VA security measures still weak, GAO says

Agency still fails to control employee access, monitor suspicious login activity, and address security concerns agency-wide.
Written by ZDNet UK, Contributor

Now that the VA has been publicly reamed coming and going over the loss of 26.5 million names and Social Security numbers, the agency has taken due care and is at minimal risk for a similar occurrence, right?

Don't bet on it. Indeed, the Government Accountability Office and the Veterans Affairs inspector general told Congress that sensitive information remains at serious risk because the VA has yet to fix its weak security measures, the Washington Post reports.

The GAO and the IG found ignored warnings, weak management and lax rules.

They found that the Veterans Affairs Department routinely failed to control and monitor employee access to private information, did not restrict users to "need-to-know" data and often waited too long to terminate accounts when an employee quit or was fired.

"Much work remains to be done," Linda Koontz, a director of information management at GAO, told the House Veterans Affairs Committee. "Only through strong leadership, sustained management commitment and effort, disciplined processes, and consistent oversight can VA address its persistent, long-standing control weaknesses."

The burden is on VA Secretary Jim Nicholson to force change through a highly resistant culture. As is too often the case in government agencies, the CIO lacks power to enforce security rules. "It is up to the secretary to make sure the CIO has the support," Koontz said.

House members again suggested that Nicholson should bear responsibility. Rep. Bob Filner, D-Calif.: "This was a disaster waiting to happen. Between all the lines, there was a failure of management. At the very top. The secretary hasn't taken control of the problem and he should be held accountable."

Rep. Michael Bilirakis, R-Fla.: "In seeing where the buck stops, really it stops with the head of the VA."

Last month's breach was far from the only case of bad security practices at VA. Employees have repeatedly forwarded veterans' medical information in unencrypted email. Employees freely logged on to the agency's secure network while off duty – and even after they had been fired.

Files were not adequately segregated or password-protected. And VA has consistently failed to address the issues across the agency. The agency also has yet to put in place a security response program to monitor suspicious logon activity, said Michael Staley, an assistant VA inspector general.

"These conditions place sensitive information, including financial data and sensitive veteran medical and benefit information, at risk, possibly without detection of inadvertent or deliberate misuse, fraudulent use, improper disclosure or destruction," Staley said.
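The controls the auditors describe as missing (prompt account termination for departed employees, restriction of off-duty access, and a program that monitors suspicious logon activity) are straightforward to check for once logon records and an HR roster exist side by side. The Python script below is an added example, not code from the article, GAO or VA: it runs a constructed logon log against a constructed HR roster and flags successful logons after an employee's termination date, logons outside scheduled duty hours, logons by accounts that are not on the roster at all, and accounts with repeated failed logons. Every user name, date, log line and the failure threshold is a constructed assumption.

```python
"""
Added example (not from the ZDNet article or from VA/GAO): a minimal
logon-monitoring check that cross-references logon records with an HR
roster. All users, dates and log lines below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass
class Employee:
    user: str
    terminated: Optional[datetime]  # None means still employed
    duty_start: time                # scheduled duty window (local time)
    duty_end: time


# Constructed HR roster; every user here is hypothetical.
ROSTER = {
    "jdoe":   Employee("jdoe",   None,                 time(8, 0), time(17, 0)),
    "asmith": Employee("asmith", datetime(2006, 6, 1), time(8, 0), time(17, 0)),
    "bjones": Employee("bjones", None,                 time(9, 0), time(18, 0)),
}

# Constructed logon log, one event per line: "<ISO timestamp> <user> <success|failure>".
SAMPLE_LOG = """\
2006-06-05T09:15:00 jdoe success
2006-06-05T23:40:00 jdoe success
2006-06-06T10:02:00 asmith success
2006-06-06T10:05:00 bjones failure
2006-06-06T10:06:00 bjones failure
2006-06-06T10:07:00 bjones failure
2006-06-06T12:30:00 bjones success
"""

FAILURE_THRESHOLD = 3  # assumed threshold for "repeated failed logons"


def parse_log(text):
    """Parse log lines into (timestamp, user, result) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def check_logons(events, roster, failure_threshold=FAILURE_THRESHOLD):
    """Return a list of (timestamp, user, reason) findings, in time order."""
    findings = []
    failures = Counter()
    last_failure = {}
    for ts, user, result in sorted(events):
        if result != "success":
            # Count failures per account; they are reported after the pass.
            failures[user] += 1
            last_failure[user] = ts
            continue
        emp = roster.get(user)
        if emp is None:
            findings.append((ts, user, "successful logon by account not on HR roster"))
        elif emp.terminated is not None and ts >= emp.terminated:
            findings.append((ts, user, "logon after termination date"))
        elif not (emp.duty_start <= ts.time() <= emp.duty_end):
            findings.append((ts, user, "logon outside scheduled duty hours"))
    for user, count in failures.items():
        if count >= failure_threshold:
            findings.append((last_failure[user], user, f"{count} failed logons"))
    return findings


def analyze(log_text=SAMPLE_LOG, roster=ROSTER):
    """Convenience wrapper: parse the log and run every check."""
    return check_logons(parse_log(log_text), roster)


if __name__ == "__main__":
    for ts, user, reason in analyze():
        print(f"{ts.isoformat()} {user}: {reason}")
```

On the sample data the script reports jdoe's 23:40 logon as outside duty hours, asmith's logon five days after the recorded termination date, and bjones's three consecutive failed logons; the in-hours logons by current employees produce no finding. The termination check only works if HR separation dates actually reach the roster the monitor reads, which is exactly the hand-off the auditors say VA was slow to make.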