Personal information at Veterans Administration is high risk for ID theft

US Veterans’ personal data and health information remain at risk of identity theft because the Veterans Affairs Department has only implemented 2 of the 22 security requirements the federal Inspector General made in 2006, according to a Government Accountability Office report released Wednesday.

For example, VA has not completed activities to appropriately restrict access to data, networks, and department facilities; ensure that only authorized changes and updates to computer programs are made; and strengthen critical infrastructure planning. Because these recommendations have not yet been implemented, unnecessary risk exists that the personal information of veterans and others, such as medical providers, will be exposed to data tampering, fraud, and inappropriate disclosure, the GAO report said.

The VA became the poster boy for data breaches last year when it lost the personal information of 26.5 million veterans and active-duty personnel. The data was eventually recovered, but not until Congress lashed the agency for its lax network security.

Since the May 2006 security incident, VA has continued or begun several major initiatives to strengthen its information security practices and secure personal information within the department, but more remains to be done, the GAO said. Specifically, VA has implemented two GAO recommendations: to develop a process for managing its plan to correct identified weaknesses and to regularly report on progress in updating its security plan to the Secretary.

But big security holes remain. For example, no documented process exists between the Director of Field Operations and Security and the chief information security officer (CISO) to ensure the effective coordination and implementation of security policies and procedures within the department. In addition, the position of the CISO has been unfilled since June 2006. Until the department addresses recommendations to resolve identified weaknesses and implements the major initiatives it has undertaken, it will have limited assurance that it can protect its systems and information from the unauthorized disclosure, misuse, or loss of personal information of veterans and other personnel, the GAO stated.

Responding to an Associated Press story on the GAO’s report, VA Deputy Secretary Gordon Mansfield said he generally agreed with the findings but insisted that VA’s data security was “legally adequate.” Many of the recommendations, which were proposed a year ago by the GAO and VA inspector general, were in the process of being implemented, he said. “VA has taken aggressive and proactive measures that are, or were at the time, above and beyond legal requirements, such as mandating encryption of sensitive data accessed remotely or used outside VA facilities.”


Copyright © 2007 IDG Communications, Inc.
