http://www.al.com/news/birminghamnews/index.ssf?/base/news/117274103323890.xml&coll=2

By MARY ORNDORFF
News Washington correspondent
March 01, 2007

WASHINGTON - Department of Veterans Affairs computer data has been mishandled hundreds of times in the past 10 months and the agency has not followed multiple rules designed to keep personal information safe, according to testimony Wednesday before a congressional panel investigating the security problems.

The most recent incident - a missing hard drive from the Birmingham VA Medical Center that contained personal, financial and medical data on about 1.8 million people - is the largest of 46 cases under investigation by the VA's inspector general.

Also Wednesday, Birmingham VA officials for the first time said the hard drive was reported stolen from an employee's locked work space, which previously had been inspected and determined to be secure.

Wednesday's hearing was hastily arranged because of the Birmingham situation, according to the chairman of the investigations and oversight subcommittee of the House Veterans Affairs Committee. It revealed a widespread and systemic security problem in the federal agency that last year provided health care for more than 5.4 million veterans.

"If the Birmingham incident stood alone against a backdrop of a sound information security management program, perhaps we could address a one-time-only incident with more patience," said U.S. Rep. Harry Mitchell, D-Ariz. "However, the record reflects a host of material weaknesses ... and the VA is slow to correct these deficiencies."

'Information at risk':

The VA has repeatedly failed audits on its computer security systems, and 17 recommendations to fix the problem remain unfinished after several years, according to Maureen Regan, counselor to the VA's inspector general.

Her testimony was a blistering account of the agency's shortcomings, such as the lack of basic encryption and the lack of knowledge about how many employees and contractors use non-VA computers to access VA systems, how many external hard drives are used or what data is stored on them.

"VA still lacks effective internal controls and accountability which leaves sensitive information at risk," Regan said in her written testimony.

Gregory Wilshusen of the Government Accountability Office reached a similar conclusion, calling the breaches "remarkable and stunning in scope and magnitude," but not necessarily unique among federal agencies.

VA officials said the Birmingham incident was reported quicker and handled better than the major breach last May of data on more than 26 million people. And while they testified about the work in progress to implement changes, they didn't dispute the dire assessments.

"I sincerely wish I could promise that no other incident will occur," said Gordon Mansfield, deputy secretary of the VA. "I can't do that now."

Members of Congress from both sides of the aisle were clearly exasperated, in part because the data missing from the Birmingham case could be enough for someone to commit Medicare fraud by filing fake requests for reimbursements. The hard drive still is missing and the FBI has issued a $25,000 reward for its recovery.

Rep. Spencer Bachus, R-Vestavia Hills, complained that the data on 535,000 veterans and 1.3 million health-care providers was not encrypted. "That ought to be standard operating procedure."

Rep. Artur Davis, D-Birmingham, argued that the VA should have notified veterans and doctors much sooner that their personal information could have been compromised. The hard drive was reported missing Jan. 22, the public learned about it Feb. 3, and letters to the affected people started being mailed out the week of Feb. 12.

While veterans are being notified, Mansfield said, the VA is awaiting contact information from the Centers on Medicare and Medicaid Services about the health-care providers.

"I have a very strong hunch ... that the only reason the public knows about any of this is simply by pure luck," Davis said.

VA officials have said they couldn't disclose the incident earlier because of the investigation.

External drives banned:

The Birmingham employee who reported the missing equipment is on administrative leave. Two Birmingham VA officials, Y.C. Parris and Warren Blackburn, said Wednesday that the employee reported the hard drive was taken from his desk area in his Five Points South office, where it had been under lock and key.

Blackburn said the use of external hard drives is now banned. Parris said the data was not encrypted because staff didn't have the proper computer software to do the encryption.

Davis asked Mansfield, the deputy VA secretary, to rate the response of the Birmingham officials to the situation, and Mansfield refused to discuss it publicly.

"This is the people's business," Davis said. "It's not a matter of national security. It's something they're entitled to know."

Copyright 2007 The Birmingham News