VA IT official defends work on data protection

Lawmakers, GAO and IG say VA information not fully protected

Roger Baker, assistant secretary for information and technology at the Veterans Affairs Department, today defended the department’s efforts to protect against data theft and unauthorized access at a House hearing where the VA was criticized for two recent breaches of veterans’ personal data in Texas.

Rep. Harry Mitchell (D-Ariz.), who chairs the House Veterans' Affairs Committee’s Oversight and Investigations Subcommittee that held the hearing, said the panel is evaluating two recent incidents of unauthorized access to VA data. One was this month and involved data about 3,265 veterans at a VA facility; the other took place in April and involved data about 644 veterans contained on a stolen laptop computer used by a VA contractor, he said.

“These recent data breaches are proof that the VA still has a long way to go to ensure veterans that their information is being safely stored and handled,” Mitchell said.

Asked about the breaches, Baker said the incident that involved data about 644 veterans was the result of a stolen laptop computer belonging to a VA contractor. The data was unencrypted despite a requirement in the contract that it be encrypted, and despite certification from the contractor that the encryption had been carried out, he said.

To prevent further breaches of that nature, Baker said his staff is auditing all other VA contracts that involve sharing of veterans' data to ensure they comply with encryption needs.

Baker acknowledged that there are still problems in balancing the need for data protection against the need for making critical data available to clinicians. Also, there needs to be cooperation with supply chain partners who exchange data with the VA, he said.

“Over the last four years, we have made quantifiable progress,” Baker said. “Over the next year, we will make greater strides. Am I satisfied with where we are? No. Our goal must be to be the best in federal government, and comparable with good private-sector enterprises, on our information security practices. With your support, we will continue to work very hard at achieving that goal during my tenure as CIO at VA.”

Baker outlined several recent initiatives to enhance computer security, including Visualization at the Desktop, which would provide managers with a view of all systems by Sept. 30. “We will have electronic access to every desktop and verify they are in compliance,” Baker said.

The department also is implementing a program to protect VA medical devices through isolation architecture that should be completed by December, he said.

Representatives from the VA's Office of Inspector General and the Government Accountability Office testified that the VA has had longstanding problems in maintaining secure records and in complying with the Federal Information Security Management Act. The department experienced a major breach of veterans' personal data in 2006.

At the same time, panelists noted that the VA has improved its security posture in recent years after a consolidation of computer security responsibility in Baker’s office.

Rep. Steve Buyer (R-Ind.) praised Baker’s work on security compliance and training since arriving at the VA a year ago and claimed that progress was hampered partly by lack of cooperation within the VA.

“I am not here to beat you up,” Buyer said to Baker. “You have stepped into the breach. I recognize this is a work in progress. You have not always had the most cooperation or the best effort from the Veterans Health Administration. They have done everything imaginable to derail the centralization effort.”

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Reader Comments

Mon, May 24, 2010

The issue is NOT VHA trying to derail anything. VHA no longer controls the IT side, the CIO's organization does. VHA no longer does its own security, the CIO's organization does. Failing FISMA for six years straight, and all VA does is reshuffle the same unqualified people as a "reorganization" is not the solution. These last two breaches are clearly VA employees not doing their job, and NOT the fault of VHA as an organization. The Congressman is ill-informed on the root causes.

Sun, May 23, 2010

I agree, I would not accuse VHA of "derailing" the centralization effort, but they are making it extremely difficult. Totally understanding the "patient care, patient safety" argument (I am a Veteran), I am concerned when VHA uses unsecured systems, unencrypted thumb drives and laptops to analyze and transport MY data. I have heard every excuse in the book about not encrypting laptops or data and the worst is system performance. The degradation of system performance is negligible and inexcusable for these systems to not be encrypted. Instead of REAL security audits, I would love to see REAL accountability.

Sat, May 22, 2010

There are plenty of high and low technology alternatives available to the VA but the entire Information Security Organization prefers to operate with outdated and risky half-solutions. The entire department needs a "house cleaning" from top to bottom to get the do-nothing dinosaurs out and let informed, qualified professionals provide the data security job our Veterans deserve.

Fri, May 21, 2010

Though there is plenty of blame to throw around in these incidents, putting the blame on VHA for "derailing" the centralization effort is ridiculous. If access to data comes down to providing security or providing care to a sick veteran, you provide care to the sick veteran. Period. From my experience, the real issues are inconsistent policies from ISOs and CIOs, unqualified personnel in ISO positions who spend more time shuffling paper than they do looking critically at security issues within their organizations, use of SSN as a veteran identifier in almost all data streams rather than a randomized number, and extremely draconian rules preventing access to necessary data which causes people to request more data than they need because asking for too little means more delays and paperwork. Rethink how data is structured and handled, hire the right people for the jobs maintaining security, and put in place REAL security audits.
