VA Takes Initial Steps to Address Security Woes

Agency promises to reform internal policies following massive data breach

The fallout from the massive security breach at the U.S. Department of Veterans Affairs continued last week with the appointment of a "special adviser for information security" at the agency and an announcement that the VA is firing the data analyst who improperly took personal information about 26.5 million veterans home with him.

Beleaguered VA Secretary R. James Nicholson also made several management changes in the VA's Office of Policy and Planning, the division in which the data analyst worked. In addition, Nicholson has ordered all VA employees to complete an annual data privacy and cybersecurity awareness training course by the end of June and directed senior officials at the agency to compile a master list of all workers and contractors who need to access sensitive data.

The moves were triggered by last month's disclosure that a laptop PC and external hard drive were stolen from the data analyst's home, potentially compromising the names, birth dates and Social Security numbers of all veterans discharged since 1975. The theft took place on May 3, but Nicholson wasn't told of it for nearly two weeks, and the VA didn't publicly disclose the breach until May 22.

Security analysts last week said they view Nicholson's actions as a broad sign of the importance that the VA is assigning to information security following the breach. But they questioned the efficacy of some of the steps he has taken.

For instance, the choice of former Arizona county prosecutor Richard Romley for the special adviser's role that Nicholson has created is something of a surprise, given Romley's legal background, said Alan Paller, director of research at the SANS Institute, an IT security and training firm in Bethesda, Md.

"If you're going to change security, bring in a security person," Paller said. "It doesn't make sense to bring in a prosecutor unless you've decided that the people you're working with are all criminals."

Reviewing internal security processes and changing personnel are unlikely to make a big difference at the VA if the agency doesn't devote adequate funding to security initiatives, said David Jordan, chief information security officer for the government of Virginia's Arlington County.

"My guess is somewhere down in the dirt at the VA is a security officer who said, 'We need to secure our PCs, and this is the way we can do it,' and he never got the funding to do it," Jordan said. "It's inconceivable to me to think that an information security officer in a federal agency of this prestige wouldn't have known what to do" to prevent the kind of breach that the VA suffered.

Ongoing Issues

Gartner Inc. analyst John Pescatore noted that the VA appears to have had long-standing security problems, considering that the agency has received failing grades on four of the past five computer-security report cards issued annually by the House Committee on Government Reform.

"Somebody should certainly get the blame for this," Pescatore said. "But when you've had problems for such a long time, you can never be sure if the people you're firing are the right ones."

Nicholson said that as a special adviser, Romley "will provide a critical outsider's perspective" as the VA works to reform its security policies and procedures. Romley, who served in the Marine Corps in Vietnam and was the Maricopa County Attorney in Arizona from 1989 to 2004, will report directly to Nicholson at the VA. He is responsible for evaluating its security procedures and recommending ways to improve them.

In addition to bringing in Romley, Nicholson said he has set up a task force of senior VA officials to review all aspects of information security at the agency. One of its first jobs, due to be completed by June 30, is to document all workers who require access to sensitive data. To begin the process, Nicholson ordered all supervisors at the VA to submit lists of their subordinates who can access such information and to include details such as the reasons why individual workers need to see data and the methods by which they access it.

Any review of information security practices at the VA should examine why the agency still doesn't mandate that sensitive data be encrypted by end users, said Howard Schmidt, a former White House cybersecurity adviser and corporate chief security officer who now is an independent consultant in Seattle.

"These sort of compromises are going to happen no matter what you do or what policies you have in place," Schmidt said. So any change that fails to include mandatory encryption of sensitive data is less than complete, he added.

In another development, 30 organizations that are part of the Consumer Coalition for Health Privacy called for Mike Leavitt, secretary of the U.S. Department of Health and Human Services, to order a review of the VA's compliance with the privacy mandates of the Health Insurance Portability and Accountability Act.

Meanwhile, the House Committee on Government Reform asked the VA to provide it with an update on the progress of the agency's security reforms at a hearing that is scheduled to be held on Thursday.

Security Fixes
VA Secretary R. James Nicholson announced the following:

All employees will be required to sign a statement confirming that they understand the agency's security training and the consequences of not complying with internal policies.

Supervisors must submit lists detailing the jobs of workers who access sensitive data, plus individual justifications for the access, the type of data being accessed and the method for doing so.

The agency has begun implementing the procedures necessary to dismiss the data analyst who violated VA policy by taking home data that later was stolen in a burglary.

Copyright © 2006 IDG Communications, Inc.
