WASHINGTON, DC—Two recent instances of VA information security breaches have attracted the attention of Congressional overseers who have concerns that the problem of VA data security—one that VA has struggled with for several years—is not being given the attention and resources it needs.

In Texas, the personal data of 265 veterans was compromised when information went missing from a VA facility conducting lab tests. In another data security breach, also in Texas, a VA contracted company had a laptop stolen, compromising the records of 644 veterans. Both incidents occurred within the last couple of months. “These recent data breaches are proof that the VA still has a long ways to go in ensuring our nation’s veterans that their most sensitive information is being safely stored and handled,” declared Rep Harry Mitchell, D-AZ, chair of the House VA Oversight Subcommittee at a hearing last month.

Noncompliance with information security protocols is more widespread than just a few isolated incidents, government reports state. In March of this year, the Office of Management and Budget released its FY 2009 report on the Federal Information Security Management Act (FISMA). The VA ranked last among other FISMA-monitored agencies in areas such as the percent of login users trained on information security awareness, and also in the issuance of personal identity verification. Additionally, the OMB report lists the VA as one of six federal agencies identified as having a material weakness in the field of information security.

A Decade of Problems

According to GAO, VA has faced long-standing information security issues for over a decade. While the department has made some limited progress, large gaps remain. “For the 13th year in a row, VA’s independent auditor reported that inadequate information system controls over financial systems constituted a material weakness,” explained Gregory Wilshusen, GAO’s director of information security issues, at the hearing last month. “Among 24 major federal agencies, VA was one of six agencies in fiscal year 2009 to report such a material weakness.”

Deficiencies were reported in each of the five major areas of security control: access control, configuration management, segregation of duties, contingency planning, and security management. “Access control is intended to ensure that only authorized individuals can read, alter, or delete data,” Wilshusen explained. “Configuration management controls provide assurance that only authorized programs are implemented. And segregation of duties reduces the risk that one individual can perform inappropriate activities without detection.”

Belinda Finn, assistant IG for audits and evaluations, explained that during the VA IG’s investigation of VA security, they found numerous instances of weak password protection. “We found weak or default passwords on application servers, databases, and networking devices at most VA facilities,” she told legislators. “These weak or default passwords can allow malicious users to gain unauthorized access to mission systems.”

IG investigators also found a significant number of external connections to VA’s databases, many of which were not documented or monitored. “There’s a significant risk that a hacker could penetrate a network and systems over an extended period of time without being detected,” Finn said.

Many VA facilities are also deficient in their contingency planning responsibilities, Finn noted. “It was not validated that VA personnel could restore mission critical systems from a remote processing site as planned. Without in-depth realistic contingency plan testing, VA cannot be sure that it can readily restore systems in the event of a disaster or service disruption.”

In September 2007, GAO reported on the shortcomings of VA’s information security practices, filing a report and making 17 recommendations for what VA could do to shore up its data security. GAO has since confirmed that VA implemented five of those recommendations, including developing guidance for the information security program and documenting related responsibilities. VA has efforts under way to address 11 of the remaining 12 recommendations. Those include ensuring remedial action items are completed in an effective and timely manner, implementing guidance on encryption, and developing and documenting procedures to obtain contact information for individuals whose personal information has been compromised in a security breach. 

Simple Thefts, Simple Fixes

The kind of simple, physical theft that occurred in Texas was similar to one that occurred in May 2006, when the personal data of millions of veterans was compromised when a laptop and external hard drive were stolen from a VA employee’s home. “This is, across the entire government, the kind of incident that results in significant data loss,” Wilshusen noted.

But VA can do a number of things to prevent it, including implementing dual security keys. “So someone who steals a laptop would not only need to know a particular piece of information, like a password or pin number, but also possess a token or some sort of biometric that would allow only one user to access and authenticate to that system,” Wilshusen explained.

Limiting the amount of data on any portable device would also limit data theft liability. And if data needs to be transported, it should remain on the device only for as long as it is needed. Other simple methods of protection include keeping virus software up to date and downloading all security patches.

“Another key point is encrypting the data on the laptop,” Wilshusen said. “That’s essential.” On that front, VA has made significant progress. In 2007, GAO tested 248 laptops from eight different VA facilities and found that 244 (98%) were encrypted. “But those were agency laptops. Where they often have issues is where contractors have not encrypted data on the laptops.”

Gaps in Contractor Security

This is where data security intersects with other pressing concerns of legislators and VA officials—the decentralized process by which VA issues contracts and the inconsistency of security clauses in those contracts. The Texas contractor that had the laptop stolen had 69 contracts in 30 VISNS. Investigations have shown that 29 of those contracts did not have security clauses requiring the contractor to follow data encryption and security protocols.

The laptop that was stolen contained information pertaining to a VA contract that did include a security clause. Despite the presence of the clause in the contract, and the contractor’s assurance that the clause was being followed, security precautions were not taken and the information on the laptop was not encrypted.

Wilshusen said that, while GAO has not looked at VA’s activities in this area specifically, contractor security was something that the agency needed to ensure if they want to be serious about data security.

Rep Steve Buyer, R-IN, ranking Republican on the House VA Committee was incensed that something like consistency of contracting and oversight of contracts could not be monitored centrally at VA. “I dislike the decentralized process,” he said. “I detest it.”

VA procurement reform is on the agenda for legislators this season, and Buyer said he hopes that the issue of contracting and contractor security can be dealt with in the process. “When we move into our procurement reform, I am hopeful that we can work together to move to a more centralized model,” he said.

back to June articles