Cloud technology, smaller electronic devices present security challenges at VA


Two data breaches, announced in a Dec. 22 Veterans Affairs report (.pdf), are the result of new technology being mismanaged or used without authorization by clinicians at VA health facilities.

Medical practitioners at a Chicago VA facility used a cloud-based program, hosted by, to store information on staff shift changes and patient data outside of the VA firewall. As a result, 878 patient records may have been compromised. In September, a similar incident was reported when physicians used Google (NASDAQ: GOOG) Docs as a collaborative platform for viewing patient information.

"The government by itself can't keep up with Yahoo!, Google, Apple (NASDAQ: AAPL) and others who are creating great applications for medical usage," said Roger Baker, VA chief information officer during a press call on the report.

"We have to figure out how to embrace those and at the same time ensure that we are providing privacy and health information protections that we are committed to doing," he said, adding that "these are great tools for patient care, and right now, as the CIO, my position has to be, ‘you can't use them.'"

In another breach, fifty-two veteran health records were put at risk, when a digital camera went missing at a Tampa, Fla. facility. The camera contained images, patient names and Social Security numbers to be stored in VistA health records. Standard procedure requires images on VA cameras be wiped off of memory cards every 24 hours. The report cites employee turnover as the reason for non-compliance.

"We use a lot of tools for patient care. I'm sure you can picture why digital cameras have been a boon to organizations like the VA," said Baker. "Because we don't have encrypted storage on the camera, the procedure has to be pretty solid."

The VA may be looking into encrypted image storage on cameras going forward, said Baker. He added that the challenge with digital cameras is indicative of the larger problem of controlling small devices, containing sensitive information, distributed throughout the enterprise.

Baker's data breach report was the last of such monthly reports to Congress for 2010. Reflecting on the past year, Baker said VA is constantly improving in IT security and is better this year than it was last year. However, he said, there is clearly room for improvement. Baker said VA is on track to wrap up guidance for securing medical devices on the network by Dec. 31.

Looking to 2011, Baker noted tight budgetary constraints at VA, as it is likely Congress will cut the agency's budget by $200 million. In the coming year, VA will build upon its progress with agile development and launch more projects utilizing the strategy, said Baker.

"We've learned a lot about it, we like it, we embrace it, but it's not the only way to develop," said Baker.

VA will proceed with agile development, despite some criticism earlier in the year from the Government Accountability Office. Baker said agile projects have been a huge success at the agency. Now, he said GAO and VA are in "strong agreement" on agile development and it is a strategy "GAO wants to see us continue to use."

For more:
- listen to the press call
- see VA's November data breach report (.pdf)

Related Articles:
Audio: VA CIO Roger Baker's December IT report
Audio: VA CIO Roger Baker's November IT report
Q&A: Roger Baker on the future of VistA and VLER
Audio: VA CIO Roger Baker's September IT report

Audio: VA CIO Roger Baker's August IT report