[ISN] Auditors can't locate VA computer equipment

From: InfoSec News (alerts@private)
Date: Tue Jul 24 2007 - 22:28:47 PDT


http://www.govexec.com/story_page.cfm?articleid=37563

By Ben Evans
Associated Press 
July 24, 2007

WASHINGTON (AP) -- More than a quarter of the computer equipment at the 
Veterans Affairs Medical Center in Washington could not be found by 
investigators, government auditors reported Tuesday.

Three other VA facilities showed slightly better results but still could 
not locate between 6 percent and 11 percent of their equipment, 
including computers, hard drives, monitors and other devices. In all, 
the four facilities audited by the Government Accountability Office 
reported more than 2,400 missing items originally worth $6.4 million.

Aside from decrying potentially wasted tax dollars, lawmakers said the 
report raises fresh questions about the security of the agency's 
information, including sensitive medical records and Social Security 
numbers.

The audit follows a series of computer data security breaches at the 
agency that exposed millions of veterans and medical providers to 
possible identity theft.

"It has a very corrosive effect on trust in the VA in general," said 
Rep. Tim Walz, D-Minn. "I think all of us up here are sensing the 
frustrations of our constituents and our veterans."

For the audit, the GAO sampled equipment inventories at medical centers 
in Washington, San Diego, Indianapolis and at VA headquarters offices.

The auditors said much of the equipment that could be found was not 
where inventory records said it should be. Equipment often was moved or 
set aside for discard without documentation. As a result, it was 
difficult or impossible to determine what had happened to the missing 
equipment, the report said.

Equipment slated for disposal -- some containing sensitive records -- 
often sat unprotected in storage rooms for months or years, the report 
said.

"Essentially no one was accountable for IT equipment," it said.

The GAO found similar weaknesses in a survey of six VA facilities in 
2004. GAO officials testified at a House hearing Tuesday that the VA has 
made some improvements since then but still has not established 
effective inventory controls or held users accountable for equipment.

VA officials did not dispute the findings, but said they were making 
progress. Since the three-month audit was completed, officials said they 
had located much of the missing equipment or had verified that it was 
sent to surplus.

Robert Howard, VA's assistant secretary for information and technology, 
said he did not believe the agency has enough manpower to keep up with 
the problem.

"It is a situation that we are working hard to remedy," he said.

The VA has been under intense scrutiny in the past year over the quality 
of its care for veterans and a series of information technology 
blunders.

Last year, the VA lost data on 26.5 million veterans when computer 
equipment was allegedly stolen in Maryland. In January, a VA hospital in 
Birmingham, Ala., lost sensitive data on more than 1.5 million people 
when a hard drive went missing. A recent internal review of that 
incident found that the medical center repeatedly failed to follow 
policies and regulations to protect information -- including in storing 
the hard drive.

VA Secretary Jim Nicholson announced his resignation last week.

Copyright 2007 The Associated Press


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Tue Jul 24 2007 - 22:44:45 PDT