BreachExchange mailing list archives

VA routinely transmitted sensitive information over unencrypted network – OIG. No, we didn’t – OIT.


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 7 Mar 2013 17:28:07 -0600

http://www.phiprivacy.net/?p=11932

A report released yesterday by the Office of the Inspector General
(OIG) for the Department of Veterans Affairs indicates that they
substantiated allegations that the VA was routinely transmitting
sensitive information, including PII, PHI, and internal network
routing information, over an unencrypted telecom carrier network. The
Office of Information and Technology (OIT) disputes their findings,
however.

From the OIG report, the background of the investigation:

The VA Midwest Health Care Network, also known as the Veterans
Integrated Service Network (VISN) 23 within the Veterans Health
Administration, serves more than 400,000 veterans enrolled to receive
medical care residing in Iowa, Minnesota, Nebraska, North Dakota,
South Dakota and portions of Illinois, Kansas, Missouri, Wisconsin,
and Wyoming.

In May 2012, a complainant contacted the VA Office of Inspector
General (OIG) Hotline, alleging that certain VA medical centers
(VAMCs) were transmitting sensitive information, including PII and
internal network routing information, over unencrypted
telecommunications carrier networks. More specifically, the
complainant indicated that unencrypted data were transmitted among
various VAMC networks using the South Dakota Network, which functions
as the local telecommunications carrier network.

The complainant alleged that these security violations occurred at
VAMCs located in Fort Meade, SD; Omaha, NE; and Sioux Falls, SD, which
are in VISN 23.

The allegations were reportedly substantiated:

Office of Information and Technology (OIT) personnel disclosed that VA
typically transferred unencrypted sensitive data, such as electronic
health records and internal Internet protocol addresses, among certain
VA medical centers and Community Based Outpatient Clinics (CBOCs)
using an unencrypted telecommunications carrier network.

The sensitive information included:

veterans’ and dependents’ names, Social Security numbers, dates of
birth, and protected health information. The data also included the
Veterans Health Information Systems and Technology Architecture’s
electronic health records and internal Internet protocol addresses.

We also noted that the Sioux Falls and Fort Meade VA medical
facilities regularly used unencrypted telecommunications carrier
networks to transmit unencrypted sensitive data to external
organizations providing remote Teleradiology services. Teleradiology
services involve electronically sending radiographic patient images,
such as X-rays, and sensitive patient information from one location to
another for the purpose of interpretation and/or consultation with
radiologists.

Disturbingly, OIT personnel stated that:

sending unencrypted sensitive data to outpatient clinics and external
business partners was a common practice at facilities across VA
(emphasis added by PHIprivacy.net). OIT management acknowledged this
practice and formally accepted the security risk of potentially losing
or misusing the sensitive information exchanged via a waiver; however,
the use of a system security waiver was not appropriate.

I wonder if every veteran whose health or other sensitive information
was transmitted insecurely would have agreed to accept the risks.

Not surprisingly, the OIG report recommends encryption and training of
OIT personnel on the importance of encrypting sensitive information.

The OIT disagreed with the OIG’s findings:

OIT does not agree with the assertion that PII and internal network
routing information are being transmitted over unsecured Internet
connections. OIT employs service offerings from industry
telecommunications carriers that are privately segmented from other
public traffic and that secure internal routing information from
exposure to unauthorized entities. These carrier services provide VA
with a private network and do not place traffic on the Internet. It is
necessary, in serving our Veterans, to transmit PII. The network links
in question are not currently employing encryption but these
transmissions are crossing only the private VA network and are not
exposed to or traversing the Internet.

After learning of the allegation, OIT immediately engaged in a
comprehensive review of the locations where the complaints were
focused and subsequently determined that the allegation is
unsubstantiated. The review was conducted utilizing subject matter
experts from outside of the geography and organization in the report.
The communications circuits in the geography in question were
inspected, the configuration of the associated network equipment was
reviewed, and the network administrators were interviewed. All of the
findings conclusively substantiated that traffic is traversing only
VA’s private network and is not utilizing the Internet, or otherwise
publicly exposed, in any way. The telecommunications carrier for these
communications links was also interviewed to validate the nature and
configuration of their service offering. The carrier confirmed that
the communications links in question are private Multiprotocol Label
Switching (MPLS) that provide a secure, privately segmented network to
VA. A letter from the telecommunications carrier is also attached.

Also attached is a technical explanation and diagrams demonstrating
how sensitive information is routed between VA facilities. Although VA
does not concur with the Inspector General’s findings in this area,
OIT has initiated a review to ensure that the current practice
described in the aforementioned technical documentation is being
consistently applied across the VA enterprise, and if exposures are
found, OIT will correct those exposures without hesitation.

So did the OIG get their findings wrong? If so, that’s a pretty big
mistake that would make me question whether the OIG is competent to
really investigate IT security.

You can read the full report here.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
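The disagreement above comes down to two different properties: the carrier's MPLS service keeps VA traffic off the public Internet (link privacy), while the OIG's finding is about whether the data itself is encrypted in transit (payload protection). A defender can check the second property directly from flow records, without caring how the carrier provisioned the link. The following Python script is an added example and is not code from the article, the OIG, OIT, or the VA; the facility subnets, application labels, port numbers and flow records are all constructed placeholders, and the audit logic (classifying a flow by whether it leaves its source site and whether its application protocol encrypts the payload) is an assumed design rather than anything described in the report.

```python
"""Audit flow records for cleartext application traffic that leaves a facility's LAN.

Constructed example: the subnets, application labels and flow records below are
invented for illustration; they are not from the VA report or its attachments.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical facility address plans (constructed placeholders, not real VA ranges).
FACILITY_SUBNETS = {
    "facility-A": ip_network("10.10.0.0/16"),
    "facility-B": ip_network("10.20.0.0/16"),
    "facility-C": ip_network("10.30.0.0/16"),
}

# Application labels a flow exporter or DPI sensor might attach to a flow, split by
# whether the protocol itself provides transport encryption. "dicom" and "hl7-mllp"
# denote the cleartext variants; TLS-wrapped variants carry their own label.
ENCRYPTED_APPS = {"https", "tls", "ssh", "ipsec-esp", "dicom-tls", "hl7-tls"}
CLEARTEXT_APPS = {"dicom", "hl7-mllp", "http", "smb", "ftp", "telnet"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    app: str          # label assigned by the exporter (constructed values below)
    bytes_out: int


@dataclass(frozen=True)
class Finding:
    flow: Flow
    scope: str        # "inter-facility" or "external"
    reason: str


def facility_of(addr: str):
    """Return the facility whose subnet contains addr, or None for non-facility space."""
    ip = ip_address(addr)
    for name, net in FACILITY_SUBNETS.items():
        if ip in net:
            return name
    return None


def audit_flows(flows):
    """Flag every flow that carries a cleartext application protocol off its source LAN.

    A flow between two different facilities crosses the carrier link; a flow to an
    address outside every facility subnet goes to an external partner. In both cases
    the audit ignores link privacy (a carrier-provisioned MPLS VPN, for instance):
    only the application or transport protocol decides whether the payload is encrypted.
    """
    findings = []
    for f in flows:
        src_site, dst_site = facility_of(f.src), facility_of(f.dst)
        if src_site is None or src_site == dst_site:
            continue                      # intra-facility, or not originating from a facility
        if f.app in ENCRYPTED_APPS:
            continue                      # payload is protected end to end
        scope = "inter-facility" if dst_site else "external"
        if f.app in CLEARTEXT_APPS:
            reason = f"cleartext {f.app} leaving {src_site} ({scope})"
        else:
            reason = f"unclassified app '{f.app}' leaving {src_site} ({scope}); verify encryption"
        findings.append(Finding(f, scope, reason))
    return findings


# Constructed sample flows: none of these addresses, ports or sizes come from the report.
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.20.8.15", 104, "dicom", 48_000_000),      # images between facilities
    Flow("10.10.5.21", "10.20.8.16", 2575, "hl7-mllp", 12_000),      # HL7 between facilities
    Flow("10.10.5.22", "10.10.9.40", 2575, "hl7-mllp", 9_000),       # HL7 inside one facility
    Flow("10.20.3.9", "10.30.1.7", 2762, "dicom-tls", 51_000_000),   # TLS-wrapped DICOM
    Flow("10.30.1.7", "203.0.113.25", 104, "dicom", 70_000_000),     # to an outside reading service
    Flow("10.30.1.8", "203.0.113.25", 443, "https", 1_500),
    Flow("10.20.3.10", "10.30.1.9", 5000, "vendor-custom", 80_000),  # unknown protocol
]


def summarize(findings):
    """Count findings by scope; a one-line status suitable for a compliance dashboard."""
    counts = {"inter-facility": 0, "external": 0}
    for fd in findings:
        counts[fd.scope] += 1
    return counts


if __name__ == "__main__":
    for fd in audit_flows(SAMPLE_FLOWS):
        print(f"{fd.flow.src:>14} -> {fd.flow.dst:<14} port {fd.flow.dst_port:<5} {fd.reason}")
    print(summarize(audit_flows(SAMPLE_FLOWS)))
```

On the constructed sample the audit reports four flows: two cleartext clinical protocols crossing the carrier link between facilities, one cleartext transfer to an outside reading service, and one unclassified protocol that needs manual verification. The TLS-wrapped DICOM flow and the intra-facility HL7 flow are not reported, which is the point: the question a reviewer should ask of each link is not "is it private" but "is the payload encrypted before it leaves the site".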