VAleat quantum VAlere potest

* Last of a series on the VA data breaches

In this brief series of articles, I’ve been recounting the tale of data losses at the Department of Veterans Affairs (VA). This will close the subject for now.

On Feb. 2, 2007, Secretary of Veterans Affairs Jim Nicholson announced that a VA employee in the VA medical center in Birmingham, Ala., had reported an external hard drive as missing on Jan. 22. According to Rep. Spencer Bachus (R-Ala.), the backup hard drive contained personally identifiable information (PII) on up to 48,000 veterans - and despite VA regulations promulgated in 2006, as many as 20,000 of those records were not encrypted. A week later, the VA admitted that the hard drive actually contained PII for about 535,000 patients and 1.3 million doctors. It was that loss that led to the letter I quoted in the first article of this series.

A few weeks later, the Government Accountability Office (GAO) released the closest thing to an exasperated blast I think government workers are capable of: In Feb. 28 testimony before the Subcommittee on Oversight and Investigations, in the Committee on Veterans’ Affairs of the House of Representatives, GAO Director of Information Security Issues Gregory Wilshusen presented a report entitled “Veterans Affairs Needs to Address Long-Standing Weaknesses.” (PDF) The summary on page 2 of the PDF file includes this commentary:

“For many years, GAO has raised significant concerns about VA’s information security - particularly its lack of a comprehensive information security program, which is vital to safeguarding government information. The figure below details information security weaknesses that GAO identified from 1998 to 2005. As shown, VA had not consistently implemented appropriate controls for (1) limiting, preventing, and detecting electronic access to sensitive computerized information; (2) restricting physical access to computer and network equipment to authorized individuals; (3) segregating incompatible duties among separate groups or individuals; (4) ensuring that changes to computer software were authorized and timely; or (5) providing continuity of computerized systems and operations. The department’s IG has also reported recurring weaknesses throughout VA in such areas as access controls, physical security, and segregation of incompatible duties. In response, the department has taken actions to address these weaknesses, but these have not been sufficient to establish a comprehensive information security program. As a result, sensitive information has remained vulnerable to inadvertent or deliberate misuse, loss, or improper disclosure. Without an established and implemented security program, the department will continue to have major challenges in protecting its systems and information from security breaches.”

In early March, the VA reacted to the Jan. 22 loss of the portable hard drive. CIO Robert Howard promulgated a policy restricting the use of portable data storage devices. Only flash drives smaller than 2 GB - and only those issued by the VA’s CIO office itself - would be permitted on the VA network or computers.

Encryption would be used throughout the system, just like the assurance issued in August 2006 about spending $3.7 million on encryption tools. In addition, the CIO announced sweeping changes in security administration, with promotion of five deputy CIOs to the rank of assistant secretaries for the following functions: application development, information security, operations and maintenance, resource management and strategic planning.

The latest news I want to mention is the blinding revelation that has come upon federal agencies as of late May: they will stop storing Social Security numbers and other PII wherever possible.

I tell you, it amazes me sometimes to see the speed with which people can respond to information about security.

[By the way, the Latin title of today’s essay means, “Let it stand for what it is worth.”]


Copyright © 2007 IDG Communications, Inc.