Information Security News mailing list archives

VA toughens security after PC disposal blunders


From: InfoSec News <isn () c4i org>
Date: Tue, 27 Aug 2002 08:00:38 -0500 (CDT)

http://www.fcw.com/fcw/articles/2002/0826/news-va-08-26-02.asp

By Judi Hasson 
Aug. 26, 2002

The Department of Veterans Affairs is tightening its policy on the
disposal of old computers following disclosures that 139 computers
containing sensitive personal information about veterans, including
their medical records, were given away.

Although the VA has had security rules since 1997 on purging sensitive
data before disposing of old computers, the policy was breached by the
Indianapolis VA Medical Center. The facility failed to erase personal
information before giving away the computers to educational
institutions, the state of Indiana or private individuals.

The computers' hard drives contained a wealth of personal data,
including information about a veteran with AIDS and others with mental
health problems. Some computers also contained the numbers of 44
government credit cards, according to memos on the incident obtained
by Federal Computer Week.

Three of the computers wound up at a local thrift store in
Indianapolis, where a local TV reporter bought them in May. Those
computers contained data on seven veterans; the total number of
veterans whose personal data was on the computer hard drives has not
been determined. All but 15 of the computers have been recovered.

John Gauss, the VA's chief information officer, said the agency
decided to buy an enterprise license for Ontrack Data International
Inc.'s DataEraser software as a result of the Indianapolis incident.

"We also examined our overall cybersecurity process and decided we
were going to strengthen it through the development of a qualification
and certification program for ISOs," or information security officers,
Gauss said.

Bruce Brody, the VA's cybersecurity chief, said the Indianapolis
incident helped speed efforts to tighten security within the VA.

Although the VA's new policy has not been formalized, the Office of
Cyber Security plans to establish a program by Oct. 1, 2003, to train
and certify all 600 ISOs within the department. Nevertheless,
information security officials already know about the new policy,
Gauss said.

In a letter to Rep. Steve Buyer (R-Ind.), VA Secretary Anthony
Principi said the Indianapolis incident is an "unacceptable violation
of VA security policy.... I share your concern over the
confidentiality, integrity and availability of the sensitive veteran
data [with] which our department is entrusted."

He spelled out a new policy that will include random audits and
inspections by the Office of Cyber Security to make sure policies are
being followed.

"The purpose is not to go find people and bust them, [but to] find
when people make mistakes and talk directly to them," Gauss said.

***

VA on guard

The Department of Veterans Affairs has taken several steps to prevent
future privacy breaches like the one that recently occurred when the
agency donated computers to outside organizations without removing
sensitive data from the hard drives.

VA officials:

* Bought an enterprise license for Ontrack Data International Inc.'s
  DataEraser, which overwrites data on a hard drive so that it cannot
  be recovered.

* Plan to buy electromagnetic wands for deleting information by
  demagnetizing hard drives.

* Are developing a program for certifying information security
  officers.
