Investigators: VA data still at grave risk
Weak security controls have not yet been fixed, officials say
Updated: 10:54 a.m. CT June 14, 2006
http://www.msnbc.msn.com/id/13318229
WASHINGTON - Sensitive information on millions of U.S. military personnel and
veterans remains at grave risk because of weak security controls that have not
yet been fixed, government investigators said Wednesday.
In testimony to Congress, the Government Accountability Office and Veterans
Affairs inspector general detailed ignored warnings, weak management and lax
rules in their review of VA information security following the theft of 26.5
million military personnel’s private data last month.
They found that the Veterans Affairs Department routinely failed to control and
monitor employee access to private information, did not restrict users to
“need-to-know” data and often waited too long to terminate accounts when an
employee quit or was fired.
The investigators also said the VA lacked a clear chain of command in enforcing
security, noting the agency will need dramatically stronger leadership under VA
Secretary Jim Nicholson to force reform after five years of repeated warnings
about security.
“Much work remains to be done,” Linda Koontz, a director on information
management at GAO, told the House Veterans Affairs Committee. “Only through
strong leadership, sustained management commitment and effort, disciplined
processes, and consistent oversight can VA address its persistent, long-standing
control weaknesses.”
Congress is trying to determine whether the VA took proper steps to guard
against the unauthorized disclosure of personal information in what has become
one of the nation’s largest security breaches. The May 3 theft at a VA data
analyst’s home involved names, birth dates and Social Security numbers.
The agency has acknowledged that the longtime midlevel employee — who has since
been fired — improperly took the information home on an unsecured personal
laptop for three years, apparently without his supervisor’s knowledge.
Since then, Nicholson has pledged several security initiatives, including
additional training and a ban on employees using personal laptops to access the
VA network. He also has hired a former Arizona prosecutor, Richard Romley, as a
special adviser for information security, a new three-month post that will make
additional recommendations.
But in their testimony Wednesday, government investigators said the problem was
long-standing and much more widespread.
They pointed to repeated occasions in the last year in which VA employees passed
along veterans’ medical information via unencrypted e-mail or were allowed to
freely log into the VA secure network in their off-duty hours or even after
they had been terminated.
In other instances, files were not adequately segregated or password-protected,
making it easy for hackers to access the sensitive information.
When the VA was told of problems over the years, often it would make spotty
improvements but fail to address reform agency-wide. The agency also has yet to
put in place a security response program to monitor suspicious log-on activity,
said Michael Staley, an assistant VA inspector general, in testimony.
“These conditions place sensitive information, including financial data and
sensitive veteran medical and benefit information, at risk, possibly without
detection of inadvertent or deliberate misuse, fraudulent use, improper
disclosure or destruction,” Staley said.