VA IT security gaps extend to contractors
Rep. Buyer: Department CIO needs IT security enforcement authority
The Veterans Affairs Department said today that it has been investigating allegations that an offshore medical transcription subcontractor last year threatened to expose 30,000 veterans' electronic health records on the Internet in a payment dispute with a VA contractor.
The VA assistant inspector general referred to the investigation during questioning in a congressional hearing on VA's data security environment in the wake of the theft of sensitive data of 26.5 million veterans, active duty military and reserves officers.
The medical transcription incident highlights how gaps in information security also extend to contractors, said Michael Staley, VA's assistant inspector general for auditing. Some VA medical transcription contractors have used offshore subcontractors in India and Pakistan without VA's approval and without adequate controls to ensure veterans' health information was secure under the Health Insurance Portability and Accountability Act, according to an audit released today.
'Contracts do not specify criteria for how to protect information,' Staley told the House Veterans Affairs Committee.
Staley enumerated audits of information management security under the Federal Information Security Management Act, the Consolidated Financial Statement and Combined Assessment Program that revealed significant vulnerabilities. These include VA not controlling and monitoring employee access, not restricting users to only the data they need and not terminating accounts of departing employees in a timely manner.
In last year's FISMA review, the IG provided 16 recommendations, including addressing security vulnerabilities of unauthorized access and misuse of sensitive information and data throughout VA demonstrated during its field testing. All 16 recommendations remain open, he said.
Audits also found instances where out-based employees send veterans' medical information to the VA regional office through unencrypted e-mail; monitoring remote network access and usage does not routinely occur; and off-duty users' access to VA computer systems and sensitive information is not restricted.
'VA has implemented some recommendations for specific locations identified but has not made corrections VA-wide,' he said.
From fiscal years 2000 to 2005, the IG identified IT and security deficiencies in 141, or 78 percent, of 181 Veterans Health Administration facilities reviewed, and 37, or 67 percent, of the 55 Veterans Benefits Administration facilities reviewed.
'We recommended that VA pursue a more centralized approach, apply appropriate resources and establish a clear chain of command and accountability structure to implement and enforce IT internal controls,' Staley said.
The underlying situation is the VA's department CIO does not have authority to enforce compliance with data security and information management and recommendations from GAO, said Veterans Affairs Committee chairman Steve Buyer (R-Ind.).
Buyer traced problems in security enforcement to a memo dated April 2004 from the general counsel that said the department CIO did not have enforcement authority.
The CIO, undersecretaries who lead VA's benefits, health and burial administrations, and the VA secretary share responsibility for enforcement, said Gregory Wilshusen, director of information security issues for the Government Accountability Office.
'Information security is a governmentwide problem, and we have talked with OMB about that,' said Linda Koontz, director of GAO's information management issues.
Buyer expressed frustration that there are no consequences for 'recalcitrant' agencies that do not correct problems that GAO has repeatedly highlighted. He cited the Privacy Act, which has been strengthened with consequences.
'If you have a bureaucracy so strong in the department that the secretary or political bodies are unable to act, don't you think the president or vice president or OMB needs to know that because there are monetary consequences behind that inaction? I'm bothered that GAO doesn't have the higher authority to which they can turn,' Buyer said after the hearing.
After several more hearings this month, Buyer and his committee will make recommendations or craft legislation. He suggested that Congress consider looking at strengthening FISMA.
'We can even come up with that in our language, but we're not going to have jurisdiction over that. We'll have to work with Mr. Davis [House Government Reform Committee chairman Tom Davis (R-Va.)] and his committee. I'd be more than happy to do that,' he said.