Information Security and the Department of Veterans Affairs

NEXT STORY
DoD Releases Instruction 5010.44 Intellectual Property Acquisition and Licensing

Information Security and the Department of Veterans Affairs

11/25/2019

alengo

For all federal agencies, information security is a critical area of focus and concern. But cyber threats are rather unique for the Department of Veterans Affairs. When unaddressed, cybersecurity issues can prevent effective administration of veterans’ programs and services, and they can degrade the medical devices used by the Department of Veterans Affairs to deliver medical care. Today, thousands of the VA’s actively used devices have outdated operating systems – some are so old, the operating systems cannot be updated, leaving our nation’s veterans vulnerable. Recent cyberattacks at the VA have even involved medical equipment that possessed preloaded malware at the time they were acquired.

Ultimately, the vulnerabilities at the VA are the result of a supply chain problem. The VA currently does not have its own list of prohibited vendors and relies on a general list established outside the department. Additionally, the VA has struggled to articulate its own supply chain security policy. During hearings hosted by the House Committee on Veterans’ Affairs Subcommittee on Technology Modernization earlier this month, witnesses from the VA were asked by Ranking Member Jim Banks (R-IN) if the Department ever purchased products from Huawei, ZTE, Dahua, and other Chinese suppliers, to which they responded they would have to take those questions back for the record, as they did not have the answer on hand. The VA also did not have an immediate answer when asked how confident the Department was that devices it was currently using was free of malware.

Policymakers also expressed concern during the hearing about the VA’s definition of security ‘breach’. Presently, the VA considers an incident to be a breach if sensitive information left the hands of the VA and exited the building. This interpretation does not consider it to be a breach if a VA employee had access to unauthorized personal or sensitive information. For other federal agencies, this improper insider access to sensitive information would be considered a breach as it is a violation of a policy.

These inefficiencies and discrepancies are evident in a recent study provided by the Government Accountability Office (GAO). This study provides a breakdown of VA information security threats for Fiscal Year 2018. 41% of incidents were labelled as ‘Other’, meaning that they could not fall under a typical category (Improper Usage, Web, E-mail/Phishing, Attrition/Impersonation, Loss of Theft of Equipment, External/Removable Media) or were ‘unidentified’. This high percentage of incidents lacking significant qualifiable information is disconcerting and adds to other evidence that the VA needs to improve its overall cyber hygiene.

Department of Veterans Affairs Information Security Incidents by Threat Vector Category, Fiscal Year 2018

Since the GAO’s audit in 2016, the VA still has 42 recommended action items that have yet to be implemented as of last month. The VA did attempt to implement 39 of those recommendations, but after review, the GAO determined that the effectiveness of those implementations was not enough to clear the agency. In the Federal Information Security Management Act (FISMA) audit of Fiscal Year 2018, the VA received a ‘material weakness’ rating, the lowest rating that can be received, for information technology. The VA is 1 of 18 federal agencies to have received this rating, which may make it seem as though it is on par with its peers. But the fact that the VA has received this rating continuously for the last 17 years confirms the seriousness of its cybersecurity challenges raised during the recent subcommittee hearing. Although all federal agencies have a significant amount of work to do regarding information security, the VA may be lagging far behind its peers.

Topics: Cybersecurity, Health Affairs

Comments (0)

Name *

Email *

Comment *

Please enter the text displayed in the image.

Characters *

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

I have read the legal notice.