VA Defends Its Security Policies

Latest breach details also revealed
Roger Baker, VA assistant secretary for information and technology, says he met one-on-one with Rep. Steve Buyer, R-Ind., to address his concerns that VA security is too decentralized.
"IT security at the VA is centralized and it is my responsibility," Baker told reporters in a May 27 teleconference. "This is a large organization, and there's certainly a lot we still have to do to achieve great information security. But we don't have any lack of authority to do what we need to do to protect the information."
The VA consistently provides members of Congress who are involved in oversight of the department "very early notification that an incident may have occurred" even before all the facts are known, Baker stressed.
At his session with reporters, he also noted that the VA this week began audits of certain contractors to ensure their compliance with VA security policies, including the encryption of laptops.
Baker's remarks came after Buyer voiced his frustrations in a letter to VA Secretary Eric Shinseki, citing "great concern about VA's continuing material weakness in protecting veterans' information from data breaches."
So far, five VA incidents are on the HHS Office for Civil Rights' list of healthcare breaches affecting more than 500 individuals, which only tracks cases since last September. Four of the VA incidents involved paper records and one involved a stolen laptop.
"The bulk of the issues we deal with now are on paper," Baker told reporters, noting that each week, the VA has several small breaches affecting only a few veterans.
The most recent major VA incident reported to OCR involved a binder reported missing May 4 from an outpatient laboratory at VA North Texas Health Care System. The binder included information on more than 4,000 patients, including their Social Security numbers, Baker said. The lab sees about 800 patients a day.
The lab used the binder to "keep track of who was going where and where lab specimens were being drawn," Baker said. At the end of the day, the binder was placed in a locked office. But the next business day, it was discovered to be missing.
The VA notified the 4,000 vets affected by the incident, as required by the HITECH Act Breach Notification Rule, and offered them free ID theft protection for a year.
In the wake of any breach incident, the VA facility involved conducts a root cause analysis and then makes policy changes as needed, Baker said. In the North Texas case, for example, the lab likely is considering specifying how long information should be kept in the binder before shredding it and changing physical security measures, he explained.
In March, the office of the VA inspector general announced it was investigating a potential breach involving a former employee's laptop with information on patients at the Atlanta VA Medical Center. Baker said that investigation is continuing.
The VA changed its security policies, including mandating encryption of laptops, in the wake of a 2006 incident when a VA analyst conducting research downloaded information on 26.5 million veterans and active duty personnel to his personal laptop, which later was stolen and recovered.
The FBI determined that no personal information was inappropriately accessed, but the VA agreed to pay $20 million to settle a lawsuit filed by veterans over the incident.