TRICARE System Security Guide and Unsecure Practices

The TRICARE Management Activity, which manages the Defense Department's health insurance plan and a whole mess of Military Health System computer systems and networks, late last month released a new "For Official Use Only" guide on how to identify, analyze, report and respond to threats to its networks.

The new TRICARE "Information Assurance Implementation Guide" primarily deals with responses to attacks and penetrations of TRICARE computer systems.

It also obliquely addresses mishandling of sensitive and personnel information, such as that found on the computer tapes stolen from the car of an TRICARE contractor employee last September in San Antonio, Texas. This new guide covers "unsecure practices . . . that may put protected information at risk [e.g., transferring storage media in uncontrolled manner. . . ]"

The new TRICARE policy includes timelines to report data breaches to high level network managers, ranging from 15 minutes for an intrusion at the network administrator or root level to what looks like a four-hour reporting requirement for physical theft of data, as in the SAIC case.

One wonders if TRICARE pondered how far a stolen computer tape could travel in four hours -- the time it might take to transfer tapes from San Antonio to Mexico, for example.

I'm probably going to take some flak for posting a link to a document marked with the over-used "For Official Use Only" stamp, but I found the new TRICARE security guide on the open Internet.