COLUMBIA — The Medical University of South Carolina wants to opt out of information security guidelines that a new state official would develop under a proposed bill in the state Senate, school officials told a panel of senators Thursday.
The measure introduced by Anderson GOP Sen. Kevin Bryant calls for the establishment of a Division of Information Security that would be dedicated to the protection of the state’s information and cybersecurity infrastructure.
The legislation, which also would provide a decade of state-paid credit monitoring to taxpayers, additionally would create two new boards to create a statewide technology plan and suggest changes as technology changes.
Bryant is the chairman of a panel investigating the massive breach discovered in October at the S.C. Department of Revenue. The breach compromised sensitive information for millions of consumers and businesses.
Bryant’s bill would require all agencies, which include state departments, boards, universities, school districts and the like, to adopt the policies and guidelines developed by the leader of the proposed new security division.
The Senate committee examining the hack met to discuss the bill and hear from cybersecurity officials at MUSC and the University of South Carolina, among others.
Kurt Nendorf, MUSC’s director of information technology, told senators the prolonged breach at the Revenue Department that saw hackers probe the agency’s systems for weeks couldn’t happen at MUSC.
That’s because the university’s security systems provide immediate alerts of suspicious activity, systems are quickly shut down and problems addressed, Nendorf said.
He said MUSC spends about $2 million on cybersecurity annually.
Adapting to new state guidelines that would follow passage of the Senate bill could cost MUSC more and force the school to divert funds, making its systems less secure, Nendorf said.
He said MUSC hasn’t suffered any major information breaches, leading Ware Shoals Republican Sen. Billy O’Dell to suggest the state look at how the university handles cybersecurity for ideas on improvement.
Officials from USC, who said the school has suffered six cyberbreaches in the past three years, did not ask senators for a waiver.
The bill does not currently exempt any state agencies from the proposed requirements.
But Bryant said senators will consider requests for waivers from MUSC and others.
He said he’s not sure it makes sense to exempt institutions or agencies from new guidelines because they have effective cybersecurity.
“I think including them might help us figure out how to treat everybody else,” Bryant said.
“Every single agency could come before us and give us a really good reason why they should be exempted, except for maybe DOR.”
Reach Stephen Largen at 864-641-8172 and follow him on Twitter @stephenlargen.