2006 VA Breach: Assessing the Impact
Significant Action Taken, Lots More to Do
Six years ago, a watershed healthcare breach drew attention to the preventive steps, such as encrypting sensitive data, that organizations should be taking to avoid breaches.
In May 2006, the Department of Veterans Affairs reported a breach stemming from a stolen unencrypted laptop that contained information on more than 26 million individuals. Although the device was eventually recovered and the FBI determined that no personal information was inappropriately accessed, the VA agreed to pay $20 million to settle a lawsuit filed by veterans over the incident.
So what's changed at the VA in the last six years?
Roger Baker, the VA's CIO, points to several important steps:
- Virtually all VA laptops are now encrypted.
- The VA doesn't transmit information about veterans to others unless it's encrypted.
- The VA has an independent privacy breach analysis team that investigates all incidents, no matter the size and scope. The team includes legal, technology, business and privacy officers. "They do an evaluation of how serious is this breach and what should we do about it."
- The VA encourages the reporting of what Baker portrays as "near misses," or incidents that could have breached veterans' information. "We make certain we create an environment where reporting the problem is viewed as a safe thing to do and is something that we do as a responsibility to veterans," he says. Nevertheless, if staff members are involved in an egregious breach or break the law, they are disciplined, he adds.
- Information gathered about security incidents is used to help refine staff training.
- The CIO provides daily information security updates to the VA Secretary. Plus he holds press conference calls to go over the monthly data incident reports the VA provides to Congress. Quarterly reports to Congress provide even more details.
Other organizations can learn lessons from the VA's actions, especially its emphasis on encrypting data and on being transparent about breach incidents.
It should be noted, however, that Congress was an important catalyst for many of the VA's actions. Baker's monthly reports to Congress and press briefings, for example, started back in 2010 after members of Congress expressed concerns about a series of relatively small VA breach incidents.
Knock wood, the VA hasn't had another breach anywhere close to the scale of the 2006 incident.
More Work to be Done
But when it comes to privacy and security, the VA clearly still has a lot of work to do.
An April report from the VA inspector general assessing compliance with the Federal Information Security Management Act noted: "The VA's internal network remains susceptible to attack from malicious users who could exploit vulnerabilities and gain unauthorized access to VA information systems."
Responding to the report's findings, Baker said the VA is working on a "cultural transformation" by implementing a Continuous Readiness in Information Security Program.
Meanwhile, the VA and the Department of Defense expect to spend $4 billion on their efforts to integrate their electronic health records systems by 2017, with pilots starting in 2014. Certainly such a massive effort will require serious security initiatives.
And the VA is holding off on further expanding the use of iPhones and iPads by staff to access clinical information until it invests in a mobile device management system to monitor the devices and help ensure security.
That 2006 VA breach was so huge that it served an important purpose: It put a spotlight on the importance of protecting patient privacy. Let's hope privacy protection remains top of mind as the VA and others continue their efforts to make broader use of electronic health records and ramp up health information exchange.