Audio: VA CIO Roger Baker's January IT report
Veteran Affairs Department Chief Information Officer Roger Baker spoke with reporters Jan. 30 about the department's data breach reports from September (.pdf), October (.pdf), November (.pdf) and December (.pdf). Scroll down to the media player to listen to the call in full (approx. 1 hour).
Among the incidents recorded was one Sept. 27 event in which a medical care provider in Charleston, S.C. printed out a needs assessment for 474 patients (23 records had full social security numbers and names attached).
"Somehow, that needs assessment managed to print out on a printer in the library of the Cheyenne, Wyo. VA medical center, a couple thousand miles away," Baker said. "I would have thought it would have been pretty difficult" for a printer in Cheyenne to be on the local Charleston network, he acknowledged.
When it comes to laptop encryption – the hard drives of all 300,000 or so laptops that can connect to the VA are supposed to be fully encrypted – Baker said the compliance stands at about 99 percent. Baker said a field operations manager came up with a way of inducing compliance in the remainder: unencrypted laptops get a pop-up message after 5 minutes and are forced to reboot.
"We determined that would probably encourage people to get their laptop encrypted," Baker said.
Minimization of social security numbers as identifiers is an ongoing effort, Baker said, but added that the department still needs them for patient matching in clinical settings.
"It turns out that having them telling us their SSN tremendously increases the accuracy of the matching…It's very, very difficult for us to completely eradicate [SSNs] out of the environment when patient safety and other issues are also there." Rather than use the numbers as an identifier, the department treats them as a data attribute, he added.