CIO: VA is working toward gold standard in IT security

CIO: VA is working toward gold standard in IT security
CIO: VA is working toward gold standard in IT security 

By David Hubler
Dec. 11, 2006

A new day is dawning at the Department of Veterans Affairs, said Bob 
Howard, the VAs assistant secretary of information and technology and 
chief information officer, explaining the departments major information 
technology reorganization and its plans to strengthen data security.

Life changed big time, he said, in May, when a VA laptop computer and a 
hard-disk drive with about 26.5 million veterans personal records were 
stolen from the home of a department employee. It was a wake-up call for 
us and a wake-up call for all of government.

Howard said the departments determination to become the gold standard of 
data security is on its way to becoming a reality. Were encrypting 
everything in sight, he said.

He outlined the VAs five-step plan at an executive session of the 
American Council for Technology/Industry Advisory Council today at the 
National Press Club. A high-performing IT organization has got to happen 
or we will not be able to achieve some of the other objectives we have 
on the table, he said.

The VA is the only agency that has a separate appropriation for IT, 
Howard said. Its $1.2 billion and growing, he said. Management of that 
appropriation is also a very important priority, he said, adding that 
the final three priorities come under Data Security Assessment and 
Strengthening of Controls, an internal VA program.

In March, VA Secretary Jim Nicholson began to centralize the agencys IT 
and strengthen the departments security controls, Howard said. We want 
to move ourselves from a very narrowly focused organization in terms of 
IT to a more process-based organization oriented on the customer, he 

Since the May laptop theft, improving data security has become a major 
focus within the VA, and Howard views his life now in two phases: 
prebreach and post-breach. I didnt even find out about [the theft] until 
the 16th of May, which tells you a little bit about our [security] 
process, doesnt it?

He said encryption, education and training, and background 
investigations can help prevent data losses, but they are not a panacea. 
The bottom line is people, he said. What leaps out at you is employee 
carelessness and all the training in the world wont ensure that there 
wont be other data breaches.

The dilemma is how far do we go in technologically trying to protect 
ourselves, and at the same time not shut the house down, he said. Many 
devices used at VA medical centers that are linked to IT networks cannot 
be encrypted, he added.

The VA has completed its assessment of how to deal with the problem, 
Howard said. We looked internally at ourselves and also at what the 
contractor community is doing. He cited three main areas designed to 
strengthen controls: technical solutions such as encryption, better 
management through clear directives and improving operational methods.

As an example of the latter, Howard said a laptop that was chained to a 
desk in a locked room on a secure floor was stolen a few weeks ago from 
a VA hospital in Brooklyn, N.Y. It contained information about veterans 
who had been at the medical facility, but the data could not be 
encrypted because the computer was linked to a pulmonary device.

Erasing the data of the previous patient before each use would have 
prevented the problem. "You dont need [to keep personal data] on the 
machine. Thats an example of a methodology that needs to be put in 
place, Howard said.

Were trying to get a much better handle on how we manage these things, 
to focus in on what happened, what occurred, what are we doing to close 
these incidents out and any remedial actions that need to take place, he 
said, but added that vulnerabilities will always remain.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods