VA disputes charge that it transmits unencrypted personal data over public Internet
Investigation by Inspector General's office finds that VA centers don't encrypt personal data during transmission to other offices
Computerworld - The Office of Information Technology at the U.S. Department of Veterans Affairs has disputed a finding by the agency's Inspector General that several VA centers routinely transmit unencrypted sensitive personal data over the public Internet.
The probe by the IG's office was launched following a complaint last year that three VA Medical Centers in the Midwest Health Care Network were transmitting personally identifiable information over unencrypted telecommunications carrier networks.
The investigation found the allegations to be true, said VA assistant inspector general for audit and evaluations Linda Halliday in a report released this week.
Investigators from the IG's office visited the three VA medical centers cited in the complaint. The centers are located in Fort Meade and Sioux Falls, S.D., and in Omaha, Neb.
The IG's office discovered that unencrypted sensitive information, including names, Social Security Numbers, dates of birth, and protected health information of veterans and their dependents, was sent from the targeted VA centers to other VA facilities, the report said.
In addition, the two facilities in South Dakota regularly used the same unencrypted telecommunications carrier network to transmit sensitive data such as x-rays and other radiographic patient images to external organizations.
IT staff at the VA centers told investigators that sending unencrypted sensitive data to other VA centers and to outside business partners was a common practice at more than just the three centers involved in the probe.
The transmission of unencrypted personal data violates internal VA security rules and does not satisfy Federal Information Security Management Act requirements. "Despite VA and [FISMA] requirements, VA has not implemented a configuration control that would ensure encryption of sensitive data," the report said.
"Unencrypted sensitive VA data could be used to perpetrate various types of fraud, including tax fraud," the report cautioned.
The report called on the VA to immediately implement encryption controls to protect data during transmission.
Roger Baker, VA assistant secretary for information and technology, rejected the IG's assertions.
He contended that personally identifiable information is not transmitted in the clear by any VA center.
Baker said the carrier networks used by the VA to transmit sensitive data are completely segmented and not exposed to the public Internet. The VA, he said, uses a Multiprotocol Label Switching (MPLS) service from its carriers to ensure it has a private and segmented network for transmitting data.
"These carrier services provide VA with a private network and do not place traffic on the Internet," he said.
Baker conceded that the network links investigated by the IG's office were not using encryption but insisted the data was not traversing the public Internet.
When the complaint reached the VA last year, the agency's IT team inspected the communications circuits that were involved, reviewed all associated network equipment and interviewed network administrators, Baker said. "All of the findings conclusively substantiated that traffic is traversing only VA's private network," he said.
Even so, the VA's IT organization has initiated a comprehensive review to ensure that sensitive data is being routed in a secure manner, he noted.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.