The Nation's #1 Independent Veterans Web Site


                  VA NEWS FLASH
from Larry Scott at VA Watchdog dot Org -- 09-20-2007 #3
 







 


NEW GAO REPORT SAYS VETERANS' DATA STILL AT RISK --

"...Unnecessary risk exists that the personal information of veterans and others, such as medical providers, will be exposed to data tampering, fraud and inappropriate disclosure."

 

 

For more about VA data losses, go to this page...
http://www.vawatchdog.org/va%20data%20theft%20news.htm

We have a news story that's followed by the GAO report and then GAO testimony.

News story here... http://www.washingtonpost.com/wp-dyn/content/article/2007/09/19/AR2007091900542.html

Story below:

-------------------------

Study Says Veterans' Data Are at Risk

By HOPE YEN
The Associated Press



WASHINGTON -- Veterans' personal data and health information remain at risk of identity theft because the Veterans Affairs Department has yet to implement several safety measures, government investigators say.

The report by the Government Accountability Office, released Wednesday, comes more than one year after the VA pledged renewed security efforts after the loss of personal information for 26.5 million veterans and active-duty personnel.

It found that the VA had not yet fully secured access to its computer network and department facilities nor worked to ensure that only authorized changes and updates to VA computer programs were made.

Moreover, the VA has operated without a chief information security officer since June 2006 to oversee changes and still lacks clear and adequate procedures for quickly notifying veterans when their sensitive data is lost, the report said.

"Because these recommendations have not yet been implemented, unnecessary risk exists that the personal information of veterans and others, such as medical providers, will be exposed to data tampering, fraud and inappropriate disclosure," investigators said.

Responding, VA Deputy Secretary Gordon Mansfield said he generally agreed with the findings but insisted the VA's data security was "legally adequate." Many of the recommendations, which were proposed a year ago by the GAO and the VA inspector general, were in the process of being implemented, he said.

"VA has taken aggressive and proactive measures that are, or were at the time, above and beyond legal requirements, such as mandating encryption of sensitive data accessed remotely or used outside VA facilities," Mansfield wrote.

In May 2006, the VA stunned the veterans community when it announced that thieves had stolen a computer hard drive containing millions of names, Social Security numbers and birth dates from a VA employee's Maryland home.

The hard drive was eventually recovered intact, but not until after the VA suffered blistering criticism from Congress for waiting more than two weeks to call in the FBI. VA Secretary Jim Nicholson, who wasn't immediately informed either, said he was outraged and pledged to make the VA the "gold standard" in data security.

"The security regimen at VA has been totally revised," Nicholson, who steps down Oct. 1, reported to Congress this week. "I believe that this reorganization, and the modification and strengthening of our regulations governing IT, its use, and its security will minimize the risk of a significant data loss in the future."

On Wednesday, the GAO said the VA had made progress by developing a plan to correct identified weaknesses in its information technology system, requiring security and privacy training for VA employees, and providing regular reports to the VA secretary.

But significant gaps remain because responsibility for overseeing VA data security is split among several offices and no clear process exists for the officials to work together.

The GAO cited in particular last January's threat of identity theft for 1.8 million veterans and physicians after a backup hard drive with their Social Security numbers went missing from a research site in Birmingham, Ala.

Medical providers involved in the incident were not notified until 85 days after the data loss because the VA did not have clear plans in place for coordinating with other agencies, which in this case was the Department of Health and Human Services.

"Until VA addresses recommendations to resolve identified weaknesses, it will have limited assurance that it can adequately protect its systems and information," the GAO said.

-------------------------

Full GAO report here...
http://www.gao.gov/new.items/d071019.pdf

GAO report highlights here...
http://www.gao.gov/highlights/d071019high.pdf

Highlights below:

-------------------------

Sustained Management Commitment and Oversight Are Vital to Resolving Long-standing Weaknesses at the Department of Veterans Affairs

 

WHY GAO DID THIS STUDY

In May 2006, the Department of Veterans Affairs (VA) announced that computer equipment containing personal information on approximately 26.5 million veterans and active duty military personnel had been stolen. Given the importance of information technology (IT) to VA’s mission, effective information security controls are critical to maintaining public and veteran confidence in its ability to protect sensitive information. GAO was asked to evaluate (1) whether VA has effectively addressed GAO and VA Office of Inspector General (IG) information security recommendations and (2) actions VA has taken since May 2006 to strengthen its information security practices and secure personal information. To do this, GAO examined security policies and action plans, interviewed pertinent department officials, and conducted testing of encryption software at select VA facilities.

 

WHAT GAO FOUND

Although VA has made progress, it has not yet fully implemented most of the key GAO and IG recommendations to strengthen its information security practices. Specifically, VA has implemented two GAO recommendations: to develop a process for managing its plan to correct identified weaknesses and to regularly report on progress in updating its security plan to the Secretary. However, it has not fully implemented two other GAO recommendations: to complete a comprehensive security management program and to ensure consistent use of information security performance standards for appraising senior VA executives. In addition, the department has not yet fully implemented 20 of 22 recommendations made by the IG in 2006. For example, VA has not completed activities to appropriately restrict access to data, networks, and department facilities; ensure that only authorized changes and updates to computer programs are made; and strengthen critical infrastructure planning. Because these recommendations have not yet been implemented, unnecessary risk exists that the personal information of veterans and others, such as medical providers, will be exposed to data tampering, fraud, and inappropriate disclosure.

Since the May 2006 security incident, VA has continued or begun several major initiatives to strengthen its information security practices and secure personal information within the department, but more remains to be done. These initiatives include continuing efforts begun in October 2005 to reorganize its management structure to provide better oversight and fiscal discipline over its IT systems; developing an action plan to correct identified weaknesses; establishing an information protection program; improving its incident management capability; and establishing an office responsible for oversight of IT within the department. However, implementation shortcomings limit the effectiveness of these initiatives. For example, no documented process exists between the Director of Field Operations and Security and the chief information security officer (CISO) to ensure the effective coordination and implementation of security policies and procedures within the department. In addition, the position of the CISO has been unfilled since June 2006. Although 39 percent of items in the department’s remedial action plan are tasks to develop, document, revise, or update a policy or program, 87 percent of these items have no corresponding task with an established time frame for implementation across the department. VA also did not have clear guidance for identifying devices that require encryption functionality, and it lacked adequate procedures for incident response and notification. Finally, VA’s Office of IT Oversight and Compliance lacks a standard methodology and established criteria to ensure that its examination of internal controls is consistent across VA facilities.
Until the department addresses recommendations to resolve identified weaknesses and implements the major initiatives it has undertaken, it will have limited assurance that it can protect its systems and information from the unauthorized disclosure, misuse, or loss of personal information of veterans and other personnel.

 

WHAT GAO RECOMMENDS

GAO is making 17 recommendations to the Secretary of Veterans Affairs aimed at improving the effectiveness of VA’s efforts to strengthen information security practices by developing and documenting processes, policies, and procedures, and completing the implementation of key initiatives. In commenting on a draft of this report, VA stated that it generally agreed with the recommendations and has implemented or is working to implement them.

-------------------------

Full GAO testimony here...
http://www.gao.gov/new.items/d071246t.pdf

GAO testimony highlights here...
http://www.gao.gov/highlights/d071246thigh.pdf

Highlights below:

-------------------------

Progress Made in Centralizing Information Technology Management, but Challenges Persist

 

WHY GAO DID THIS STUDY

The Department of Veterans Affairs (VA) depends on information technology (IT) to effectively serve our nation’s veterans, with an IT budget of about $1 billion annually. However, it has encountered numerous challenges in managing its IT programs and initiatives. To address these challenges, VA is realigning its IT organization and management to a centralized model founded on a defined set of improved management processes. Begun in October 2005, the realignment is planned to be complete by July 2008.

In this testimony, GAO discusses its recent reporting on VA’s realignment effort and its management of other IT programs and initiatives, including ongoing systems development efforts and work to share electronic health information with the Department of Defense (DOD). To prepare this testimony, GAO reviewed its past work in these areas.

 

WHAT GAO FOUND

VA has made progress in moving to a centralized management structure for IT; however, at the time of GAO’s review in May 2007, the department had still to address certain critical success factors for transformation, and it had not yet institutionalized key IT management processes. VA’s plans for realigning the management of its IT program include elements of several of the six factors that GAO identified as critical for the department’s implementation of a centralized management structure, and it had fully addressed one factor—ensuring commitment from top leadership—having obtained the Secretary’s approval of the realignment and the new IT governance structure. However, as of May 2007, the department did not plan to address one of the critical success factors: dedicating an implementation team to manage change. Having such a team is important, since the implementation of the realignment is expected to continue until July 2008. Without a dedicated team, it is less likely that the implementation will be managed effectively. In addition, although the department had begun to take action to establish improved management processes—a cornerstone of the realignment—it had not made significant progress. As of May 2007, it had begun pilot testing 2 of 36 planned new processes. Until it institutionalizes key processes throughout the department, the full benefits of the realignment may not be realized.

At the same time that it is implementing the realignment, VA is managing ongoing IT programs such as information security and inventory control, and it is continuing initiatives to develop IT systems. The department is managing these programs and initiatives using existing management processes, many of which display the long-standing weaknesses that VA aims to alleviate through its realignment. Some progress has been made: for example, the department took actions to improve controls over IT equipment, such as issuing several new policies to establish guidance and controls for information security, but because the realignment was not yet fully implemented, improved processes for inventory control had not been established. In addition, progress on the development of a modernized compensation and benefits system occurred after the project implemented improved management processes, which the department now plans to apply to all its IT projects. VA also achieved a milestone in the long-term effort to share electronic health information with DOD, having begun to exchange limited medical data with DOD (at selected sites) through an interface between the data repositories for the modern health information systems that each department is developing. To achieve their long-term vision, VA and DOD have much work still to do (such as extending the current capability throughout both departments), and the two departments have not yet projected a final completion date for the whole initiative. Further progress in VA’s IT programs and initiatives could be significantly aided by the improved processes that are the cornerstone of the realignment. Until these are fully implemented, the impact of the realignment on these programs and initiatives is uncertain.

 

WHAT GAO RECOMMENDS

In the reports covered by this testimony, GAO made recommendations aimed at improving VA’s management of its IT programs and initiatives.

-------------------------

Larry Scott  --


FAIR USE NOTICE: This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such materials available in an effort to advance understanding of veterans' issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit to those who have expressed an interest in receiving the included information for educational purposes. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.