“VA has not implemented technical configuration controls to ensure encryption of sensitive data despite VA and Federal information security requirements,” the OIG notes in a report issued on March 6 and available here. Moreover, VA Office of Information and Technology Management “acknowledged this practice and formally accepted the security risk of potentially losing or misusing the sensitive information, exchanged via a waiver; however, the use of a system security waiver was not appropriate,” according to the report.
The OIG has investigated allegations of unencrypted transmissions since receiving a complaint in May 2012. The transmissions are being made in the Nebraska and South Dakota regions. The medical centers studied in the report are Fort Meade and Sioux Falls in South Dakota and Omaha, Nebraska. The centers are part of the VA Midwest Health Care Network, called VISN 23, which serves more than 400,000 veterans in all of Iowa, Minnesota, Nebraska, North Dakota, and South Dakota, and parts of Illinois, Kansas, Missouri, Wisconsin and Wyoming.
OIG notes that Roger Baker, CIO at VA and assistant secretary for information and technology, did not agree with its assertion that protected and sensitive information was being transmitted over unsecured Internet connections. “He nonetheless acknowledged that VA transmits protected identifiable information over privately segmented networks to support service to veterans,” according to OIG. Baker said the department uses Multiprotocol Label Switching network links to provide a segmented network, and his office acknowledged to OIG that these links are not currently using encryption.
Now, Baker has agreed with OIG recommendations to identify VA networks transmitting sensitive data over unencrypted networks and employ encryption, and to ensure I.T. personnel receive “complete specialized training emphasizing the importance of encrypting sensitive VA data transmitted across public Internet connections,” according to OIG.