VA Outlines Two Security Initiatives
Tracking Computers, Alerting Contractors to Requirements
The VA is spending $50 million this year on technology that will enable it to better identify all the laptops, desktop PCs and other devices linked to its network and determine whether they're encrypted and have appropriate security patches, applications and operating systems, says Roger Baker, assistant secretary for information and technology.
In addition, Baker soon will send letters to all companies that do business with the VA to remind them that if they have access to veterans' data, including healthcare information, they must certify that they meet VA security guidelines, including the encryption of the data.
Pinpoint Vulnerabilities
The ongoing effort to improve the VA's ability to precisely identify the approximately 1 million devices linked to its network will help it to pinpoint potential security vulnerabilities, Baker says.
"Our network security operation center will be able to see things and work with the CIOs at local facilities to make sure they remediate any security issues," he says.
The $50 million being spent on the project this year does not include staff time, he adds.
Letter to Contractors
Baker estimates that perhaps 30 percent of the VA's 22,000 contractors have access to veterans' data and must comply with security guidelines.
In his letter to the CEOs of all contractors, Baker will point out that if the companies with access to veterans' information fail to prove that they comply with VA security guidelines, they could lose the opportunity to do business with the agency.
"The main intent of the letter is that everyone gets the message that they must protect VA data," he says.
Meanwhile, the VA is continuing its audits of vendor contracts on a facility-by-facility basis, identifying those that lack the required information security clauses. So far, one-third to half the facilities reviewed have had no contracts lacking the clauses. The others, however, have found that 20 percent to 25 percent of their contracts lack the clauses, Baker says.
External Websites
Addressing another potential security concern, Baker notes that nine VA healthcare facilities have recently reported that medical residents and others were using external password-protected websites to store certain limited patient information that they entered themselves. These sites were used for such purposes as change-of-shift reports and tracking lab documents.
As a result, the VA is "looking into whether any privacy issues are involved" and reviewing its policies and guidance about where information can be stored, Baker says.
"This is a good example of having to wrestle with the tough issue of balancing patient care and information protection," he adds.
Statistics for August
In discussing the VA's August report to Congress about breach incidents in the healthcare arena and elsewhere, Baker noted a trend involving the theft of several computers from inventory before they have had applications loaded and encryption activated. The VA is investigating whether the thefts resulted from similar security lapses. During August the VA had no healthcare information breach incidents affecting 500 or more veterans that needed to be reported to regulators, as required under the HITECH Act, Baker says. But the Department of Health and Human Services' Office for Civil Rights' list of major breaches already includes five recent VA incidents.
In August, the VA began making its monthly breach report to Congress available to the public online. Baker also has been holding monthly press briefings on the statistics since May.
The VA's transparency efforts came in the wake of a Congressional hearing this spring, when the department was called to task for the breaches reported to the HHS Office for Civil Rights.