Information security is a 'major challenge' at VA, watchdogs tell Congress

Photo credit Photo by Staff Sgt. Brendan Stephens/North Carolina National Guard

The Department of Veterans Affairs has been struggling with information management and security for nearly two decades, two federal watchdogs told Congress Thursday. 

At a House Veterans Affairs Committee hearing, the Office of the Inspector General (IG) and the Government Accountability Office (GAO), outlined ways VA falls short in managing and protecting veteran data, including the ways it lags behind other federal agencies. 

Information management issues are "not a new problem" for VA, according to an upcoming IG report. Information management has been "a major management challenge since 2000," Nick Dahl, deputy assistant inspector general for audits and evaluations, testified at the hearing. 

"VA must show that it is secure, it can be trusted and it has the tools, policies and leadership" to protect veteran data, Rep. Susie Lee, D-Nev., said.

There was a time when such attacks targeted primarily financial institutions. 

"That day is past," said Rep. Jim Banks, R-Ind., who added that such security incidents are now "nearly daily occurrences (that) threaten nearly every government agency."

VA could be particularly at risk, with increasingly outdated legacy technology that "carries vulnerabilities" and scarce resources to combat attacks, Banks said. 

The IG and GAO have long histories of reporting on security incidents at VA, representatives from the watchdog agencies said, including incidents "in which sensitive information, including personally identifiable information, has been lost, stolen or improperly secured, potentially exposing countless veterans and their families to the loss of privacy, identity theft and other financial crimes." 

VA has carried a "high number of unresolved recommendations" from IG and GAO for years and those will be "unresolvable" until VA replaces its outdated systems, Banks said. 

The Veterans Health Administration is the nation's largest healthcare network and serves about 9 million veterans annually. VHA is contending with thousands of "security incidents" annually, though the number has dropped steadily in the last three years.

"Healthcare recognized (this threat) somewhat later than other industries," Banks said, adding that the first major healthcare data breach was in 2014. At VA there is increasingly a real-time exchange of "huge volumes of sensitive data ... Patients demand this, but also expect peace of mind that their data will not be mishandled or stolen," he said. 

Incidents at VA include web-based attacks, phishing attacks, loss or theft of computer equipment and more, according to GAO. From fiscal years 2016 to 2018, VA reported 7,245 security incidents. 

In fiscal year 2018, VA security incidents were: 

  • 20 percent email/phishing;
  • 20 percent loss or theft of computer equipment;
  • 13 percent web-based attacks;
  • 4 percent improper use of information by an authorized user; 
  • 41 percent "other;"
  • Less than 1 percent external/removable media or devices;
  • Less than 1 percent attrition or impersonation. 

The large percentage of incidents labeled "other" could indicate "a lack of agency awareness and ability to investigate and catalog incidents," GAO officials said. 

VA Chief Information Security Officer Paul Cunningham told Congress VA does "have active state-sponsored threat actors that are trying to get in" to its systems. "We recognize those when we can" but Cunningham added that VA doesn't "spend a lot of time doing attribution as much as blocking" the attacks. And VA does not have a dedicated intelligence community "like other agencies," he said, often leaving identification of threats to the Department of Homeland Security and other intelligence officials. 

VA is aware of the "treasure trove of information" it protects on behalf of veterans "and the lengths our enemies will go" to compromise that data, Cunningham said. 

Electronic health records

VA recently announced that veterans can now access their VA health records on their iPhones through the Health app. 

But it was initially unclear what access Apple may have to the data in the app. 

"Once it leaves VA space, how the veteran uses that information becomes a challenge," Cunningham said, adding that VA was working to educate veterans about data security. 

Apps VA partners with, such as the Health iOS app, "are vetted" through VA development teams, Cunningham said. "They have to go through analysis of what they can do with that information and sign releases that they won't sell that information." 

But Cunningham also said VA was "looking at what information they can download" and the department is "looking at ways to protect that information from the time it leaves the VA boundary to when it arrives on a veteran's personal device." 

Apple does not have access to veteran data through the Health app, VA spokeswoman Susan Carter told Connecting Vets in a statement. "When a veteran connects their health record to the Health app, the data is securely transferred directly to the individual’s mobile device, where it remains encrypted. At no point does this data reside on Apple’s servers, nor can Apple access the data stored on an individual’s device," Carter said. 

VA has plans to begin sharing veterans' medical records with its network of community providers next year, part of a massive undertaking by VA and the Defense Department to create universal electronic health records for service members and veterans years in the making. 

A Connecting Vets Freedom of Information Act request previously showed how often VA has experienced major data breaches in the last 10 years, though VA has been largely silent on specific efforts to protect veteran data. 

Another committee hearing earlier this week showed that foreign agents are also directly targeting veterans on social media with scams, fraud and misinformation. 

As VA increasingly plans to rely on technology, Congress members said information security must be a focus from the start. 

"I have heard from veterans loud and clear about privacy and data security concerns," Lee said. "And those will become more amplified as more systems become electronic. We don't want to hold up progress sorely needed, but we do need to be mindful of the risks we take as VA moves ahead."

Reach Abbie Bennett: or @AbbieRBennett.
Want to get more connected to the stories and resources Connecting Vets has to offer? Click here to sign up for our weekly newsletter.