Alleged Palo Alto VA Health Care Data Sharing Violations Investigated
Unlawful sharing of veteran data, a failure to perform background checks on an IT vendor’s staff, and no risk assessments performed on data extraction software: the VA Palo Alto Health Care System (VAPAHCS) faced some serious accusations and, according to a complaint, potentially placed the data of 67,000 enrolled veterans at risk.
The House Committee on Veterans’ Affairs passed on the complaint to the VA Office of the Inspector General (VA OIG) in October 2014, and an investigation was launched. Now, a year on, the report of that investigation has been published.
The VA Palo Alto Health Care System Investigation
The VA OIG was informed of a privacy and policy violation allegedly committed by its Chief of Informatics, who had entered into an agreement with a healthcare technology firm called Kyron. The company was allegedly passed data relating to VAPAHCS patients, with data apparently leaving the VAPAHCS network. Information classed as PHI (Protected Health Information) and PII (Personally Identifiable Information) was accessible by Kyron employees, who had not received a background check by VAPAHCS staff.
The reason for the transfer of data was to run a pilot program on Kyron’s software and to test a technical implementation of its system. The software mines clinical data, analyses the structure of the records, and then performs a statistical analysis of patient progress notes. The software uses processes known as clinical data analytics and “analyzes data to identify treatment processes and outcomes that provide clinicians with a statistical model for making better decisions on the delivery of health care,” according to the VA OIG.
According to the allegations, in order to use the software VAPAHCS was required to send a data output file outside its firewall. However, VAPAHCS claims it only conducted one system data extraction, and that this involved de-identified VA patient information.
The investigation into the privacy violations involved site visits, interviews with staff members, and security audits, and was conducted in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation.
No Illegal Agreement, but Potential for Exposure of Veterans’ Data
While violations of security policies were discovered, the VA OIG was unable to substantiate a number of the claims of privacy violations. The investigation did not uncover an illegal agreement with Kyron, and the claim that data were transmitted outside the VAPAHCS firewall was also not substantiated. In fact, the de-identified patient data never left the VAPAHCS network.
However, VAPAHCS was discovered to have “potentially jeopardized the confidentiality of veteran’s PII, PHI, and other sensitive information.” The report states “the lack of coordination between the Chief of Informatics and ISOs in executing the Kyron agreement,” resulted in patient data being put at risk. A background check was also not performed on Kyron’s staff prior to data being provided, and staff did not receive VA data privacy and security awareness training.
The report also states that “Information Security Officers (ISOs) failed to execute their required responsibilities in accordance with VA Handbook 6500, Information Security Program, by not providing PAHCS management and staff guidance on information security matters.” Kyron’s software had also not been approved by the VA prior to its use.
The VA OIG did not appear to have a problem with the use of Kyron’s software, which had the potential to help managers and clinicians make better decisions and would likely improve the care provided to veterans. However, checks and controls should have been put in place to ensure that the use of the software did not violate the privacy of patients.
The VA OIG made a number of recommendations in this regard, which included:
- Conducting a risk assessment on software prior to its use to identify vulnerabilities and potential threats to VA systems and sensitive data.
- Implementing controls to ensure that unauthorized software is not installed on VA networks without a risk assessment first having been conducted and prior approval to use the software having been received.
- Performing background checks and obtaining formal authorization to operate software on VA networks.
- Obtaining a signed copy of the Contractor Rules of Behavior and conducting security awareness training for the vendor’s staff.
The VA OIG report can be downloaded here.