Report: VA Using Unsecure TransmissionsDepartment Offers Contrasting Assessment
Despite government security requirements, the Department of Veterans Affairs has not implemented a configuration control to ensure encryption of sensitive data, including patient records, during transmission, according to a new report by the VA's Office of the Inspector General.
The OIG report, "Review of Alleged Transmission of Sensitive VA Data Over Internet Connections," states that VA IT personnel acknowledged that using an unencrypted telecommunications carrier for transmission of sensitive information - including personally identifiable information such as patient electronic health records data and internal Internet protocol addresses - among VA medical centers and Community Based Outpatient Clinics was common at some facilities.
The report claims that the unencrypted data is vulnerable to hacking, and "VA sensitive data could be used to perpetrate various types of fraud."
But the VA, in its response, says it uses a private network so that data is not exposed to public Internet traffic. "The network links in question are not currently employing encryption, but these transmissions are crossing only the private VA network and are not exposed to or traversing the Internet," the VA says.
The Report's Findings
The report states that the VA's practice of transmitting unencrypted sensitive data was a violation of VA and federal information security requirements, including HIPAA.
However, the unencrypted data was transmitted under a waiver by VA's top leaders, according to the report.
Security waivers were signed by VA CIO Roger Baker and the VA acting under secretary for health, Robert Petzel. Baker resigned last month, and his last day was March 8. Federal regulations state that under certain exceptional circumstances, the heads of federal agencies, or their delegates, may approve such waivers.
"[VA IT] management formally accepted the security risks associated with the potential loss or misuse of the data, as defined within VA systems security waiver documents," the report notes.
The VA developed these system security waivers to delay implementing encryption controls in the near term, while acknowledging the risks associated with the lack of technical configuration controls, according to the report
In its report, the OIG makes two recommendations :
- The VA needs to identify networks transmitting unprotected, sensitive data over unencrypted telecommunication networks and implement technical configuration controls to ensure encryption of such data in accordance with applicable VA and Federal information security requirements.;
- The VA needs to require that its IT personnel complete specialized training emphasizing the importance of encrypting sensitive VA data transmitted across public Internet connections.
In its response to the report, the VA's Office of Information and Technology:
- Notes that it disagrees with the assertion that PII and internal network routing information are being transmitted over unsecured Internet connections;
- Explains that the VA employs service offerings from industry telecommunications carriers that are "privately segmented" from other public traffic and that secure internal routing information from exposure to unauthorized entities. "These carrier services provide VA with a private network and do not place traffic on the Internet. It is necessary, in serving our veterans, to transmit PII. The network links in question are not currently employing encryption, but these transmissions are crossing only the private VA network and are not exposed to or traversing the Internet."
- Contends that the VA requires personnel "complete specialized training" emphasizing the importance of encrypting sensitive data.
"The VA will review and ensure VA networks are not transmitting unprotected sensitive data over public Internet connections and will immediately correct such issues, if found," the department says in its response.
Response to Complaint
The OIG report was triggered by a hotline complaint in May 2012 that certain VA medical centers were transmitting sensitive information over unencrypted telecommunications carrier networks.
In response to that complaint, the VA authorized implementation of a departmentwide encryption solution in fiscal 2013 that will address VA's information security requirements for protecting the transmission of sensitive VA data.
Baker was not available for comment beyond the VA's response in the report (see: VA CIO Roger Baker Resigning.)
The new OIG report also comes about a week after a House subcommittee criticized the VA and Department of Defense leaders' recent decision to change plans related to building an integrated electronic health record system from scratch (see: VA, DoD EHR Project: Security Game Plan).