Veterans Affairs CIO: We're more secure

The breach was a 'real eye-opener,' and 'we're encrypting everything in sight,' says Robert Howard

WASHINGTON -- The U.S. Department of Veterans Affairs is "pretty confident" the agency will not have another large data breach like the one in May that could have exposed the personal records of 26.5 million military veterans and family members, the agency's CIO said today.

The VA has taken several steps to improve its security since the breach, said Robert Howard, who was appointed the VA's assistant secretary for information and technology just days before a VA laptop and hard drive were stolen from an employee's home.

"There really is an increased awareness throughout the VA," Howard said. "We still have a lot of work to do in that area, but we've clearly improved the awareness of folks with respect to treating information the same way they'd want their information treated."

Howard, speaking before the American Council for Technology and Industry Advisory Council in Washington, also talked about the VA's IT reorganization, which started in March and was accelerated by the data breach. The VA is moving to centralize its IT staff instead of having divisions within the agency control their own IT functions, addressing a longtime criticism from Congress and government auditors.

A major cybersecurity concern is employees "not thinking" about risks, and the VA is working to educate workers, Howard said. "What leaps right out at you is employee carelessness," he said. "We've all been there."

Howard, a former major general in the U.S. Army and a former vice president at defense and transportation technology vendor Cubic Corp., called the changes to the VA's IT organization "very dramatic." Along with the reorganization, Howard now has authority over the VA's entire IT organization, he said.

"No more excuses," he said. "We've got everything we need. We've got the organization, we've got the authority, we've got the money."

Among Howard's goals are standardization and interoperability of IT systems within the VA, as well as a strengthened focus on security, Howard said. The ultimate goal is to use IT to better serve VA customers, he added.

Part of the reorganization is focused on creating the "gold standard" for data security, Howard said. He was appointed to his position May 1, and the breach happened May 5. The VA announced the breach May 22.

"I didn't find out about [the breach] until the 16th of May," he said. "That tells you something about our process."

Police recovered the laptop and hard drive in late June, and computer forensics experts determined the personal data had not been accessed. But the VA has made several changes, including encryption on laptops not directly used for medical procedures, Howard said. The breach "was a real eye-opener, for government and probably for industry as well," he said. "We're encrypting everything in sight."

Howard said he believes the VA should improve the annual grade it receives in IT security given by the House of Representatives Committee on Government Reform. The agency has received a failing grade in four of the past five years.

When a reporter noted the agency's score had not been very high in recent years, Howard responded, "It is now."

But Howard said he expected the agency's grade wouldn't be perfect either. "This stuff's not going to happen overnight," he said.

Copyright © 2006 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon