By David Hubler
Dec. 11, 2006
"A new day is dawning at the Department of Veterans Affairs," said Bob Howard, the VA's assistant secretary of information and technology and chief information officer, explaining the department's major information technology reorganization and its plans to strengthen data security.
"Life changed big time," he said, in May, when a VA laptop computer and a hard-disk drive with about 26.5 million veterans' personal records were stolen from the home of a department employee. "It was a wake-up call for us and a wake-up call for all of government."
Howard said the department's determination to become "the gold standard" of data security is on its way to becoming a reality. "We're encrypting everything in sight," he said.
He outlined the VA's five-step plan at an executive session of the American Council for Technology/Industry Advisory Council today at the National Press Club. "A high-performing IT organization has got to happen or we will not be able to achieve some of the other objectives we have on the table," he said.
The VA is the only agency that has a separate appropriation for IT, Howard said. "It's $1.2 billion and growing," he said. Management of that appropriation is also a very important priority, he added, and the final three priorities come under Data Security Assessment and Strengthening of Controls, an internal VA program.
In March, VA Secretary Jim Nicholson began to centralize the agency's IT and strengthen the department's security controls, Howard said. "We want to move ourselves from a very narrowly focused organization in terms of IT to a more process-based organization oriented on the customer," he
Since the May laptop theft, improving data security has become a major focus within the VA, and Howard views his life now in two phases: pre-breach and post-breach. "I didn't even find out about [the theft] until the 16th of May, which tells you a little bit about our [security] process, doesn't it?"
He said encryption, education and training, and background investigations can help prevent data losses, but they are not a panacea. "The bottom line is people," he said. "What leaps out at you is employee carelessness, and all the training in the world won't ensure that there won't be other data breaches."
"The dilemma is how far do we go in technologically trying to protect ourselves, and at the same time not shut the house down," he said. Many devices used at VA medical centers that are linked to IT networks cannot be encrypted, he added.
The VA has completed its assessment of how to deal with the problem, Howard said. "We looked internally at ourselves and also at what the contractor community is doing." He cited three main areas designed to strengthen controls: technical solutions such as encryption, better management through clear directives, and improved operational methods.
As an example of the latter, Howard said a laptop that was chained to a desk in a locked room on a secure floor was stolen a few weeks ago from a VA hospital in Brooklyn, N.Y. It contained information about veterans who had been at the medical facility, but the data could not be encrypted because the computer was linked to a pulmonary device. Erasing the data of the previous patient before each use would have prevented the problem. "You don't need [to keep personal data] on the machine. That's an example of a methodology that needs to be put in place," Howard said.
"We're trying to get a much better handle on how we manage these things, to focus in on what happened, what occurred, what are we doing to close these incidents out and any remedial actions that need to take place," he said, but added that vulnerabilities will always remain.