VA OIG: Palo Alto Healthcare System vendor partnership put patient data at risk

The Palo Alto VA Healthcare System put patient health information at risk during a pilot program with an outside vendor meant to improve its IT capabilities, according to a report from the Department of Veterans Affairs' Office of Inspector General.

The OIG was investigating a complaint alleging that the facility's chief of informatics formed an illegal agreement with the vendor, Kyron, and that sensitive patient information was transmitted outside of VA's firewall.

The agreement allowed the vendor, as part of a pilot program, to test its extraction software on a VA server to transform de-identified VA patient information into structured patient profiles, part of an effort to improve search and query of patient interventions and outcomes. This effort was meant to make data mining easier and more cost-effective.

While those allegations were not substantiated, the investigation uncovered that Kyron personnel were given access to VA patient information within VA's IT enterprise without appropriate background checks and without undergoing the VA's security and privacy awareness training.

In addition, the VA's information security officers (ISOs) did not complete system security documentation and system risk analysis before allowing the Kyron software to be placed on the VA server. In effect, the pilot program did not have formal approval, according to the OIG.

The report recommends that local and regional ISOs implement controls to ensure that unauthorized software is not installed on VA networks without a formal risk assessment and formal approval to operate. In addition, Kyron employees' access to the data was cut off until they completed the background checks and security and privacy training.

There's been no shortage of criticism recently for the VA's IT efforts. Though nearly $1 billion has been spent since 2009 on rolling out its electronic benefits management system, that project still suffers from defects and a lack of response-time goals, according to a Government Accountability Office report.

In addition, the OIG recently chastised the VA's use of the collaboration tool Yammer as an insecure time-waster.

Meanwhile, more than a year after the scandal involving veteran wait times, an independent report found problems within the department may only be getting worse.
