For VA, all security is local

IG’s latest findings illustrate difficulty of assessing risk from data breaches.

When an external hard drive went missing from a Veterans Affairs Department medical center in Birmingham, Ala., earlier this year, the incident added to the notoriety the department earned in May 2006, when a VA laptop PC containing the personal information of 26.5 million veterans and their families was stolen from a VA employee's home.

The most recent incident revealed that enforcement of the data security policies and procedures set by the agency's headquarters is hit or miss at local offices, according to VA's Office of Inspector General, which released an investigative report June 29. The local data loss underscored a lack of governmentwide guidance on assessing the degree of risk to potential victims of data security incidents, the IG said. The loss also exposed a lack of guidelines for handling incidents in which lost or stolen data belongs to more than one agency. Without guidelines, agencies are likely to make inconsistent decisions about what protections to offer people whose personal data was compromised, the report states.

VA's response to the Birmingham incident was to assume that the victims were at high risk of harm because of the incident. On that basis, VA offered the victims free credit monitoring, which is costing the government $20 million. The IG's report made the point that "a very liberal use of high-risk levels can result in spending millions of dollars in taxpayer money needlessly."

In January, an information technology specialist reported missing a VA-owned external hard drive from the Birmingham Medical Center's Research Enhancement Award Program office. The employee had used the hard drive to back up research files, which contained personally identifiable information and health information on about 250,000 veterans and data from the Health and Human Services Department on 1.3 million medical providers.
The IG recommended that VA coordinate with the Office of Management and Budget and the President's Identity Theft Task Force to develop governmentwide risk-analysis criteria to determine when potential identity theft victims of data loss should be notified and offered free credit monitoring. In the absence of governmentwide criteria, VA or other agencies that lose personal data must determine whether the loss of a single personal identifier, such as a Social Security number, creates a risk of identity theft, said Robert Howard, VA's chief information officer, in a letter to the IG's office last month.

VA ultimately offered credit monitoring to 864,000 affected veterans, employees and health care providers whose Social Security numbers were on the missing hard drive, Howard said. VA has not located the drive. It also has no evidence that the missing data has been used to commit fraud.

The data loss was disheartening for the Veterans Health Administration, which oversees all VA hospitals, said Michael Kussman, VA's undersecretary for health, in a written response to the IG report. "The loss of information at the Birmingham Research Enhancement Award Program is a disturbing incident, given the Veterans Health Administration's focus on data security over the past year," Kussman said.

Administrative investigation: Loss of VA information, VA Medical Center, Birmingham, Ala.

No hard-and-fast guidelines exist for assessing risk

The Veterans Affairs Department's Office of Inspector General is not the first to ask the Office of Management and Budget for risk-assessment guidelines for handling incidents involving the loss or theft of personal data.

The Government Accountability Office recommended in April that OMB develop risk-assessment guidelines to help federal agencies determine when to offer free credit monitoring after such incidents.

Karen Evans, OMB's administrator for e-government and information technology, said the agency is looking into ways to supplement guidance it offered in 2006. "We released a high-level decision chart for agencies last year. It includes recommendations from the Identity Theft Task Force and a decision flowchart," she said.

“We plan to take a look at the flowchart and see how we can complement it,” Evans added. “We will figure out if there is anything we can offer and talk to the National Institute of Standards and Technology.”

Evans also said no single approach will fit all agencies. She said each agency must weigh the consequences of data security incidents and analyze what they need to accomplish.
— Jason Miller