FREE Health Data Management Site Registration

Sign up today and access the leading source of Health Care I.T. information on the Web.
Your FREE site registration entitles you to:

Free Health Data Management e-newsletter
 
Search more than 12,000 articles
 
Access Web Seminars on a host of I.T. topics
 
White Papers and Industry Research that provide valuable insights on a variety of technologies and implementation issues
 
Podcasts, updates on industry events, and much more!

 
   

GAO, VA Differ on Security Progress


November 1, 2007

The Department of Veterans Affairs has made little progress improving data security since a laptop holding data on 26.5 million patients was stolen in May 2006, according to the Government Accountability Office.

But Robert Howard, assistant secretary for information and technology, and CIO at the VA, contends the agency is making much more progress than reflected by the GAO, a congressional investigatory agency. At the same time, Howard notes that government processes mean that officials often cannot move as quickly as desired to make changes.

The GAO in September reported that the VA has not implemented several recommendations from the GAO and 20 of 22 recommendations from the Office of the Inspector General. Among other areas, these recommendations cover appropriately restricting access to data, networks and facilities; ensuring only authorized changes and updates are made to computer programs; and strengthening critical infrastructure planning.

Further, the VA hasn't yet filled the position of chief information security officer that has been vacant since June 2006.

That the security officer position remains unfilled is not for lack of trying, Howard says. In July, the VA closed its third round of accepting applications for the position, and the department expected to make an offer this fall. After the second round, the VA selected an individual, but that person took another job within days of being hired. "That puts the whole thing back to square one," Howard says. The GAO also faulted the VA for still not having clear guidance for identifying devices that require encryption functionality. But "all along, the guidance has been that mobile devices will be encrypted," Howard says. He believes GAO investigators may not have fully understood the steps VA was taking to improve security, including more than 400 items in an "action plan" signed on May 24, 2006.

Encryption software now is on all VA laptops, Howard says, and the software is being implemented on other mobile devices. Further, a mandate now exists to encrypt data on thumb drives. The department also in recent weeks awarded contracts for port monitoring software that will shut off unapproved computing devices plugged into the VA's network. The software also will prohibit the downloading of data to mobile devices, permitting view-only capability.

More NewsLine Articles

Data Security Archive
Policies/Regulation Archive
Hospitals Archive

I.T. Spotlights