IG: VA transmitting sensitive data over unencrypted carrier network

Tools

The Veterans Affairs Department was transmitting sensitive data, including personally identifiable information and internal network routing information, over an unencrypted telecommunications carrier network, according to a March 6 VA Office of Inspector General report (.pdf).

Despite VA and federal information security requirements, the department has not implemented technical configuration controls to ensure encryption of sensitive data, found the OIG. In fact, auditors discovered that the VA typically transferred unencrypted sensitive data, such as electronic health records and internal Internet protocol addresses, among certain VA medical centers and community-based outpatient clinics.

VA Office of Information Technololgy management "acknowledged this practice and formally accepted the security risk of potentially losing or misusing the sensitive information exchanged via a waiver; however, the use of a system security waiver was not appropriate," concludes the report.

"Without controls to encrypt the sensitive VA data transmitted, veterans' information may be vulnerable to interception and misuse by malicious users as it traverses unencrypted telecommunications carrier networks," states the OIG. "Further, malicious users could obtain VA router information to identify and disrupt mission-critical systems."

The OIG recommends that the VA chief information officer identify the VA networks transmitting sensitive data over the unencrypted carrier networks and implement configuration controls to ensure encryption of such data. Auditors also say the CIO should also require that OIT personnel complete specialized training emphasizing the importance of encrypting sensitive VA data transmitted across the Internet.

The CIO concurred with the OIG's recommendations.

For more:
-download IG report, 12-02802-111 (.pdf)

Related Articles:
IG: VA faces challenges in moving to paperless claims processing
VA CIO human capital management faulted
VA data exchange practices lack security