NextGov
Tech Insider

VA Wants to Know: What's in That Email?
By Allan Holmes  |  Wednesday, September 19, 2007 |  5:20 PM

News that a government agency or corporation exposed private information such as Social Security numbers is rather common these days. The public routinely asks, "Why can't organizations take more care in securing my personal information?"

One reason may be that agencies use personal information such as the Social Security number as part of their everyday work in processing information, which makes it difficult to avoid exposing it. For example, the Department of Veterans Affairs recently installed software that scans each outgoing email for Social Security numbers. Under the VA's security policy, its servers block emails that contain Social Security numbers from being sent. In one month, 7,000 emails that the software determined could possibly contain a Social Security number were blocked, according to Robert Howard, assistant secretary of information and technology at the VA, who testified today before the Senate Committee on Veterans' Affairs.

That may seem like a lot. But looking at it another way, it's surprising that only 7,000 emails were blocked (and that figure, of course, most likely includes some false positives). According to the VA's Web site, the VA has 244,032 employees. If each employee sends, say, 100 emails a month on average (about five emails a day), then less than 0.03 percent of all VA emails contained a Social Security number. And that doesn't include emails sent by VA contractors. However, Howard did not tell the committee whether all VA emails are scanned; if they are not, the percentage of emails containing a Social Security number would be higher.

Nevertheless, for those whose personal information is exposed because it was emailed out past an organization's firewall, there is no solace in knowing that it was highly unlikely.
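To make the scanning step concrete, here is an added example of an outbound-mail Social Security number filter; it is not the VA's software and is not described in the article. It assumes the policy the post describes (block unencrypted mail leaving the organization's domain, here "va.gov") and adds a plausibility check on the matched digits to cut the kind of false positives the post mentions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Candidate SSN: 3-2-4 digits, optional hyphen/space separators, and not
# embedded in a longer digit run (so a 10-digit phone number is not sliced up).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number blocks the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. This trims false positives from order numbers and
    similar digit strings that merely look like an SSN."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def find_ssns(text: str) -> list[str]:
    """Return normalised (hyphenated) plausible SSNs found in the text."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text)
            if plausible_ssn(a, g, s)]

@dataclass
class Verdict:
    blocked: bool
    reason: str
    hits: list[str] = field(default_factory=list)

def _is_internal(address: str, internal_domain: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain == internal_domain or domain.endswith("." + internal_domain)

def evaluate(recipients: list[str], body: str, encrypted: bool = False,
             internal_domain: str = "va.gov") -> Verdict:
    """Assumed policy: scan only unencrypted mail that leaves the domain."""
    if all(_is_internal(r, internal_domain) for r in recipients):
        return Verdict(False, "internal-only")
    if encrypted:
        return Verdict(False, "encrypted")
    hits = find_ssns(body)
    if hits:
        return Verdict(True, "ssn-detected", hits)
    return Verdict(False, "clean")

if __name__ == "__main__":
    # Constructed sample message, not real data.
    print(evaluate(["clerk@example.org"], "Verify SSN 123-45-6789 first."))
```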


Comments

While I am sure there is good reason for someone within the VA system to have the patient's SSN, I would agree with the Wise Old Owl in that in-house generated numbers should be used wherever possible and limited access granted to the patient's SSN. Reducing the compromise to emails may reduce the risk; however, eliminating the access eliminates the risk. Those who have access to the SSN can still use phones, mail, and other means outside of email to deploy someone's personal information. In-house training is also important so that the very staff with access to the patient's personal information at least know when and how to handle a compromise expediently.

IT Perspective  | Tuesday, October 2, 2007 |  7:48 AM

All email is screened, and the ones sent inside the VA domain, by policy, should be encrypted. If not, the message is blocked and the ISO are informed.

P  | Tuesday, September 25, 2007 |  7:49 AM

We are prohibited by policy from disclosing any veteran's first, middle or last name and last four numbers in any email, even internal emails. E.g., KJ1234 is one example that is acceptable.

We really do care about privacy issues.

KK

VA Employee  | Saturday, September 22, 2007 |  11:35 PM

Just counting the agency's total employees and assuming the percentage must be low is misguided. Please note that the VA has sections, such as its procurement groups, who never see patient data such as SSNs. Many of the employees who see patient data rarely use email.

Pat McKay, former VA employee  | Friday, September 21, 2007 |  2:58 PM

It's a nice start for the VA to block emails with potential Social Security Number patterns. As I understand the procedure, though, the VA only blocks an email that contains these patterns if the email is going to an address outside the "@va.gov" mail domain. Email traffic from VA employee to VA employee is not screened. The initial comment attempted to place the number of blocked emails into perspective. I thought that this additional clarification might help. I suspect that unencrypted emails from VA employee to VA employee are no more secure than the messages sent outside the domain.

Veteran  | Thursday, September 20, 2007 |  11:57 AM

VA policy is to encrypt all emails with personally identifiable information such as SSNs, DOB, name, etc. All outgoing emails that are unencrypted are scanned for identifiable information. I would say that they have done a good job with this system/policy. What it has done is made this particular vulnerability a little more manageable. The reality is that doing business puts this information at risk. Anything that the government does to minimize this risk is commendable. The only true solution is to move away from the use of SSNs.

P  | Thursday, September 20, 2007 |  8:34 AM

The SSN issue has historic roots. In the days before the web, the paper-heavy time, agencies and businesses began using SSNs as an alternative to in-house account numbers or customer numbers.

Paper systems were not easy to compromise. Identity theft was limited.

Wise Old Owl  | Thursday, September 20, 2007 |  8:24 AM