On June 4, 2013, the House Committee on Veterans’ Affairs, Subcommittee on Oversight and Investigation held a hearing to review the current state of security pertaining to the VA’s massive collection of electronic files. The Subcommittee called the assistant inspector general for audits and evaluations in the VA Office of Inspector General (OIG) as well as representatives from the VA’s Information Technology Management Team to testify.
National attention was directed toward the VA and specifically this section of the VA’s operations as the result of a data breach incident in 2006. That incident involved a stolen laptop from a VA employee who had improperly taken it home to complete work over the weekend. This stolen laptop contained unencrypted information on over 19 million veterans. As a result of this incident, the VA consolidated several separate functions of its IT network into a single unified IT organization.
The VA’s consolidated IT organization is responsible for protecting veteran information at 153 hospitals, 853 community-based outpatient clinics, 57 benefits processing offices, and 131 cemeteries. Since the stolen laptop incident in 2006, the VA has worked hard to regain the trust of veterans. VA now has a specialized data breach notification process, using a Data Breach Core Team (DBCT), which provides advance planning, guidance, analysis, and direction regarding the potential loss of Protected Health Information (PHI) and Personally Identifiable Information (PII).
The OIG expressed concern that the VA’s IT systems are vulnerable to intrusions by groups seeking to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other systems. VA has at times been the victim of such malicious intent. In the past, VA has reported security incidents in which sensitive information, including PII, was lost or stolen, potentially exposing millions of Americans to loss of privacy, identity theft, and other financial crimes. The OIG informed the members that foreign governments and criminal groups are known to work around the clock to gain access to VA electronic files.
Well-publicized information security incidents at VA demonstrate that weaknesses in information security policies and practices expose mission-critical systems and data to unauthorized access and disclosure. The OIG acknowledged the VA has strengthened its efforts to define policies and procedures supporting its agency-wide information security program. However, its highly decentralized and complex system infrastructure poses significant challenges to implementing effective access controls, system interconnection controls, configuration management controls, and contingency planning practices that adequately protect mission-critical systems from unauthorized access, alteration, or destruction.
In its testimony the VA did not agree with the criticisms and assertions offered by OIG suggesting that VA’s IT systems are full of insecure internet connections and other shortfalls in its internal network routing systems. VA agreed that it could be vulnerable to outside hackers, just as any system could be. Unfortunately, these criminal groups are constantly changing their methods and writing new programs to attack US systems. As quickly as the industry builds new security into its networks, these criminal groups create new programs to break it.
The Subcommittee was very concerned about the VA’s efforts to protect files. Chairman Mike Coffman (R-CO) acknowledged that the VA has taken positive steps to safeguard personal and proprietary information used by VA employees and hundreds of contractors; however, more needs to be done. He emphasized that the Subcommittee plans to conduct additional hearings on this issue.
Learn more about the work of Paralyzed Veterans of America on Capitol Hill