VA sets aside $20 million to handle latest data breach

[InfoSec News <alerts () infosecnews org>]

http://www.govexec.com/story_page.cfm?articleid=37191

By Daniel Pulliam
govexec.com
June 14, 2007

The Veterans Affairs Department has set aside more than $20 million to respond
to its latest data breach, the agency's top technology officer said Thursday.

The department does not expect to spend the full $20 million, but designated
that much because the breach potentially puts the identities of nearly a million
physicians and VA patients at risk, said Bob Howard, the department's chief
information officer. Howard spoke at The E-Gov Institute's Government Health IT
Conference and Exhibition in Washington.

"We have no evidence that [information is at risk]. None whatsoever, but we
don't take the chance," Howard said. "The attitude of the VA right now is if we
think we've put anybody's information at risk, then we need to step up to the
plate and try to remedy that."

The breach occurred in January, when a hard drive went missing from a
Birmingham, Ala., VA medical research facility. The drive contained highly
sensitive information on nearly all U.S. physicians and medical data for more
than a half million VA patients. Any physician who billed Medicaid and Medicare
through 2004 could be affected.

The hard drive has not been recovered. The VA estimates that about half of the
1.3 million doctors whose information was on the hard drive, and 254,000
veterans, are potentially at risk. This group was notified by mail at the end of
May. The letters noted that VA is providing credit monitoring services through a
General Services Administration blanket purchase agreement from the multiple
award schedules program.

The credit monitoring funds will come out of the VA's fiscal 2007 cybersecurity
budget, but Congress included an extra $15 million in the recently passed
emergency supplemental bill for funding the wars in Iraq and Afghanistan (H.R.
2206), Howard said.

Because the January data breach occurred in a medical research facility, the
technology office tried to get health care-related funds reprogrammed to cover
the credit monitoring, Howard noted, but the effort was unsuccessful.

"We were very worried about using cyber money that was needed to fix other
things so they listened to us and helped us out [through the supplemental],"
Howard said. "I'm spending my life in the protection of information. The fact of
the matter is that it is a very important aspect to us."

Investigators are still trying to locate the hard drive and the FBI has offered
a $25,000 reward for information leading to its return.

In May 2006, the VA shocked Congress, the veterans community and the military by
announcing that a laptop computer containing personal data on 26.5 million
veterans and active-duty military personnel had been stolen. This prompted
multiple hearings and legislation intended to better protect the government's
sensitive information.

Howard said the department's health care information system, known as VistA, has
weaknesses since it was built at a time when the VA did not worry as much about
security.

Department officials are looking at ways of speeding up the modernization of
VistA, which is scheduled to take until at least 2015, Howard said. The update
is intended to make the medical records stored on the system available worldwide
via the Internet but at the same time protect security.

"We're not satisfied with the timeline we've laid out for VistA," Howard said.
"We want to accelerate it, and it may take additional money, but we're not sure.
The biggest concern we have is money. You don't want to just throw money at the
problem unless you know what you're doing."

Currently the system is "facility centric," revolving around the department's
1,400 locations. With patients moving out of the Defense Department's health
system and in and out of private health care systems, VA has to be able to
access the medical information through a single portal from anywhere, Howard
said.

The modernization of VistA is "enormously complex," since the system was "built
internally over time by the officials who work with the requirements," Howard
said. The modernization will be approached incrementally, rather than with a
"big bang approach," he said.

"We are not there by any sense of the imagination," he said. "That's a tall
order, but that's the vision that we're focused on and hopefully we can figure
out how to do that at some point."

Howard said the fact the department is now working with the Defense Department
to build a joint electronic health system has improved the prospects of securing
resources from Congress to hasten the VistA upgrade.

In addition, the centralization of IT authority around the CIO's office has
improved the VA's ability to implement the upgrade, Howard said.

"We've got it all now. We've got the people. We've got the money. The IT
appropriation. But we've also got the problems," Howard said. "Centralization
has already begun to help us get things done faster, improve standardization,
improve compatibility -- all of the things that will help us modernize our
electronic health records."


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com