HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OIG Report: Veterans Benefits Administration Not Tracking Information Security Violations

In April last year, the Office of Inspector General received an anonymous tip-off alleging the Veterans Benefits Administration (VBA) had not integrated appropriate audit logs into the Veterans Benefits Management System. The subsequent investigation substantiated the allegation and revealed that the VBA had not been identifying and logging all security violations accurately.

OIG checked for the existence of audit logs and tested their accuracy by having 17 employees attempt to access same-station veteran employee compensation claims in the Veterans Benefits Management System (VBMS). Of the attempts that were logged, the entries attributed the activity to the Share application used by VA Regional Offices (VAROs) or to an unknown system. The actions of two of the 17 employees were not tracked or recorded in the audit logs at all. The tests were conducted at two VAROs in Texas (Houston and Waco) and one in Washington (Seattle).

OIG was unable to determine why the two employees’ actions were not recorded in the audit logs, although OIG did conclude that the Office of Business Process Integration (OBPI) had not developed sufficient system requirements to ensure that audit logs were created and made accessible to Information Security Officers (ISOs). The security vulnerability occurred because OBPI assumed that VBMS had built-in audit log functionality, as was the case for VBA legacy claims processing systems.

Audit logs are necessary because without them ISOs cannot accurately detect and resolve security violations that occur within VBMS, and it is not possible to detect when employees improperly process claims. Consequently, until the issue is resolved, VAROs will be more susceptible to fraudulent compensation claims processing.
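The OIG test described above is essentially an audit-log coverage check: perform a known set of accesses, then confirm that each one appears in the audit trail and is attributed to the system where it actually happened. The following is an added example, not code from the OIG report or from the VA; the key=value log line format, the user names, claim identifiers, and the "VBMS", "Share", and "unknown" system labels in the sample data are constructed for illustration. It reconciles a list of deliberate test accesses against parsed audit events and reports which were logged correctly, which were attributed to the wrong system, and which were never logged at all.

```python
"""Audit-log coverage check (example code, not the VA's own tooling).

Given a list of deliberate test accesses and a set of audit log lines,
report which accesses were logged under the expected system, which were
logged but attributed to another system, and which left no trace.
The log line format below is an assumption constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TestAccess:
    """One deliberate access a tester was asked to perform."""
    user: str
    claim_id: str


@dataclass(frozen=True)
class AuditEvent:
    """One parsed audit log record."""
    user: str
    claim_id: str
    system: str
    action: str


# Assumed line layout: "<timestamp> key=value key=value ..." (constructed).
_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Parse one log line; return None for lines that are not audit records."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    try:
        return AuditEvent(fields["user"], fields["claim"], fields["system"], fields["action"])
    except KeyError:
        # A record missing any required field cannot be attributed, so skip it.
        return None


def reconcile(accesses: List[TestAccess], events: List[AuditEvent],
              expected_system: str = "VBMS") -> Dict[str, list]:
    """Match each test access against the audit events.

    correct       - at least one event attributes the access to expected_system
    misattributed - events exist, but all name a different system
    unlogged      - no event at all for that user/claim pair
    """
    by_key: Dict[Tuple[str, str], List[AuditEvent]] = defaultdict(list)
    for ev in events:
        by_key[(ev.user, ev.claim_id)].append(ev)

    report: Dict[str, list] = {"correct": [], "misattributed": [], "unlogged": []}
    for acc in accesses:
        hits = by_key.get((acc.user, acc.claim_id), [])
        if not hits:
            report["unlogged"].append(acc)
        elif any(ev.system == expected_system for ev in hits):
            report["correct"].append(acc)
        else:
            report["misattributed"].append((acc, sorted({ev.system for ev in hits})))
    return report


def coverage(report: Dict[str, list]) -> float:
    """Fraction of test accesses that were logged under the expected system."""
    total = sum(len(v) for v in report.values())
    return len(report["correct"]) / total if total else 0.0


# Constructed sample data: five testers, four log records, one junk line.
SAMPLE_LOG = """\
2016-04-12T10:03:11Z user=tester01 claim=C-1001 system=VBMS action=view
2016-04-12T10:04:02Z user=tester02 claim=C-1002 system=Share action=view
2016-04-12T10:05:40Z user=tester03 claim=C-1003 system=unknown action=view
2016-04-12T10:06:15Z user=tester04 claim=C-1004 system=VBMS action=view
this line is not an audit record and must be ignored
"""

TEST_ACCESSES = [
    TestAccess("tester01", "C-1001"),
    TestAccess("tester02", "C-1002"),
    TestAccess("tester03", "C-1003"),
    TestAccess("tester04", "C-1004"),
    TestAccess("tester05", "C-1005"),  # performed, but never logged
]


def run_check() -> Dict[str, list]:
    """Parse the sample log and reconcile it against the planned accesses."""
    events = [ev for ev in map(parse_audit_line, SAMPLE_LOG.splitlines()) if ev]
    return reconcile(TEST_ACCESSES, events)


if __name__ == "__main__":
    rep = run_check()
    print(f"coverage: {coverage(rep):.0%}")
    for acc, systems in rep["misattributed"]:
        print(f"misattributed: {acc.user}/{acc.claim_id} logged as {systems}")
    for acc in rep["unlogged"]:
        print(f"unlogged: {acc.user}/{acc.claim_id}")
```

The two failure classes the script separates are exactly the two the OIG found: entries that exist but name the wrong system still leave an ISO unable to say where an access happened, and entries that are absent leave nothing to reconstruct at all. Running the check against a fresh log export after each release is a cheap way to catch the assumption OBPI made, that logging was present, before an incident does.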


The recording and maintenance of accurate audit logs is required under the Federal Information Processing Standards Publication, Minimum Security Requirements for Federal Information and Information Systems. The VA Handbook, Risk Management Framework for VA Information Systems, Tier 3: VA Information Security Program, also requires detailed and accurate audit logs to be created and maintained. Without the logs, it is not possible to reconstruct a data security incident or to analyze and report on inappropriate access to information systems.

To rectify the security vulnerabilities, OIG made a number of recommendations:

  • We recommended the Acting Under Secretary for Benefits develop and provide the Office of Information and Technology with system requirements for integrating audit logs containing the data security officers need to intervene in potential security violations into the Veterans Benefits Management System.
  • We recommended the Assistant Secretary for Information and Technology integrate audit logs into the Veterans Benefits Management System based on the requirements provided by the Acting Under Secretary for Benefits.
  • We recommended the Acting Under Secretary for Benefits test the newly integrated audit logs to ensure that the logs capture all potential security violations.

The VBA agreed to implement the recommendations made by the OIG, although it pointed out that OIG had incorrectly stated that the Office of Business Process Integration was at fault, and that the OIG audit did not give an accurate impression of the security weaknesses, overemphasizing their seriousness. The audit suggested that security violations were not logged, but VBA said that any actions taken by employees would be logged separately in the VBA Corporate Database.

VBA also said that, based on the information provided, it would not be possible to recreate the sequence of events that resulted in the failure of the system to record the actions of the two employees. OIG disagreed with the VBA’s comments.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.