Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations

VA Fixing Contracts' Security Terms

Some Pacts Lack the Required Clauses
VA Fixing Contracts' Security Terms
A U.S. Department of Veterans Affairs audit has determined that 10 to 20 percent of its vendor contracts lack information security clauses, says Roger Baker, assistant secretary for information and technology.

The VA is working with all of its units, including those in healthcare, to ensure all their contracts include clauses specifying that if a vendor receives or produces personal information on veterans, it must follow the same security precautions as the VA, Baker says. Those precautions include encrypting laptops.

No Major June Breaches

The VA had no major healthcare breach incidents from May 31 through July 4 affecting more than 500 veterans that would have to be reported to the Department of Health and Human Services' Office for Civil Rights as required under the HITECH Act's breach notification rule, Baker says. The OCR's list, however, already includes five earlier VA incidents.

But 16 laptops, including five unencrypted devices at healthcare facilities, were discovered to be missing or stolen during the period. For example, one of the healthcare devices was used to program IV pumps while another was used to support hearing tests.

Also reported during the period in various VA units, including healthcare, were:

  • 24 lost encrypted Blackberries, compared with 13 in May;
  • 74 incidents of internal e-mails that were not encrypted, as required, down from 80 in May;
  • 86 information mishandling incidents, up from 74 in May. An example of such an incident is when a patient is given the wrong medication list that contains identifiers for another veteran;
  • 119 incidents of mismailings, such as more than one letter stuffed in an envelope. In May, there were 123;
  • Eight incidents involving errors in tracking IT inventory, such as failure to confirm disposal, up from four in May.

Even in cases that involve breaches affecting only a few veterans, the individuals receive notification with an offer of free credit protection from the VA, Baker adds.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.