GAO: VA’s IT Security Insufficient, Endangers Veterans’ Health Data
November 19, 2014 in News
The Department of Veteran Affairs has failed to adequately address IT security issues, potentially putting veterans’ sensitive health data at risk, according to a new Government Accountability Office report, FierceHealthIT reports (Hall, FierceHealthIT, 11/18).
VA’s systems include the personally identifiable information of about 20 million U.S. veterans, according to Nextgov (Konkel, Nextgov, 11/18).
Details of Report
According to the report, while VA has made some progress in addressing IT deficiencies previously identified by GAO, the department:
- Could not produce a forensic analysis report of VA’s response to a 2012 data breach to determine if the response had been effective (GAO report, November 2014);
- Has not addressed the underlying vulnerability that allowed the 2012 incident to occur;
- Did not develop action plans or timelines for addressing vulnerabilities identified by the Network and Security Operations Center in two Web-based applications;
- Has failed to provide its NSOC with the authority to access VA network activity logs, harming NSOC’s efforts to determine the adequacy of data breach responses (Nextgov, 11/18); and
- Has been hindered in determining the effectiveness of responses to data breaches by a department policy of disposing of data security-related evidence one month after issuing forensic analysis reports, even though federal guidelines recommend keeping such data for three years (FierceHealthIT, 11/18).
In addition, the GAO report found that VA failed to apply “10 critical software patches,” each of which was meant to address an average of 30 security vulnerabilities (Konkel, Nextgov, 11/19).
VA said that it had decided to hold off on applying three of the patches until it had tested their effects on the department’s applications. However, GAO found that VA had neither documented compensating controls nor created plans to transition to IT systems with up-to-date security (Nextgov, 11/18).
GAO said, “Collectively, these weaknesses increase the risk that sensitive data — including veterans’ personal information — could be compromised” (FierceHealthIT, 11/18).
The report added, “Until VA fully addresses previously identified security weaknesses, its information is at heightened risk of unauthorized access, modification and disclosure and its systems at risk of disruption” (Nextgov, 11/18).
GAO recommended several ways that VA can address the identified issues, such as:
- Amending its standard operating procedures to require data breach-related evidence to be kept for a minimum of three years;
- Creating timeframes to complete IT security-related initiatives;
- Finalizing and carrying out department policy mandating that IT developers conduct scans of source code on key Web applications;
- Fully implementing the proposed solution to the 2012 data breach; and
- Scanning non-Windows devices on the VA network in authenticated mode.
VA concurred with the recommendations, adding that it had already begun to address some of the suggestions and has plans to address the others (GAO report, November 2014).
Congressional Testimony on VA Data Security
In related news, VA Deputy Assistant Inspector General Sondra McCauley in testimony before the House Committee on Veterans’ Affairs on Tuesday noted that annual Federal Information Security Management Act audits have found VA technology controls to be a “material weakness” for each of the past 15 years.
McCauley noted several areas in which VA has improved IT security via its Continuous Readiness in Information Security Program, including instituting:
- Compliance tools;
- Contingency plan testing;
- Continuous IT system monitoring;
- Employee background check updates for staffers with access to more sensitive data; and
- Training on security awareness (Mazmanian, FCW, 11/18).
However, McCauley added that “[i]t is particularly disconcerting that a significant number of vulnerabilities [VA OIG] identified at VA data centers are more than five years old” (Nextgov, 11/18).
Meanwhile, VA CIO Stephen Warren, in separate testimony before the House panel, announced that VA would allocate $60 million to address IT security issues by:
- Enhancing department access privilege approval or removal policies for VA staffers entering or leaving the department; and
- Hiring more than 325 additional staff members to work on IT security (FCW, 11/18).
Warren said that the department would reevaluate its IT security needs in February and “if significant progress is not being made, additional resources will be applied” (Nextgov, 11/19).
In addition, Warren said that VA’s largest data security issue “is not technical” but that physical data exposure “is the most significant risk facing [VA's] information security posture” (Nextgov, 11/18).