Audit: VA's Mobile Encryption Compliant

Security of iPhones, iPads Reviewed

A federal audit report has verified that the Department of Veterans Affairs is complying with federal encryption requirements in its initial use of iPhones and iPads even though the devices lack the required type of hardware encryption.


The Federal Information Security Management Act, commonly known as FISMA, requires that encrypted government computers use FIPS 140-2 certified hardware encryption. The hardware encryption on the Apple devices has not yet been certified as being FIPS 140-2 compliant. However, the VA is using FIPS 140-2 encryption for all applications on the Apple devices, the audit by the VA Inspector General confirmed.

"We determined that the VA's approach for allowing only FIPS 140-2 certified applications to access sensitive data or storing encrypted data on the mobile devices met FISMA security requirements for data protection," the audit report states.

But the report noted that the VA could improve security controls and systems management by "ensuring an accurate inventory and consistent configuration of the mobile devices."

Roger Baker, the VA's assistant secretary for information technology, concurred with the report's findings.

The audit was triggered by a complaint received on a confidential hotline that the VA was circumventing FISMA and other rules in rolling out the Apple devices. Also, Sen. Jon Kyl, R-Ariz., requested an inquiry into how the VA was applying encryption to the mobile devices.

Mobile Device Plans

Baker announced last fall that the VA would accommodate the use of as many as 100,000 iPads and iPhones, primarily for clinical purposes, within 18 months as many desktop computers are phased out. And to control costs, many of those mobile devices will be personally owned.

In January, Baker said implementation would not exceed the 1,000 Apple devices rolled out during a pilot project - and would not include personally-owned devices - until a more robust, enterprisewide mobile device management system, using the cloud computing model, is implemented. During an April 25 news media conference call, Baker said the mobile device management system has not yet been selected and likely won't be implemented until later in the summer (see: VA's CIO Provides Mobile Device Update). He confirmed again May 23 that the system acquisition was still pending.


About the Author

Howard Anderson


News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



