GAO and VA OIG Identify Privacy and Security Failures at the Department of Veterans Affairs

Share this article on:

Two government watchdog agencies have recently published reports of reviews of privacy and security safeguards at the U.S. Department of Veterans Affairs. The Government Accountability Office (GAO) review revealed several security failures, while the VA Office of Inspector General review (VA OIG) confirmed that privacy policy changes have exposed sensitive information.

GAO assessed the security controls at the VA to determine whether they met the requirements of the National Institute of Science and Technology (NIST) Cybersecurity Framework. GAO determined that the VA had failed to meet all requirements of NIST Cybersecurity Framework and was deficient in five areas: Security management, access control, configuration management, contingency planning, and segregation of duties. The VA had reported that it had only met 6 of the 10 cybersecurity performance targets set by the Trump administration and had not yet met the targets for software asset management, hardware asset management, authorization management, and automated access management. The security failures identified by GAO were similar to those at 18 other government agencies.

As with the other government agencies, modernizing and securing information systems has been a major challenge. Security practices have been implemented, but those practices have not been implemented consistently across the entire agency and many vulnerabilities remain unaddressed. The VA was found not to have consistently mitigated vulnerabilities, has not fully established a cybersecurity risk management program, was not identifying critical cybersecurity staffing needs, and was not effectively managing IT supply chain risks.

In 2016, GAO had recommended 74 actions that the VA needed to take to improve its cybersecurity program and address deficiencies. As of October 2019, only 42 of those recommendations had been addressed. The latest review also added a further 4 recommendations for its cybersecurity risk management program, along with one additional recommendation to accurately identify IT/cybersecurity workforce positions. The VA concurred with the GAO recommendations and will implement the additional recommendations as soon as possible.

Another report was recently published by VA OIG following a review of the Veterans Benefits Administration’s (VBA) Records Management Center (RMC). The review was conducted to determine whether staff were disclosing third-party, sensitive personally identifiable information (PII).

Many records held by VBA contain the PII of other individuals. Staff at RMC were previously required to redact third-party PII when processing Privacy Act requests, and only provide information on the person making the request. A change to the VA privacy policy in 2016 meant that third-party PII stopped being redacted, which resulted in the disclosure of a considerable amount of third-party PII when processing the Privacy Act requests.

The decision to stop redacting third-party PII has meant that requests can be processed much faster, but it has also placed many individuals at risk of identity theft. Since those individuals are unaware that their PII is being disclosed, they would not know to take steps to reduce risk.

A sample of 30 Privacy Act responses out of a total of 65,600 requests processed between April 1, 2018 and September 30, 2018 were reviewed. 18 of those 30 requests contained the names and Social Security numbers of unrelated third parties. In some cases, the requests included the PII of more than 100 third parties, including the PII of physicians and other people involved the care of a veteran.

From the data of the privacy policy change n 2016 to May 2019, approximately 379,000 requests had been processed. The 30-request sample was found to contain the names and Social Security numbers of 1,027 unrelated third parties. Assuming the 30 responses were representative of the total, the PII of millions of third parties may have been disclosed. Further, the discs on which the information was saved were not encrypted or protected with passwords. The policies covering the mailing of discs had not been updated following the privacy policy changes in 2016.

According to the VA OIG report, after privacy concerns were raised, VBA agreed that a further update to its privacy policy was required and from no later than October 1, 2019 the redaction of third-party PII will resume.

Author: HIPAA Journal

Share This Post On