[ISN] VA IT security gaps extend to contractors

InfoSec News isn at c4i.org
Thu Jun 15 02:26:09 EDT 2006


By Mary Mosquera
GCN Staff

The Veterans Affairs Department said today that it has been
investigating allegations that an offshore medical transcription
subcontractor last year threatened to expose 30,000 veterans'
electronic health records on the Internet in a payment dispute with a
VA contractor.

The VA assistant inspector general referred to the investigation
during questioning in a congressional hearing on VA's data security
environment in the wake of the theft of sensitive data of 26.5 million
veterans, active duty military and reserves officers.

The medical transcription incident highlights how gaps in information
security also extend to contractors, said Michael Staley, VA's
assistant inspector general for auditing. Some VA medical
transcription contractors have used offshore subcontractors in India
and Pakistan without VA's approval and without adequate controls to
ensure veterans' health information was secure under the Health
Insurance Portability and Accountability Act, according to an audit
released today.

"Contracts do not specify criteria for how to protect information,"  
Staley told the House Veterans Affairs Committee.

Staley enumerated audits of information management security under the
Federal Information Security Management Act, the Consolidated
Financial Statement and Combined Assessment Program that revealed
significant vulnerabilities. These include VA not controlling and
monitoring employee access, not restricting users to only the data
they need and not terminating accounts of departing employees in a
timely manner.

In last year's FISMA review, the IG provided 16 recommendations,
including addressing security vulnerabilities of unauthorized access
and misuse of sensitive information and data throughout VA
demonstrated during its field testing. All 16 recommendations remain
open, he said.

Audits also found instances where out-based employees send veterans'
medical information to the VA regional office through unencrypted
e-mail; monitoring remote network access and usage does not routinely
occur; and off-duty users' access to VA computer systems and sensitive
information is not restricted.

"VA has implemented some recommendations for specific locations
identified but has not made corrections VA-wide," he said.

 From fiscal years 2000 to 2005, the IG identified IT and security
deficiencies in 141, or 78 percent, of 181 Veterans Health
Administration facilities reviewed, and 37, or 67 percent, of the 55
Veterans Benefits Administration facilities reviewed.

"We recommended that VA pursue a more centralized approach, apply
appropriate resources and establish a clear chain of command and
accountability structure to implement and enforce IT internal
controls," Staley said.

The underlying situation is the VA's department CIO does not have
authority to enforce compliance with data security and information
management and recommendations from GAO, said Veterans Affairs
Committee chairman Steve Buyer (R-Ind.).

Buyer traced problems in security enforcement to a memo dated April
2004 from the general counsel that said the department CIO did not
have enforcement authority.

The CIO, undersecretaries who lead VA's benefits, health and burial
administrations, and the VA secretary share responsibility for
enforcement, said Gregory Wilshusen, director of information security
issues for the Government Accountability Office.

"Information security is a governmentwide problem, and we have talked
with OMB about that," said Linda Koontz, director of GAO's information
management issues.

Buyer expressed frustration that there are no consequences for
"recalcitrant" agencies that do not correct problems that GAO has
repeatedly highlighted. He cited the Privacy Act, which has been
strengthened with consequences.

"If you have a bureaucracy so strong in the department that the
secretary or political bodies are unable to act, don't you think the
president or vice president or OMB needs to know that because there
are monetary consequences behind that inaction? I'm bothered that GAO
doesn't have the higher authority to which they can turn," Buyer said
after the hearing.

After several more hearings this month, Buyer and his committee will
make recommendations or craft legislation. He suggested that Congress
consider looking at strengthening FISMA.

"We can even come up with that in our language, but we're not going to
have jurisdiction over that. We'll have to work with Mr. Davis [House
Government Reform Committee chairman Tom Davis (R-Va.)] and his
committee. I'd be more than happy to do that," he said.

More information about the ISN mailing list