Agencies Report Progress, but Sensitive Data Remains at Risk

Federal agencies have recently reported a spate of security incidents that put sensitive data at risk. Personally identifiable information about millions of Americans has been lost, stolen, or improperly disclosed, thereby exposing those individuals to loss of privacy, identity theft, and financial crimes. The wide range of incidents involving data loss or theft, computer intrusions, and privacy breaches underscores the need for improved security practices.
As illustrated by these security incidents, significant weaknesses in information security controls threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of federal agencies. Almost all of the major federal agencies had weaknesses in one or more areas of information security controls (see figure). Most agencies did not implement controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information.
For example, agencies did not consistently identify and authenticate users to prevent unauthorized access, apply encryption to protect sensitive data on networks and portable devices, and restrict physical access to information assets. In addition, agencies did not always manage the configuration of network devices to prevent unauthorized access and ensure system integrity, such as patching key servers and workstations in a timely manner; assign incompatible duties to different individuals or groups so that one individual does not control all aspects of a process or transaction; and maintain or test continuity of operations plans for key information systems. An underlying cause for these weaknesses is that agencies have not fully or effectively implemented agencywide information security programs.
Nevertheless, federal agencies have continued to report steady progress in implementing certain information security requirements. However, inspectors general (IGs) at several agencies sometimes disagreed with the agency's reported information and identified weaknesses in the processes used to implement these and other security program activities. Further, opportunities exist to enhance reporting under FISMA and the independent evaluations completed by IGs.
{Yet another devastating report was issued yesterday by the GAO about the government's inability to protect Americans' sensitive health and other data in electronic systems. At the very same time, the same federal agencies that have failed so abysmally at keeping Americans' sensitive personal health data safe have wrongly been placed in charge of determining national privacy and security standards for electronic data by this Administration. Every federal agency that deals with the healthcare system is now lobbying for the extremely wealthy and robust health IT industry. Even that would not be so bad if these federal agencies were urging adoption of HIT with ironclad security and privacy protections, to ensure that Americans get real value and a HIT system that is trusted and workable for their tax dollars. Instead, federal agencies are rushing to vastly expand our current national health IT system, where patients have no control over their personal data and no way to opt out of these risky massive databases and information exchanges. It's a sad sight: the federal agencies charged with protecting the best interests of American citizens are dominated by bureaucrats, industry appointees, and multi-million dollar lobby teams promoting corporate welfare for the technology industry instead of promoting 'smart' technology to benefit those who are ill while guarding and strengthening their Constitutional, common law, and ethical rights to privacy and blocking access to health data by secondary users and thieves. ~ Dr. Deborah Peel, Patient Privacy Rights}