VA Tries to Polish Its Image
On May 27, Roger Baker, VA assistant secretary for information and technology, held the first of what he said would be monthly teleconferences with news reporters on the VA's security efforts. He explained some new policies and committed to sharing more information.
This apparent increase in transparency is good news.
The real proof of the VA's commitment to security will be whether its facilities continue to show up on the federal breach list again and again.
The VA is still rebounding from a huge 2006 incident in which a VA analyst conducting research downloaded information on 26.5 million veterans and active duty personnel to his personal laptop, which later was stolen and recovered.
The FBI determined that no personal information was inappropriately accessed, but the VA agreed to pay $20 million to settle a lawsuit filed by veterans over the incident. And, to its credit, the VA also took many new security steps, such as mandating encryption of all laptops.
But this year, the VA has had its share of bad news.
Back in March, the office of the VA inspector general announced it was investigating a potential breach involving a former employee's laptop with information on patients at the Atlanta VA Medical Center. That investigation is continuing.
At a recent contentious Congressional hearing, the department was taken to task for healthcare security lapses. The HHS Office for Civil Rights' new list of security breaches affecting more than 500 individuals includes five VA incidents. Four of the cases involved paper records and one involved a stolen laptop.
A report from the Government Accountability Office said the VA has "made limited progress in resolving long-standing deficiencies in securing its information and systems."
Faced with these developments, Baker made an effort in his press briefing to outline the steps the VA is taking to maintain the security of healthcare information.
For example, he noted that the VA had begun audits of certain contractors to ensure their compliance with VA security policies, including the encryption of laptops.
Baker also stressed that in the wake of any VA breach incident, the facility involved conducts a root cause analysis and then makes policy changes as needed.
The VA consistently provides members of Congress who are involved in oversight of the department "very early notification that an incident may have occurred" even before all the facts are known, he added.
Reacting to Congressional concerns that VA security is too decentralized, Baker told reporters: "IT security at the VA is centralized and it is my responsibility. This is a large organization, and there's certainly a lot we still have to do to achieve great information security. But we don't have any lack of authority to do what we need to do to protect the information."
But if VA breaches keep showing up on the Office for Civil Rights' tally, you can bet Congress will be asking the VA for more evidence that it's taking the necessary preventive steps.
Baker's monthly teleconferences with the media are a good step toward providing some transparency on security issues.
But the real proof of the VA's commitment to security will be whether its facilities continue to show up on the federal breach list again and again.