Veterans Affairs Department employees could have access to a cloud-based, end-user information sharing solution by the end of this summer, said VA Chief Information Officer Roger Baker while speaking with reporters April 28.

Employee utilization of online information sharing websites such as Google Docs or Yahoo! Calendar has been viewed by the office of CIO as an information security breach when uploaded information includes patients' personally identifiable information.

VA officials caught (.pdf) neurosurgery contract staff in the Indianapolis, Ind. region in March of this year utilizing a spreadsheet uploaded to EditGrid that contained the name, social security number last four digits and diagnosis of 184 patients.

Although access to the spreadsheet was password protected, the website doesn't utilize secure hypertext transfer protocol. Because the information "is outside of our facility and outside of our network, we view [it] as a potential breach," Baker said.

Baker said the VA is in discussions with vendors now on how set up a secure solution according to VA standards. The department doesn't want to develop its own version of cloud information sharing software, Baker added. "I can guarantee you it would not be as good and it would not be as popular."

Those discussions should result in a solution made available by the end of this summer, he added. "Now, remember that summer ends on Sept. 21," Baker said. "And I'm a software guy, which means it might end on Sept. 31 or 32."

Regardless, the pace of electronic data breaches has considerably slowed in recent months, Baker noted. Although information continues to unintentionally leak out, "the substantial breaches that are on this report are because of paper," he said, referring to the most recent monthly catalog of data breach incidents.

For example, a  human resources employee in the Ann Arbor, Mich., region placed on Feb. 28 sensitive documents in a plastic bin underneath her desk for future secure disposal. The next day, she arrived at work to find that the bin had been emptied, likely by custodial staff.

Efforts to control data breaches now need to focus on making policy easier to implement in the physical world, Baker said. "A simple thing--is there always a shredding bin within your line of sight if you're in a patient care areas? So it's easier to throw things in the shred bin than to throw them into the trash. Fairly simple, but we think it would make a large difference."

For more:
- listen to Baker's latest monthly call with reporters
- download the most recent VA data breach report, covering the period from Feb. 28 through April 3 (.pdf)

Related Articles:
Baker questions staying power of VA accountability system 
VA looks for open source 'custodial agent' 
VA dismisses SAM contractors, suspends project