Data breach at VA should be no surprise

Despite failing grades in IT security, Veterans Agency officials took little action
Written by ZDNet UK, Contributor

As veterans vent anger over news that 26.5 million vets' Social Security numbers were burgled from an employee's home - an employee who carried the sensitive data from his office on computer disks - the Washington Post reports that the VA is notorious for its poor security practices.

The department has consistently ranked near the bottom among federal agencies in an annual congressional scorecard of computer security. For five years, the VA inspector general has identified information security as a material weakness and faulted officials for slow progress in tackling the problem.

Shockingly, VA officials didn't call the FBI for two weeks to investigate the theft.

In 2005, the House Government Reform Committee, chaired by Rep. Thomas M. Davis III (R-Va.), gave the VA an F on its annual ranking of federal agencies. Except for 2003, when it got a C, the VA has received an F every year since 2001. "Perhaps if the department improved its compliance with the existing information protection laws, this breach would not have happened. There seem to be two problems here: a department that's inadequately protected, and an employee who acted incredibly irresponsibly," Davis said.

Want data points?

In 2003, tests by IG staff showed that a hacker could gain access to veterans' protected medical information from outside the VA network.

In 2005, reviews found that access controls were not consistently applied at dozens of data centers, medical centers and regional offices. Recommendations included ensuring that background checks are performed on VA and contract workers, restricting off-duty workers' access to sensitive information and providing annual security awareness training for employees.

In a report last November, acting Inspector General Jon A. Wooditch wrote that many of the security concerns the IG had reported on for years remained unresolved. He cited a March 2005 report, saying 16 recommendations still had not been implemented eight months later.

"We identified significant information security vulnerabilities that place VA at considerable risk of . . . disruption of mission-critical systems, fraudulent benefits payments, fraudulent receipt of health care benefits, unauthorized access to sensitive data and improper disclosure of sensitive data," he wrote. "The magnitude of these risks is impeding VA from carrying out its mission of providing health care and delivering benefits to our nation's veterans."
