Congress, GAO Seek Data Security Improvements at Veterans Affairs Department
Lawmakers urged tighter security for veterans’ health and financial information at the U.S. Department of Veterans Affairs. In a House Veterans Affairs Oversight Subcommittee hearing Wednesday, Democrats and Republicans grilled department officials on the steps they are taking to prevent breaches. Roger Baker, the department’s chief information officer, acknowledged weaknesses but cited progress in shifting the department’s culture to head off future threats.
The VA “has made limited progress in resolving long-standing deficiencies in securing its information and systems,” said GAO in a report released Wednesday. “VA has also consistently had weaknesses in major information security control areas,” including access control, configuration management, segregation of duties, contingency planning and security management. “Until VA fully and effectively implements a comprehensive information security program and mitigates known security vulnerabilities, its computer systems and sensitive information … will remain exposed to an unnecessary and increased risk of unauthorized use, disclosure, tampering, theft, and destruction.”
“Each day, there is the potential for millions of attempts to gain unauthorized access to government computers that hold [veterans’] information through unsecure ports and other means,” said Chairman Harry Mitchell, D-Ariz., at the hearing. “Strengthening interagency network connections, access controls, and improving configuration management are some of the things that will yield positive results in securing VA’s computing network.” Mitchell asked Baker to provide a status report by Oct. 15 this year.
Ranking Member Phil Roe, R-Tenn., is “highly concerned the VA is just not taking information security seriously enough.” Future security breaches are likely “if the VA continues on its current path,” he said. “The VA must take immediate action to secure our veterans’ information and to ensure that all contracts requiring access” to the data “include protections,” he said.
A March report by the Office of Management and Budget ranked the VA “dead last” in several areas among agencies subject to the 2002 Federal Information Security Management Act (FISMA), Mitchell said. He flagged two recent data breaches in Texas, including one earlier this year in which a stolen laptop compromised the records of 644 veterans. “These recent data breaches are proof that the VA still has a long way to go in assuring our nation’s veterans that their most sensitive information is being safely stored and handled.”
Rep. Steve Buyer, R-Ind., urged a more centralized approach to information security at the department. The House Communications Subcommittee member isn’t on the Veterans Affairs Oversight Subcommittee, but has been following the most recent data breach at VA. Buyer wants the CIO to “get into people’s business” and ensure security policies are followed throughout the department, he said. Gregory Wilshusen, GAO director of information security issues, suggested making VA officials’ compliance with security policies part of their performance appraisals. “Bingo,” replied Buyer. That’s something the executive branch could order without legislation, he added.
Rep. Tim Walz, D-Minn., cautioned that data must still be reasonably accessible to people using it for good. “We can lock your stuff away in a vault, but if the right people don’t have access to see it, we still cause damage to our veterans.”
“We recognize we are far from perfect and we have a long way to go to achieve our information security goals,” said Baker, the department’s CIO. The department has made progress improving security controls, but many breaches are a result of human error and carelessness, he said. To remedy that, the department is teaching staff how to keep information secure, he said. Of 453,000 people the department viewed as needing information security training, VA has certified about 91 percent, he said. Of 417,000 viewed as needing privacy training, the department has certified about 90 percent, he said.
“While VA has made progress defining policies and procedures, implementing effective controls to protect systems and data from unauthorized access, alteration or destruction represents a significant challenge for VA’s highly decentralized and complex infrastructure,” said Belinda Finn, assistant inspector general for audits and evaluations at the department. VA’s systems will remain at “increased risk” until the department addresses the Inspector General’s audit recommendations and acts on key parts of its information security program, she said.
The department must do better to ensure contractors comply with information security requirements in contracts, said Wilshusen. VA should require contractors to certify they are complying, and perform independent audits to verify. If a contractor is not complying, it should be held accountable, he said. Also, laptop computers should be locked with more than a simple password, and their data should be encrypted, he said.