The electronic data-exchange network between Department of Veterans Affairs medical centers and their research partners is ineffectively managed and leaves potentially sensitive data vulnerable to security breaches, the VA's Office of the Inspector General says.
In a report issued this week, the VA OIG says the medical centers "cannot readily account" for their numerous connections and data-sharing arrangements with universities and research organizations. They also could not adequately account for the research data exchanged, where the information was hosted, or how sensitive the information was. In several cases, OIG identified unsecured electronic and hard-copy data both at the VA facilities and in co-located research centers.
In addition, the VA and its research partners "have not consistently instituted formal agreements requiring that hosting facilities implement controls commensurate with VA standards for protecting the sensitive data," according to the report, leaving sensitive information vulnerable to breach.
The OIG recommended that the VA's assistant secretary in the Office of Information Technology (OITT) and its undersecretary for health develop and implement a centralized data governance model, and that research partners be required to implement controls meeting VA information security requirements.
VA officials agreed to make the changes.
The Department of Defense, for its part, is building out a Web-based application to track and manage government-funded studies involving humans. The Protections in Research, Oversight Management Information System (PROMIS) was developed by the Office of Naval Research. In July the Pentagon authorized the system as a central data repository for all military-funded human research projects.
To learn more:
- here's the OIG report