[ISN] VA is slow to upgrade tech security, GAO says

From: InfoSec News (alerts@private)
Date: Wed Sep 19 2007 - 23:03:50 PDT


http://www.govexec.com/story_page.cfm?articleid=38079

By Michael Martinez 
National Journal's Technology Daily  
September 19, 2007

The Veterans Affairs Department has not yet fully implemented 
information security upgrades that auditors recommended after a massive 
data breach last year, according to a report released Wednesday.

The Government Accountability Office said the department is moving 
slowly to address the data security weaknesses exposed by an incident 
that compromised the personal information of roughly 26.5 million 
veterans. GAO found that the department has not fulfilled 20 of the 22 
recommendations it issued along with the VA's inspector general last 
year about how the data system can be strengthened.

"Because these recommendations have not yet been implemented, 
unnecessary risk exists that the personal information of veterans and 
others, such as medical providers, will be exposed to data, tampering, 
fraud and inappropriate disclosure," the new GAO report said.

The breach occurred when a computer drive containing sensitive data was 
stolen from the home of a department tech specialist. It was the largest 
data breach in U.S. government history.

According to GAO, the only two of its recommendations the department has 
implemented in response to the breach involve regular reporting about 
the development of the VA's security plan and developing a process for 
managing an action plan.

When asked Wednesday by Senate Veterans Affairs Committee Chairman 
Daniel Akaka, D-Hawaii, about whether the department is on track in its 
mission to become the federal government's "gold standard" in data 
security, VA Assistant Secretary for Information and Technology Robert 
Howard said he does not know.

"It's a difficult question," he said at a hearing on the department's 
overall IT efforts.

Howard said the department has made significant progress in certain 
areas, particularly with enhancing its system for identifying and 
reporting security gaps. He insisted that 2008 will be an important year 
because the department will be implementing several key contracts.

Lawmakers at the hearing also tried to gauge the department's progress 
toward centralizing its IT system and enhancing its e-health 
capabilities.

VA Secretary Jim Nicholson approved a new organization structure for the 
department earlier this year. Part of that effort involves transferring 
6,000 employees to its technology office. The department's delivery of 
health care is a key part of the realignment plan.

Nicholson told House lawmakers on Tuesday that the department is 
struggling to deal with backlogs in claims for veterans of the Iraq war. 
A recent audit completed by the department's inspector general also 
identified gaps in its e-health system that affected patient data and 
led to long wait times for appointments.

Howard acknowledged the department's struggles to upgrade its e-health 
system. But he said the pressure Congress is putting on both the Defense 
and VA departments is helping the process.

Akaka said the accuracy of the information in the VA system is 
imperative and Congress will not be able to effectively direct resources 
to the department if it cannot rely on the data the department provides.


__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com



This archive was generated by hypermail 2.1.3 : Wed Sep 19 2007 - 23:32:04 PDT