Department of Veterans Affairs employees improperly used Yammer.com, a web-based collaboration tool to increase productivity, and introduced data security risks, according to an audit report.
The VA Office of Inspector General concluded that the relatively simple process to post to Yammer not only made VA vulnerable through user uploads, but that any current or former employee remaining active on the site had access to personally identifiable information, protected health information, and agency-sensitive information.
After signing up, any user could access, disseminate, or process sensitive information, which should be restricted to VA personnel with an official need to know, the IG states. Further, there was no administrator or system in place to ensure that former VA employees and VA contractor employees no longer had access, or that VA users did not, accidentally or on purpose, upload PII, PHI, or VA sensitive data.
If that wasn't enough, auditors also found that Yammer users at the VA violated department policy when they downloaded and shared files, videos, and images, while risking malware or viruses which could spread quickly on a social media site because of a false sense of security that VA approved the use of Yammer.
Making matters worse, OIG reported numerous user posts that were non-VA related, unprofessional, or had disparaging content that reflected a broad misuse of time and resources. Yammer also regularly spammed and excessively emailed VA employees, according to the report.
In particular, OIG took Stephen W. Warren, the VA's former chief information officer, to task for giving the false impression in official communications that the agency approved the use of the Yammer social network. Warren, a registered VA Yammer user since May 2011, even hosted a question and answer forum on Yammer in June 2013. He served as CIO of the VA up until early last month.
OIG disclosed in its report that, as of earlier this month, 25,171 VA email addresses were registered with Yammer as active members and another 25,609 VA email addresses were registered as not yet activated.