INPUT Government Technology Market Blog

Hackers Slide Through DHS's Network Defense; Now It's Time to Play the Blame Game

Roughly three weeks after reports surfaced of a Pentagon IT system being hacked, allegedly by the Chinese, DHS is reporting that it too is the victim of an unauthorized network intrusion that allowed the hacker(s) to copy and transfer files to an outside Chinese-language website. The hacks in question occurred over a three-month period during 2006.

As reported by the Washington Post on September 24, 2007, DHS is claiming its vendor failed to install the contracted number of intrusion detection systems, which allowed the network break-in. Moreover, once it was discovered that an intrusion had occurred, the severity of the breach was dramatically downplayed.

The process now is centered on determining fault, and truth be told, both parties are to blame. Perhaps the contractor did not meet the terms of the contract for intrusion detection services. But the fact that DHS was even unaware its vendor was not meeting its contract obligations is a problem inherent to the fact that DHS, and most federal agencies, lack adequate program management, especially in regard to IT security.

Since its inception, DHS's problem areas have run the gamut from the integration of its various network systems to the management of its procurement process. The fact that DHS seems not to know what happened with its own systems is emblematic of an agency that has struggled to blend the remnants of 22 different organizations and failed to provide enough vendor oversight along the way.

It's foolish to believe that such an event could only happen at DHS, as a shortage of procurement officials and security program managers exists government-wide. This one event will most likely not prompt other agencies to be more vigilant in auditing their vendor-supplied security systems; however, one has to wonder how severe an attack will finally have to occur before agencies get serious about IT security.

Read Washington Post Article "Contractor Blamed in DHS Data Breaches"

Over $100 Million Available for New York's Health IT Infrastructure

On September 28, 2007, New York's Department of Health (DOH) will host an applicant conference to discuss the $105.75 million in funding that is available to promote health IT (HIT) community collaborations throughout the state. The DOH recently released a request for grant applications (RGA) for the Health Care Efficiency and Affordability Law for New Yorkers Capital Grant Program (HEAL NY Program) Phase 5 HIT grants.

The HEAL NY Program was established three years ago to invest funding to improve patient care and to create health care efficiencies. To date, over $300 million in awards have been made.

The Phase 5 HIT Grants will provide funding for health information infrastructure projects to build upon the first phase of the HEAL NY program, which awarded funding for regional collaborations to advance interoperability by creating online health networks, web-based Electronic Medical Records (EMRs) and ePrescribing capabilities.

The grants will be awarded for projects that support HIT priorities such as clinical investments and patient care improvements in three categories of applications for New York's HIT framework, including the Statewide Health Information Network for New York (SHIN-NY), Clinical Information Systems (CIS), and Information Tools for Clinicians, Consumers and Community (3Cs).

New York is only looking for Regional Health Information Organizations (RHIOs) and Community Health Information Technology Adoption Collaborations (CHITAs) to submit applications. The RHIOs are required to be non-governmental organizations in New York. The RHIOs will partner with health information service providers (HISPs) or vendors for technologies such as software or technical integration services. The CHITAs, or collaborations of ambulatory clinicians and provider participants, are required to have a participating entity that will act as the lead applicant in contracting with the state.

Awards can range from $1 million to $10 million over a two-year period, with an option to renew the contract for up to two additional one-year periods for project completions. Questions are due October 12th and the deadline for applications is November 19th. It is expected that agreements will begin around the first quarter of 2008.

INPUT's Take:

With the upcoming release of a state strategic HIT implementation plan and this additional big-money funding, New York has emerged as an investment leader in advancing HIT adoption. In the Phase 5 HIT grant, the DOH is only inviting two types of eligible applicants to submit applications: the RHIOs and CHITAs. However, vendors in this market space are encouraged to review the state's HIT strategy and activities, and participate where they can. There will be an advantage for the collaborative organizations that have already selected vendors, as the grant evaluation process will take into consideration the applicant's readiness to begin the projects.

Broadband Roundtable Town-Hall Meeting at COVITS

The 2007 COVITS (Commonwealth of Virginia Innovative Technology Symposium), hosted by Virginia Secretary of Technology Aneesh P. Chopra, took place September 17th-18th at the Westfields Marriott & Conference Center. In its ninth year and first visit to Northern Virginia, COVITS attracted senior-level executives and decision makers in technology from state and local government, business, and education. This year's conference also served as the venue for a "town-hall" style meeting for the recently announced Broadband Roundtable.

The Broadband Roundtable, which is co-chaired by Mark Warner, former Governor of Virginia, and Secretary Chopra, is divided into sub-committees (Broadband Adoption Measurement, Technology Blueprint, Innovative Applications, Business Models, and Community Outreach) and consists of what most would agree is a true all-star cast from the public and private sectors. Arguably, the most notable members of the Roundtable are Dr. Raj Singh and Dr. Bob Kahn. The former is a humble billionaire and pioneer of the wireless industry; the latter is widely regarded as one of the founders of the internet. Dr. Ted Rappaport, founder of TSR Technologies, Inc. and Wireless Valley Communications, Inc., and electrical engineering professor at the University of Texas, will be the staff advisor to the Broadband Roundtable.

Dr. Rappaport was also present at this town-hall meeting, along with other members of the Roundtable who were there to showcase each sub-committee's current efforts and future plans of action, as well as to engage all attendees in a discussion about the lack of broadband access in Virginia. During these discussions, the digital divide in the Commonwealth became painfully obvious and very real, as even members of the Roundtable made it known that they found themselves without access to high-speed internet at home. Fortunately, the Roundtable is taking it back to basics, and has charged the Broadband Adoption Measurement sub-committee with first defining the key metrics of which technologies and speeds constitute broadband for Virginia. According to the Federal Communications Commission (FCC), broadband service is generally defined as "data transmission speeds exceeding 200 kilobits per second (Kbps), or 200,000 bits per second, in at least one direction."

The FCC's definition has been heavily criticized by consumer advocacy groups as being "ridiculously low," especially in comparison to other nations of the world. For instance, the National Broadband Task Force of Canada described broadband in its June 2001 report as "... a high-capacity, two-way link between end user and access network suppliers capable of supporting full-motion interactive video applications" with a "minimum symmetrical speed of 1.5 megabits per second per individual user." It should be no surprise that the United States is ranked 15th in the world in broadband subscribers per 100 inhabitants, according to the December 2006 Broadband Statistics Report from the OECD. In the United States, Georgia is currently leading the way in broadband, with Alaska in the #2 spot (having jumped from 50th in 2002). Still, the Commonwealth of Virginia, which ranks 13th in the nation, remains ambitious in its broadband efforts. In fact, Governor Tim Kaine calls for 20% of eligible Virginia state workers to telework by 2009, and for all businesses in Virginia to have access to broadband by 2010.

INPUT's take:

The Broadband Roundtable's ongoing efforts may require future vendor assistance, as they evaluate and empower local partnerships through the Public-Private Educational Facilities Infrastructure Act (PPEA) to meet the Governor's goals and initiatives for high-speed internet in the Commonwealth.

The $215 to $300 Billion Dollar Problem

On September 20, 2007, Washington Technology held a half-day event focused on "Moving Forward with Government Health IT". The keynote speaker, Dr. Kevin Stephens, Director, City of New Orleans, gave an engaging speech from the government perspective on health IT and the need for an electronic patient-centric system. He provided compelling evidence of the need to implement new technologies, such as electronic health records (EHR), through personalized stories of the impact Hurricane Katrina had on the health care delivery system in New Orleans.

The remainder of the event was dedicated to a panel discussion by vendor industry experts, which included Alan Boucher, Director, Healthcare Platform Architecture, Intel Digital Health Group; Mike Cowan, MD, Chief Medical Officer, BearingPoint; Jack Varga, MD, Medical Director, EHR Center for Excellence, EDS; and Robert Wah, MD, Chief Medical Officer, CSC. Each panelist presented their take on the health IT market, its challenges, and next steps. Alan Boucher emphasized how "huge" the health IT market is, commenting that health IT is a "$215 to $300 billion dollar problem". The panel agreed that the sluggish-at-best changes within the system are due to two chief problems: the lack of public policy and opposition from physicians. Physicians are concerned about malpractice, liability issues, costs, and sharing information with other physicians they do not know or trust. Mike Cowan highlighted the need to provide incentives to motivate physicians, such as tax credits for software and hardware applications. Several panelists repeatedly stated that software is not the problem; the problem is inefficient networks. Discussions wrapped up with talk of states like New York, Florida, and California, which are beginning to take a leadership role in providing funding and expediting the process; other states may follow suit.

INPUT's Take:

  • States are well-positioned to influence HIT adoption and need to take advantage of their front-seat role in moving forward with attempts at collaborative electronic health information exchange

  • States may set aside funding for the adoption of statewide EHR systems

  • Public policies, especially the activities of AHIC 2.0, will be crucial to getting all stakeholders on board

Emergency Notification in the wake of Virginia Tech Report

Late last month, Virginia's Review Panel released its report findings regarding the senseless tragedy which befell that campus in April of this year. Whether because we are headquartered in Virginia, have several Virginia Tech alumni on our staff, have loved ones attending similar colleges across the country, or simply because we are public safety analysts and these are the types of incidents we study – we've all been riveted by this story and shaken by its closeness to home.

The report included three recommendations about emergency notification systems and reminds the governor, Tim Kaine, that all colleges and universities must comply with the Clery Act, which requires timely public warnings of imminent danger. It's not surprising that INPUT is tracking an increased number of opportunities for campus-wide emergency notification systems. Some examples include:

· University of Colorado – Emergency Notification System (Opp ID 42340)

· Montgomery County School District (Alabama) – Emergency Notification System Rebid (Opp ID 42516)

INPUT's Take

  • As many state legislatures were out of session when the Virginia Tech report was released, INPUT anticipates many states will discuss the report findings and how it may apply to their own university and community college systems in upcoming sessions.

  • In addition to an increase in the number of emergency or mass notification system acquisitions, INPUT expects many states will choose to more tightly integrate mental health services provided by state and local governments with university health systems. Therefore, we could see future opportunities for data transfer and reporting between these public agencies.

GAO Finds Information Technology at Veterans Affairs Is Still Far from Secure

In a review of the progress the Department of Veterans Affairs (VA) has made in improving its information security, the General Accounting Office (GAO) released a report, Sustained Management Commitment and Oversight are Vital to Resolving Longstanding Weaknesses at the Department of Veterans Affairs. The report concludes that despite efforts to implement initiatives to strengthen its IT security, VA remains vulnerable.

As far back as 2005, VA began restructuring its management organization in order to provide better oversight and financial controls when purchasing IT systems. Other improvement efforts include developing an information protection program, improving the agency's incident management ability, and establishing an office for IT oversight and compliance. Following the theft of a VA laptop from an employee's home that included personal information on over 26 million active military and retired personnel, VA began an agency-wide effort to add encryption software to laptops across the agency. However, efforts to improve its IT security have fallen short in many regards and, as a result, VA's IT security remains vulnerable.

According to GAO, the areas of concern that continue to stall the improvement of security across VA include the following:

  • since June 2006, the position of chief information security officer has remained empty. This has left IT security initiatives without an internal advocate, making it more difficult to push some initiatives through;

  • despite the restructuring of the IT office that has taken place, the responsibility for managing and implementing security programs remains decentralized. Additionally, the process guiding coordination of security between VA's officials has never been formally documented;

  • VA's Office of IT Oversight and Compliance does not possess established criteria on which to base its examinations, so facilities across VA may be evaluated against different standards;

  • even though VA has been advocating the use of encrypted thumb drives and adding encryption software to laptops, the agency has not established a policy to define which devices require encryption; and

  • within its procedures for incident response, VA has not defined the manner in which its facilities can seek advice from other agencies in handling incidents.

From Hacker to Hacked: China Claims Massive Network Intrusions, or Is It Crying Wolf?

Never one to sit idly by while being accused of unethical practices, China is now pointing its finger at the US, claiming that its computers containing political, military, and scientific secrets were infiltrated by outside sources. In this instance, Chinese officials are claiming that a majority of the computers used in the intrusion were based in the US.

While it is certainly possible that the US simply was "caught with its hand in the cookie jar," another plausible scenario is that China is simply trying to cover its tracks by casting itself as a victim. After all, intrusions into high-level government computers have also been reported in London, Berlin, France, and New Zealand, and while no country has officially accused them, all eyes have initially pointed at the Chinese government.

Realistically, the fact that such attempts at espionage are taking place should not be a surprise to anyone. Since the Internet became such a prominent piece of everyday life, the idea of cyber warfare has been part of military strategy, to the point that most developed nations have created distinct commands dedicated to the protection and infiltration of information systems, such as the Air Force Cyber Command (AFCC). However, advancements in detection technology have significantly improved the ability to track where attacks originate, making it easier to identify aggressors than was previously the case.

The problem lies in the fact that while the originating country of an attack can typically be identified, officials must be careful in making accusations because the technology is not specific enough to determine whether the attack originated from government computers or not. It is becoming more common for vigilante hacking by private citizens and corporations to take place on behalf of governments. Thus, future responses will most likely be dictated by the sensitivity of what, if anything, was actually taken and by whether the origin of the attack can be determined with certainty.

The number of reported instances will only increase globally because, despite the fact that sources of attacks can be traced to specific countries, governments have the benefit of deniability by simply claiming the attacks did not originate from government computers. Without the ability to prove otherwise, opposing government leaders will have to temper their response, publicly at least, until there is emphatic proof that the intrusion was a case of sponsored espionage.

As technology evolves, so too will the face of cyber warfare. It is only a matter of time before an attack of significance happens, and based on the current state of IT security in the U.S. federal government, the best a targeted agency can hope to do is detect the intrusion early enough to prevent any significant damage from occurring.

$170 Million in Failed IT Projects – Seeking Efficiency and Accountability

Wisconsin Assembly Speaker Mike Huebsch (R) created the Speaker's Task Force on State Information Technology Failures, charged with investigating more than $170 million in recent failed or troubled state IT projects. However, the Task Force's final recommendations have received mixed reviews regarding what should be the leading factor of a reform plan for the state.

Despite conflicting arguments, the recommendations echo positive attempts to effectively and efficiently improve all steps involved in a state IT project lifecycle. Nearly all Task Force members support long-term improvements in project development, procurement, and oversight. Acclaimed suggestions include a statewide implementation of uniform IT procedures for projects over $1 million; clear-cut project requirements; smaller project sizes to best manage scope and identify problems earlier; use of off-the-shelf systems when possible; project completion on time and within budget; revision of the procurement process to ensure successful project delivery; and partnership with other states to share information and techniques on IT projects.

With $170 million in failed IT projects, the Task Force recommends the creation of an Executive CIO with oversight, accountability, and enforcement powers. Enforcement is a daunting task for all states but, as seen in the case of Arkansas, it does not appear to be effective if it rests solely under the power of a CIO. If we think of CIOs as sitting on a three-legged enterprise IT stool, where enforcement is often the shortest leg, the Arkansas CIO sat on a "wobbly stool" until the state consolidated and centralized its IT enterprise by eliminating its Executive CIO. Wisconsin could sit on a balanced stool if, instead of creating an Executive CIO, it directs oversight and enforcement of IT standards to its Department of Administration and develops long-term improvements in project development, management, and oversight.

INPUT's Take

  • Over the next couple of weeks, the Wisconsin Legislative Council will develop a report largely reflecting the Task Force recommendations. The report will serve to draft future legislation.
  • Vendors should watch closely the developments in the reform plans implemented by both Arkansas and Wisconsin, which at this point appear to be taking different approaches to effectively using taxpayers' money.

Niche Technologies to Play a Big Part in Real ID

With all of the discussion about Real ID, there's one major thing that drivers are thinking about – painfully long lines at their local DMV office. As currently proposed, every citizen will need to bring a "photo identity document" which documents their birth date, address, and Social Security number. U.S. citizens will have to prove their status and foreigners will have to show a valid visa. State DMVs will have to verify that these identity documents are legitimate, digitize them, and store them permanently. In addition, Social Security numbers must be verified with the Social Security Administration, a process that can add several minutes to each transaction.

The good news? Technology is poised to save the day (or at least part of it) by reducing some of the wait time.

Currently, citizens wait in line at the front desk, tell the clerk the type of transaction they need to make, receive a number, and proceed to a waiting area. When the next available clerk is able to handle that specific type of transaction, the customer's number is displayed or the citizen's name is shouted across the waiting room.

With the new, more technologically advanced queuing systems, much of this process changes. Many citizens can avoid the front desk clerk and use kiosks to identify their transaction type. With additional efficiencies built into today's queuing systems, including backend reporting, reduced wait times are a reality. And queuing systems are just one of many technologies available to the DMV.

Other solutions include the ability to schedule an appointment time for your DMV business using a web-based scheduling application. Some DMVs recently started allowing customers of some large insurance companies to renew their vehicle registrations online. Voice recognition phone systems that tell customers how long they might expect to wait in line are being tested.

Some states that are currently studying ways to improve DMV technology, business processes, and Real ID compliance include:

INPUT's Take

As Real ID becomes, well, more real – expect to see the demand for technologies to decrease customer wait times. Many states have decided not to ignore Real ID requirements and they'll want to gain back some of the customer service improvements they've made over the last several years.

Health IT: Will IT Vendors Be Eligible for Membership in AHIC 2.0?

The September 5, 2007 American Health Information Community (AHIC) technical meeting had a more structured and informative agenda than its predecessor, which was held on August 17, 2007. The central theme revolved around the proposed public-private collaboration, also known as AHIC 2.0. AHIC 2.0 will be the successor of AHIC, the current health information technology (IT) federal advisory committee.

The primary speaker, Robert M. Kolodner, M.D., the National Health IT Coordinator, delved into the AHIC 2.0 vision, membership criteria, eligibility, board member selection, voting rights and the grant process. Attendees and internet-based viewers were presented with visual aids, such as models and diagrams to assist in comprehending the proposed organizational structure and strategic objectives. A sizable portion of the meeting was spent reviewing the various sectors of the health IT community, such as physicians, consumers, and employers, that will be represented via membership in the collaboration. Noticeably absent from the list of potential sectors was the IT vendor community.

During the question and answer period, an individual asked Kolodner the rationale behind the decision to exclude the vendor community. The response was that IT vendors were consciously left out due to their potential to benefit from the activities of AHIC 2.0. However, Kolodner noted that this issue may be reconsidered when the planning board meets to finalize plans and by-laws of AHIC 2.0. Kolodner went on to add that vendors may have the ability to participate on an individual basis as part of the consumer sector or possibly in the employer sector.

The Department of Health and Human Services (HHS) has allocated a $13 million grant to fund AHIC 2.0 over the next two years, and an award is expected in November. HHS representatives indicated that the agency is not seeking a technology vendor to lead the effort. The estimated timeline is broken down into two stages: stage one is a four-month design and establishment period, and stage two is the operational, self-sustaining period.

INPUT's Take:

Since the planning of AHIC 2.0 is still in the early stages, there is a potential for the planning board to reverse the decision to exclude IT vendors. However, there is no guarantee that such a reversal will take place. In the meantime, invested vendors should continue to follow the AHIC 2.0 activities to determine where they might fit into the grand scheme, whether as consumers, employers, or directly as vendors. IT vendors are at the forefront of the latest technologies, perform implementation tasks, and experience system successes and failures firsthand, so their input could be very valuable to AHIC 2.0.

AHIC will continue to accept public questions and comments until September 10, 2007; interested parties are encouraged to submit.
