Improve Cybersecurity with Continuous Monitoring

Cybersecurity has now superseded terrorism as our country’s #1 threat. Can continuous monitoring save the day?

The Future of EHR Security: Good and Bad News

The future of Electronic Health Records (EHR) security will be impacted by the findings of several studies conducted in the past year. From what I can tell, these studies bring with them both good and bad news.

HHS Privacy and Security Tiger Team Findings Part 2

Last week, I summarized the Health and Human Services Health Information Technology Policy Committee Privacy and Security Tiger Team (Tiger Team)’s findings.

As a reminder, their charge was to “make short-term and long term recommendations to the Health Information Technology Policy Committee (HITPC) on privacy and security policies and practices that well help build public trust in health information technology and efficiency, particularly as related to the  American Recovery and Reinvestment Act (ARRA) of 2009 and the Affordable Care Act (ACA) which mandates a number of duties to the ONC relative to privacy and security.”

Their findings were put out for public comment April 11 –May 11, 2011. Below is a series of excerpts from the comments which represent the major points of discussion. The full set of comments can be viewed on the HHS Federal Advisory Committee Blog.

There should be a health industry discussion on general tracking and accounting of disclosures.  ARRA-HITECH proposed rules have not been released and there has been little industry discussion regarding how disclosures can be tracked especially in larger organizations where disclosure may occur. This is both a policy and a technology issue.
Methods for tracking exchange partners need to be developed.  Web site info with the ability for the patient to print should cover it, and maybe an annual signoff indicating they know where to find it if they want it. A NwHIN participant will have difficulty keeping track of all the potential indirect participants. If the level of HIEs gets to 225-250-plus keeping a list of the possible exchange partners becomes overwhelming and probably complicated for the individual to understand.
Confidentiality is crucial to reducing barriers to care for adolescents. It has long been recognized that if adolescents do not believe […]

Keeping Electronic Health Records Safe

Surveys have shown that the majority of Americans are “very concerned” about identity theft or fraud (80 percent), the use of their medical information for marketing purposes (77 percent), and that their data might become available to employers or insurance companies (56 and 55 percent, respectively).  At the same time, 89 percent of respondents say that they want their physicians to be able to communicate with one another, while the majority support the development of Health Information Technology as a whole and believe that it will improve care and reduce costs1.

According to a current listing on, four of the ten major data security breaches on the list involved medical records getting into the wrong hands.  The VA experienced one of the top ten data security breaches of all time (over 26 million records).  Patient records contain information that can be used to steal a person’s identity or help criminals pinpoint vulnerable targets. Medical information can be used to discriminate unfairly because it is often beyond what the payors and others are allowed to know. Employers and insurance companies can discriminate based on past health issues if given access to these records.

Initiatives for a standardized Electronic Health Record (EHR) are gaining acceptance. As these standards are developed, the government and industry should look to the Purchase Card Industry Data Security Standard (PCI DSS) standard for eCommerce security. Under PCI DSS, compliant systems require sensitive information to be separated from non-sensitive data within the system and to be encrypted both in transit and at rest. This prevents hackers from reading the information even if they manage to break into the system or steal a computer. While PCI DSS compliance has helped prevent security breaches in […]

Will the Government go Mobile?

With everyone using smart phones for personal use, will the government be forced to accept them in the work place? According to Cisco data traffic numbers, global mobile data traffic will increase by a factor of 26 by 2015. With all those phones in service, there will be overlap with the workplace.

Linda Cureton, the CIO of NASA, recently stated in a January 11, 2011 Blog Post, “CIOS need to remember that people in their organizations – their customers – are all consumers. CIOs shouldn’t be content in their ability to rule their worlds as expectations of consumers continue to creep into the workplace.”

A Global Business Center Survey in November 2010 showed that people in Federal Agencies use a variety of devices when working outside the office.

59% use agency issued laptops
28% use personal laptop
25% use agency issued smart phone
17% use personal smart phone

A few years ago, it would have been unheard of for an agency to sanction the use of personal devices for work, though a lot of people were doing just that. In a March 10, 2011 GovLoop Training session, Gary Galloway, Deputy Director of the Office of Information Assurance, Bureau of Information Resource Management, U.S. Department of State, commented that use of personal smart phones and laptops was increasing and frequently used to support Telework. He stated that the Department of State has all but stopped using laptops.

The biggest concern with “Going Mobile” in the government is security, but there has been a recent paradigm shift from risk avoidance to risk management.  The DOD is using Common Access Cards (CACs) to secure laptops, but these are expensive and require additional equipment like card readers. 2011 will see the advent of security devices for […]

DOD Security Needs are both Internal and External

Security has been a top priority for DOD in 2010. On November 3, 2010, the Department of Defense announced that U.S. Cyber Command had achieved Full Operational Capability (FOC).  The mission of Cyber Command is to keep intruders out of government websites. This has been a primary focus of security personnel over the past several years with the alarming increase of attacks on government websites.

In November, the Defense Information Systems Agency (DISA) announced the development of an application that provides smart phone users with a secure way to access DOD networks. Designed by Good Technologies, Go Mobile is intended to allow DOD end-user employees to use their smart phones in a secure way. It uses a plug-in, called a dongle, to connect via Bluetooth to a Common Access Card (CAC). A personal identification number ensures the physical security of the phone. When Go Mobile is active, it disables other features on the phone to secure data storage and provide safe data transfer. The application supports DOD security policy management, enforcement and compliance while providing a secure web browser and a secure apps container. The application is still under testing and evaluation but should be available sometime in 2011.

While these efforts are extremely important and help safeguard external access to government networks and websites, a bigger threat may come from government personnel working within the highly-secure government network. WikiLeaks is a prime example of this internal threat where a single rogue U.S. Army Private was able to download thousands of secret cables and hand them over to Assange’s fledgling organization. No matter how secure a network is, there is always the possibility of a breach from the inside.

Just weeks after the Wikileaks initial release of information, […]

By |December 14th, 2010|General, Security|0 Comments|

DLA Team Investigates Security Measures

Agencies across the Federal Government are increasing efforts to identify and fix security flaws. These programs are probing both IT Security and Physical security in an attempt to measure the effectiveness of current security measures.

One of the agencies testing the effectiveness of current security measures is the Defense Logistics Agency (DLA). A recent article published by the DLA News Center, titled Investigative team uncovers security flaws, details the work performed by members of the DLA Accountability Office. The team scrutinized screening and property pick-up procedures at several DLA Disposition Services facilities. Because the investigation included members of law enforcement, many details of the operation have not been released. However, it was reported that the team was able to identify weaknesses and take corrective actions.

Proactive efforts like this are a good way to ensure the effectiveness of current security measures–and with the success of the investigation–it is likely that similar investigations will be conducted in the coming months.