VA IT official defends work on data protection

Roger Baker, assistant secretary for information and technology at the Veterans Affairs Department, today defended the department’s efforts to protect against data theft and unauthorized access at a House hearing where the VA was criticized for two recent breaches of veterans’ personal data in Texas.

Rep. Harry Mitchell (D-Ariz.), who chairs the House Veterans' Affairs Committee’s Oversight and Investigations Subcommittee that held the hearing, said the panel is evaluating two recent incidents of unauthorized access to VA data. One was this month and involved data about 3,265 veterans at a VA facility; the other took place in April and involved data about 644 veterans contained on a stolen laptop computer used by a VA contractor, he said.

”These recent data breaches are proof that the VA still has a long way to go to ensure veterans that their information is being safely stored and handled,” Mitchell said.

Asked about the breaches, Baker said in the incident that involved data about 644 veterans, the breach was the result of a stolen laptop computer belonging to a VA contractor. The data was unencrypted despite a requirement in the contract that it be encrypted, and despite certification from the contractor that the encryption had been carried out, he said.

To prevent further breaches of that nature, Baker said his staff is auditing all other VA contracts that involve sharing of veterans' data to ensure they comply with encryption needs.

Baker acknowledged that there are still problems in balancing the need for data protection against the need for making critical data available to clinicians. Also, there needs to be cooperation with supply chain partners who exchange data with the VA, he said.

“Over the last four years, we have made quantifiable progress,” Baker said. “Over the next year, we will make greater strides. Am I satisfied with where we are? No. Our goal must be to be the best in federal government, and comparable with good private-sector enterprises, on our information security practices. With your support, we will continue to work very hard at achieving that goal during my tenure as CIO at VA.”

Baker outlined several recent initiatives to enhance computer security, including Visualization at the Desktop, which would provide managers with a view of all systems by Sept. 30. “We will have electronic access to every desktop and verify they are in compliance,” Baker said.

The department also is implementing a program to protect VA medical devices through isolation architecture that should be completed by December, he said.

Representatives from the VA's Office of Inspector General and the Government Accountability Office testified that the VA has had longstanding problems in maintaining secure records and in complying with the Federal Information Security Management Act. The department experienced a major breach of veterans' personal data in 2006.

At the same time, panelists noted that the VA has improved its security posture in recent years after a consolidation of computer security responsibility in Baker’s office.

Rep. Steve Buyer (R-Ind.) praised Baker’s work on security compliance and training since arriving at the VA a year ago and claimed that progress was hampered partly by lack of cooperation within the VA.

“I am not here to beat you up,” Buyer said to Baker. “You have stepped into the breach. I recognize this is a work in progress. You have not always had the most cooperation or the best effort from the Veterans Health Administration. They have done everything imaginable to derail the centralization effort.”