[ISN] VA toughens security after PC disposal blunders

From: InfoSec News (isnat_private)
Date: Tue Aug 27 2002 - 06:00:38 PDT


    By Judi Hasson
    Aug. 26, 2002

    The Department of Veterans Affairs is tightening its policy on the
    disposal of old computers following disclosures that 139 computers
    containing sensitive personal information about veterans, including
    their medical records, were given away.

    Although the VA has had security rules since 1997 on purging sensitive
    data before disposing of old computers, the policy was breached by the
    Indianapolis VA Medical Center. The facility failed to erase personal
    information before giving away the computers to educational
    institutions, the state of Indiana or private individuals.

    The computers' hard drives contained a wealth of personal data,
    including information about a veteran with AIDS and others with mental
    health problems. Some computers also contained the numbers of 44
    government credit cards, according to memos on the incident obtained
    by Federal Computer Week.

    Three of the computers wound up at a local thrift store in
    Indianapolis, where a local TV reporter bought them in May. Those
    computers contained data on seven veterans; the total number of
    veterans whose personal data was on the computer hard drives has not
    been determined. All but 15 of the computers have been recovered.

    John Gauss, the VA's chief information officer, said the agency
    decided to buy an enterprise license for Ontrack Data International
    Inc.'s DataEraser software as a result of the Indianapolis incident.

    "We also examined our overall cybersecurity process and decided we
    were going to strengthen it through the development of a qualification
    and certification program for ISOs," or information security officers,
    Gauss said.

    Bruce Brody, the VA's cybersecurity chief, said the Indianapolis
    incident helped speed efforts to tighten security within the VA.

    Although the VA's new policy has not been formalized, the Office of
    Cyber Security plans to establish a program by Oct. 1, 2003, to train
    and certify all 600 ISOs within the department. Nevertheless,
    information security officials already know about the new policy,
    Gauss said.

    In a letter to Rep. Steve Buyer (R-Ind.), VA Secretary Anthony
    Principi said the Indianapolis incident is an "unacceptable violation
    of VA security policy.... I share your concern over the
    confidentiality, integrity and availability of the sensitive veteran
    data [with] which our department is entrusted."

    He spelled out a new policy that will include random audits and
    inspections by the Office of Cyber Security to make sure policies are
    being followed.

    "The purpose is not to go find people and bust them, [but to] find
    when people make mistakes and talk directly to them," Gauss said.

    VA on guard

    The Department of Veterans Affairs has taken several steps to prevent
    future privacy breaches, such as what recently occurred when the
    agency donated computers to outside organizations without removing
    sensitive data from the hard drives.

    VA officials:

    * Bought an enterprise license for Ontrack Data International Inc.'s
      DataEraser, which overwrites data on a hard drive so that it cannot
      be recovered.
    * Plan to buy electromagnetic wands for deleting information by
      demagnetizing hard drives.
    * Are developing a program for certifying information security
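
    The two technical measures in the sidebar, overwriting the media and
    then auditing that policy was actually followed, can be put together
    in one disposal check. The script below is an added example written
    for this archive; it is not VA code and not Ontrack's DataEraser. It
    builds a constructed stand-in for a donated drive (zero filler with a
    few patient and government-card records of the kind the article
    describes, using the well-known Luhn-valid test number 4111111111111111),
    scans it for readable text and card-like numbers, overwrites it with a
    random pass followed by a zero pass, and then verifies byte for byte
    that nothing remains. File names, offsets and the residue patterns are
    all assumptions made for the example.

```python
"""Overwrite-and-verify check for a drive image before the machine leaves custody.

Added example, not VA or Ontrack code. Everything below (file names, the
sample records, the residue patterns) is constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

BLOCK = 64 * 1024  # write granularity for the overwrite passes

# Printable-ASCII runs of 16+ bytes: readable text that survived on the media.
TEXT_RE = re.compile(rb"[ -~]{16,}")
# 13-19 digit runs not adjacent to other digits: candidate card numbers.
CARD_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card-like numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_residue(image: Path) -> dict:
    """Audit step: report readable text runs and Luhn-valid card numbers still on the image."""
    data = image.read_bytes()
    cards = [m.group(1).decode() for m in CARD_RE.finditer(data)
             if luhn_ok(m.group(1).decode())]
    return {"card_numbers": cards, "text_runs": len(TEXT_RE.findall(data))}


def overwrite_image(image: Path, passes=(None, b"\x00")) -> int:
    """Overwrite every byte in place: None means a random pass, bytes means a fixed pattern.
    The final pass is a fixed pattern so the result can be verified byte for byte."""
    size = image.stat().st_size
    with open(image, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(BLOCK, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the media before starting the next
    return len(passes)


def verify_wiped(image: Path, final_pattern: bytes = b"\x00") -> bool:
    """Verification: every byte equals the final pattern and the residue scan is clean."""
    data = image.read_bytes()
    residue = find_residue(image)
    return (data == final_pattern * len(data)
            and not residue["card_numbers"] and residue["text_runs"] == 0)


def build_sample_image(image: Path, size: int = 256 * 1024) -> None:
    """Constructed stand-in for a donated drive: zero filler with three records
    of the kind described in the article (a diagnosis and a government card number)."""
    record = (b"PATIENT: John Q. Sample  DX: confidential diagnosis\n"
              b"GOVT CARD: 4111111111111111 EXP 09/04\n")  # Luhn-valid test number
    buf = bytearray(size)
    for offset in (4096, 100_000, 200_000):  # assumed record locations
        buf[offset:offset + len(record)] = record
    image.write_bytes(bytes(buf))


def run_disposal_check() -> dict:
    """End to end: image with records -> audit -> overwrite -> audit again -> verdict."""
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "donated-drive.img"
        build_sample_image(img)
        before = find_residue(img)
        overwrite_image(img)
        after = find_residue(img)
        return {"before": before, "after": after, "wiped": verify_wiped(img)}


if __name__ == "__main__":
    result = run_disposal_check()
    print("before:", result["before"])
    print("after: ", result["after"])
    print("release approved" if result["wiped"] else "DO NOT RELEASE")
```

    The residue scan is the part an auditor runs: it is what turns a
    "we wiped it" claim into something that can be checked on a sampled
    machine. Two caveats apply on real hardware. The overwrite must be
    run against the whole block device, not files inside a filesystem,
    or slack space and deleted files are missed; and sectors a drive has
    silently remapped are beyond any software overwrite, which is why the
    sidebar's second measure, degaussing, exists for drives that cannot
    be verified.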
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 09:06:36 PDT