The VA Battles ID TheftNew Awareness Campaign Helps Vets Secure Their Data
The Department of Veterans Affairs has launched a new awareness campaign to help veterans prevent, detect and respond to identity theft. The effort is an important supplement to ongoing work by the VA, says Stan Lowe, VA deputy assistant secretary for information security and CISO.
Statistically, veterans are not victims of ID theft at a significantly higher rate than the general public, Lowe tells Information Security Media Group. However, their numbers - there are more than 20 million living U.S. veterans - contribute to them being "easy targets," he says.
It's not uncommon for vets to get phone calls from fraudulent organizations looking for donations. "We take the protection of data seriously on a day-to-day basis, but once [vets' information] is out of our control, that's where we need to educate them about that they can do" to protect their IDs, Lowe says. "It's all about education."
The awareness effort includes a new website containing ID theft information, detection and prevention tips, as well as an ID theft help line.
Among the VA's advice to vets:
- Use strong passwords;
- Secure wireless networks;
- Regularly update anti-malware protection;
- Avoid sending sensitive unencrypted information by email.
But the tips are not just for electronic media and records. In fact, when it comes to breaches involving VA worker mistakes, paper-based incidents make up more than 90 percent of incidents the VA reports to Congress and the Department of Health and Human Services' Office for Civil Rights.
"All my identity issues center around paper," he says. That includes incidents involving mis-mailings, as well as clinicians at VA healthcare facilities unintentionally leaving paperwork containing vets' information out in open areas, he says.
However, unlike breaches involving electronic data, paper incidents tend to be smaller, affecting many fewer individuals, he says. "Paper doesn't have the potential to impact as many people, but it's a constant thing" to pay attention to, Lowe says.
In addition to its awareness campaign for vets, the VA is taking other steps to fight ID theft, Lowe says. That includes ongoing training of VA workers about protecting veterans' personally identifiable information and protected health information.
These measures include offering credit monitoring in the wake of incidents; improving records management, such as secure filing, storing and disposing of records containing sensitive information; and reducing the use of Social Security numbers.
In February, the VA announced it is rolling out new healthcare ID cards to millions of veterans in the effort to combat medical identity theft and fraud (see VA Issuing new ID Cards to Fight Fraud).
Unlike previous ID cards, the new Veteran Health Identification Cards no longer display Social Security numbers and birthdates. Nor is that information contained in the cards' magnetic stripe or barcode. Instead, the new cards display the veteran's unique Electronic Data Interchange Personnel Identifier as their member ID on the front of the card. That Department of Defense internal identification number for veterans is also embedded in the card's magnetic stripe and barcode.
Improving Security Posture
In addition to those efforts to clamp down on ID theft, the VA is also "continually improving our security posture" internally, Lowe says, declining to describe specific technology and process details to avoid informing the VA's data security "adversaries."
Brian Evans, a senior managing consultant at IBM Security Services, says the steps that VA is taking to fight ID theft involving vets are important, but there are other measures that should be considered as well.
"The VA has been reducing the use of Social Security numbers, which is a good thing," he says. "But as America's largest integrated healthcare system, has the VA identified where all of its personally Identifiable Information is used, stored and collected throughout their entire organization?"
Evans says the VA should conduct a remediation program that identifies the business processes that capture and rely on all PII data, mitigate any identified risks and eliminate the use of this data where possible.