Free Republic
News/Activism

No quick fix for government data security
Reuters ^ | Sat Jul 15, 2006 10:33am ET | Joel Rothstein

Posted on 07/17/2006 10:42:16 AM PDT by VRWCtaz

WASHINGTON (Reuters) - The White House has set an early August deadline for government agencies to encrypt sensitive data after the embarrassing theft of millions of veterans' personal information, but experts warn a quick technology fix will not cure security problems.

While encryption and other security technology can help, slipshod handling of data and equipment, poor training and the slow moving government bureaucracy are seen as the main causes of vulnerability.

"The White House directive is a good first step, but we're concerned about the time frame," said John Dasher, director of product management at encryption software maker PGP Corp. "Do they have funds budgeted and allocated? These are the nuts and bolts of the procurement process."

(Excerpt) Read more at today.reuters.com ...


TOPICS: Government
KEYWORDS: govwatch; privacy
I know - the information revolution took everyone by surprise. How can we expect the Government to have anticipated the need for info security. (Sarcasm from one of the thousands who received the VA letter.)
1 posted on 07/17/2006 10:42:17 AM PDT by VRWCtaz

To: VRWCtaz

How about a "quick fix" of not taking laptops home.


2 posted on 07/17/2006 10:51:58 AM PDT by jiggyboy (Ten per cent of poll respondents are either lying or insane)

To: jiggyboy

And just where do you think using a logical argument is going to get you?


3 posted on 07/17/2006 10:54:13 AM PDT by VRWCtaz (Conservatism is about promoting opportunity and Liberalism is about controlling outcome.)

To: jiggyboy

Not taking laptops home would cause significant problems with users who have a requirement to visit multiple locations and would significantly break the disaster recovery model of allowing users to work remotely.


4 posted on 07/17/2006 11:16:25 AM PDT by taxcontrol

To: taxcontrol
"Not taking laptops home would cause significant problems with users who have a requirement to visit multiple locations and would significantly break the disaster recovery model of allowing users to work remotely."

Until such time as a systemic method of encryption and data security is in place, their need for the ability to work remotely is irrelevant and any work practice of a government employee that does not first take into account the responsibility to protect the citizen's sensitive information is an abomination.

5 posted on 07/17/2006 3:35:39 PM PDT by VRWCtaz (Conservatism is about promoting opportunity and Liberalism is about controlling outcome.)

To: VRWCtaz
I work in the security field. I know how easy it is to fix these "problems". But the quick fix proposed of denying laptops from leaving the VA premises does not take into account that the FIRST rule of security is much like medicine... do no harm.

Implementing such a knee jerk solution would create problems and when you are dealing with patient information, possibly life threatening issues can arise.

I will give you a real world example that I had to fix. In an attempt to "lock down" the network from a particular type of traffic, an engineer implemented a rule change that did, in fact, stop the network from transmitting that type of traffic. Unfortunately, it also blocked a routing protocol that was used to update the network with information as to what networks are located where in the topology. As a result, some of the networks were not reachable. One of those networks was the patient records and the pharmacy database. For a space of 3 to 4 hrs, the hospital had to resort to a paper system and phone calls to try and find the doctor's orders and get the right drugs, in the right doses, to the people who needed them. Fortunately, the problem was quickly identified and the issue resolved. However, if the issue had not been fixed in such short order, it is highly likely that the limited staff, which was already falling behind, would have been overwhelmed in a few hours.

This example illustrates the point. If laptops are allowed out of the network now, they are allowed out to meet a business need. I do not know what that business need is nor do I wish to speculate. However, until you know what that business need is and what the impact that a security measure will have, going around and doing what sounds good can kill a business. Worse yet, since the VA deals with medical information, it just might end up killing a person.

Perhaps the person who is carrying those medical records is attempting to coordinate patient care with local doctors in that patient's home area. Perhaps they are buying supplemental medication that is not on the VA's base formulary for medical drugs. Perhaps that person needs to be out talking to drug companies or to providers of home oxygen service or perhaps they are VA inspectors enforcing VA outsourced contracts to lab facilities.

Being a veteran myself, I would not want any of these services interrupted because of a policy.

Life, limb, property, reputation in that order.

If someone steals an identity, there is a potential loss of property. Any security measure or policy which would trade lives or limbs to protect property is just simply wrong.

People who do not study the discipline of security, esp IT security, often will shout out with these simplistic "solutions"... not weighing the costs or understanding the ramifications.

My point to all of this is that security measures definitely need to be taken. Technology exists to allow for laptops to be deployed in a secure manner. This should have been done some time back and it is an extreme lack of professionalism that has allowed this situation to occur. But don't overreact. Put a plan in place, upgrade the technology, fix the processes, train the people, implement a means to measure compliance and enable an audit or executive overview. All of these take time. To not do them at all is unconscionable. To do them without forethought is foolish.
6 posted on 07/17/2006 7:13:12 PM PDT by taxcontrol

To: taxcontrol
You present a well thought out argument - especially the "first do no harm" point. I have long been opposed to knee jerk, zero-tolerance, quick fix policies for other matters and the government data security issue is no exception.

That said, I feel the first step to this problem has to be an evaluation of where the data is located and how it is being handled. The case in point involved such a large diverse number of individuals spanning decades that I can think of no legitimate reason for its presence in a VA employee's home. The security needs for this information have been neglected and one is forced to wonder what else may be happening. Obviously, a call for keeping all the laptops from going home (while understandable) is a greatly oversimplified solution and quite impractical.

All too often in the bureaucratic mindset the focus on the primary responsibility blinds the operatives to the unintended consequences. Laptops can be a valuable tool for increasing efficiency and productivity. However, when they are issued without an accompanying implementation of security measures, employees oftentimes take the term personal computer much too literally. In business this can be a very costly mistake. When dealing with the personal data of millions it has a devastating potential.

7 posted on 07/18/2006 4:54:38 AM PDT by VRWCtaz (Conservatism is about promoting opportunity and Liberalism is about controlling outcome.)

To: VRWCtaz
Your last paragraph is very eloquently put. I can't tell you the number of times I have had to REMIND executives that security needs to be part of the design, not something that gets added on later when problems arise.

What is so frustrating to me is that the industry already knows how to protect data. Yet we consistently graduate MBAs and computer programmers who do not consider security part of the design requirements. I guess it keeps me employed.
8 posted on 07/18/2006 12:25:22 PM PDT by taxcontrol
