VA to expand encryption to in-house removable storage
- By Mary Mosquera
- Jul 11, 2007
Administrative investigation: Loss of VA information, VA Medical Center, Birmingham, Ala. (.pdf)
The Veterans Affairs Department will require encryption for portable storage devices used internally, effective in December, because of a data breach at its medical center in Birmingham, Ala., earlier this year. VA already requires the use of encrypted flash drives, hard drives and other removable devices when employees have permission to take personally identifiable data off site.
Now the agency will coordinate with the Office of Management and Budget and the President’s Identity Theft Task Force to develop governmentwide criteria for determining under what conditions potential identity theft victims should be notified and offered free credit monitoring, said Robert Howard, VA’s chief information officer, in a letter to the agency’s Office of Inspector General in late June.
Howard detailed the actions his office was taking in response to the IG’s investigation of the data breach. Until governmentwide criteria exist, VA will continue to determine on a case-by-case basis whether the loss of a single personal identifier, such as a Social Security number, constitutes a risk of identity theft that warrants credit monitoring.
On Jan. 22, an information technology specialist reported that a VA-owned external hard drive he had been using was missing from the Birmingham VA Medical Center’s Research Enhancement Award Program office.
The missing hard drive contained backup data from the employee’s desktop computer and other data he was working on from a shared network. The files likely contained personally identifiable information and health information on 250,000 veterans. The drive also most likely contained information from the Health and Human Services Department on 1.3 million medical providers.
To proactively protect them from possible identity theft, VA offered credit monitoring to 864,000 affected veterans, employees and health care providers whose full Social Security numbers might be at risk, Howard said.
To date, the department has not located the missing hard drive, but there is no indication that the data contained on it has been further compromised or used to commit fraud. The criminal investigation by the FBI and VA’s IG remains open.
The actions of the IT specialist initially impeded the investigation. He told investigators that he had deleted multiple files; emptied his computer’s recycle bin, which removed information about the deleted files; and password-protected two of the files to try to hide the extent and magnitude of the missing data, an IG report states.
The data loss underscores the lack of governmentwide guidance and criteria on how to assess the vulnerability of data. Without guidance, agencies are likely to make inconsistent decisions about what protections to offer affected individuals.
“This is critical in that a very liberal use of high-risk levels can result in spending millions of dollars in taxpayer money needlessly,” the report states.
In April, the Government Accountability Office recommended that OMB develop guidance for federal agencies on conducting risk analyses to determine when to offer credit and other monitoring to individuals at risk of identity theft as a result of a federal data breach.
“The loss of information at the Birmingham Research Enhancement Award Program is a disturbing incident given the Veterans Health Administration’s focus on data security over the past year,” said Michael Kussman, VA’s undersecretary for health, in response to the IG’s report.
At the local level, Birmingham program managers did not ensure that proper security controls were in place to safeguard data, and local policies were not followed in the purchase or use of external hard drives.
“Rather than utilize encryption software to protect data stored on external hard drives, managers instituted a less reliable method of protection by depending on employees not to remove external hard drives from the office and to store them in a safe when not in use — measures which were not adequately monitored by managers to ensure employee compliance,” the report states.
Managers did not take measures to adequately secure the physical office space, and many employees had access to the safe used to secure the external hard drives.
Had they been followed, local policies could have protected the data. The Birmingham program’s data security plan requires that protected health information be stored only on a computer operating within the VA network. Furthermore, the data must be kept on a secure VA drive.
The IT specialist also inappropriately accessed individually identifiable health information from the data warehouse for the Alabama region and the medical center’s Veterans Health Information Systems and Technology Architecture electronic medical records database.
As a result of the breach, VHA conducted a mandatory educational program on data security and privacy policies for all research staff, provided more training for VA information security officers, and developed a privacy review checklist that it distributed to field facilities.
VHA will also re-evaluate sensitive positions for associated risk-designation levels, and VA is taking administrative action against the IT specialist.