VA systems called 'open door'

A private auditing firm hired by the Department of Veterans Affairs' inspector

general easily broke into computers at the agency "dozens of times" this

year, gaining total control of data and creating a phantom veteran to fraudulently

collect benefits.

Testifying before the House Veterans Affairs Committee's Oversight and

Investigations Subcommittee last week, lawmakers and VA officials expressed

frustration regarding the failure to protect the records of 7 million veterans

who count on the system for health and other benefits.

The security problems plaguing the system have been known for at least

five years, a period during which the VA has spent more than $5 billion

on information technology.

"We need a system that's more like a rock than a mushroom," said Rep.

Terry Everett (R-Ala.), subcommittee chairman.

Rep. Corrine Brown (D-Fla.), the ranking Democrat on the panel, said

the security problems at VA represent "an open door to the U.S. Treasury."

The security audit, performed by PricewaterhouseCoopers, found major

weaknesses in the firewalls at computers operated by the Veterans Benefits

Administration and the Veterans Health Administration.

Michael Slachta Jr., the VA's assistant inspector general for auditing,

said the agency's programs and financial data are "vulnerable to destruction,

manipulation and fraud."

Slachta said virtually any VA information is available for the picking,

and hackers could enter the system through a back door to access VA computer

systems.

"We were able to get to the individual veteran's record," Slachta said.

Hackers could obtain a veteran's Social Security number, which could be

used to open checking accounts and verify identity, and could access a veteran's

master identification record and cull information about a veteran's family.

Slachta said the VA did not even detect that its systems had been hacked.

PricewaterhouseCoopers did not try to break into VHA systems, but Slachta

said VHA records are no more secure than those at the VBA.

"VHA's program and financial data continue to be vulnerable to error

or fraud because of serious weaknesses in automated data processing general

controls throughout VHA," Slachta said.

K. Adair Martinez, the VBA's chief information officer, said the VA

has been able to detect and thwart some attacks. The VBA detected and blocked

two attacks on the system the week of Sept. 10.

In the past six months, she said, the VA has installed software to detect

hackers and fortify its firewalls. Whenever there is a problem, she said,

IT staffers are notified by beeper at home.

"No system is totally bulletproof," she said, "but we're putting patches

on all the time."

Veterans groups expressed indignation at the security breaches at the

VA.

"We're appalled that the medical records of veterans were subject to

being compromised," said Dick Mannemacher, spokesman for Disabled American

Veterans. "We feel medical records and information systems have to be tightened

to protect those persons who became sick and disabled in the nation's defense."

In its latest report on VA computer problems, the General Accounting

Office said the VA has failed to provide leadership to develop a seamless

computer system.

"Until the department develops and implements a coordinated system,

there is little assurance that the records are protected," said Joel Willemssen,

GAO's director of Civil Agencies Information Systems, who also testified

at the hearing.

Everett said VA's decentral——ized environment with a classic stove-pipe

architecture is partly to blame for the lax security. VA CIOs responsible

for benefits, health and national veteran cemeteries operate independently.

"It is a prime example of people protecting their turf," Everett said.

Nevertheless, the White House last month named Edward Meagher, an industry

IT expert, as the first assistant secretary for information and technology

to serve as the VA's CIO. Meagher awaits confirmation by Congress and is

working as a special assistant to the VA secretary.