HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Department of Veteran Affairs Seeks Vendors to Search for Stolen Data

Even when appropriate controls are implemented to secure electronic protected health information (ePHI), data breaches can still occur. Mistakes are made with the configuration of firewalls, ePHI is accidentally disclosed to unauthorized individuals, and phishing attacks and malware allow criminals to gain access to ePHI. Healthcare data breaches have now become as inevitable as death and taxes despite the best efforts of healthcare organizations to keep ePHI secured.

The Department of Veteran Affairs is the largest integrated health system in the United States, with more than 1,700 locations providing healthcare services to more than 8.76 million veterans. The VA stores a considerable volume of ePHI, which makes it a large target for cyberattackers.

In April alone, the VA blocked 77.69 million intrusion attempts, blocked and/or contained almost 460 million malware samples, as well as more than 105 million malicious emails. With so many attempted attacks, occasional data breaches are to be expected. When breaches occur, lessons are learned, systems are improved, and security vulnerabilities are plugged to prevent future attacks from taking place.

This month, the Department of Veteran Affairs is going a step further and is trying to discover whether any of its stolen data are being offered for sale on the Internet.

Cybercriminals looking to sell stolen data do not advertise via Google; instead, data are listed for sale on underground forums and on darknet marketplaces. These sites are not indexed by search engines, so determining whether stolen data are being offered for sale is a complex task. The VA has reached out to vendors and is seeking assistance.

The VA is looking for vendors who are able to scour the darknet to discover whether its stolen data are being traded or sold. On May 12, the VA issued a request for information to find vendors who are able to create a one-way encrypted hash of its data to enable a data search to be conducted on the darknet.

Vendors must be able to guarantee that the hash of VA data cannot be used inappropriately and that software or searches will not place VA data or personally identifiable information of veterans at risk of exposure. Software must be capable of determining the source of any stolen data that are discovered to confirm whether the source was the VA or another entity. Vendors must also be able to guarantee that their software complies with all VA IT security policies.
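One way a one-way hash can support such a search without exposing the underlying records, shown as an added example that is not taken from the VA's request or from any vendor's product. It assumes HMAC-SHA256 with a secret key held by the data owner (identifiers such as Social Security numbers have a small value space, so an unkeyed hash could be reversed by enumeration); the field names, key and records are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed key for the example; assumption: in practice it stays with the
# data owner (for instance in an HSM or key management service).
KEY = b"constructed-demo-key-not-for-production"

# Constructed records with deliberately invalid identifiers.
OWNER_RECORDS = [
    {"name": "Jane Example", "ssn": "000-00-0001", "dob": "1950-01-02"},
    {"name": "John Sample", "ssn": "000-00-0002", "dob": "1948-11-30"},
]
# Constructed candidate records, as they might appear in a recovered data set.
CANDIDATES = [
    {"name": "  JANE   Example ", "ssn": "000 00 0001", "dob": "1950-01-02"},
    {"name": "Alex Other", "ssn": "000-00-0099", "dob": "1970-05-05"},
]

def normalize(record):
    """Canonicalize fields so formatting differences do not change the hash."""
    ssn = re.sub(r"\D", "", record["ssn"])            # digits only
    name = " ".join(record["name"].lower().split())   # case and spacing
    dob = record["dob"].strip()
    return f"{ssn}|{name}|{dob}".encode("utf-8")

def fingerprint(record, key):
    """Keyed one-way hash of a record; useless for matching without the key."""
    return hmac.new(key, normalize(record), hashlib.sha256).hexdigest()

def build_index(records, key):
    """Set of fingerprints; contains no plaintext identifiers."""
    return {fingerprint(r, key) for r in records}

def find_matches(candidates, index, key):
    """Return the candidate records whose fingerprint is in the index."""
    return [c for c in candidates if fingerprint(c, key) in index]

if __name__ == "__main__":
    index = build_index(OWNER_RECORDS, KEY)
    for hit in find_matches(CANDIDATES, index, KEY):
        print("match:", fingerprint(hit, KEY)[:16], "...")
```

Because matching requires the key, whoever holds it must compute the fingerprints of candidate records; the index alone can be stored or shared without revealing names or identifiers.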

Vendors have been given until May 26 to contact the VA with their proposals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.