Cybersecurity Archives

Security Breach Déjà Vu at VA

 

Oh my, when will they ever learn at the Veterans Affairs Department?

I have heard from well-placed sources that an employee at the VA medical center in Atlanta downloaded patient clinical data to a personal laptop, and an investigation may be pending.

Details are sparse on this breaking story, but I was told the employee -- a physician assistant nurse practitioner -- downloaded 18 years' worth of clinical data on an unknown number of patients to conduct research.

If this all sounds eerily familiar, it is. In 2006 a VA data analyst downloaded information on 26.5 million records -- or practically every living veteran -- onto the hard drive on his personal laptop, which was later stolen.

The good news in the current situation is that the laptop was not stolen. The bad news is that none of the data downloaded in 2006 included clinical information, while the current case involved a whole mess of medical data.

The timing on this could not be worse. The Obama administration is trying to sell the American public on the need for a national electronic health record system. That's a tough sell if folks find out that their supposedly private electronic records are subject to downloads for research.

Does VA have policies and procedures that bar the download of veteran data to personal laptops? You bet. But the best policies and procedures don't do much in the face of human ignorance.

What's in a Thumb Drive Kit?

 

The U.S. Strategic Command says that military units in Afghanistan soon will start receiving thumb drive kits that meet its new flash media policy for Defense Department networks and computers.

STRATCOM said on Feb. 18 that flash media such as thumb drives should be used only as a "last resort" to meet operational requirements -- and Afghanistan, where network bandwidth is at a premium, sure meets that last resort requirement.

But it's hard to get an answer from STRATCOM on what exactly is in a flash media kit because it has not publicly released details, a STRATCOM spokesman told me.

Meanwhile, legions of PR folks continue to flood my e-mail with pitches for companies that make stuff they think meets the Defense requirements, even though STRATCOM is mum on the subject.

I think these folks get paid by the number of e-mails they send out.

Let's Deal With Facts

 

I woke up today with what can only be described as a bombardment of e-mails from PR folks who had clients panting to give me their views on the U.S. Strategic Command lifting its ban on thumb drives and other flash media, a notion they picked up from stories in Inside Defense, Wired and Government Computer News, which based its story on the Wired and Inside Defense reports.

But, as it turned out, STRATCOM did not repeal its November 2008 ban. Instead, it decided to permit use of flash media only as a "last resort for operational mission requirements," according to Vice Adm. Carl Mauney, STRATCOM deputy commander.

Navy Cmdr. Steve Curry and Air Force Master Sgt. Kevin Allen at the STRATCOM public affairs shop both deserve kudos for turning around a query I submitted on Thursday and providing me with a factual statement overnight that debunked many assumptions about flash media that flooded my inbox this morning.

As Joe Friday, the famed Los Angeles Police Department detective, said in the 1950s, "Just the facts, ma'am."

That Brit Report On Chinese Cyber Spying

 

The New York Times rather breathlessly reported during the past weekend that in 2007 the head of British intelligence warned businesses in England that Chinese intelligence agencies were engaged in a wide ranging effort to hack into their computers.

The Times reported that anonymous sources confirmed the existence of that report, which seems like a needless exercise to me as I reported almost two years ago that our Defense Department highlighted this Brit warning in its annual brief to Congress on mischievous behavior by China in March 2008.

How many days a week do we need Chinese cyber stories? No one would have paid much attention to Paul Revere if he made his ride every day.

Is Boeing's New 747 Hackable?

 

The computers onboard Boeing Co.'s newest version of its largest commercial aircraft, the 747-8, could be hacked, according to a little noticed item published in the Federal Register by the Federal Aviation Administration on Jan. 15.

FAA said the 747-8, slated to make its first flight on a yet-to-be-specified date this month, has a network and architecture that could allow external sources to access aircraft systems.

The 747-8 has a network that supports control systems, another that supports safe operations and maintenance and another for passenger information systems.

FAA said the airliner's system architecture "may allow the exploitation of network security vulnerabilities resulting in intentional or unintentional destruction, disruption, degradation, or exploitation of data, systems, and networks critical to the safety and maintenance of the airplane."

FAA said that before it certifies the 747-8 for operation, Boeing:

  • must ensure electronic system security protection for the aircraft control domain and airline information domain from access by unauthorized sources external to the airplane, including those possibly caused by maintenance activity.
  • must ensure that electronic system security threats from external sources are identified and assessed, and that effective electronic system security protection strategies are used to protect the airplane from all adverse impacts on safety, functionality, and continued airworthiness.

Boeing launched development of the 747-8 in 2005 with orders for 10 freighters from Cargolux of Luxembourg and eight from Nippon Cargo Airlines of Japan. Lufthansa placed an order for 20 400-seat passenger versions in 2006, and in December 2009 Korean Air ordered five passenger versions.

I'm not ready to fly on any 747-8 - even as cargo - until Boeing resolves potential hacking problems.

Top Posts of 2009

 

Here are the top 10 most read What's Brewin blog items in 2009, in order:

  1. U.S. Cyber Command -- The Wiring Diagram
  2. VA Gets Real, Suspends 45 IT Projects
  3. Juicy Reports on VA IT Shop Coming
  4. The Final Four for VHA Job
  5. VA Claim in Appeal? Wait 639 Days
  6. Another Stolen Laptop
  7. The Three Star Navy Cyber Command
  8. Tax-Free Computers For College Students
  9. Park Police: Don't Shine That Brass
  10. How to Bury $187 Million

VA Watchdog Hacked

 

One of the best resources for veterans who have problems with the Veterans Affairs Department is the VA Watchdog Web site founded and edited by Larry Scott.

If you visited the site today, you likely only saw a bare bones page that explains the site was hacked and destroyed. Scott told me the hack occurred on Nov. 20, and he has been struggling since then to find a new hosting company that can accommodate his high traffic load.

The hack consisted of a massive denial of service attack, followed by loading of malware onto the server, he said. Scott added it looks like the attack came from hackers in Russia or one of its former states, searching for Web servers with weak security controls.

Scott says he expects to have a full-fledged site in operation in two to three days.

Health Data Security CSI

 

The last place you would expect to find Hollywood-based TV producers is at a policy wonk-fest held at a Holiday Inn in Southwest Washington.

But then, reality is often stranger than fiction.

Producers from the TV show CSI Miami were at the day-long hearing of the Health and Human Services Department's health IT standards committee conducting research for a possible show on health data privacy, Judy Sparrow, a senior policy analyst at said at the start of the meeting.

I spent most of Thursday listening to a Webcast of the hearing. If the CSI folks lasted all day, they should get an honorary wonk medal, if for nothing else than hearing the word "implementation" used what seemed like every five minutes.

I don't know if CSI will ever produce a show on the hearing, but in the meantime, I ask for your casting suggestions.

Who should play:

  • Dr. David Blumenthal, national coordinator for health information technology
  • Aneesh Chopra, federal chief technology officer
  • Dr. John Halamka, the chief information officer of Harvard Medical School, famed for having a radio frequency identification chip planted under his skin in 2005 so he could test the technology.

10 Security Tips for Cyber Wingmen

 

Everyone who wears Air Force blue has a role in defending cyberspace, Air Force Chief of Staff Gen. Norton Schwartz said in a service wide message.

"We must all conduct ourselves as Cyber Wingmen, recognizing that our actions and activities on the network affect every other airman and impact our ability to execute the broader Air Force mission," he said.

Schwartz released a checklist that "every airman needs to know and use to secure cyberspace."

Some of the items on the checklist are based on common sense and many can be adopted by anyone who uses a computer:

1. The United States is vulnerable to cyberspace attacks by relentless adversaries attempting to infiltrate our networks -- at work and at home -- millions of times a day, 24/7.

2. Our adversaries plant malicious code, worms, botnets and hooks in common Web sites, software and hardware such as thumb drives, printers, etc.

3. Once implanted, this code begins to distort, destroy and manipulate information, or "phone" it home. Certain code allows our adversaries to obtain higher levels of credentials to access highly sensitive information.

4. The adversary attacks your computers at work and at home knowing you communicate with the AF network by e-mail, or transfer information from one system to another.

5. As Cyber Wingmen, you have a critical role in defending your networks, your information, your security, your teammates and your country.

6. You significantly decrease our adversaries' access to our networks, critical [Air Force] information, and even your personal identity, by taking simple action.

7. Do not open attachments or click on links unless the email is digitally signed, or you can directly verify the source -- even if it appears to be from someone you know.

8. Do not connect any hardware or download any software, applications, music or information onto our networks without approval.

9. Encrypt sensitive but unclassified and/or mission critical information. Ask your CSA for more information.

10. Install the free Department of Defense anti-virus software on your home computer. Your CSA can provide you with your free copy.

U.S. Cyber Command - The Wiring Diagram

 

A benevolent reader sent along a high-level organizational diagram for the U.S. Cyber Command, which I am going to share with everyone out there in Whats-land.

[Image: Cyber Command organization diagram]

There are no real surprises in this very busy slide, but it does illustrate clearly that the real work of the new Cyber Command -- which goes into business next month -- will be performed by an Integrated Cyber Center run by a Joint Operations Center, with a lot of help from the Defense Information Systems Agency.
