Employees’ Social Media App use makes VA Vulnerable to Data Exposure, says OIG

The VA Office of the Inspector General (OIG) has recently published the findings of its administrative investigation into improper web-based collaboration technology by the Department of Veteran Affairs (VA). It determined the agency is particularly vulnerable to data exposure from employees’ social media app use.

Employee’s use of the social media application from Yammer.com could potentially result in the expose of sensitive veteran data. The OIG discovered employees have been using the social media app, even though the app had not been sanctioned by the VA. VA policy requires all social media applications to be approved before use, and have usage monitored.

The OIG determined that the application “had vulnerable security features, recurring website malfunctions, and users engaged in a misuse of time and resources.” Yammer Notifier, a desktop application, was approved by one Technical Reference Model (TRM) with constraints; however use of the Yammer social network was not.

The application has a lack of security controls and it was too easy for Protected Health Information (PHI) and Personally Identifiable Information (PII) to be uploaded and shared. Another problem was the lack of an administrator or system to remove contracted and former employees, allowing veteran data to potentially be accessed, downloaded and shared even after employment contracts have ended.

The Technology Director of the Veterans Health Administration (VHA), William Cerniuk, was interviewed as part of the investigation and told the OIG, Yammer was a “social media site which is semi-private, allowing the ability for VA employees who have VA email addresses, contractor [or] permanent, to have discussions that do not involve PII or PHI.”

He also confirmed that “Staff began using Yammer in early 2012 as an “organizational approach” to disseminate product development messaging,” and explained that the app is “essentially, for lack of a better definition, Facebook for your company.”

However, there were security issues. He said there was no centralized administrator, but “at any given point in time you or I or anyone else in Yammer can hit a button next to my name that says, ‘this person is no longer in the network.’ The system would then disable that person’s login”. That individual would then need to confirm by email if they still needed to be in the network. If no email is received, the login remains disabled. However, he went on to say “Now, this is not done by any rigor of any sort. No one is assigned this duty of going through and digging out who belongs. So people will be able to log into Yammer after they leave the VA if their account isn’t disabled either by themself or otherwise.”

Employees Found to be Violating VA Policy on Yammer


The OIG determined some employees were routinely violating VA policy by uploading, downloading and sharing files, and that the activity on Yammer had potential allow malware and viruses to spread quickly from the site. The report went on to say, “users were unable to remove the Online Now instant messaging feature, resulting in every user violating VA policy simply by logging onto the site.”

An Inappropriate use of Time and Resources


The security vulnerabilities introduced by the use of Yammer were not the only issues the OIG had with the use of the app. The OIG report said Yammer was not an appropriate use of employees’ time and resources, and much time was being wasted on non-work related communication. In some cases, users were even using the platform to send spam, and the widespread uploading, downloading and sharing of information via the platform could potentially have an adverse effect on the speed of the VA’s network.

Recommendations Issued to Address Data Security Issues


The OIG made three recommendations in its report and gave the VA until October 1, 2015 to comply.

The use of VA Yammer must be formally evaluated, and its use by the Department of Veteran Affairs must be either approved or disapproved. If the decision is taken to approve use of the social media application, it must first meet the minimum standards for data security laid down by federal laws, in addition to internal VA policy and guidance. However, should it be disapproved, its use must be strictly prohibited on all VA-equipment and networks. The VA must confer with the Offices OIT, OPIA, and General Counsel (OGC) in this regard.

The VA Chief of Staff has been recommended to consult with the Offices of Human Resources (OHR), Accountability

Review (OAR), and the OGC to determine whether it is necessary to take action against accountable officials or other contractors or employees who were involved in the matter.

Finally, the VA Chief of Staff must ensure that all employees receive instruction on the web-based collaboration technologies that have been authorized for use by employees, as well as those which are prohibited.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.