Closing the Loop

Agencies still struggle to hold on to sensitive data.

Losing 26.5 million personal records when a Veterans Affairs Department laptop was stolen in May 2006 should have been a wake-up call for federal agencies. It was an unprecedented loss of personal information-on active-duty military personnel and veterans-and it prompted an Office of Management and Budget mandate in June 2006 requiring agencies to launch new security procedures by Aug. 7, 2006.

But by all accounts, agencies have failed to comply fully with the order. Indeed, nine months after VA's massive data breach, the agency lost another hard drive, this one containing sensitive information on physicians who have submitted bills to Medicare and Medicaid. Medical data on 535,000 VA patients was included in the hard drive that went missing from a Birmingham, Ala., facility. Dozens of agencies have lost sensitive information.

Some agencies say they lack money to secure their electronic records, but critics disagree. Like homeland security funding after the Sept. 11 terrorist attacks, money for data security has increased steadily. In fiscal 2006, agencies received $5.5 billion for cybersecurity-nearly 10 percent of the entire information technology budget. Agencies have yet to break down their IT security funding for fiscal 2007 and fiscal 2008, but security experts don't believe the percentage will shrink.

Agencies that haven't promised to pony up bigger dollar amounts for cybersecurity are encouraged to hold back on new projects to fund that critical need, according to Karen Evans, OMB administrator of e-government and information technology. Agencies are supposed to "live, eat and breathe" cybersecurity, she says. In a March 20 memorandum to chief information officers, Evans required agencies to move to a standard desktop configuration for Windows operating systems. The standard is supposed to speed up the installation of security updates. But some security experts, including Purdue University Professor Eugene Spafford, say a standard configuration could make computers more vulnerable. Some operating systems and applications lack security controls, he says.

OMB's mandate urges agencies to encrypt data on remote computers and permit access only with two modes of authentication. But implementation has been spotty. An October 2006 report by the President's Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency found that three-quarters of all agencies still are trying to assess the vulnerability of the personal information they manage.

Developing enforceable policies on the use of sensitive information remains a challenge, the report says. Agencies also have had difficulties safeguarding their systems, the report says, adding that systematically enforcing computer encryption is critical.

Critics say the new OMB guidelines fail to address conflicting goals. For one thing, it's not in the best interest of federal employees to create a culture of cybersecurity awareness, says Eric Hay, worldwide director of field engineers for Credant Technologies Inc., a Dallas-based mobile data security firm. Clamping down on information can make it difficult for employees to do their jobs when they are in the field or working across agency lines. Organizations evaluate staff performance on productivity, not security, Hay says. Employees are going to choose productivity over security, he says, so "don't let them make the choice."

Scott McNealy, chairman of the board for Sun Microsystems, says government isn't fully adopting readily available information security technology. His solution is to remove data from individual computers and store it on a mainframe server, where it is available for downloads. That way, should someone steal a laptop or other computer device, the data isn't on the hard drive. "I haven't stolen anything . . . there's no data," he says.

Despite movement toward establishing safeguards, the challenge of protecting sensitive data continues to elude agencies, security experts say. Many fear that if agencies don't work faster to tighten controls, the personal information held in their databases could go walking out the door at anytime.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
FROM OUR SPONSORS
JOIN THE DISCUSSION
Close [ x ] More from GovExec
 
 

Thank you for subscribing to newsletters from GovExec.com.
We think these reports might interest you:

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • The Big Data Campaign Trail

    With everyone so focused on security following recent breaches at federal, state and local government and education institutions, there has been little emphasis on the need for better operations. This report breaks down some of the biggest operational challenges in IT management and provides insight into how agencies and leaders can successfully solve some of the biggest lingering government IT issues.

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download
  • Ongoing Efforts in Veterans Health Care Modernization

    This report discusses the current state of veterans health care

    Download

When you download a report, your information may be shared with the underwriters of that document.