CIO: VA is working toward gold standard in IT security

Assistant Secretary and CIO Bob Howard outlines the VA’s plans to reorganize its IT structure following computer thefts.

A new day is dawning at the Department of Veterans Affairs, said Bob Howard, the VA’s assistant secretary of information and technology and chief information officer, explaining the department’s major information technology reorganization and its plans to strengthen data security.

“Life changed big time,” he said, referring to May, when a VA laptop computer and a hard-disk drive with about 26.5 million veterans’ personal records were stolen from the home of a department employee. “It was a wake-up call for us and a wake-up call for all of government.”

Howard said the department’s determination to become the gold standard of data security is on its way to becoming a reality. “We’re encrypting everything in sight,” he said.

He outlined the VA’s five-step plan at an executive session of the American Council for Technology/Industry Advisory Council today at the National Press Club. “A high-performing IT organization has got to happen or we will not be able to achieve some of the other objectives we have on the table,” he said.

The VA is the only agency that has a separate appropriation for IT, Howard said. “It’s $1.2 billion and growing,” he said.

“Management of that appropriation is also a very important priority,” he said, adding that the final three priorities come under Data Security Assessment and Strengthening of Controls, an internal VA program.

In March, VA Secretary Jim Nicholson began to centralize the agency’s IT and strengthen the department’s security controls, Howard said. “We want to move ourselves from a very narrowly focused organization in terms of IT to a more process-based organization oriented on the customer,” he said.

Since the May laptop theft, improving data security has become a major focus within the VA, and Howard views his life now in two phases: pre-breach and post-breach.

“I didn’t even find out about [the theft] until the 16th of May, which tells you a little bit about our [security] process, doesn’t it?”

He said encryption, education and training, and background investigations can help prevent data losses, but they are not a panacea. “The bottom line is people,” he said. “What leaps out at you is employee carelessness,” and all the training in the world won’t ensure that there won’t be other data breaches.

“The dilemma is how far do we go in technologically trying to protect ourselves, and at the same time not shut the house down,” he said. Many devices used at VA medical centers that are linked to IT networks cannot be encrypted, he added.

The VA has completed its assessment of how to deal with the problem, Howard said. “We looked internally at ourselves and also at what the contractor community is doing.” He cited three main areas designed to strengthen controls: technical solutions such as encryption, better management through clear directives, and improving operational methods.

As an example of the latter, Howard said a laptop that was chained to a desk in a locked room on a secure floor was stolen a few weeks ago from a VA hospital in Brooklyn, N.Y. It contained information about veterans who had been at the medical facility, but the data could not be encrypted because the computer was linked to a pulmonary device.

Erasing the previous patient’s data before each use would have prevented the exposure. “You don’t need [to keep personal data] on the machine. That’s an example of a methodology that needs to be put in place,” Howard said.

“We’re trying to get a much better handle on how we manage these things, to focus in on what happened, what occurred, what are we doing to close these incidents out and any remedial actions that need to take place,” he said, but added that vulnerabilities will always remain.