Incident & Breach Response , Managed Detection & Response (MDR)

VA Addresses Thumb Drive Risk

Taking Steps to Prevent Use of Devices Lacking Encryption
VA Addresses Thumb Drive Risk
The Department of Veterans Affairs has taken steps to help ensure thumb drives lacking encryption cannot be plugged into its computers. The move comes following the discovery of an unencrypted drive containing personal information on veterans.

A guard at a regional VA office in Nashville recently discovered the thumb drive and took it home, where his wife, who has security clearance from two government agencies, checked it, says Roger Baker, VA assistant secretary for information and technology. She determined the drive contained sensitive information, and the guard returned it the next day.

A VA employee had been using the personal thumb drive to store information on 240 veterans and beneficiaries in violation of VA policy, Baker says. The information included names, Social Security numbers, addresses and health data. Affected veterans are being offered free credit protection because the drive was inappropriately removed from the VA facility, Baker explains.

Breach Prevention Efforts

The VA recently spent $50 million on technology that enables it to identify all computers and other devices linked to its network and determine if they have encryption and other security provisions in place. After this incident, Baker says, the new technology was used "to look for other areas where software that keeps people from plugging unencrypted thumb drives into computers had not yet been turned on." VA officials then made sure the software was properly activated on all devices.

The VA also is using the new technology to verify that its computers that are not encrypted meet the VA's standard for exemption from its encryption mandate, Baker adds. For example, older laptops that run a barcode medication application are not encrypted because no patient data is stored on the devices and encryption would adversely affect the performance of the application.

In addition, the VA is using the technology to make sure all software patches are up to date, Baker says. Next year, the VA will use the technology to check the security provisions of all medical devices linked to its network.

Enforcing Security Guidelines

In his monthly teleconference with the news media, Baker noted that a letter has been mailed to the CEO of every VA contractor to remind them that they must meet VA security guidelines. Plus, an audit of vendor contracts is continuing on a facility-by-facility basis.

Baker also reviewed other details of the VA's October report to Congress on information breaches. For example, 1,950 veterans are being notified of a breach stemming from pages that are missing from a log book at a pulmonary laboratory in Oklahoma City.

The VA has been unable to confirm that the missing pages have been shredded as intended. They contained names, healthcare information and the last four digits of veterans' Social Security numbers.

The incident, discovered Oct. 15, is being reported to the Department of Health and Human Services' Office for Civil Rights and local news media, in addition to those affected. The HITECH Act's breach notification rule requires that action for breaches affecting 500 or more individuals.

The OCR's list of major health information breaches contains five other VA incidents.


About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.