portion of the program on behalf of the state. They are held
accountable to the same standards as a state employee. Business
associate agreements and memorandums of understanding govern the
state's relationship with the grantees.
2:07:10 PM
CHAIR WILSON asked if Amendment 4 would prohibit grantees from
accessing the database.
MS. O'BRIEN opined that the wording would not apply to grantees;
she would confirm with Information Technology.
2:08:05 PM
SENATOR HUGHES asked if Amendment 4 would prevent outside
vendors from reviewing public assistance applications for fraud
prevention.
MS. O'BRIEN replied that contractors must sign confidentiality
documents stating access to information is solely to deliver
state-hired services. Her interpretation of Amendment 4 does not
prevent the department from hiring services. However, it would
be worthwhile to double-check.
2:09:33 PM
SENATOR HUGHES agreed that an attorney should be advised. She
stated her concern that Amendment 4 might prevent outside vendor
fraud assessment.
2:10:06 PM
SENATOR BEGICH asked why a title change is necessary if
Amendment 4 were to pass.
2:10:42 PM
ALEX FOOTE, Attorney, Legislative Legal Services, Anchorage,
Alaska, replied that it was deemed necessary by Legislative
Legal Services.
SENATOR BEGICH stated that in light of the response, he assumes
the title change resolution is not necessary. Legislative Legal
Services' answer would have been more definitive if a title
change were required.
SENATOR BEGICH moved Conceptual Amendment 1 to Amendment 4,
deleting the phrase on page 1, lines 1 and 2.
2:11:45 PM
CHAIR WILSON found no objection and Conceptual Amendment 1 to
Amendment 4 passed.
2:11:54 PM
SENATOR HUGHES asked if Amendment 4 would pose a problem to the
state contracting with outside vendors to do fraud checks on
applications.
MR. FOOTE deferred to DHSS expertise.
SENATOR HUGHES suggested that the language in the bill be
changed so that fraud checks are permitted by outside vendors.
2:13:44 PM
SENATOR BEGICH stated AS 47.05.020(a) addresses regulations
concerning records and the disclosure of information. It
specifically creates exceptions for the investigation and misuse
of public assistance. AS 47.05.030 addresses the misuse of
public assistance lists and records. It explicitly states that
data cannot be sold.
CHAIR WILSON stated he was not concerned about data being sold
or accessed by inappropriate entities. He is worried that a new
statute is being created in conflict with an existing statute.
He requested Director O'Brien investigate whether there is a
conflict and report back to the committee and the sponsor of SB
168.
2:16:17 PM
CHAIR WILSON maintained his objection; he asked for a roll call
vote.
2:16:25 PM
SENATOR HUGHES moved a friendly amendment to Amendment 4. On
page 1, line 7, following "outside vendors" insert "unless those
vendors are performing duties on behalf of departments."
2:16:45 PM
SENATOR REINBOLD objected to the friendly amendment because it
creates an oxymoron and does not protect data from outside
vendors.
SENATOR COSTELLO objected to the friendly amendment as it
permits access to private information. She stated that current
statutes address the concerns presented in Amendment 4.
SENATOR BEGICH stated current statute addresses the concerns of
Amendment 4 and the friendly amendment. He is opposed to both.
2:18:59 PM
SENATOR HUGHES withdrew the friendly amendment to Amendment 4
and expressed objection to Amendment 4 because outside vendor
fraud checks should be allowed.
SENATOR REINBOLD stated Amendment 4 seeks to protect the
beneficiary's data, a legislature's responsibility. She
expressed her belief that filing electronically should be
optional.
2:20:38 PM
CHAIR WILSON maintained his objection to Amendment 4 and asked
for a roll call vote.
2:20:44 PM
A roll call vote was taken. Senator Reinbold voted in favor of
the motion to adopt Amendment 4 and Senators Begich, Hughes,
Costello, and Wilson voted against it.
CHAIR WILSON announced that Amendment 4 failed on a 1:4 vote.
2:21:13 PM
CHAIR WILSON solicited a motion to move the bill from committee.
2:21:20 PM
SENATOR HUGHES moved to report HB 168, work order 32-LS0639\W,
as amended, from committee with individual recommendations and
attached fiscal note(s).
2:21:37 PM
SENATOR REINBOLD objected due to lack of Wi-Fi accessibility and
cybersecurity.
SENATOR COSTELLO said that SB 168 states that applications can
be submitted electronically or in writing.
SENATOR HUGHES stated that public members concerned about data
security should submit written applications.
SENATOR REINBOLD expressed concern about using "shall" in SB 168
and stated it is mandating a program.
2:23:23 PM
CHAIR WILSON asked for a roll call vote.
2:23:27 PM
A roll call vote was taken. Senators Hughes, Costello, Begich
and Wilson voted in favor of moving HB 168 as amended from
committee and Senator Reinbold voted against it.
2:23:41 PM
CHAIR WILSON announced that the motion passed on a 4:1 vote.
Therefore, SCS HB 168(HSS) was reported from the Senate Health
and Social Services Standing Committee.
2:23:48 PM
At ease.
PRESENTATION(S): STATE OF ALASKA IT PROTOCOLS FOR CYBERSECURITY
2:26:31 PM
CHAIR WILSON reconvened the meeting and announced the Office of
Information Technology presentation. He stated that the
Department of Health and Social Services (DHSS) would present
later.
2:27:14 PM
BILL SMITH, Chief Information Officer, Office of Information
Technology, Department of Administration, Juneau, Alaska, stated
the presentation would provide an overview of the cybersecurity
threat environment and what state government has done and will
be doing to protect data. The single highest priority within the
Office of Information Technology is its cybersecurity posture.
Therefore, significant investment and structural changes are
ongoing.
MR. SMITH stated that cybercrime is a $6 trillion annual
industry; its frequency, complexity, and resourcing continue to
increase. Reasons for its growth include industrialization and
automation capabilities, nation state threats, and supply chain
activity. OIT has noticed an increase in the volume of threats
and defeats these threats daily.
2:31:20 PM
MR. SMITH moved to slide 4 and shared measures OIT has taken to
reduce security threats, such as modernized productivity
applications. Modern applications are built to address current
security threats. Keeping applications up to date benefits
productivity and system security. Security is also increased
through elevated licensing, an example of IT architecture. When
getting licenses for email platforms, the licensing can be
elevated to include advanced security capabilities. Inspections
by external cybersecurity firms have been conducted to identify
residual malware. On-going external scanning is also done to
identify and address external-facing vulnerabilities.
2:34:02 PM
CHAIR WILSON asked if the state carries cybersecurity insurance.
MR. SMITH replied that the state does not have external
cybersecurity insurance.
CHAIR WILSON asked if the Department of Administration is
looking into acquiring cybersecurity insurance.
MR. SMITH replied that a discussion with risk management
regarding cybersecurity insurance occurred. However, the right
course of action for Alaska is still unclear due to the rising
cost of cybersecurity insurance, the failure of insurance
companies to make claim payments, and understanding that
insurance does not prevent incidents of attack.
2:35:21 PM
MR. SMITH advanced to slide 5 and stated that the National
Institute of Standards and Technology (NIST) is the
cybersecurity framework used by the State of Alaska. OIT is
strengthening security in each area of the framework. The state
is implementing multi-factor authentication (MFA) to prevent
username, password, and identity theft. For protection, the
state is making it harder to access environments by staying
current with modern applications, migrating to a secure Cloud
Framework, and increasing employee security training. To improve
detection, OIT increases its network visibility to detect real-
time attacks and block malware and phishing attempts.
2:37:54 PM
CHAIR WILSON asked if all departments in the state use the NIST
framework.
MR. SMITH said that is correct; OIT is responsible for security
across the executive branch using NIST. There are a couple of
departments with internal security capabilities. They are like
NIST, so a cohesive framework is in place.
2:38:35 PM
SENATOR HUGHES asked how monitoring and notification of a
security breach occurs.
MR. SMITH answered that monitoring is a combined approach of
firewalls, evaluation systems, anti-virus protection, and
dedicated staff.
SENATOR HUGHES asked how OIT was notified when DHSS experienced
a cybersecurity breach.
MR. SMITH stated office personnel responded to a system alert
and worked with DHSS to identify, investigate, and isolate the
problem.
2:41:18 PM
SENATOR BEGICH asked what OIT's role is in ensuring a new
electronic application system is secure at startup.
MR. SMITH answered that the Investment Review Board within OIT
must approve when a system is purchased. OIT's Chief Information
Security Officer holds a seat on that board and evaluates
systems from a security perspective. Security planning
documentation is generated and prepared before the software is
brought online. Authorization to operate is issued after
platforms and software have been evaluated for security
concerns. DHSS has a robust security environment that works with
OIT.
2:42:52 PM
SENATOR BEGICH recapitulated that a system does not start unless
it goes through a vetting process to protect the State of Alaska
and its public participants.
MR. SMITH replied that the cybersecurity system was designed
for that purpose; OIT works to ensure procedures and processes
are in place to eliminate gaps, improve visibility and mitigate
exposures.
SENATOR BEGICH replied that the response to cybersecurity is
encouraging.
2:44:36 PM
CHAIR WILSON stated that several IT vendors across Alaska
provide information technology services. DHSS has its own IT. He
asked if the state consolidates vendors and programs to reduce
costs when redesigning or creating systems.
MR. SMITH replied yes. General IT consolidation is impacting the
effectiveness of the state's environment. A lot has been done to
consolidate. A role of the Investment Review Board is to
evaluate potential purchases of IT-related services and
equipment for duplication or commonality across departments. The
review board checks for duplicity and security then decides
whether to acquire an item. This prevents unnecessary spending
and maintains security standards.
2:47:21 PM
SENATOR BEGICH asked if line item requests have the same level
of security scrutiny as non-line items.
MR. SMITH replied that the Investment Review Board checks to
ensure each line item request fits within the environment,
structure, and state security standards. Security features
considered include security credentialing, password, and
identity requirements.
2:49:22 PM
SENATOR BEGICH asked how many of the state standards must an
item meet and can a department purchase an item before board
approval.
MR. SMITH replied that security is not binary; security is a
risk management decision. There is no issue if all the criteria
are met; otherwise, a discussion occurs to determine whether the
need exceeds the risk.
2:51:18 PM
MR. SMITH turned to slide 6 and said most cyber threats are
avoided with basic universal hygiene across an organization. The
basics include password management, multi-factor authentication,
up-to-date software, and visibility.
2:52:36 PM
SENATOR HUGHES asked if the state has achieved 98 percent
security through basic security hygiene and how many attacks the
state deals with in a day.
MR. SMITH answered that 98 percent represents what having basics
in place does for security, not how much it blocks. Threats are
ongoing. Firewalls actively block 2 million attempts per month.
Nine million emails are blocked due to indications of phishing
or malware. Attacks happen every day, so security improvement is
a continuous effort.
2:54:36 PM
SENATOR COSTELLO asked if state statute can be improved or
strengthened to provide the statutory authority to keep the
state government and Alaskans' information secure.
MR. SMITH stated he has not done an extensive study of state
statute and therefore feels unprepared to answer the question.
MR. SMITH explained that the state is also working to simplify
the enterprise security environment, to make identifying and
responding to issues easier. Finding platforms that are capable
of multiple tasks aids in simplification. The state has over
1,700 applications running. Security will improve as
consolidation continues.
2:57:15 PM
MR. SMITH stated that the path forward for security is a concept
called zero trust. Zero trust is treating every activity within
a network as a breach. It will take a few years to achieve, but
OIT has begun taking steps to achieve it.
2:58:27 PM
SENATOR BEGICH commented that zero trust is the opposite of what
the legislature seeks to achieve.
2:58:41 PM
SENATOR HUGHES opined that reviewing statutes to ensure the
state stays current and safe is a good idea.
CHAIR WILSON apologized that the committee would not hear the
DHSS presentation today.
SENATOR BEGICH stated he appreciates committee debates and
dialogues even though he does not always agree with the
outcomes.
3:00:46 PM
There being no further business to come before the committee,
Chair Wilson adjourned the Senate Health and Social Services
Standing Committee meeting at 3:00 p.m.
| Document Name | Date/Time | Subjects |
|---|---|---|
| HB168 Response Follow up Questions DPA 012722.pdf | SHSS 2/1/2022 1:30:00 PM | HB 168 |
| DHSS 2-1-21 SHSS Cyber Security presentation-final.pdf | SHSS 2/1/2022 1:30:00 PM | |
| AK 092619 FINAL Medicaid-CHIP IEA Renewal 9-18_director-signed (1).pdf | SHSS 2/1/2022 1:30:00 PM | HB 168 |
| HB 168 Ammendments 1-4.pdf | SHSS 2/1/2022 1:30:00 PM | HB 168 |
| DOA 2022 OIT Legislative Presentation Cyber Security (S) HSS 1.26.2022.pdf | SHSS 2/1/2022 1:30:00 PM | |