VA data exchange practices lack security
Veterans Affairs Department medical centers are not effectively or securely sharing data with research and university facilities, according to an Oct. 23 VA office of inspector general report (.pdf).
"VA's data governance approach has been ineffective to ensure that research data exchanged are adequately controlled and protected throughout the data life cycle," write report authors.
The department regularly exchanges medical and patient information with external organizations for healthcare services and collaborative research studies. But auditors say medical centers lack an accurate inventory of research data exchanged, knowledge of where data is housed and assessments of the sensitivity levels of the data.
For example, one university provided teleradiology services to VA without formal documentation establishing a network connection, authorizing the types of data exchanged or defining data security roles and responsibilities, say report authors.
Auditors are particularly concerned that sensitive data is managed in a decentralized way, leading to inadequate oversight.
In an effort to physically separate VA and partner networks, the department began using air-gapped network connections several years ago--a security measure that eliminates the direct connection of computers and networks, forcing users to rely on other media to transfer data.
Rather than limit direct interconnections, the approach increased the use of internal and external hard drives, CDs, DVDs and flash drives, says the report. The use of such unencrypted storage devices for transporting sensitive data is strictly prohibited by VA.
The agency has not safeguarded the sensitive information and data shared with partners, putting it at risk of unauthorized access, loss and disclosure, says the OIG.
Report authors recommend VA Chief Information Officer Roger Baker and the undersecretary for health create a centralized data governance model to better oversee network connections and data exchanges. Baker should also craft formal agreements to ensure research partners implement controls and protect sensitive data in accordance with VA information security requirements, says the report.
VA officials concurred with the report's recommendations.
- download the report, "Audit of VA's Systems Interconnections With Research and University Affiliates," (.pdf)
Improved routine access to health data ensures disaster preparedness
Cyber threat sharing needs guarantees, says Rand researcher
DOJ, DHS officials discuss the 'how' of information sharing