Auditors fault VA cybersecurity in teleradiology contracts
A Department of Veterans Affairs inspector general audit of remote radiological patient image analysis practices found several cybersecurity holes in the handling of patient data.
The audit, dated July 20, stemmed from a hotline complaint that contractor Camris International, of Bethesda, Md., did not protect VA patients' data while providing teleradiology services.
VA auditors found that some Camris radiologists and case managers can copy, transfer and store sensitive patient data onto personal computers while interpreting radiology images when working from home. Although the network connection home workers use to access patient data is encrypted, and auditors did not identify any instance of a remote worker inappropriately downloading patient data, the lack of procedures preventing remote workers from possibly copying patient data puts sensitive information at risk, the audit states.
Camris also lacks procedures to assure that remote workers' home computers don't pass viruses into the VA network, the report states. Camris officials told auditors that they "have limited resources to ensure that VA patient data is not stored on personal computers and appropriate computer security protections are applied," the report adds.
The report also found that some personal identification information, including Social Security numbers, is transmitted via unencrypted fax from VA medical facilities to Camris.
Auditors also say that neither the VA nor Camris can provide a full list of all hardware and storage devices used to provide teleradiology services. The VA requires that contractors sanitize hard drives that hold patient data at the end of a contract, something made more difficult by lack of a comprehensive list.
As for the cybersecurity clauses embedded in the three contracts the VA currently has with Camris, auditors found wide variation among them. For example, one contract instructs Camris to retain sensitive VA data for 12 months, while another contract requires such data to be purged after 96 hours. The third contract provides no specific information security requirements.
In their recommendations, auditors suggest that the VA require, in future contracts, that remote teleradiology workers utilize only VA or contractor-owned computers. In an official response to the audit, Veterans Health Administration Undersecretary for Health Robert Petzel concurred, but added that "it should be noted that some teleradiology vendors might withdraw because of this requirement." Camris's three teleradiology contracts come to an end over the next several months, the audit states.
Roger Baker, the VA chief information officer, said that the VA will continue to transfer unencrypted fax signals, at least for now. "Although there is a concern that sensitive information may not be adequately protected during transmission, this is a known and accepted risk," he wrote.
For more:
- download the report, 10-03122-198 (.pdf)
© 2011 FierceMarkets. All rights reserved.


