VA info security upgrade just getting started, auditors say

A decentralized, nonstandard IT system defies easy fixes, official tells lawmakers.

The Veterans Affairs Department needs a culture change to reverse long-standing information security weaknesses and to comply with a wide range of policies and federal laws in this area, congressional and agency auditors said Wednesday.

If the VA is moving toward the "gold standard" for information security as stated by department secretary James Nicholson, the department is in the early stages, said Greg Wilshusen, director for information security issues at the Government Accountability Office. Wilshusen testified at a House Veterans' Affairs Subcommittee on Oversight and Investigation hearing.

The latest VA data breach entailed the loss of highly sensitive information on 1.3 million physicians, living and deceased, who have billed Medicaid and Medicare. That loss could lead to widespread fraud and places medical data for about 535,000 VA patients at risk.

Maureen Regan, counselor to the VA inspector general, said at the hearing that the agency continues to have weaknesses in its information security. Policies implemented by the department following a May 2006 incident that jeopardized 26.5 million people's personal information were a step in the right direction, but more needs to be done, she said.

VA Deputy Secretary Gordon Mansfield said last year's incident, in which the information was stored on computer equipment stolen from an agency employee's home and recovered later, was a wake-up call. VA still has a long way to go, he added.

"I will be the first to acknowledge that we have not finished that," Mansfield said. "I sincerely wish I could promise you that no other incidents would occur. I cannot do that. But I can promise that we are working hard to get the message out to our employees that we are doing everything we can to get this problem under control."

Mansfield said the department still has a decentralized, nonstandard IT system, making it impossible to implement "any simple fixes." He said he could not predict a final date by which the department's systems will be secure.

"It is not a question of technology or machines or software," Mansfield said. "It's a question of people. And we're dealing with 240,000 employees."

A lack of senior personnel slots in IT keeps the department from being able to attract the people it needs, he said.

Robert Howard, the VA's chief information officer, said the department was closing in on a chief information security officer to replace Pedro Cadenas, who left abruptly last summer. But the candidate selected decided to take another job days before she was supposed to start. He said the department must start the hiring process all over again.

There have been hundreds of violations of the department's information security policies, and employees have been dismissed for those indiscretions, Mansfield said. In the most recent case, an employee violated the rules by failing to encrypt information on a hard drive and by taking it off VA premises without permission from his supervisor, he said.