Legacy systems — a costly security liability

In my previous post, I discussed a recent Government Computer News article about public sector Web applications.

According to the article, the Web applications being developed for government agencies and entities are less secure than those being developed in private enterprises. In my post, I looked at some of the reasons why they’re less secure and also discussed ways the government could correct the issue.

While I was authoring that post, I started thinking about the systems in use at government agencies in general. Many of these legacy systems were developed years ago and hosted within the agency in dedicated datacenters.

Many of these legacy applications aren’t documented properly. Over time, the programmers who initially developed the applications move on. When it comes to testing and improving the security of these systems, this causes some roadblocks.

With the actual developers gone and the systems poorly documented, a significant amount of additional work is needed to find vulnerabilities and patch them. The cost to investigate, recode, and fully test these programs can be quite high and in some cases cost prohibitive.

But the additional cost of legacy systems doesn’t end at security and testing. Because of the same issue with documentation and missing developers, the cost to maintain legacy systems is very high. In addition, many of these systems are hosted using dedicated and expensive datacenter resources.

That’s a huge, annual cost to the federal government over time, and there are many of these systems across the federal government landscape.

To help to eliminate these expensive and antiquated legacy systems, many government agencies are working to create replacement applications that utilize open-source software and are developed, tested and ultimately hosted in the cloud.

However, this can create some additional security challenges.

In addition to the issues I discussed in my previous post, many developers in the federal government simply don’t conduct the rigid security testing needed during the entire lifecycle of the application development process. Depending on the technical capabilities of the government information system security officer, these steps may or may not be enforced.

As we discussed, the federal government has a huge target on its back due to the sensitive information that it stores and the many enemies that it has. Legacy systems remain a huge cost and security liability for agencies. However, as they look to move forward from their legacy systems and begin to develop new applications, they need to be sure that their security testing is strict and constantly occurring during the entire development lifecycle.

Being proactive about security – how to eliminate less secure government Web applications

Government Computer News recently published an article about the security of government Web applications based on Veracode’s semiannual State of Software Security Report. What the report found was that, overall, government Web-based applications were more susceptible to attack than their counterparts in the private sector.

Why are these Web-based applications more hacker-friendly? The article claims that the platform they’re built on and the experience of the developers was to blame. However, there could be other reasons why these sites are less secure, and some simple ways to correct the issue.

The simple excuse could be that the government has a large bull’s eye on it for various reasons. Hackers and terrorists look to deface and embarrass the government for political and financial motives. This means that the government needs to be even more vigilant when it comes to compliance and security issues.

However, there are deeper and more significant problems than the increased attention of hackers. One of these issues is the government acquisition process. Many of the individuals responsible for the creation of RFPs containing software development and security requirements do not possess the requisite knowledge to write those sections. Many of these individuals don’t think to make strict security requirements part of the scope of the project.

Many times, these individuals will rely on Federal Information Security Management Act (FISMA) standards for establishing minimum security requirements for applications. Unfortunately, FISMA standards were created years ago. In the ever-evolving, constantly-shifting security environment, a few years can make a huge difference. Security threats have evolved and FISMA standards are no longer capable of securing against today’s advanced cyber threats.

The contractors that respond to these RFPs with obvious security gaps aren’t required to address the issues. In many cases, the extra time and effort needed to do so would ultimately cut into their bottom line, so they avoid it. And it’s easy to understand why.

Developers aren’t security people by nature. In fact, security is often an afterthought when developing an application. It requires going back through applications post development and testing to identify vulnerabilities. That’s an extra step, potentially extra personnel, and a huge extra cost to the contractor.

The end result? A Web application is developed for the federal government that meets outdated FISMA standards for security, but ultimately is not protected from today’s advanced threats.

This application is rolled out across the agency where it becomes a goldmine of valuable information for hackers. As the application is breached or compromised, the government goes back and improves security. This reactive nature can patch the holes, but not before information has been compromised.

But what could have been done differently?

Once again, it goes back to the acquisition process. By working with an independent subject matter expert in security, RFPs can be written to require the most recent security advancements.

On the contractor side, developers need to be trained on how to develop secure code. In addition, they need to ensure that development teams are doing testing as they create the applications. They also need to start embracing code reviews and having independent quality assurance people conduct testing for vulnerabilities. It’s also not uncommon for companies to hire consultants to conduct secure coding classes for development and testing staff.

Cyber security threats are real and they’re constantly evolving, becoming more sophisticated and increasing in number. Government agencies, which hold a wealth of information, digital records and files about citizens, are an incredibly attractive target for data thieves. It’s no longer enough to reactively plug holes in applications.

In this challenging cyber security landscape, government agencies need to ensure that applications handling sensitive data are protected against the most advanced threats. Moreover, contractors need to take the next step to educate their developers and test their work to ultimately ensure that a secure product is delivered. If both sides, the government and the contractor, take security more seriously, they can proactively stop attacks instead of triaging the damage.


Fairfax County increases efficiency by putting land use data online

For state and local governments, the storing and dissemination of records, information and data is an enormous but essential daily undertaking. From birth certificates to driver’s licenses and other important records, citizens, government employees and private enterprises need to be able to access the records that government agencies keep.

Unfortunately, for citizens, county employees and land developers in Fairfax County, Va., the ability to access the land use data that the county had on record was, until recently, a convoluted and difficult process.

This was a problem when you consider just how important land use data can be. From developers looking to identify the overall costs to purchase and develop a piece of land, to potential homebuyers looking for additional information on a home they’re considering purchasing, land use data is vital for many constituents.

The problems accessing land use data stemmed from records being kept in disparate, distributed systems and in a wide variety of formats. According to a recent article in Government Computer News, records were being stored in a variety of Oracle databases, 30-year-old mainframe applications, and PDF files. This resulted in government workers and citizens scouring multiple databases and Web sites to find the information they were seeking.

To help alleviate the issue caused by disparate systems filled with a myriad of differing records, the county began creation of a new repository for land use data. This database consolidates all data, and ingests and analyzes both structured and unstructured data, to ensure that all county land use information is entered and stored in one place.

This new online repository also is searchable in multiple ways, including by address or keyword. This makes it significantly easier for county employees to find the information they’re seeking.

So far, the system has been so successful that the agencies are switching over and pulling the plug on existing mainframes months ahead of schedule. In fact, the repository is expected to be made available to the public next month.

By consolidating the existing, mainframe-based and disparate systems storing land use data, Fairfax County has helped to greatly increase the efficiency of their workforce. By moving this information online, they’re also making it easier for developers, builders, homebuyers and other constituents to find the records and information they need.

Wave of healthcare innovation to be followed by tsunami of big data

For many Americans, the thought of growing old and being unable to take care of themselves is a real and persistent fear.

They worry about being a burden to children or loved ones. Being forced to leave homes bought and paid for with years of hard work and practically painted in memories. Having healthcare bills and frequent doctor and hospital visits drain bank accounts. It’s enough to keep many people awake at night.

However, a wave of innovation has delivered new healthcare technologies that will soon be helping to assuage these fears.

Telemedicine solutions are enabling patients to have instantaneous contact and interaction with doctors, specialists and other healthcare providers without ever having to leave their home. Monitors, sensors and other systems that can identify and report vital signs and other important information to healthcare professionals are now available.

Today’s new technologies are making it so that patients don’t need to be monitored, supervised or otherwise cared for by loved ones or healthcare professionals 24/7. They’re enabling elderly and sick patients to stay in their homes instead of moving to assisted living facilities. They’re also eliminating the punishing cost of having home health aides.

Unfortunately, adoption has been slow in the places where the technology currently exists, for example, the UK. According to a recent article in the Register, the government purchased advanced telehealth solutions to help reduce healthcare costs, only to see doctors and patients initially shun them.

That’s not entirely unexpected. Older generations currently in need of telehealth and telemedicine solutions aren’t people that have been raised around or otherwise become comfortable with modern healthcare technology. For them, the benefit of not having to leave the house doesn’t outweigh the fear that a video visit to the doctor may be inferior to seeing the doctor in person.

However, as baby boomers and other more tech-savvy generations reach this same point in their life, they will likely be far more open to these healthcare innovations. People who have embraced video teleconferencing in their jobs will be less hesitant to use it for a check-up. Younger generations of doctors and healthcare professionals will also see these technologies as ways to expand their practices and provide better care. These innovations will see increased adoption, and create another problem altogether.

The monitoring and transmission of vital signs, the electronic health records and the rest of the digital information generated by these new healthcare technologies will create a massive tsunami of data. This information will need to be stored, accessed, searched, analyzed and even shared between healthcare providers, government agencies and insurance companies.

This phenomenon is often referred to as “big data.” As an ever-increasing sea of electronic records and data flows into networks from a constantly-expanding number of endpoints, storing, managing, sharing and analyzing the data becomes a major challenge. Also, the sensitive nature of this data means that it needs excellent security.

Although today’s technologies can help to increase access to care while cutting its cost and improving quality of life for patients, they can also create serious problems for the healthcare system. Government agencies and organizations, healthcare providers, payers and other entities involved in the delivery and payment of healthcare services need to begin to prepare for the big data tsunami that is quickly approaching our shores.

Is schedule 70 wasting taxpayer dollars?

If you’ve had the opportunity to work in the federal government or have to deal with navigating the complicated federal acquisition system, you probably know about Schedule 70. Schedule 70 is a General Services Administration (GSA) acquisition vehicle that streamlines the purchase of information technology (IT) solutions for government entities.

This indefinite delivery indefinite quantity (IDIQ) multiple award schedule allows federal agencies and other government organizations to access and purchase IT products from over 5,000 certified industry partners. Unfortunately, the process of qualifying for Schedule 70 is a long and arduous one. It could also be wasting taxpayer dollars.

As announced on its corporate Web site, Edaptive was recently granted its IT Schedule 70. This is great news for Edaptive and its customers since it will now be easier for them to purchase the company’s cost saving and productivity increasing services. However, the company also saw a problem that they, and other government contractors, faced when applying for their Schedule 70.

When applying for its Schedule 70, a company must work to establish labor categories and costs. These become the categories of employees that are available when a government entity hires the company and sets the price that the contractor can charge for each type of employee.

To set these labor categories, the GSA asks for invoices from existing contracts. The invoices serve the evidentiary purpose of establishing billed labor categories and associated burdened rates that include profit (fee). By comparing the categories and rates on those contracts to what the company is proposing to the GSA, the GSA can ensure that the agencies that utilize the Schedule 70 contractor are getting a better deal. Unfortunately, the GSA will only accept certain types of contracts as proof: established commercial price lists, time and materials (T&M) contracts, and/or fixed price contracts. And this is where the problems begin.

With T&M contracts, government agencies pay monthly for a contracted employee at an agreed upon rate proposed by the government contractor. There’s little transparency to the agency, and they could be grossly overpaying for that individual’s services. However, government contractors prefer these kinds of contracts because they can generate larger profit margins, since the fee component is hidden within the rate.

Fixed price contracts are better for government agencies, but still not perfect. Although the potential for cost overruns is eliminated since a firm price is established in advance, the price being charged to the government for each individual contractor can be inflated, costing the government more than it should.

By only accepting these kinds of contracts for establishing labor categories and costs in the Schedule 70 application process, the GSA is establishing its prices on potentially inflated costs. This means that agencies electing to release contracts via Schedule 70 may be overpaying for the services they receive.

This doesn’t have to be the case. The contract type not currently being accepted as evidence by the GSA is cost reimbursable contracts. These contracts offer the best value and most transparency because the government pays for the contracted employee at their base salary, plus a burden multiplier to recover indirect costs, and finally a small fee to compensate the contracting company. This is extremely transparent to the agency and ensures that they’re not paying inflated prices with huge profit margins to government contractors. Unfortunately, the GSA doesn’t utilize cost reimbursable contracts in the Schedule 70 application process.

Part of the argument against cost reimbursable contracts is that companies are selling a person, not a labor category. I argue companies are selling both. GSA should allow 3 cost reimbursable invoices as evidence that show the labor category being billed, and agree to a discount off of the lowest rate. Why can’t that be acceptable?

With cost reimbursable contracts being prevalent within some government agencies, it’s only going to become more difficult for small, innovative companies entering the marketplace to be granted their IT Schedule 70 if they only have cost reimbursable contracts. By not considering these contracts in the application process, GSA will ultimately hinder competition and waste taxpayer dollars via inflated contracting fees.

Considering today’s difficult budget situation and the Obama Administration’s executive order to cut government waste, it may be time to reconsider cost reimbursable contracts as legitimate supporting evidence when applying for the Schedule 70.

What’s ahead for 2012? Even more government online!

This past year was an exciting one for fans of a more digital, transparent and efficient government. As we’ve discussed on Gov Online, federal, state and local governments are all embracing Web-based applications, cloud services and other advanced technologies that are delivering significant benefits.

Here is just a small sample of recent government online initiatives, and the benefits that they’ve brought to the agencies and their constituents:

· Online systems that are enabling federal agencies to increase information and data sharing are helping to fight fraud and save the government money.

· Analytics software run on data being shared between law enforcement agencies is helping to make a historically reactive criminal justice system more proactive and citizens safer.

· Virtual data centers are helping to eliminate the ever-increasing flow of data and information entering agencies without forcing the government to assume additional risk and purchase extraneous hardware.

· Online registries are helping citizens prepare for emergency medical situations and online systems are even helping constituents access government records and data.

And with the calendar flipping to 2012, the movement of systems and applications online is not expected to slow or stop. In fact, there are many trends and initiatives that we’re seeing that will make the movement online mission-critical in 2012.

Tablet computers and other mobile devices, as well as continued calls for telework and workplace flexibility, will require the mountains of paper records and data at agencies to be digitized and made available online. Mandates to cut costs, identify wasteful spending and fight fraud will continue to drive a need for information sharing and analysis. Federal data center consolidation initiatives and mandates to share services will continue to drive agencies to look to cloud-based services.

Overall, it’s safe to say that the future of government, in 2012 and beyond, is online. The end result can only be a more effective and efficient government moving forward.

We at Edaptive Systems and the Gov Online blog have been happy and honored to cover the movement of the government online in 2011. To our readers, the IT decision makers in government and those working for a better government through technology, we want to thank you for reading and wish you a happy holiday season. We look forward to following the government’s steady march towards the future with you in 2012.

Online registry helps prepare people for healthcare emergencies

The thought of going through a healthcare crisis, whether it be something like a tragic accident or serious illness, is never something fun to consider. Unfortunately, it’s something that everyone eventually will face and that requires planning, so that loved ones, doctors and others are aware of an individual’s requests and wishes.

Despite the need to consider these things and plan accordingly, most people don’t. It could be that many people, especially young people, think that they’ll never be in that situation. Some would just rather not think about something so depressing. And even if individuals do take the time to reflect and plan for these things, they often don’t share their wishes and preferences with others.

Now, in an attempt to make these plans easier to create and share for all the citizens, the Commonwealth of Virginia has launched a new online registry. This online application is a statewide initiative that allows citizens to store information about their preferences and wishes should they experience a medical emergency. This information can then be accessed should the individual be unable to express their wishes due to the emergency.

According to an article in Government Computer News, the registry, which is free for citizens to sign up for and use, is designed to accommodate medical power of attorney, do-not-resuscitate orders and other health care documents authorized by the patient.

The system is linked to the Commonwealth’s Health Information Exchange, which connects patients, health care providers and insurance payers and allows them to exchange important health and medical data.

Each individual that registers receives a card with unique registry information and a personal identification number. Should a health or medical emergency occur, healthcare providers or family members can utilize that information to access the individual’s preferences. This ensures that, even during a healthcare emergency, individuals suffering trauma or illness can have their wishes fulfilled.

Online applications such as Virginia’s electronic health care registry are making it easier for citizens to share important healthcare and medical information with healthcare providers and insurers. It’s also providing citizens with the ability to make and share the difficult plans that everyone should consider…but don’t.

Data sharing and analytics driving improved law enforcement

Law enforcement agencies are under extreme pressure to solve crimes, protect citizens and otherwise apprehend individuals who skirt or directly violate the rules which govern our country. Unfortunately, the nature of law enforcement makes it an extraordinarily reactive undertaking. After all, you can’t exactly know when and where a crime is going to be committed. Or can you…?

According to a recent article in Government Computer News, local law enforcement agencies are starting to utilize advanced technologies and systems to consolidate, analyze and interpret the mountains of data that they and other state and local agencies collect.

The data is shared between agencies, such as prison systems, police forces, departments of motor vehicles and others, and is then analyzed to help identify trends that allow police to better distribute their resources. This is extremely important in today’s economic environment where state and local governments are fighting to make ends meet and often have to cut already limited police forces.

In addition to saving money, these systems can help to better protect citizens. According to the article, these systems are enabling police to track individuals that are of interest to the police. Should they be arrested in other regions, be released from prison or otherwise have a change in their status, the local authorities are notified.

Utilizing this technology, police can even analyze whether particular kinds of crime increase or decrease when individuals are incarcerated or released. If a particular type of criminal activity increases when an individual is released, there could be a correlation.

And these Web-based applications are working. In Santa Cruz, Ca., a program designed to predict which geographic region is susceptible to criminal activity at a particular time is enabling police to alter their patrols accordingly.

The system is helping the police determine the kind of crime and potential target so they know where to look and what to look for. As a result, they’ve seen a significant decrease in crime in those areas, and in the immediate surrounding areas. That’s important since it means that the criminal activity wasn’t simply displaced.

When it comes to law enforcement, it appears that the more data that local authorities have and the more they can analyze it, the more likely they are to prevent crime, instead of just react to criminal activity. But that’s not only true in law enforcement. Analyzing and sharing data via Web-based applications is helping government agencies avoid other forms of criminal activity.

In a previous post, we discussed a program that the Centers for Medicare & Medicaid Services (CMS) runs that assigns star ratings to health plans and rewards the plans with the highest ratings financially. By creating a Web application where health plans are required to upload patient-level data about the services they are providing, CMS is ensuring that the information they provide is accurate and that the ratings aren’t fraudulently inflated.

Web-based applications are enabling civilian and law enforcement agencies to properly aggregate, share and analyze the mountains of data that they are perpetually storing. When utilized properly and shared between agencies, this data can help to ensure that criminal activity is reduced, fraud is eliminated and citizens are protected, proactively.

Online system driving better preventative care for Medicare subscribers

There’s an old saying that people tell others when something goes wrong or things aren’t going well. They say, “Well, at least you still have your health.” Ultimately, it never makes anyone feel better, but the thought is that people need to put things in perspective. Money, material possessions, none of these things are as important as being vital, healthy and alive.

People shouldn’t mess around when it comes to their health, and the government isn’t either. In an effort to ensure that health plans were offering quality service to their members, the Centers for Medicare & Medicaid Services (CMS) introduced their star rankings for health plans. These ratings are designed to rank health plans based on the quality of care they provide for their members and are posted on Medicare.gov so that Medicare members can reference them when selecting a plan.

How are the star rankings calculated? Well, health plans are required to submit Healthcare Effectiveness Data and Information Set (HEDIS) information, which measure care and service. This information is then carefully vetted by the National Committee for Quality Assurance (NCQA) for accuracy and passed on to CMS, whose vendor partners, like Edaptive Systems, utilize algorithms to assign the star ratings. Other measures of health care are also included in the final analysis.

Although this system has been in place for years, the stakes have recently been upped to drive health plans to embrace higher-quality care. CMS has instituted bonuses to provide an incentive for health plans to improve their star ratings thus improving the quality of care that they offer to their members.

Obviously, with budgets being tight and government spending being slashed due to the ongoing economic downturn, it’s important to ensure that these bonuses are truly going to health plans that are providing the type of quality service and preventive medicine that is reflected in their submitted HEDIS information. Checks and balances have to be in place to ensure that this information is accurate and true-to-life.

To help provide an additional layer of analysis in addition to the rigorous systems in place, CMS is working to establish a Web application where health plans will be required to submit patient-level data which is checked for accuracy. Essentially, they’re being required to provide the actual data about the patient, the tests or treatments they received and other information that can back up the summary data that they submitted originally. By analyzing this patient-level data against the summary data, CMS can better analyze the information they receive from health plans and ultimately ensure that the star ratings that they’re assigning are accurate.

This results in two very positive outcomes. First, the bonus incentives being given to health plans with high star ratings are accurate and the government is giving money to plans that are truly working to deliver high quality of care and preventive medical tests and procedures. Second, by eliminating any waste and providing a tough set of checks and balances, the program can truly drive lower performing health plans to improve their quality of care.

One shouldn’t mess around with their health, and a big part of preserving health is high quality healthcare. CMS’s star ratings can ensure that people are receiving quality care and the preventive medical tests and procedures that ensure they’ll stay vital and healthy. By creating this online system, CMS is enabling an incentive program that will drive improved care for Medicare patients. They’re also simultaneously preventing inaccurate claims by health plans and working to reduce government waste.

Getting the government online and ready for tablets

Tablet computers, like the Apple iPad, Samsung Galaxy Tab, Motorola Xoom and Kindle Fire, are all the rage in households across America. With a wide range of applications, from games to video communication, available in online app stores, tablets are ushering in a new age of advanced capabilities, connectivity and mobility.

It was only a matter of time before these tablets began to find their way into the workplace. As employees began demanding the same advanced, mobile capabilities on the job as they did in their homes, government agencies began to look at tablets and identify ways that they could be utilized to increase efficiency and help accomplish their mission more effectively.

In fact, it was recently reported that the VA would acquire up to 100,000 tablet computers for use in their health centers. Also, according to a Nextgov article that was published today, the Android operating system that runs on tablets and other mobile devices is expected to win approval for use on military networks by April 2012. All proof that mobile devices and tablets are coming in force to the federal government.

However, the mobility and flexibility that mobile devices, such as tablets, bring to the federal government is wasted if the information and data that agencies need isn’t available outside of the office.

For many government agencies, records are stored either physically as paper, or in secure networks. This makes it impossible to access the data stored within unless one is physically in the office. If agencies are going to truly take advantage of the mobility that tablets provide, Web applications that make data available from anywhere are essential.

The ability to pull up records and requisite information from anywhere is one of the largest draws of tablets. By moving records and data into systems where they can be accessed online, and requiring authentication to ensure only government employees can access them, government agencies can bring everything an employee needs right to their tablet, regardless of their location.

Whether it is Department of Agriculture employees in the field, or Veterans Affairs doctors in examination rooms, the applications are almost limitless.

There’s no doubt that tablets are making a huge push into government agencies. The mobility and advanced capabilities that tablets can deliver are certainly worth the investment, but to truly make tablets a mission-critical technology for agencies moving forward, government records and data need to be available and need to be online.