VA sets aside $20 million to handle latest data breach
The Veterans Affairs Department has set aside more than $20 million to respond to its latest data breach, the agency's top technology officer said Thursday.
The department does not expect to spend the full $20 million, but designated that much because the breach potentially puts the identities of nearly a million physicians and VA patients at risk, said Bob Howard, the department's chief information officer. Howard spoke at The E-Gov Institute's Government Health IT Conference and Exhibition in Washington.
"We have no evidence that [information is at risk]. None whatsoever, but we don't take the chance," Howard said. "The attitude of the VA right now is if we think we've put anybody's information at risk, then we need to step up to the plate and try to remedy that."
The breach occurred in January, when a hard drive went missing from a Birmingham, Ala., VA medical research facility. The drive contained highly sensitive information on nearly all U.S. physicians and medical data for more than a half million VA patients. Any physician who billed Medicaid and Medicare through 2004 could be affected.
The hard drive has not been recovered. The VA estimates that about half of the 1.3 million doctors whose information was on the hard drive, and 254,000 veterans, are potentially at risk. This group was notified by mail at the end of May. The letters noted that VA is providing credit monitoring services through a General Services Administration blanket purchase agreement from the multiple award schedules program.
The credit monitoring funds will come out of the VA's fiscal 2007 cybersecurity budget, but Congress included an extra $15 million in the recently passed emergency supplemental bill for funding the wars in Iraq and Afghanistan (H.R. 2206), Howard said.
Because the January data breach occurred in a medical research facility, the technology office tried to get health care-related funds reprogrammed to cover the credit monitoring, Howard noted, but the effort was unsuccessful.
"We were very worried about using cyber money that was needed to fix other things so they listened to us and helped us out [through the supplemental]," Howard said. "I'm spending my life in the protection of information. The fact of the matter is that it is a very important aspect to us."
Investigators are still trying to locate the hard drive and the FBI has offered a $25,000 reward for information leading to its return.
In May 2006, the VA shocked Congress, the veterans community and the military by announcing that a laptop computer containing personal data on 26.5 million veterans and active-duty military personnel had been stolen. This prompted multiple hearings and legislation intended to better protect the government's sensitive information.
Howard said the department's health care information system, known as VistA, has weaknesses since it was built at a time when the VA did not worry as much about security.
Department officials are looking at ways of speeding up the modernization of VistA, which is scheduled to take until at least 2015, Howard said. The update is intended to make the medical records stored on the system available worldwide via the Internet but at the same time protect security.
"We're not satisfied with the timeline we've laid out for VistA," Howard said. "We want to accelerate it, and it may take additional money, but we're not sure. The biggest concern we have is money. You don't want to just throw money at the problem unless you know what you're doing."
Currently the system is "facility centric," revolving around the department's 1,400 locations. With patients moving out of the Defense Department's health system and in and out of private health care systems, VA has to be able to access the medical information through a single portal from anywhere, Howard said.
The modernization of VistA is "enormously complex," since the system was "built internally over time by the officials who work with the requirements," Howard said. The modernization will be approached incrementally, rather than with a "big bang approach," he said.
"We are not there by any sense of the imagination," he said. "That's a tall order, but that's the vision that we're focused on and hopefully we can figure out how to do that at some point."
Howard said the fact the department is now working with the Defense Department to build a joint electronic health system has improved the prospects of securing resources from Congress to hasten the VistA upgrade.
In addition, the centralization of IT authority around the CIO's office has improved the VA's ability to implement the upgrade, Howard said.
"We've got it all now. We've got the people. We've got the money. The IT appropriation. But we've also got the problems," Howard said. "Centralization has already begun to help us get things done faster, improve standardization, improve compatibility -- all of the things that will help us modernize our electronic health records."
COMMENTS
- Throwing out a number like that is just used to justify hiring more (SES) staff to "make sure" it "never happens" again. Vet Posted June 27, 2007 4:33 PM
- I am a disabled veteran and have been retired from teh military for 11 Years now. I have been trying to get my disability for other problems that I have had since I retired, Such as a heart stint, I was always having problems with my heart, and Headaches, among the few things, I started to school to use my GI bill (VietNam Era) Well I really had just gotten started going and then my ten year delimited was met and I was shut down. I appealed the action and was denied again. In the military I was always gone and never got to go to scool like some of the other soldiers, So I had to wait. I sent my kids to school and then I got to go, But I was never explained about the delimited, Which stopped payment, So to continue my Education and get my BSB/M I have paid for it using loans and credit card. I had ask them when they cut me off, just fund me until I get done with school. No Avail. They did not care and still do not care about the veterans, that 20 million that was set aside to allow people to check their credits, really needs to be supervised. I feel that it is just another rip-off of the VA system. I am really disgusted with the System. Randy Lyle Posted June 21, 2007 8:08 AM
- when the va let me know about it i proceeded to get my " free " credit report . it was not free as i was prompted to " pay " for it to another company . GEORGE W. BRENISER Posted June 15, 2007 4:12 PM
