VA said lagging on data security improvements

VA missing another hard drive

The Department of Veterans Affairs still has not established key elements of a comprehensive program to manage data security, according to the Government Accountability Office.

The VA has taken steps to reduce security weaknesses that were already reported, but the agency has not fully resolved them, said Gregory Wilshusen, director of information security issues for the GAO.

Nor has the VA implemented information technology security provisions that GAO and the VA’s Office of the Inspector General have recommended and highlighted since the theft of personal data belonging to millions of veterans from an agency employee’s home last year.

Those provisions include clearly defined security roles and responsibilities and regular risk assessments. As a result, the VA cannot manage risks on an ongoing basis, Wilshusen said in congressional testimony on Feb. 28.

“Its efforts have not been sufficient to effectively protect its information systems and information, including personal information, from unauthorized disclosure, misuse or loss,” he said at a hearing of the House Veterans Affairs Subcommittee on Oversight and Investigation.

The VA is conducting significant work on advancing data security, said VA Chief Information Officer Robert Howard. The agency has a systems engineering process in place and is using its Region 4 in the Northeast as a test bed.

“We have a number of technologies in place working, for example port monitoring, network monitoring, encrypting thumb drives in situations where downloading is restricted. These things have been implemented but only in certain areas,” Howard told reporters outside the hearing room.

The VA is focusing on five key areas: moveable media and storage, thumb and Blackberry devices, network transmissions, secure remote access and e-mail and documents, he said.

The agency also needs more skilled managers and executives; for example, the VA recently had completed the process to hire a chief information security officer to fill a vacancy, but the individual decided to accept another position, Howard said. So VA must return to the hiring process.

Lawmakers criticized agency officials for moving too slowly in strengthening the VA’s data security. A recent loss of a hard drive that may have contained sensitive data is the latest result of the agency’s slow pace, lawmakers said.

Meanwhile, the VA remains in the spotlight with the loss of a hard drive used by an employee at a VA facility in Birmingham, Ala. The hard drive may have contained data on 1.8 million persons, including sensitive VA data for up to 539,000 individuals.

The VA began notifying veterans in early February. Data for 1.3 million non-VA physicians, both living and deceased, may have been stored on the hard drive. Most of the physician data may be considered readily available to the public, but some of the files may contain sensitive information, the VA said.

The agency is working with the Centers for Medicare and Medicaid Services, which owns the physician information, to better identify the providers and assess risk on that data. Some provider-unique identifier numbers may incorporate Social Security numbers. The agency used the non-VA physician data to analyze and compare information about the health care veterans received from both VA and non-VA health care providers.

The VA has begun measures to strengthen its information security since the theft of personal data belonging to millions of veterans from an agency employee’s home last year.

Among those measures, the VA has encrypted its laptops and has an operational security operations center that automatically tracks and reports breaches to agency executives.

The operations center has reported hundreds of violations since last May, and some include individuals or small numbers of veterans. The Birmingham breach is the largest since then, said Gordon Mansfield, VA deputy secretary.