Watchdog Agencies Report on VA Privacy, Security WoesPrivacy of 'Millions' Potentially at Risk; Security Weaknesses Cited
Two recent reports issued by separate watchdog agencies spotlight data privacy and security challenges at the Department of Veterans Affairs.
Meanwhile, a Nov. 14 report by the Government Accountability Office found that the VA - like many other major federal agencies - had significant security control deficiencies over its financial reporting. For example, for fiscal 2018, there were deficiencies in security management, access control, configuration management, segregation of duties and contingency planning.
"However, VBA reported the redaction requirement was a major contributing factor in its massive backlog of [records] requests. VBA also had plans to provide veterans with online access to their records, which made the policy of redacting third-party PII prior to release infeasible," the OIG report notes.
By May 2019, the VAB records management center reported it had completed about 379,000 records requests since implementing the 2016 policy. "The review team determined disclosures under the May 2016 release policy raised legal concerns, and more importantly, put millions of people at risk of identity theft," the OIG says.
The May 2016 policy change also did not require third parties to be notified when their information was released, meaning individuals at risk of identity theft might not be aware of that risk, VA OIG writes.
"VBA also did not communicate the policy change to veterans and service members. The OIG also found VBA put individuals at risk by not following procedures to encrypt sensitive information on disks mailed to veterans. The review of a random sample of 30 [VBA record] responses found 1,027 unrelated third-party names and Social Security numbers," VA OIG writes.
After being pressured by the VA OIG about the PII privacy concerns, the VBA concluded in June that another policy update was necessary, "and redactions were set to resume again by October 2019," VA OIG notes.
The VA OIG notes that the VBA undersecretary agreed with its recommendations, including updating the VA's website to reflect current policy related to the release of third-party PII and implementing a plan to ensure the VBA records management center complies with requirements for mailings under the Privacy Act of 1974.
In its Nov. 14 report, the GAO says it found that the VA continued to have IT security deficiencies. The report notes that the VA is one of 18 government agencies that were not meeting the goals outlined in the National Institute of Science and Technology Cybersecurity Framework.
For instance, the GAO report notes that in 2018, the VA OIG found that the VA had deficiencies in security management, access control, configuration management, segregation of duties and contingency planning. The GAO notes that the OIG report also found that the VA reported meeting only six of the 10 cybersecurity performance targets set by the Trump administration.
"VA faces several security challenges as it secures and modernizes its information systems," according to the GAO's summary. "These challenges pertain to effectively implementing information security controls; mitigating known vulnerabilities; establishing elements of its cybersecurity risk management program; and identifying critical cybersecurity staffing needs. VA also faces the additional challenge of managing IT supply chain risks as the department takes steps to modernize its information systems."
As with many large federal agencies, the VA has struggled to implement consistent departmentwide security practices, the GAO report notes. For example, when it comes to supply chains, the GAO says the VA is susceptible to buying and installing counterfeit hardware and software from suppliers, which could contain vulnerabilities that attackers could exploit, the report notes.
"VA continues to be challenged in implementing an effective agencywide program and controls for securing its information and information systems," according to the report.
The GAO says that in 2016, it outlined 74 cybersecurity recommendations for the VA. As of October, the VA had not implemented 42 of these recommendations, the new GAO report notes.
The new GAO report also adds four recommendations to that original list, which involve the VA improving its risk management program as well as better identifying IT and security workforce positions within the department.
In response, VA representatives told the GAO that it agreed with all the recommendations, both current and past, and that it planned to implement them, according to the report.
Some experts note that the concerns about the VA including third-party PII in the records of veterans is a problem that's not common in other healthcare sectors.
"In the normal course of events, there doesn't seem to be too much personal information about other people in someone else's medical records, notes privacy attorney Kirk Nahra of the law firm WilmerHale. "I suppose it can happen, but it wouldn't be very typical."
Joe Gillespie, senior privacy and security consultant at tw-Security offers a similar assessment.
"I've never seen where the Social Security numbers of others are ever included in PII/protected health information requests because I've never seen Social Security numbers of others being part of a record/file that might be requested," he says.
Gillespie notes that the inclusion of other individuals' Social Security numbers in the records of other individuals poses additional risks for SSN abuse and identity theft.
"In my experience, the most common place where the identity of others might be recorded is in behavioral health records and I believe there has always been an effort to redact names of others, especially when there is any concern for safety," he notes.
Privacy attorney David Holtzman of the security consultancy CynergisTek notes that in situations where sensitive information of others is contained in a patient's health record, those references usually involve the health status or experience of a family member, which tends to be included in provider notes, he says.
"However, data such as SSN or other PII would not be included in such a note," he says. "The other instances in which third-party PII would be included is if the third party is the guarantor for payment of care or the primary insured on a policy under which the patient is a covered beneficiary. More limited demographic information like name, address, phone number, would be included in the next of kin/emergency contact information."
In the VBA context, the claims reports are detailed and include documentation to support how the service-related disability occurred including battlefield data, service-related accident reports or active duty rosters, Holtzman notes.
"Our armed forces are very, very good at creating reports that include the information of the author and any service member that was serving with or had some direct, or indirect, role in an incident," he adds.
Apurva Venkat, ISMG special correspondent, contributed to this article.