US Veterans Agency disputes data security charge

Regulator finds that VA centres don't encrypt personal data during transmission to other offices


The Office of Information Technology at the US Department of Veterans Affairs has disputed a finding by the agency's Inspector General that several VA centres routinely transmit unencrypted sensitive personal data over the public Internet.

The probe by the IG's office was launched following a complaint last year that three VA Medical centres in the Midwest Health Care Network were transmitting personally identifiable information over unencrypted telecommunications carrier networks.

The investigation found the allegations to be true, said VA assistant inspector general for audit and evaluations Linda Halliday in a report released this week.

Investigators from the IG's office visited the three VA medical centres cited in the complaint. The centres are located in Fort Meade and Sioux Falls, S.D., and in Omaha, Neb.

The IG's office discovered that unencrypted sensitive information, including names, Social Security Numbers, dates of birth, and protected health information of veterans and their dependents, was sent from the targeted VA centres to other VA facilities, the report said.

In addition, the two facilities in South Dakota regularly used the same unencrypted telecommunications carrier network to transmit sensitive data such as x-rays and other radiographic patient images to external organisations.

IT staff at the VA centres told investigators that sending unencrypted sensitive data to other VA centres and to outside business partners was a common practice at more than just the three centres involved in the probe.

The transmission of unencrypted personal data violates internal VA security rules and does not satisfy Federal Information Security Management Act requirements. "Despite VA and [FISMA] requirements, VA has not implemented a configuration control that would ensure encryption of sensitive data," the report said.

"Unencrypted sensitive VA data could be used to perpetrate various types of fraud, including tax fraud," the report cautioned.

The report called on the VA to immediately implement encryption controls to protect data during transmission.

Roger Baker, VA assistant secretary for information and technology, rejected the IG's assertions.

He contended that personally identifiable information is not transmitted in the clear by any VA centre.

Baker said the carrier networks used by the VA to transmit sensitive data are completely segmented and not exposed to the public Internet. The VA, he said, uses a Multiprotocol Label Switching (MPLS) service from its carriers to ensure it has a private and segmented network for transmitting data.

"These carrier services provide VA with a private network and do not place traffic on the Internet," he said.

Baker conceded that the network links investigated by the IG's office were not using encryption but insisted the data was not traversing the public Internet.

When the complaint reached the VA last year, the agency's IT team inspected the communications circuits that were involved, reviewed all associated network equipment and interviewed network administrators, Baker said. "All of the findings conclusively substantiated that traffic is traversing only VA's private network," he said.

Even so, the VA's IT organisation has initiated a comprehensive review to ensure that sensitive data is being routed in a secure manner, he noted.

