By Michael Martinez
National Journal's Technology Daily
September 19, 2007
The Veterans Affairs Department has not yet fully implemented
information security upgrades that auditors recommended after a massive
data breach last year, according to a report released Wednesday.
The Government Accountability Office said the department is moving
slowly to address the data security weaknesses exposed by an incident
that compromised the personal information of roughly 26.5 million
veterans. GAO found that the department has not fulfilled 20 of the 22
recommendations it issued along with the VA's inspector general last
year about how the data system can be strengthened.
"Because these recommendations have not yet been implemented,
unnecessary risk exists that the personal information of veterans and
others, such as medical providers, will be exposed to data, tampering,
fraud and inappropriate disclosure," the new GAO report said.
The breach occurred when a computer drive containing sensitive data was
stolen from the home of a department tech specialist. It was the largest
data breach in U.S. government history.
According to GAO, the only two of its recommendations the department has
implemented in response to the breach involve regular reporting about
the development of the VA's security plan and developing a process for
managing an action plan.
When asked Wednesday by Senate Veterans Affairs Committee Chairman
Daniel Akaka, D-Hawaii, about whether the department is on track in its
mission to become the federal government's "gold standard" in data
security, VA Assistant Secretary for Information and Technology Robert
Howard said he does not know.
"It's a difficult question," he said at a hearing on the department's
overall IT efforts.
Howard said the department has made significant progress in certain
areas, particularly with enhancing its system for identifying and
reporting security gaps. He insisted that 2008 will be an important year
because the department will be implementing several key contracts.
Lawmakers at the hearing also tried to gauge the department's progress
toward centralizing its IT system and enhancing its e-health
VA Secretary Jim Nicholson approved a new organization structure for the
department earlier this year. Part of that effort involves transferring
6,000 employees to its technology office. The department's delivery of
health care is a key part of the realignment plan.
Nicholson told House lawmakers on Tuesday that the department is
struggling to deal with backlogs in claims for veterans of the Iraq war.
A recent audit completed by the department's inspector general also
identified gaps in its e-health system that affected patient data and
led to long wait times for appointments.
Howard acknowledged the department's struggles to upgrade its e-health
system. But he said the pressure Congress is putting on both the Defense
and VA departments is helping the process.
Akaka said the accuracy of the information in the VA system is
imperative and Congress will not be able to effectively direct resources
to the department if it cannot rely on the data the department provides.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com