Saturday, September 18, 2010

VA's New Security Measures

This article outlines the software applications and data scanning tools the Department of Veterans Affairs is implementing. This comes as an effort to “get visibility on every device on our network” and “have a complete view of the vulnerabilities in our enterprise,” says VA CIO Roger Baker. The systems, which cost about $50 million, will be able to identify laptops on the network that are not encrypted, as well as enable security operations managers to monitor the status of hardware and software patches on all department computers. Additionally, the VA can then obtain electronic evidence when there are security breaches and automatically fix compromises when applicable. There are also increased security measures for contracting companies that help the VA provide healthcare and benefits. These include encryption and other policies that limit who can access veterans’ sensitive data.

The department has been under scrutiny over recent years because of several security breaches. The most notable is the one we discussed in class: in 2006, a laptop theft left the personal information of 26 million veterans in jeopardy. This year, six computers were reported lost in June and July, and in August, ten laptops were missing from the VA’s inventory. A handful of these had been encrypted, but some had not. The number, not to mention severity, of the incidents seems to be a red flag indicating something needs to be done to heighten security in order to prevent future problems. The new security measures that widen visibility in the whole department are steps in the right direction for the VA.

Of course this is easier said than done, but it seems like the VA has taken too long in implementing such measures. It has been four years since we first learned about the department’s vulnerabilities, so it seems like they would have done more to address this issue sooner. After the visibility software is in place, it is also important that managers and department officials monitor and appropriately deal with the software’s findings. It would be useless if the system identifies vulnerable computers, but managers do nothing about the threats. Also, the article suggests that the “sprawling, decentralized structure” of the VA contributes to the difficulty in effectively imposing security across the entire department. We read about the organizational problems of the VA in our case study, and perhaps there is a larger structural issue that the department needs to fix first.



Article cited:
http://www.govhealthit.com/newsitem.aspx?nid=74675


Also used:
http://www.nextgov.com/nextgov/ng_20100917_6367.php?oref=topstory

4 comments:

  1. This comment has been removed by the author.

  2. I agree that while it is easier said than done, VA has taken too long in fully implementing further security measures. VA handles extremely sensitive and important information and needs to do a better job now, and in the future, of assessing risk management. Obviously it is encouraging to see them now adding software applications and data scanning tools. 50 million dollars is not chump-change, so it's good to see VA making a worthwhile investment that will make it harder for its information to be compromised. One would think that the incident in 2006 would spark a change in how things are run, but it apparently did not. Now with these unencrypted laptops going missing, VA has run out of excuses. The threat is real and they are a big target for these kinds of issues. People always say "better late than never", and the same is true of this case. These new implementations seem promising and it's good to see VA making steps in the right direction.

  3. All of these issues presented within the article are issues that we discussed in class about a problem that happened over three years ago. I would think by now the VA would have at least been able to encrypt all laptops, or begin centralizing their authority in a better form. Yes, they have taken steps, but I believe that these steps should be much more drastic. The amount of information they are privileged with is immense and how lax they have been with the security around this information is frankly quite scary. Even if implementing some security steps or requirements interrupts the daily flow of the office, it's an expense the department needs to take. There is a serious need in this office for stability and security, and has been for some time. I think the VA office should be embarrassed about the way things have been handled and continue to be handled. This department has had three years to improve more than minimally, yet that is exactly what they have done.

  4. I tend to agree with you. When you read the initial IG report we read in class, followed by the testimony before Congress the following year and then this story, it certainly doesn't paint a picture that is favorable of the VA's leadership.
