Report: VA Needs to Improve InfoSecGAO Study Unveiled as House Committee Drafts VA InfoSec Bill
The Department of Veterans Affairs has a list of long-standing information security issues that need to be addressed, including those related to the protection of veteran's health information, according to a new report issued by the Government Accountability Office.
The GAO report was released in conjunction with testimony provided by Gregory Wilshusen, GAO director of information security issues, during a March 25 hearing of the House Committee on Veterans Affairs' Subcommittee on Oversight and Investigations. The panel is considering draft legislation aimed at improving the VA's information security.
"Information security remains a long-standing challenge for the department," Wilshusen said in his written testimony. "Specifically, VA has consistently had weaknesses in major information security control areas. For fiscal years 2007 through 2013, deficiencies were reported in each of the five major categories of information security controls as defined in our Federal Information System Controls Audit Manual."
VA information security control areas that have ongoing weaknesses include access control, configuration management, segregation of duties, contingency planning and security management, according to the GAO report.
In a statement provided to Information Security Media Group, the VA noted: "VA takes seriously its obligation to properly safeguard any personal information in our possession. VA has a strong, multi-layered defense to combat evolving cybersecurity threats. We are committed to protecting veteran's information, continuing our efforts to strengthen information security and putting in place the technology and processes to ensure Veteran data at VA are secure."
The draft legislation being considered by the subcommittee addresses governance of the VA's information security program and security controls for the department's information systems.
The draft bill would require the Secretary of Veterans Affairs "to improve the transparency and coordination of the information security program and to ensure the security of the department's critical network infrastructure, computers and servers, operating systems, and Web applications, as well as its Veterans Health Information Systems and Technology Architecture system, from vulnerabilities that could affect the confidentiality of veterans' sensitive personal information," Wilshusen noted in his testimony. "For each of these elements of VA's computing environment, the draft bill identifies specific security-related actions and activities that VA is required to perform."
In its statement, the VA said: "VA is currently reviewing draft legislative language recently received from the House Veterans Affairs committee and will communicate its views on the legislation with the committee once this review is complete."
Wilshusen's testified that based on the GAO's evaluation of the draft bill, "many of the actions and activities specified in the proposed legislation are sound information security practices and consistent with federal guidelines, if implemented on a risk-based basis." The provisions in the draft bill "may prompt VA to refocus its efforts on actions that are necessary to improve the security over its information systems and information," he said.
The GAO official noted that there are already several federal laws and policies, including the Federal Information Security Management Act, that lay out information security responsibilities of government agencies.
Additionally, he reminded the subcommittee that Congress enacted the Veterans Benefits, Health Care, and Information Technology Act of 2006 "after a serious loss of data earlier that year revealed weaknesses in VA's handling of personal information."
Wilshusen was referring to a breach that occurred in May 2006 that affected 26.5 million individuals. It involved the theft of an unencrypted laptop and external hard drive from the home of a contracted VA data analyst (see VA Breach Blasted by Congressman).
Under the Act, VA's CIO is responsible for establishing, maintaining and monitoring departmentwide information security policies, procedures, control techniques, training and inspection requirements as elements of the department's information security program, he noted.
"It also reinforced the need for VA to establish and carry out the responsibilities outlined in FISMA, and included provisions to further protect veterans and service members from the misuse of their sensitive personal information and to inform Congress regarding security incidents involving the loss of that information."
But despite the legislation and regulations, the VA continues to have information security challenges, Wilshusen testified. He noted that in a fiscal 2013 report, the VA's independent auditor found that while the agency had made improvements in some aspects of its security program, it continued to have control deficiencies in security management, access controls, configuration management, and contingency planning (see Agencies Uneven in PII Breach Response).
"In particular, the auditor identified significant technical weaknesses in databases, servers, and network devices that support transmitting financial and sensitive information between VA's medical centers, regional offices, and data centers. According to the auditor, this was the result of an inconsistent application of vendor patches that could jeopardize the data integrity and confidentiality of VA's financial and sensitive information," Wilshusen testified.
Other Security Issues
GAO's report also notes that in fiscal year 2013, the VA reported 11,382 security incidents to US-CERT, up from 4,834 in fiscal year 2007. "These included incidents related to unauthorized access; denial-of-service attacks; installation of malicious code; improper usage of computing resources; and scans, probes and attempted access, among others," Wilshusen testified.
"In a dynamic environment where innovations in technology and business practices supplant the status quo, control activities that are appropriate today may not be appropriate in the future," Wilshusen noted.
Emphasizing that specific security-related actions should be taken based on risk could help ensure that the VA is better able to meet the objectives outlined in the draft bill, he testified. "Doing this would allow for the natural evolution of security practices as circumstances warrant and may also prevent the department from focusing exclusively on performing the specified actions in the draft bill to the detriment of performing other essential security activities," he said.
In an interview with ISMG, Wilshusen also noted that the VA "is working on several other initiatives that could also help improve its information security, and address some of the ongoing data vulnerabilities identified by the GAO." That includes a continuous monitoring initiative. But, he added: "VA management needs to make sure information security is given its due attention."