The State of Florida is a top target for cybercrime, especially when it comes to health care records and other sensitive data. According to two different rankings released earlier this month, Florida ranks 2nd in the nation in total number of data security breaches, and third in the nation in the total number of citizens whose data may have been compromised.

Ranking second only to California, which suffered from 39 successful cyber attacks that resulted in the loss of sensitive and highly personalized health care information, Florida reported 28 breaches of information that should be protected under federal Health Insurance Portability and Accountability Act (HIPAA) guidelines. HIPAA laws restricting access to private information are some of the strictest in the nation. But even so, more than 2.8 million records were stolen from data centers in Florida during 2016. The numbers include both private and public sector data breaches.

This year, Governor Rick Scott has proposed spending as much as $6.6 million on cyber security risk assessments and audits designed to identify vulnerabilities within state government and plug those holes. Two-thirds of his budget request would fund ongoing risk assessments and digital security audits. The bulk of the remaining budget proposal would be spent on shoring up existing data security and designing a comprehensive plan that would protect state mobile devices, printers and other potential access points used by cybercriminals.

“We have seen Florida take some important steps in quantifying risks and establishing mitigation priorities across several state agencies. Our team got a first-hand look at the State’s cyber risk assessment tool developed by AST and were very impressed in the level of detail, functionality, and reporting capabilities of the assessment tool”, said Dave Simprini, a Senior Manager with Grant Thornton, which is among several firms conducting IT security risk assessments for state agencies. “Key to the cyber risk assessment process is the follow-up. Agencies should not consider these risk assessments as a ‘one-and-done’ exercise, but instead as a first step in an ongoing process. Cyber risk should be continuously monitored and remediation efforts pursued accordingly.” 

A comprehensive report from those audits will be made public later this year, according to Florida’s Agency for State Technology.

“Agencies who were appropriated funds during the 2016 Legislative Session (16 agencies) are currently undertaking independent IT security risk assessments to identify potential areas of risk and ways to remediate where needed,” says Erin Choy, spokeswoman for the Agency for State Technology. “The assessments must be completed by the end of the fiscal year.  Once all the assessments are completed, we will compile the information to create a statewide heat map to provide to the Legislature so they can decide where they want to make IT security investments. Cyber threats will continue to evolve and AST is committed to protecting the state’s data by enhancing security awareness and strengthening agency’s critical systems.”

Those investments can’t come soon enough. Already this year, more than 7,700 personal financial records were stolen from the Manatee County School Board as a direct result of a cyber attack where a thief used a fictitious email to pose as an IRS agent to gain access to the school district’s financial records of employees. The IRS is now investigating.