
No easy solutions for VA information assurance

Information assurance isn't as simple as a contract clause requiring safeguards such as encryption and policies limiting access to personal data, Veterans Affairs Department officials told a House panel May 19.

Although such a clause has routinely been included in all VA contracts since November 2008, contractors do not necessarily follow it, and might even have legitimate reasons for not doing so.

"Many of the medical devices are certified by the FDA, in a particular configuration to operate in a certain way," said VA Chief Information Officer Roger Baker, speaking before the House Veterans' Affairs oversight and investigations subcommittee.

As a result, operating system patches and malware protection updates can't be routinely applied. A patch could also have unknown effects on the performance of medical devices, Baker said.

In his prepared testimony, Baker wrote that more than 122 medical devices have been infected by malware in the past 14 months. The VA mandated in 2009 that medical devices at VA medical facilities connected to the VA network do so using a virtual local area network structure.

Much of the hearing was taken up by discussion of the VA's most recent electronic data loss incident, a VA contractor's stolen laptop containing personal data of 644 veterans.

Rep. Steve Buyer (R-Ind.), the senior Republican member of the Veterans Affairs committee and a force behind the 2006 law that gave the VA's CIO operational authority for networks across the entire department, laid at least some of the blame for the event on what he said is still a decentralized department.

The Veterans Health Administration "has done everything imaginable, in my personal opinion, to derail the centralized effort. They also have not been as forthcoming with security compliance and assurance as I think they should," Buyer said.

The VA should tie bonus payments to compliance with cybersecurity standards, Buyer said. "Boy, you can get somebody's attention pretty quick" by doing that, Buyer said. "We don't have to legislate that, the executive branch can lean forward on it," he added.

Some amount of data loss is inevitable, no matter how good cybersecurity standards may be, Baker said. However, he said that more information is now lost through paper documents than electronically.

A displaced binder containing records on 3,265 veterans went missing from a Texas laboratory testing facility on April 24.

"Paper is slower, but paper is also harder to detect from an informational reach standpoint," Baker said.

For more:
- check out the hearing web page, complete with prepared testimony and a video recording
