The Veterans Affairs Department discovered 10 laptops missing from a VA facility and 12 BlackBerries lost by agency employees in August, said VA Chief Information Officer Roger Baker during a Sept. 17 press call on its August data losses. Only six computers were stolen in June and July; however, the number of missing BlackBerries has continued to decline over several months, Baker said.

"We've got somewhere between 30 and 40,000 laptops in our environment, but we certainly don't like losing those," said Baker. He explained that these occurrences were not a serious problem "given where they were stolen and the fact that when they're issued, they're encrypted."

Still, Baker said the security in the inventory storage areas must be reviewed and will likely need to be ramped up.

Baker later, jokingly added that the decline in BlackBerry incidents was due to "all the attention in the press to our loss of BlackBerries."

One reported incident from August involved a computer at a VA medical facility being left unattended while logged into a third-party site while a patient's medical information was displayed. Baker said such incidents will be a growing problem as patients and doctors are increasingly mobile--working and seeking treatment at multiple facilities and relying on data in the cloud. Baker also alluded to early thinking on a possible VA policy change.

"One of the things that we have found is that one or more of these sites actually has received [Federal Information Security Management Act] review and FISMA approval. It may well be that, in a significant policy change, we may decide that the use of those external websites to allow certain access to information that these doctors have to have is--we may decide to approve that under certain, fairly tight policies and guidelines. It would be a big change for the VA," said Baker. "Our primary focus has to be on patient care and it's going to cause us to rethink our very, very strict guidelines from the past about where information can be stored."

Baker also said that vendors working with the VA will be pressed to meet certification requirements to protect medical information. Although an audit is still underway, he predicted that 10 to 25 percent of the 22,000 vendors working at VA facilities are not compliant and plans to send a letter about certification to the chief executive officers of companies contracting with the VA.

For more:
- listen to the recorded press call
- view the VA's report for this month

Related Articles:
Audio: VA CIO Roger Baker's August IT report
VA mismanaged FLITE contractor, according to IG
VA hopes automation will ease claims-processing woes
Audio: VA CIO Roger Baker and Education Service Chief Keith Wilson on new automation system
VA's Baker: No wholesale dumping of MUMPS