VA vulnerable to cyber attacks, GAO official says

Information security problems have left the U.S. Department of Veterans Affairs vulnerable to cyber attacks, according to testimony presented Tuesday by the Government Accountability Office before the House Committee on Veterans' Affairs' subcommittee on oversight and investigations.

The agency "continues to face long-standing challenges in ... implementing its information security program," according to Greg Wilshusen, director of information security issues at GAO. Since 2007, Wilshusen said, weaknesses in control areas including access control, configuration management, segregation of duties, contingency planning and security management have been "consistent." The subcommittee is considering draft legislation to improve the VA's information security.

"Emphasizing that specific security-related actions should be taken based on risk could help ensure that VA is better able to meet the objectives outlined in the draft bill," Wilshusen said in his report. "Doing this would allow for the natural evolution of security practices as circumstances warrant and may also prevent the department from focusing exclusively on performing the specified actions in the draft bill to the detriment of performing other essential security activities."

Among examples of incidents that have affected the VA's systems, Wilshusen talked about a software glitch on the agency's eBenefits system uncovered in January that exposed the personal information of veterans to anyone who could log on to the system. The system--which aims to enable quicker processing of disability compensation claims--was unveiled last summer as part of an effort to reduce the VA's backlog of claims.

Earlier in January, GAO published a report chastising the VA and seven other federal agencies for their inconsistency in responding to data breaches involving personally identifiable information. VA, according to the report, failed to document a single impacted individual in 60 incidents reviewed from November 2012 through November 2013. The agency also consistently failed to document lessons learned from such breaches, GAO found.

An investigative report published last fall found that the VA was overrun with privacy violations, with causes ranging from failure to encrypt and "shoddy" safeguards to a lack of accountability.

For more information:
- read the GAO testimony (.pdf)