Security 'No. 1 Priority' in VA IT TransformationMid-Year Report Spotlights Initiatives to Protect Vets' Data
The Department of Veterans Affairs is in the midst of an IT transformation initiative in which security is a "number-one priority" that includes efforts ranging from enforcing the use of two-factor authentication to reducing privileged access accounts, says a new mid-year report issued by the VA.
The VA's Midyear Transformation Review issued on July 1, provides a status check on some of the VA's IT initiatives and priorities - including cybersecurity, health IT, and infrastructure efforts - over the last year under LaVerne Council, who was named VA CIO and assistant secretary for information and technology in 2015.
The status report by VA comes amidst intense scrutiny by Congress and several government watchdog agencies questioning the effectiveness of VA IT operations to deliver services to veterans, as well as the VA's ability to safeguard veterans' data.
For instance, in March, the VA's Office of Inspector General issued an audit report making nearly three dozen recommendations for how the VA should address "material weakness" in its information security program, ranging from issues concerning identity and access management to incident response.
Also, the Government Accountability Office in recent years has made numerous recommendations to VA to modernize its IT systems, including its electronic health records system to increase interoperability and secure data exchange with Department of Defense's EHR system.
The GAO, in a separate June report, Veterans Affairs: Sustained Management Attention Needed to Address Numerous IT Challenges, notes that CIO Council's transformation strategy, initiated in January 2016, "calls for [VA] to focus on stabilizing and streamlining processes, mitigating weaknesses highlighted in GAO assessments, and improving outcomes by institutionalizing a new set of IT management capabilities."
As part of that transformation effort, Council - shortly after joining the VA last summer - formed an Enterprise Cybersecurity Strategy Team charged with delivering an enterprise cybersecurity strategic plan at the VA (see VA Revamping Cybersecurity Strategy).
Addressing Security Concerns
The overall mission of the VA's office of information and technology, or OI&T - which includes nearly 8,000 employees and an additional 8,000 contractors - is to "enable so much of what VA does to serve our nation's Veterans, including increasing access to benefits, enhancing care with mobile technology, and protecting Veterans' privacy and data," Council writes in a letter contained in the VA's mid-year status report.
Much of the work over the past year at VA has focused on "closing" a list of recommendations by the government watchdog agencies, including addressing a number of security-related issues, the VA mid-year report notes.
"VA OI&T is on track ... to close every one of the Inspector General's recommendations by the end of 2017 ... IT will no longer be a material weakness for VA," the mid-year report says.
"At OI&T, security is the No. 1 priority, and it is everyone's job. Our transformation strengthens this resolve every day," the VA writes.
The VA report notes among accomplishments to "balance business needs with security concerns:"
- Reducing privileged user accounts with access to VA systems by 95 percent;
- Identifying and reducing use of prohibited software by 90 percent;
- Enforcing two-factor authentication for users across VA;
- Mitigating 21 million critical and high-security vulnerabilities, and triaging any repeat IT security audit findings to swiftly eliminate those potential vulnerabilities;
- Blocking 2.6 million malware attempts since December 2015.
In its June report, the GAO noted that the VA budget request for fiscal year 2017 beginning on Oct. 1, included nearly $4.3 billion for IT. That includes approximately $471 million for new systems development efforts, approximately $2.5 billion for maintaining existing systems, and about $1.3 billion for payroll and administration.
In addition, in its 2017 budget submission, the GAO reports that VA also requested appropriations to make improvements in a number of areas, including information security.
That VA appropriation request includes funding of $370.1 million for implementing strong authentication, ensuring repeatable processes and procedures, adopting modern technology, and enhancing the detection of cyber vulnerabilities and protection from cyber threats, the GAO notes.
Obtaining funding to achieve critical security priorities is often a challenge for many institutions - and in the meantime, the lack of resources can also create risk, some experts note.
"If any organization begins to lag in their security control investments, they will be challenged with establishing priorities and justifying 'catch-up' budgets," says Mark Dill, principal consultant at consultancy tw-Security and former longtime CISO at the Cleveland Clinic. "Few can afford to fix all problems at once - so they spread their investments across multiple budget cycles. During this time, a fair amount of risk is often left unmitigated while the absolute emergencies are addressed."
Other privacy and security experts note that many of the challenges being dealt with by the VA are similar to the struggles faced by other healthcare organizations, but on a different scale. The VA's Veterans Health Administration is the largest integrated healthcare system in the U.S., with more than 1,700 sites of care, serving almost 9 million veterans each year.
"Every organization is doing its best to block malware," notes Tom Walsh, CEO of consultancy tw-Security. However, "I believe that the VA would have a slightly different threat profile than most hospitals because the agency serves our veterans, and the motivations for attacks through malware may include political - including nation states that hate the U.S. - and religious groups."
Efforts by the VA, as well as other healthcare entities, "to eliminate elevated user privileges, such as local admin rights and restricting 'write' access while allowing 'read' access, will go a long way to reduce the possible impacts if malware was able to penetrate the perimeter defenses," Walsh notes.
"Most malware needs elevated privileges to do the most harm. This is the recommendation that we have been making to our healthcare customers for some time now."