BreachExchange mailing list archives

VA disputes charge that it transmits unencrypted personal data over public Internet


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Mon, 11 Mar 2013 09:10:47 -0400

http://www.networkworld.com/news/2013/030813-va-disputes-charge-that-it-267528.html

Computerworld - The Office of Information Technology at the U.S.
Department of Veterans Affairs has disputed a finding by the agency's
Inspector General that several VA centers routinely transmit
unencrypted sensitive personal data over the public Internet.

The probe by the IG's office was launched following a complaint last
year that three VA Medical Centers in the Midwest Health Care Network
were transmitting personally identifiable information over unencrypted
telecommunications carrier networks.

The investigation found the allegations to be true, said VA assistant
inspector general for audit and evaluations Linda Halliday in a report
released this week.

Investigators from the IG's office visited the three VA medical
centers cited in the complaint. The centers are located in Fort Meade
and Sioux Falls, S.D., and in Omaha, Neb.

The IG's office discovered that unencrypted sensitive information,
including names, Social Security Numbers, dates of birth, and
protected health information of veterans and their dependents, were
sent from the targeted VA centers to other VA facilities, the report
said.

In addition, the two facilities in South Dakota regularly used the
same unencrypted telecommunications carrier network to transmit
sensitive data such as x-rays and other radiographic patient images to
external organizations.

IT staff at the VA centers told investigators that sending unencrypted
sensitive data to other VA centers and to outside business partners
was a common practice at more than just the three centers involved in
the probe.

The transmission of unencrypted personal data violates internal VA
security rules and does not satisfy Federal Information Security
Management Act requirements. "Despite VA and [FISMA] requirements, VA
has not implemented a configuration control that would ensure
encryption of sensitive data," the report said.

"Unencrypted sensitive VA data could be used to perpetrate various
types of fraud, including tax fraud," the report cautioned.

The report called on the VA to immediately implement encryption
controls to protect data during transmission.

Roger Baker, VA assistant secretary for information and technology,
rejected the IG's assertions.

He contended that personally identifiable information is not
transmitted in the clear by any VA center.

Baker said the carrier networks used by the VA to transmit sensitive
data to are completely segmented and not exposed to the public
Internet. The VA, he said, uses a Multiprotocol Label Switching (MPLS)
service from its carriers to ensure it has a private and segmented
network for transmitting data.

"These carrier services provide VA with a private network and do not
place traffic on the Internet," he said.

Baker conceded that the network links investigated by the IG's office
were not using encryption but insisted the data was not traversing the
public Internet.

When the complaint reached the VA last year, the agency's IT team
inspected the communications circuits that were involved, reviewed all
associated network equipment and interviewed network administrators,
Baker said. "All of the findings conclusively substantiated that
traffic is traversing only VA's private network," he said.

Even so, the VA's IT organization has initiated a comprehensive review
to ensure that sensitive data is being routed in a secure manner, he
noted.

Jaikumar Vijayan covers data security and privacy issues, financial
services security and e-voting for Computerworld. Follow Jaikumar on
Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His
e-mail address is jvijayan () computerworld com.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
