VA Fixing Contracts' Security Terms
Some Pacts Lack the Required Clauses
The VA is working with all of its units, including those in healthcare, to ensure all their contracts include clauses specifying that if a vendor receives or produces personal information on veterans, it must follow the same security precautions as the VA, Baker says. Those precautions include encrypting laptops.
No Major June Breaches
The VA had no major healthcare breach incidents from May 31 through July 4 affecting more than 500 veterans that would have to be reported to the Department of Health and Human Services' Office for Civil Rights as required under the HITECH Act's breach notification rule, Baker says. The OCR's list, however, already includes five earlier VA incidents.
But 16 laptops, including five unencrypted devices at healthcare facilities, were discovered to be missing or stolen during the period. For example, one of the healthcare devices was used to program IV pumps while another was used to support hearing tests.
Also reported during the period in various VA units, including healthcare, were:
- 24 lost encrypted Blackberries, compared with 13 in May;
- 74 incidents of internal e-mails that were not encrypted, as required, down from 80 in May;
- 86 information mishandling incidents, up from 74 in May. An example of such an incident is when a patient is given the wrong medication list that contains identifiers for another veteran;
- 119 incidents of mismailings, such as more than one letter stuffed in an envelope. In May, there were 123;
- Eight incidents involving errors in tracking IT inventory, such as failure to confirm disposal, up from four in May.
Even in cases that involve breaches affecting only a few veterans, the individuals receive notification with an offer of free credit protection from the VA, Baker adds.