IT security challenges at VA putting medical records at risk

The Department of Veterans Affairs has IT security challenges that are potentially putting sensitive data—such as medical records—at risk, according to the Government Accountability Office and the VA’s Office of the Inspector General.

Gregory Wilshusen, the GAO’s director of information security issues, testified on Thursday before the House Committee on Veterans’ Affairs Subcommittee on Technology Modernization, warning that the VA faces several security challenges as it attempts to secure and modernize its information systems.

“In providing healthcare and other benefits to veterans and their dependents, VA relies extensively on IT systems to receive, process and store sensitive data—including veterans’ medical records and other personally identifiable information,” Wilshusen told lawmakers.

However, he charged that the VA’s information security programs are deficient. In particular, Wilshusen said that the agency’s IT security challenges include effectively safeguarding its sensitive information by implementing information security controls; mitigating known vulnerabilities in a timely manner; accurately identifying critical cybersecurity staffing needs; and managing risks in its IT supply chain.

“Fiscal Year 2018 was the seventeenth year in a row that VA had reported a material weakness in information security,” added Wilshusen.

According to testimony by Nick Dahl, the VA’s deputy assistant inspector general for audits and evaluations, the OIG has a “long history of reporting on security incidents at VA in which sensitive information, including personally identifiable information (PII), has been lost, stolen or improperly secured, potentially exposing countless veterans and their families to the loss of privacy, identity theft and other financial crimes.”

In addition, Dahl noted that the OIG has “reported IT security controls as a material weakness for more than 10 consecutive years.” He also testified that the VA continues to face significant challenges in complying with Federal Information Security Management Act requirements partly because it’s maintaining an aging and outdated IT security infrastructure.

“Lack of proper safeguards renders these systems and networks vulnerable to intrusions by groups seeking to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other VA systems,” added Dahl. “Until proven processes are in place to ensure adequate controls across the enterprise, the IT material weakness will persist—putting VA’s mission-critical systems and sensitive veterans’ data at risk.”
