Though the Department of Veterans Affairs has taken action to address previously identified IT vulnerabilities, it has not done enough to prevent future problems, according to a new report from the Government Accountability Office (GAO).
Among the issues the GAO found:
- While the VA took actions to contain and mitigate effects of a 2012 incident involving an attack by malicious outsiders, it could not document that the actions taken were effective. Its Network and Security Operations Center analyzed the incident and documented actions taken in response, but it still has a policy of purging digital evidence one month after a forensic analysis report is complete. Federal guidance recommends data be kept for three years.
- As GAO reported in April, VA's incident-response policies defined roles and responsibilities, but did not include authorities for the incident response team. That meant it couldn't verify that its networks were free from the intrusion.
- VA took insufficient actions to address vulnerabilities in two key Web applications--one problem had been outstanding for more than a year.
- Weaknesses identified on laptops had not been corrected in a timely manner.
"Collectively, these weaknesses increase the risk that sensitive data--including veterans' personal information--could be compromised," the report states.
The VA "continues to face long-standing challenges in ... implementing its information security program," Greg Wilshusen, director of information security issues at GAO, told the House Committee on Veterans' Affairs' subcommittee on oversight and investigations in March.
He spoke of "consistent" problems with control areas including access control, configuration management, segregation of duties, contingency planning and security management.
Similar GAO reports from April and June called for better breach response and cybersecurity training.
Meanwhile, Stephen Warren, the VA's chief information officer, told HealthcareInfoSecurity.com that he worries the public will lose faith in online security.
"If people stop going to the Internet because they don't think it's safe, all the things we're trying to do to enable delivery of service benefits are going to be impacted," Warren said.
To learn more:
- read the report (.pdf)