OIG: VA Workers Hid ‘Big Data’ Project Privacy, Security Risks
Report on Canceled VA Project Offers Governance Lessons for Others
The Department of Veterans Affairs' watchdog agency alleges that two VA employees “concealed” and “misrepresented” the cybersecurity and privacy risks of an ambitious "big data" project that would have analyzed 22 million veterans’ health records dating back two decades.
The VA ended up pulling the plug on the contract with technology vendor Flow Health Inc. before the project launched, after news media coverage brought the initiative’s issues to VA leadership’s attention. The case spotlights not only the risks involved in big data initiatives, but also the threats posed by insiders.
In its report – “False Statements and Concealment of Material Information by VA Information Technology Staff” – issued Thursday, the VA Office of Inspector General says it dug into whether two VA employees had financial conflicts of interest in their connection with the Flow Health deal.
The two VA workers were an Office of IT program manager and a Veterans Health Administration health system specialist in the VHA central office, OIG writes.
The VA’s IT leaders requested an OIG investigation into the situation in December 2016 following media coverage of a November 2016 Flow Health press release that alerted senior VHA and Office of IT officials to the project contract.
The VA “unilaterally terminated” the deal about a month later, on Dec. 20, 2016, before any health data was given to Flow Health, the VA OIG report notes.
The VA OIG did not find any financial conflicts of interest involving the two VA employees and Flow Health. The VA OIG also says it referred the matter to the Department of Justice, which declined to prosecute. The watchdog also recommended that the VA determine whether “any administrative action” should be taken regarding the two staff members.
The VA did not immediately respond to an Information Security Media Group request for comment, including whether the two staffers still work at the agency.
In its November 2016 press release announcing the five-year project with the VA, San Francisco-based Flow Health said the objective of the partnership was “to understand the common elements that make certain people susceptible to particular diseases, pinpointing effective treatments and identifying possible side effects in order to inform care decisions.”
The collaboration was aimed at integrating “large volumes of data” to help discover “relationships between genomes and phenotypes to learn what every gene variant actually means, to identify disease risk, to make more precise diagnoses and to suggest individualized treatments,” the vendor said.
Under the deal with the VA, Flow Health said it was building “the world’s largest knowledge graph of medicine and genomics from over 30 petabytes of longitudinal clinical data drawn from VA records on 22 million veterans spanning over 20 years.” It said that “all patient information will be de-identified during analysis to protect privacy.”
Flow Health described the artificial intelligence and machine learning data project with the VA as “a watershed moment for deep learning in healthcare.”
Flow Health did not immediately respond to an ISMG request for comment on the canceled VA project.
Behind the Scenes
The two VA employees involved concealed from the VA official who was to approve the project significant security and privacy concerns raised by subject matter experts, the OIG report says.
The approving VA official requested an explanation of the cybersecurity implications of the proposed project, the OIG writes.
“Over the course of the next month, the OIT program manager and the VHA employee made false statements to the approving official pertaining to the status of the information security and privacy reviews” of the proposed contract with Flow Health, the report notes.
The two staffers also concealed from the approving official significant privacy concerns raised by subject matter experts, OIG writes.
“The evidence indicates that … the OIT program manager and the VHA employee collectively made multiple false statements to the approving official and advocated that he execute the [contract with Flow Health] while concealing from him material information pertaining to the significant unresolved concerns of VA privacy experts.”
The two staffers also never disclosed that multiple individuals had raised privacy and security concerns about the project, the report notes.
In late October 2016, relying on the representations made by the OIT program manager and the VHA employee and believing that the proposed project had been reviewed and that all privacy and security concerns had been resolved, the approving official signed the contract with Flow Health, the OIG writes. But the project was scrapped in December 2016.
Checks and Balances
The situation at the VA spotlights key issues that all healthcare sector organizations should consider when contemplating ambitious big data projects.
“For a project of this nature, there needs to be a data governance committee in place that consists of interdepartmental, multidisciplinary membership beyond only IT and privacy,” says Keith Fricke, principal consultant at tw-Security.
A big data initiative may also need to be reviewed by board members or senior executives, he adds.
“Guiding principles need to be established for who can access which types of data in the dataset, for how long, and for which use cases,” he says.
“A project involving this much data needs to have some checks and balances in place to ensure an accurate portrayal of risk is conveyed. CISOs and privacy officers are generally trustworthy. It is unfortunate that this [VA] situation has individuals that provided misleading information.”
Healthcare sector entities and tech vendors need to take steps to ensure security and privacy risks are properly identified and mitigated before launching ambitious big data projects, he says.
“The first step in identifying the security and privacy risks is to define the parameters involved in this type of initiative,” Fricke says.
For example, several important questions need to be answered, such as where the data will reside, whether vendors or others will have remote access to the data and whether vendors need to have a copy of the data, he says.