Report on VA Contractor Security Weaknesses Offers Lessons
What Others Can Learn from Risks Identified
A watchdog agency report highlighting data security violations by a Department of Veterans Affairs medical contractor offers a reminder to all healthcare organizations about similar risks their business associates can pose - especially if BAs are inadequately monitored.
In its Sept. 7 report, the VA Office of Inspector General notes that a review of Anchorage, Alaska-based ProCare Home Medical Inc. was prompted by a tip received on the OIG's hotline. The tipster complained that ProCare, a supplier of home oxygen services to the VA, was allegedly improperly storing and sharing sensitive data on contractor personal devices in violation of federal information security standards, the OIG says.
"More specifically, the complainant alleged that ProCare was allowing its employees to use personal computers and phones to access the company computer system and download VA sensitive data, including veterans' personal health information," according to the report.
The OIG's subsequent review of ProCare confirmed those allegations and identified a number of other security deficiencies at the company that were putting veterans' personal information at risk. The watchdog agency notes, however, that it found no evidence that veterans' sensitive information was compromised.
Vendor Management Struggles
The types of security problems cited in the report on ProCare are similar to issues that all healthcare sector organizations that rely on business associates can face.
"While there was no material breach in this [ProCare] case, the risk likelihood in this scenario for one to occur is definitely escalated to a far greater level than if the data had been properly secured in alignment with the many regulatory requirements the VA falls under in accordance with federal government standards," notes Thad Phillips, principal consultant at tw-Security. "Both public-sector and private-sector covered entities may face these same types of problems depending on the vendor they are working with and, most importantly, how they initially set up their contractual arrangements and business associate agreements."
Watchdog Findings
The OIG says it substantiated the hotline tipster's allegation that ProCare employees accessed veterans' sensitive electronic data from home on their personal computers through an unauthorized cloud-based system that lacked encryption.
The OIG also noted that ProCare employees or malicious users could potentially use personal devices on an unauthorized wireless network to access sensitive veteran information. "In addition, we determined that ProCare was storing sensitive hard copy and electronic veteran information in an unsecured manner at their facility."
ProCare could not provide evidence that its personnel had completed VA-required security awareness training or signed the VA's "contractor rules of behavior" prior to receiving access to VA sensitive data, the OIG report notes.
"These security deficiencies occurred because VA did not provide effective oversight of ProCare personnel to ensure the appropriate protection of veteran information at the contractor facility," the report notes. "As a result, veterans' sensitive information was vulnerable to loss, theft and misuse, including identity theft or fraud."
The report recommended the VA Northwest Health Network management provide specific oversight of Alaska VA healthcare system contractors. "We also recommended the VA Northwest Health Network management, in conjunction with the assistant secretary for information and technology, conduct a site assessment of ProCare information security controls to ensure compliance with VA information security requirements," the report notes.
The VA concurred with the recommendations and provided an appropriate corrective action plan, the report notes. The VA then conducted a site assessment to evaluate the security controls at the ProCare facility and confirmed that corrective actions had been implemented. For example, it confirmed:
- Email for transmitting VA information is encrypted and used by limited staff.
- All electronic VA patient information is stored in an appropriate password-protected system.
- Hard-copy files are stored in a locked file cabinet in a secure area when not in direct use.
- Areas containing VA information are secure and require sign-in and a visitor pass.
- Shred bins are locked and in secure areas.
ProCare did not immediately respond to an Information Security Media Group request for comment on the OIG report.
Vendor Precautions
The security weaknesses identified at ProCare are similar to the common deficiencies that many healthcare organizations find at their business associates, notes Mac McMillan, CEO of security consultancy CynergisTek, and a former Department of Defense information security leader.
"Certainly there are instances of this, particularly with smaller vendors who may have less sophisticated or poorly articulated security controls/programs," McMillan says. "The 'why' is similar - [covered entities] fail to assess their contractors' ability to secure their information properly."
As a contractor to the VA, however, ProCare and similar vendors handling veterans' healthcare data are expected to take extra precautions, he notes. "As a government contractor handling federal employees' health information, they should be compliant with both Federal Information Security Modernization Act and HIPAA, which begs the question: Who conducted their FISMA assessment and who reviewed it? Clearly from the [VA OIG] write-up, they were aware of certain security requirements and failed to observe them - probably because no one was looking."
Phillips of tw-Security says all HIPAA-covered entities need to learn a valuable lesson from the OIG report: Make sure they conduct security reviews of their business associates.
"CEs and BAs alike must understand what they are signing up for on the front end in terms of regulatory requirements and their associated responsibilities," he says. "CEs must keep an eye on their BAs by periodically monitoring and auditing them to ensure their data is protected."
It's also important for BAs to hold any of their subcontractors to the same scrutiny when evaluating their security practices, Phillips stresses.
"CEs are dealing with a range of vendors from small, to medium to large, and so, depending on the service and budget allocations, they want the best bang for their buck and may choose the least expensive vendor to carry out the business needs, while not looking closely at how their data will be maintained," he adds.
"Likewise, the BAs are playing the same game and trying to find ways to fulfill their contractual obligations, but sometimes doing so by cutting corners on the technology front by using 'freeware' forms of cloud storage, email, messaging and the like, [as well as] unencrypted USB devices and minimally managed patched hardware/software in their companies because they don't have robust IT departments."