By Mary Mosquera
March 1, 2007
The Department of Veterans Affairs still has not established key
elements of a comprehensive program to manage data security, according
to the Government Accountability Office.
The VA has taken steps to reduce security weaknesses that were already
reported, but the agency has not fully resolved them, said Gregory
Wilshusen, director of information security issues for the GAO.
Nor has the VA implemented information technology security provisions
that GAO and the VA's Office of the Inspector General have recommended
and highlighted since the theft of personal data belonging to millions
of veterans from an agency employee's home last year.
Those provisions include clearly defined security roles and
responsibilities and regular risk assessments. As a result, the VA
cannot manage risks on an ongoing basis, Wilshusen said in congressional
testimony on Feb. 28.
"Its efforts have not been sufficient to effectively protect its
information systems and information, including personal information,
from unauthorized disclosure, misuse or loss," he said at a hearing of
the House Veterans Affairs Subcommittee on Oversight and Investigation.
The VA is conducting significant work on advancing data security, said
VA Chief Information Officer Robert Howard. The agency has a systems
engineering process in place and is using its Region 4 in the Northeast
as a test bed.
"We have a number of technologies in place working, for example, port
monitoring, network monitoring, encrypting thumb drives in situations
where downloading is restricted. These things have been implemented but
only in certain areas," Howard told reporters outside the hearing room.
The VA is focusing on five key areas: moveable media and storage, thumb
and Blackberry devices, network transmissions, secure remote access and
e-mail and documents, he said.
The agency also needs more skilled managers and executives. For example,
the VA had recently completed the process of hiring a chief information
security officer to fill a vacancy, but the individual decided to accept
another position, Howard said, so the VA must return to the hiring process.
Lawmakers criticized agency officials for moving too slowly in
strengthening the VA's data security. A recent loss of a hard drive that
may have contained sensitive data is the latest result of the agency's
slow pace, lawmakers said.
Meanwhile, the VA remains in the spotlight with the loss of a hard drive
used by an employee at a VA facility in Birmingham, Ala. The hard drive
may have contained data on 1.8 million persons, including sensitive VA
data for up to 539,000 individuals.
The VA began notifying veterans in early February. Data for 1.3 million
non-VA physicians, both living and deceased, may have been stored on the
hard drive. Most of the physician data may be considered readily
available to the public, but some of the files may contain sensitive
information, the VA said.
The agency is working with the Centers for Medicare and Medicaid
Services, which owns the physician information, to better identify the
providers and assess risk on that data. Some provider-unique identifier
numbers may incorporate Social Security numbers. The agency used the
non-VA physician data to analyze and compare information about the
health care veterans received from both VA and non-VA health care
The VA has begun measures to strengthen its information security since
the theft of personal data belonging to millions of veterans from an
agency employee's home last year.
Among those measures, the VA has encrypted its laptops and has an
operational security operations center that automatically tracks and
reports breaches to agency executives.
The operations center has reported hundreds of violations since last
May, and some include individuals or small numbers of veterans. The
Birmingham breach is the largest since then, said Gordon Mansfield, VA