[ISN] VA said lagging on data security improvements

From: InfoSec News (alerts@private)
Date: Thu Mar 01 2007 - 23:03:03 PST


By Mary Mosquera
March 1, 2007

The Department of Veterans Affairs still has not established key 
elements of a comprehensive program to manage data security, according 
to the Government Accountability Office.

The VA has taken steps to reduce security weaknesses that were already 
reported, but the agency has not fully resolved them, said Gregory 
Wilshusen, director of information security issues for the GAO.

Nor has the VA implemented information technology security provisions 
that GAO and the VA's Office of the Inspector General have recommended 
and highlighted since the theft of personal data belonging to millions 
of veterans from an agency employee's home last year.

Those provisions include clearly defined security roles and 
responsibilities and regular risk assessments. As a result, the VA 
cannot manage risks on an ongoing basis, Wilshusen said in congressional 
testimony on Feb. 28.

"Its efforts have not been sufficient to effectively protect its 
information systems and information, including personal information, 
from unauthorized disclosure, misuse or loss," he said at a hearing of 
the House Veterans Affairs Subcommittee on Oversight and Investigation.

The VA is conducting significant work on advancing data security, said 
VA Chief Information Officer Robert Howard. The agency has a systems 
engineering process in place and is using its Region 4 in the Northeast 
as a test bed.

"We have a number of technologies in place working, for example port 
monitoring, network monitoring, encrypting thumb drives in situations 
where downloading is restricted. These things have been implemented but 
only in certain areas," Howard told reporters outside the hearing room.

The VA is focusing on five key areas: movable media and storage, thumb 
and Blackberry devices, network transmissions, secure remote access, and 
e-mail and documents, he said.

The agency also needs more skilled managers and executives; for example, 
the VA recently had completed the process to hire a chief information 
security officer to fill a vacancy, but the individual decided to accept 
another position, Howard said. So VA must return to the hiring process.

Lawmakers criticized agency officials for moving too slowly in 
strengthening the VA's data security. A recent loss of a hard drive that 
may have contained sensitive data is the latest result of the agency's 
slow pace, lawmakers said.

Meanwhile, the VA remains in the spotlight with the loss of a hard drive 
used by an employee at a VA facility in Birmingham, Ala. The hard drive 
may have contained data on 1.8 million persons, including sensitive VA 
data for up to 539,000 individuals.

The VA began notifying veterans in early February. Data for 1.3 million 
non-VA physicians, both living and deceased, may have been stored on the 
hard drive. Most of the physician data may be considered readily 
available to the public, but some of the files may contain sensitive 
information, the VA said.

The agency is working with the Centers for Medicare and Medicaid 
Services, which owns the physician information, to better identify the 
providers and assess risk on that data. Some provider-unique identifier 
numbers may incorporate Social Security numbers. The agency used the 
non-VA physician data to analyze and compare information about the 
health care veterans received from both VA and non-VA health care 

The VA has begun measures to strengthen its information security since 
the theft of personal data belonging to millions of veterans from an 
agency employee's home last year.

Among those measures, the VA has encrypted its laptops and has an 
operational security operations center that automatically tracks and 
reports breaches to agency executives.

The operations center has reported hundreds of violations since last 
May, and some include individuals or small numbers of veterans. The 
Birmingham breach is the largest since then, said Gordon Mansfield, VA 
deputy secretary.

This archive was generated by hypermail 2.1.3 : Thu Mar 01 2007 - 23:13:38 PST