Veterans' Data at Risk on Shared Network Storage Devices
OIG Report Highlights the Risks; Do Others Face Similar Challenges?
(This story has been updated.)
Inadequately protected shared network storage devices at a Department of Veterans Affairs regional office left veterans' personal and health information vulnerable to identity theft, fraud and other compromises, according to a new watchdog agency report.
The network security lapses discovered at the VA are also common at private sector healthcare entities as well as organizations across other industries, some security experts say.
"The rapid adoption of cloud storage has significantly increased the risk of data compromise," says Clyde Hewitt, executive adviser at security consultancy CynergisTek. "The number one challenge to IT departments is the inherent power of these services, such as Microsoft's OneDrive, Google Docs, Box and Dropbox, because end users have the ability to create shares. Unfortunately, the majority of end users have never been adequately trained in how to set up and share their local shares."
In a report issued Oct. 17, the VA Office of Inspector General says it conducted a review of the Milwaukee, Wisconsin, VA regional office in response to a September 2018 hotline allegation that veterans' sensitive personal information was stored on shared network drives on the VA enterprise network and was likely accessible to unauthorized users.
The VA OIG says it determined that mishandling veterans' sensitive personal information was a national issue because security concerns were not limited to the Milwaukee VA office.
"Senior office of IT representatives said any Veterans Administration benefits user with permission to access VA's network remotely would have had access to the shared drives hosting veterans' sensitive personal information," the OIG writes. "IT operations personnel stated that approximately 25,000 remote access users could have accessed the shared network drives."
In a statement provided to Information Security Media Group, the VA says that it "appreciates OIG's oversight, which in this case uncovered no evidence that any veteran's information was accessed inappropriately. VA has since taken a number of actions to strengthen safeguards regarding veterans' personal information, including removing all such information from shared drives and restricting permissions that prevent the storage of sensitive personal information."
The OIG report notes that accredited Veterans Services Organization officers have access to the network to assist veterans with filing VA disability claims through the Veterans Benefits Management System, the web-based electronic claims-processing system of the Veterans Benefits Administration.
An OIG review of the Milwaukee VA regional office found that veterans' sensitive personal information was left unprotected on two shared network drives, where it was accessible to VA service organization officers who did not represent those veterans.
"Senior office of information and technology representatives told the [OIG] team that other authenticated network users with access to the shared drives also could have accessed that information regardless of their business need," OIG writes.
Three Key Weaknesses
The mishandling of veterans' sensitive personal information occurred for three reasons, the OIG reports.
"First, certain users were knowingly or inadvertently negligent in their use of shared network drives to store veterans' sensitive data despite VA security policy prohibiting such activity," the OIG report says.
"Second, no technical controls were in place to prevent negligent users from storing sensitive personal information on the shared network drives. Third, due to a lack of oversight, office of IT and VA benefits personnel failed to discover and remove any sensitive personal information stored on shared network drives."
Without better protection, veterans and the VA are at risk, the OIG reports. "Veterans are at significant risk of unauthorized disclosure and misuse of their sensitive personal information. This has the potential to expose veterans to fraud and identity theft."
Hewitt of CynergisTek notes that auditing access to shared drives is not easy because IT department staff may lack knowledge to make a "need to know" judgment. "Privacy officials struggle as well because data flow and mappings are not detailed enough to determine what is appropriate," he says. "There are no robust tools that can link the 'need to know' with the technical safeguards, e.g., walls, between shared folders. Ultimately, the lack of implementation standards, and their distribution to all users, is the root cause of these risks."
While the OIG says that the VA's data breach response services determined that the storing of sensitive personal information on the shared network drives did not meet the criteria for a data breach and did not require notifications, "if a breach of sensitive personal information were to occur, VA could incur the expense of notifying and offering credit protection services to individuals whose sensitive personal information was involved. VA could also lose credibility with veterans who trust that their sensitive personal information is being appropriately secured."
The OIG made three recommendations to the VA for mitigating security risks involving shared network storage devices:
- Provide remedial training to users on the safe handling and storage of veterans' sensitive personal information on network drives;
- Establish technical controls to ensure users cannot store veterans' sensitive personal data on shared network drives;
- Implement improved oversight procedures, including facility-specific procedures, to ensure veterans' sensitive personal information is not being stored on shared network drives.
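One concrete shape the second and third recommendations can take, as an added example (not VA or OIG code): an oversight job that walks a share and flags files holding SSN-shaped values so they can be reviewed and removed. The share root and sample files below are constructed; a real job would also need extractors for Office and PDF content.

```python
import os
import re
import tempfile

# SSN-shaped token with the structural rules the SSA documents: area not 000, 666
# or 900-999; group not 00; serial not 0000. A heuristic: hits are leads to review.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")


def find_ssns(text):
    """Return every SSN-like value in a block of text, in order of appearance."""
    return SSN_RE.findall(text)


def scan_share(root):
    """Walk a share and return {relative_path: hit_count} for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_ssns(fh.read())
            except OSError:
                continue  # unreadable file: a production job would log and flag it
            if hits:
                findings[os.path.relpath(path, root)] = len(hits)
    return findings


def build_sample_share():
    """Create a constructed sample share: one clean file, two offending files."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "claims"))
    samples = {  # constructed content; the SSNs are made-up test values
        "claims/notes.txt": "Veteran called about claim status. SSN 123-45-6789 on file.\n",
        "claims/roster.csv": "name,ssn\nJ. Doe,321-54-9876\nA. Roe,000-12-3456\n",
        "readme.txt": "October duty roster. Helpdesk ext. 555-0123, form 987-65-4321.\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, count in sorted(scan_share(build_sample_share()).items()):
        print(f"{rel}: {count} SSN-like value(s) - review and remove from the share")
```

Running the same scan on a schedule, and reporting hits to the privacy officer as well as IT, covers the oversight gap the report describes without relying on users to self-police.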
The OIG report notes that VA officials concurred with the recommendations and provided corrective action plans to address the issues.
Hewitt of CynergisTek points out that the OIG report didn't address policies that prohibit users from knowingly accessing PHI outside of their area of responsibility and the supporting training requirements.
"In the end, the three recommendations specifically targeted the assistant secretary of information and technology, but the compliance and privacy officer's responsibility were noticeably absent," he adds.
Not all problems can be solved by technology, Hewitt stresses.
"At some point, we must recognize that a well-trained workforce is the first line of defense. Not all risks can or should be fully mitigated, as emerging risks from new technology will always outpace an organization's ability to identify more resources. These resources must compete with other needs to provide better patient care."