Systems Engineering Solutions (SES) Corporation achieved its first ever ranking on Washington Technology’s annual Fast 50 list of the fastest growing small businesses serving the government market. Based on a compounded annual growth rate of 42.7% over a five year period ending in 2019, SES was ranked by the publication at 30th among the top 50 companies. “This achievement is a reflection of the entire SES team’s outstanding commitment to driving mission success for our customers,” said SES CEO Suketu Sonecha. “Sustained growth over multiple years is no easy task. That’s why it’s extremely gratifying to be recognized for that accomplishment, especially since it would not have been possible without the collective dedication of the entire SES family of team members and partner companies.” SES growth has been fueled by major projects with the U.S. Census Bureau, the U.S. Department of Veterans Affairs, General Services Administration (GSA), US Housing and Urban Development (HUD), among other agencies – all part of a rich past performance archive in Infrastructure, Systems Integration & Test, Program Management, and related services across diverse Government IT environments. Our wins frequently come down to the technical merits, our mission-driven culture, and how we holistically combine the two at the deepest levels of IT systems to unlock value and accelerate mission success for our customers. Washington Technology was founded in 1986 as a source for in depth coverage of government programs, technologies and spending priorities – as well as management issues, case studies, and industry trends that impact the contractor community. A showcase for the government market’s fastest-growing small businesses, the 2020 Washington Technology Fast 50 list ranks organizations by their compound annual growth rate from 2015 through 2019. About SES Corporation Systems Engineering Solutions Corporation (SES) is home to Government IT’s most experienced and dedicated technologists, with core capabilities in Program Management, IT Modernization, Systems Integration & Test, and Integrated Security. Our industry-leading technical credentials allow SES to dive deeper than anyone into Government’s most complex IT architectures – securely, and with a service-driven culture that absorbs the customer mission as our own. The result is better enterprise strategy and execution for our customers, and the assurance that even the most granular decisions around tools, technologies, and processes remain guided by that mission to modernize agency operations and serve citizens. More information at sescorporation.com. Contact: [email protected]
2 Comments
"This article, co-written by SES VP for Growth and Director of Cybersecurity Justin Petitt (with Myriddian LLC's Larry Letow), originally appeared in U.S. Cybersecurity Magazine." The COVID-19 pandemic requires organizations and individuals to embrace new practices such as social distancing and remote working. While the world is focused on the health and economic threats posed by COVID-19, cyber-criminals around the world are actively capitalizing on this crisis. Organizations around the world have instituted remote, work-from-home policies. While some organizations have maintained a robust remote work structure for years, many organizations had few full-time remote workers and typically restricted most employees from working at home. However, even with organizations that had previously maintained a remote workforce, the breadth and depth of remote work have dramatically increased for all parties. Business units and critical functions that have never been done remotely are now required to operate in a fully remote mode. During these rapid changes, security experts are rightly pondering what new risks are being actively introduced. INCREASED SECURITY RISK FROM REMOTE WORKING With large percentages of employees working from home and students learning virtually, enterprise Virtual Private Network (VPN) servers have now become a lifeline to companies and schools. Their respective security and availability will be a major focus going forward. However, there’s a possibility that an organization’s unpreparedness will lead to security misconfiguration in VPNs, exposing sensitive information on the internet, and also exposing the workstations and servers to Denial of Service (DoS) attacks. A lack of IT qualified, secured resources can bite many organizations as they move to enable remote strategies. With large percentages of employees working from home and students learning virtually, enterprise Virtual Private Network (VPN) servers have now become a lifeline to companies and schools. When employees and students are sent outside the normal IT perimeter, managing device sprawl and patching/securing hundreds of thousands of endpoints becomes a much bigger challenge. In addition to this, many users end up utilizing personal computers to perform official duties, and vice versa. This compounds the potential risk to organizations. Organizations should ensure that VPN services are safe and reliable, as there promises to be a lot more scrutiny against these services. Furthermore, employee policies should be both clear and enforced against using personal computers for official purposes. Phishing campaigns related to COVID-19 are increasing. For example, many are well-disguised as reputable health organizations. Cybercriminals are sending emails with malicious attachments or links to fraudulent websites in order to ploy victims into revealing sensitive information or donating to fraudulent charities or causes. Attacks like these can propagate quickly and extensively, impacting an entire enterprise network. Furthermore, these attacks directly contribute to identity theft and submissions of fraudulent claims for payments and benefit programs. DELAYS IN RESPONDING TO CYBER-THREATS The functioning of many security teams is likely to be impaired due to the COVID-19 pandemic and their extra duties. These added pressures make detection of malicious activities difficult at best, while they make responding to these activities even more complicated. Updating patches on systems may also be a challenge if security teams are not operating at typical efficiency. Organizations should evaluate the security defenses they have in place and explore the use of co-sourcing with external consultants. This is especially true for areas where key main risks have been identified. INFLUX OF CYBERCRIMINALS Globally, many companies are downsizing their workforce to cope with the effects of this pandemic. This level of impact can often be an impetus to encourage the growth of cybercriminals. Those who feel attacked or under-valued may see an opportunity to earn money or just extract their pound of flesh by way of this pandemic. Organizations that are considering laying off staff should enforce proper exit plans, with accessibility and infrastructure components clearly tracked and managed. EVALUATING INSIDER THREATS With the rise of employees teleworking, organizations have never before been under such significant risk to ensure the security of their enterprise. The average annual cost of insider threats has skyrocketed in the last two years, rising 31% to $11.45M. Under the new paradigm of telework, there is greater opportunity for security incidents and greater data security responsibility with less oversight. Remote work poses its own challenges for enterprise risk managers as well, such as addressing evolving vulnerabilities and threats unique to new environments. One area that will need to be monitored, now more than ever, is that of the Insider Threat. Risk management and security leaders need to manage the delicate issue of the Insider Threat during a time when many employees have concerns, need support, and require protection. Employees subject to new working arrangements may well react maliciously due to limited hours, lowered compensation, reduced promotion opportunities, and even expectations of redundancy. These concerns at work can be compounded by increased levels of stress outside of the work environment due to worries about the health of their families, livelihood, and uncertainty about the future. Under these conditions, employees might become resentful or disgruntled towards the organization. This could result in occurrences of information leakage as well as the theft of intellectual property. Employees subject to new working arrangements may well react maliciously due to limited hours, lowered compensation, reduced promotion opportunities, and even expectations of redundancy. The most significant complication in addressing the Insider Threat in a COVID-19 remote workforce world is that the security controls designed to monitor and capture activity may not be as capable as they were in the traditional on-premise world. Employees may be connecting from new devices and new networks where the security controls aren’t on par, or sharing a network with compromised equipment. Therefore, organizations should conduct an insider threat risk assessment on their critical business functions: How do employees connect to the applications that are in scope? What types of devices are the employees now using? What security controls are in place to capture activity and alert upon suspicious behavior? In the pre-pandemic world, identifying Shadow IT was easier; outbound web traffic would often be used to identify services procured outside of the IT department. However, that traffic is now being routed through ISPs like AT&T and Spectrum. In response, organizations should work with accounting departments to identify Shadow IT expenses. Once identified, these services and applications should be incorporated into Single Sign-On (SSO) solutions with Multi-Factor Authentication (MFA) enabled. When it comes to identifying insider threats, it is all about visibility. The adage “logs or it didn’t happen” is applicable. Companies must ensure that the tools for monitoring the remote workforce are effectively deployed. POST COVID-19 CYBERSECURITY POSTURE The COVID-19 pandemic has caused a huge strain on the global economy, with some experts predicting a recession as part of the after-effects of the pandemic. Organizing COVID-19 pandemic strategies might include downsizing by cutting off business lines considered non-critical. This may include cybersecurity operations. However, this short-term plan might prove to be “penny wise and pound foolish” in the long haul, as this will further increase the impact of attacks on the organization. Organizations are advised to update their Continuity Plans and remote working policies/practices whilst prioritizing cybersecurity during the post COVID-19 re-strategizing process. These potential threats are placing significant stress on many enterprises, who are already operating on tight financial budgets with respect to IT infrastructure maintenance. Personnel and Systems Administrators, already tasked with tremendous workloads, are having to pivot in real-time to address user concerns related to remote access. This is all while ensuring that the strength of the organization’s security posture is robust and sophisticated to prevent unwanted intrusions. Security teams need to adjust their threat detection and response approach to address new threats to networks and endpoints, as the shift to remote working has created different challenges. But this can come at a detrimental cost that potentially leaves the organization open to exposure. Furthermore, it is becoming increasingly difficult for organizations within the IT realm to provide 24×7 support during this time. Teleworking employees are often challenged to provide the same level of customer support necessary during this period without their full access to infrastructure and resources. This challenge is reflected in the quality of services delivered. Organizations are unable to boost productivity due to constrained budgets and diminishing revenue forecasts. This, in turn, places even greater stress on existing personnel. During this time, it is common that organizations are genuinely re-thinking global operational strategies, including IT policies and procedures. Implementing new guidelines, while essential, requires Systems Administrators to pivot from the help-desk role of assisting employees to focus on longer-term strategies and solutions. With limited funding to augment the workforce, this poses a genuine concern for all organizations. In an era of cyber-everywhere, with more technological transformation, the use of cloud, and broader networking capabilities, the threat landscape continues to increase. Cybercriminals will look to attack operational systems and backup capabilities simultaneously in highly sophisticated ways, leading to enterprise-wide destructive cyberattacks. Organizations can improve their defense posture and attack readiness with good cyber-hygiene, incident response strategy, architecture, and the implementation of cyber-recovery solutions to mitigate the impact of cyber-attacks. A viable cyber-resiliency program expands the boundaries of traditional risk domains to include new capabilities like employee support services, out-of-band communication and collaboration tools, and a cyber-recovery vault. COVID-19 will change our lives forever with new work styles, new cybersecurity issues, new proposed policies, personal hygiene, and more. The fight against this pandemic is not just for the organization, employee, or customer; it requires a joint effort from everyone. It is also apparent that after COVID-19, organizations will need to rethink their cyber-risk management measures. Cyber strategies should converge across business, operations, business continuity/technical resilience, and crisis management functions, as well as employ unique methods that reveal network exposures, detection of advanced threats, and discovering systemic Incident Response process gaps. Organizations should ensure their detection and alerting capabilities are functional while keeping an eye on the impact of having many remote workers. "This article, by SES Chief Operating Officer Seth Hirsch, originally appeared in the online publication HIT Consultant." Just a few weeks ago, the mood among technologists in the Coronavirus pandemic remained cautiously optimistic about reopening society with the help of testing data, contact tracing apps, and other IT-enabled resources. But the recent spike in illness – 1.9 million new US cases in July, more than double any other month – is a sobering reboot on a crisis we now understand needs far more IT and data coordination than previously recognized. The emerging consensus among epidemiologists is that testing and contact tracing alone are no longer sufficient to contain the virus at its current rate of transmission. Instead, many are calling for more coordination and resources to collect and manage disease data on both a national and international level. Let’s take a closer look at the ways IT providers can best support these enhanced requirements – and how success involves nudging Health IT architectures and processes to be more strategic, coordinated, and standardized with data they use in the fight against COVID-19. A “National Weather Service” Model for Data-Driven Disease Surveillance The troubling spike in COVID-19 cases is proof we need more testing, but the challenge has gone far beyond just that. Many contact tracing efforts deployed in conjunction with testing have stumbled; and even though new contact tracing apps continue to hit the market, some experts now view even the best of such efforts as “moot” given the current volume, velocity, and severity of the spread. It’s clear we need a higher level of coordination – something Johns Hopkins University epidemiologist Caitlin Rivers likened in a recent Foreign Affairs article to “the contagion equivalent of the National Weather Service” – to get, and then manage, large sets of public health data streaming into agency servers. It’s an apt analogy, given how each use case involves information that is changeable and geographically disperses; consists of vast amounts of structured and unstructured data; and involves life or death consequences when data is poorly managed. It’s also clear that, while some authoritarian countries can mandate the gathering of personal health information in disease surveillance, any globally-relevant IT strategy will need to rely on buy-in from the public, and do so on an international scale to match the scope of the pandemic. “The winning approaches in technology are going to be the ones that realize the underlying challenge is a cultural one – with your solution designed around the realities of a stressed out, fearful population whose buy-in you’re going to need,” said George Mason University global health expert Gary L. Kreps, Ph.D., FAAHB, in an interview for this article. Dr. Kreps, who also served as founding chief of the National Cancer Institute’s Health Communication and Informatics Research Branch from 1999 to 2004, currently runs an international research consortium that provides 15 different countries with culturally adapted versions NCI’s Health Information National Trends Survey (HINTS). “Especially in a global crisis like this, you need to position health information within an atmosphere of trust and transparency,” he told me. “Show what’s successful, help governments and populations around the world to understand what goes into that success, and then encourage them to model and apply that success in ways that make sense locally to them.” The good news is that, especially when rendered as part of a scientifically sound and culturally sensitive strategy, the right health IT practices and systems can effectively support the new levels of coordination and efficiency we are going to need for advanced COVID-19 disease modeling. Faster, Better, Data-Driven Disease Surveillance As I mentioned, our most immediate and outsized priority is better collection, standardization, and reporting of data. Unfortunately, research led by former CDC Director Thomas Frieden found that states are reporting only 40-percent of the data needed to fight the pandemic in the first place. Further, once data is collected, statisticians claim gaps in data infrastructure present hurdles to its full analysis. Such shortcomings must be addressed to improve standardization and alignment of both the gathering and analysis of data. This will require not just better data standardization, but also improved governance and quality assurance as data courses throughout the entire system or product lifecycle. I’ve often mentioned the ANSI-accredited Fast Healthcare Interoperability Resources (FHIR) framework as a step in the right direction. Process improvement and better IT records management will also help. And we should abide throughout to ensure reproducible research so processes can be repeatable and scalable – especially when large data sets are involved. These improvements in how we collect and manage data will lay a more solid foundation for both basic analysis and more advanced AI and ML applications that power real-time mapping of cases, mobile app interventions, estimates of unreported infections, and other advanced processes. Such capabilities energize people like Robert Jennings, Executive Director of the CDC-affiliated National Public Health Information Coalition. “The more complete and coordinated we can be in the gathering of public health information,” he said in a separate interview for this article, “the clearer the picture we’ll have of the crisis and how to fight it!” A Shared Mission on Data Integrity Against the backdrop of inadequate national and international coordination I mentioned earlier, the takeaway is clear: It’s up to each of us as technology providers to model leading practices on data integrity and harmonization wherever we see an opportunity – to pilot approaches and socialize the success stories. As just one example, you may pilot ways to align various standards and protocols you encounter with a master data management approach that’s enhanced and tailored for COVID-19 analysis. Chief among your goals should be to establish a clear understanding of the core data entities and any relevant context: Is it imaging or genomics data? Is it information about a diagnostic or an antibody test? Was the personal health data collected legally/ethically, and therefore is usable? Grasping these differences will help align our management of data as we navigate the collective, global IT cause against COVID-19 and all future public health threats. The more we as technology providers support this alignment toward our shared mission, the more effective our efforts will be to support the response and save lives. This article, by SES Chief Operating Officer Seth Hirsch, originally appeared in the Journal of the Health Information Management Association. The early months of the COVID-19 pandemic have presented massive societal and technological challenges. In particular, health IT systems everywhere are being tested by increased demand for services and the need for a remote workforce. These challenges will continue as social distancing restrictions loosen and the healthcare system moves to minimize health impacts. Just as anti-lock brakes and traction control systems work together to constantly sense, adjust, and respond to road conditions, our society and technology will need to calibrate as we reopen—take action, observe the impacts, and adjust accordingly. This will be the case for everything—from contract tracing and disease surveillance to health research and shifting medical personnel and supplies to emerging hot spots. To achieve this, current systems need to be secure to help lay the groundwork for new capabilities and innovations. It’s important to remember Hippocrates’s ancient creed--first, do no harm—by honoring all applicable compliance, data security, and privacy regulations. Coping with Immediate, Unprecedented Bandwidth and Capacity Strains With each passing week, the coronavirus pandemic continues to separate the digital wheat from the chaff—especially in government, where the challenges are magnified by the highly regulated nature of the work. Much of the pandemic-related pressure falls especially hard on the public health system—including the US Department of Health and Human Services (HHS), the Centers for Disease Control and Prevention, and the National Institutes of Health, as well as a network of other public and private sector organizations. If bandwidth and capacity issues can challenge Facebook—a company flush with resources and famously proactive about system reliability—they can hobble any organization. Even in the best of times, disease surveillance and mitigation is no easy task, especially when one considers that healthcare lags behind other sectors on infrastructure and security investments. Now the job is even more mission-critical, especially in light of a 15-fold or more increase in telemedicine and crushing new demands for reliable infrastructure and radical innovation. While the scale and impacts may be unprecedented, the solutions involve some basic blocking and tackling, such as capacity planning, performance testing, and vendor management. Whether the system is dealing with a pandemic or a steady state, there still needs to be processes to estimate the need for storage, software, and network connectivity resources over time. Regardless of the scope, the questions are the same for all types of systems:
The same goes for regulatory compliance. Look no further than the rush to embrace teleconferencing platforms; necessity may be the mother of IT adoption, but due diligence can’t be avoided in the process. Otherwise, security and privacy pitfalls can jeopardize user trust. The takeaway is clear: No matter how bright and shiny the object, there needs to be due diligence. Considerations include making sure a system is HIPAA-compliant and determining whether it’s been through a FedRAMP process, which is a federal standardized security assessment. Even in a pandemic, the IT fundamentals must be respected. Emerging Capabilities and New Challenges as Society Reopens Due diligence in basic functionality and reliability of systems will undergird a whole new world of emerging technology and analytics that must be supported as organizations navigate the pandemic. It’s not unlike medical innovation itself, where cutting-edge breakthroughs are built on a solid foundation of basic research. In other words, organizations that address critical vulnerabilities and optimize underlying systems are better positioned to support a juggernaut of new and enhanced capabilities. Researchers, for instance, are already hard at work designing new artificial intelligence (AI) and machine learning applications against COVID-19, for everything from real-time mapping of cases and epidemiological forecasting to mobile app interventions and estimating unreported infections. AI is also helping look backward at what medical research may already have unwittingly uncovered, including a recent project scouring previous scientific literature that isolated a rheumatoid arthritis drug called baricitinib as a possible treatment for coronavirus. The drug has now been accepted for an accelerated clinical trial to gauge its efficacy. Unfortunately, the clock governing even an accelerated clinical trial doesn’t tick fast enough to satisfy some of most immediate health IT needs. Consider the truncated timelines for completion of government RFIs and RFPs that demonstrate the tremendous need for innovation at breakneck speeds. This often means adapting existing technologies in new ways to serve emerging COVID-related health IT needs. For example, the federal government recently released an RFP looking for a new way to combine telemedicine with mobile network capabilities to enable critical care anywhere, including in remote areas and ever-shifting hot spots of infection. The system will need to stay functional whether its users are ingesting the best diagnostic machine data over a high-speed or satellite network or settling for cellphone shots of vital stat monitors texted from an ambulance or rural field hospital. It’s a new capability being created from telemedicine staffing models, mobile connectivity carrier services, critical care domain expertise, and more. Another example of existing technology enlisted in new ways against COVID-19 is the adaptation of beacon technology, which is currently used in retail, law enforcement, and other sectors, to aid in contact tracing. Unfortunately, this is one of those examples where a promising new use case may save lives but raise profound regulatory and privacy concerns in the process. With More Progress, Tougher IT Riddles Bill Franks, former chief analytics officer of Teradata who now works for the International Institute for Analytics, says that technologists must work within the regulatory and compliance lanes laid out by the government even as COVID-19 puts unprecedented need on reaping insights from personal, medical, and other sensitive data. “We’re seeing a lot of requests for analytics custom to the crisis. And for many of the requests, it is necessary to access data at an individual level,” Franks said. “This necessitates policies and procedures to protect the patients and their data while enabling the analysis required to address the problem.” This is especially true in cases where, unlike new mobile apps for self-reporting of symptoms, users are not necessarily opting in to the process. Threading the needle will likely involve enhancing processes for role-based, tiered access to such data on a need-to-know basis. With each threaded needle, of course, there are more solutions to stitch together. For instance, once stakeholders settle on the compliant technologies and policies to work securely with location data, they’ll need to find new ways to correlate that data with other sources. For example, civil records or mapping data can help distinguish—using GPS data—whether a building is hosting a rave or if it’s a building of apartments where people are sheltering in place. Five Ways to Strengthen Health IT for COVID-19 While it’s impossible to predict where the next challenge area and health IT breakthrough will take place, it is possible to lay the groundwork for success by solving some key strategic issues that will improve the overall landscape for a response. Here are five health IT steps that will have an outsized impact:
|
Archives
October 2020
Categories |