Defending Data at the Department of Veterans Affairs

What The Scandal Gets Wrong about Cybersecurity

An illustration picture shows a projection of text on the face of a woman in Berlin, June 12, 2013. Pawel Kopczynski / Courtesy Reuters

There is a hilarious scene in the 1991 movie “L.A. Story” in which the protagonist, Harris (Steve Martin, who also wrote the screenplay), is mugged on a busy street as he withdraws cash from an ATM. The cavalier crook happens to be next in an adjacent line of stalkers, and he introduces himself as “your robber today”; Harris hands over some of the freshly delivered bills, as if paying a child an allowance. The exchange is as casual as one between strangers swapping business cards in a coffee shop. Martin could not possibly have anticipated in 1991 how that scene would play out two decades later, with the ubiquitous ATM replaced by an electronic infrastructure that delivers not just cash but information more valuable than money. To a large and disturbing extent, we’re all Harris now.

A similarly surreal scene unfolded recently during the stage-play of congressional outrage about the alleged exposure of electronic patient health records at the Department of Veterans Affairs (VA), which was triggered by the public testimony of a former official who claimed that specific nation-state hackers had had “unchallenged and unfettered access” to VA systems. The problem is not that there are newly discovered security holes in the information infrastructure at VA. Rather, it is that Congress, acting as Harris, has effectively conceded the high ground.

In the specific case of VA, there is no evidence that any patient record was exfiltrated. Of course, it is conceivable that a foreign agent made a digital copy of sensitive health information and secreted it out through the network undetected. If that happened -- and at this point there is only speculation and accusation -- it represents a serious and scaled breach of personal data at the nation’s largest integrated hospital network. The root issue is that network operators and information officers can almost never prove that a data file was not electronically pilfered. The old aphorism “absence of evidence is not evidence of absence” is apt, though “

Loading, please wait...

This article is a part of our premium archives.

To continue reading and get full access to our entire archive, please subscribe.

Related Articles

This site uses cookies to improve your user experience. Click here to learn more.