CEO Artemis Solutions Group
Intelligent Biometric Solutions, iQBio
February 3rd, 2006
Once again the pervasive culture of hubris, arrogance, recklessness and self-serving glad-handing at the United States Veterans Affairs Office has exposed the personal data of our fighting men and women through yet another act of stupidity regarding the protection of personal identifiable data to which they have been entrusted.
Twice within one week, the VA announced two separate breaches. One in Bremerton, WA involving raw files that were left in an employees car and one in Birmingham, AL involving yet another un-encrypted portable hard drive with personally identifiable data. What DATA? Who Authorized the transfer of this data to an un-encrypted insecure drive AGAIN? How much data is on the drive?
To be perfectly clear this is at least the FIFTH BREACH of portable data that has actually come to light from the VA in the last year.
The culture of carelessness with sensitive data appears to be alive and well at the VA. Again!
Let's take a quick look back at the controversy that erupted last year in May when ANOTHER un-encrypted portable hard drive was "lost" by an unnamed VA employee. Here are the particulars and the remarkable similarities to this current breach:
Like the breach last year, this data breach was not exposed for two weeks after it was known by the VA. The culture of denial and cover-up is alive and well at the VA.
- “I will not tolerate inaction and poor judgment when it comes to protecting our veterans,” said Nicholson, declaring that he initially left it to VA investigators rather than calling the FBI.
“I am outraged at the loss of this veterans’ data and the fact an employee would put it at risk by taking it home in violation of our policies,” he said in a statement to The Associated Press. “Upon notification, my first priority was to take all actions necessary to protect veterans from harm.” Actually... what he meant to say was upon notification his first priority was to try to mitigate the damage, minimize the impact and save his career. Everything else is window dressing.
This latest breach was reported to the department on January 23rd, and as you can guess, was not reported to the public until February 2nd, after 5:00PM on a Friday nearly two weeks later. News stories leaked on a Friday traditionally have much less impact than those reported during the week when the standard news outlets would normally devote much greater coverage to the reporting. This is especially true when the news is announced "after hours". The kicker in this report is that they announced it on Super Bowl Weekend, thus hoping to mitigate the effects even further while the countries attention is focused elsewhere. Distract, Evade and Mitigate Damage.
In his statements before Congress, the Secretary of Veterans Affairs, Jim Nicholson was severely rebuked for not turning this information over to the FBI immediately.
- "Sen. Patrick Leahy said President Bush should call Nicholson “into the woodshed” because of the data theft. Citing past budget problems at the VA, Leahy said Nicholson should consider resigning."
- On January 23, VA's IG was notified the external hard drive was missing. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA's Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.
In his statement last year:
- "VA is revising its regulations, policies, guidelines and directives in the entire area of information technology and information security. This has been a wake up call to us, and we are working to assure that we have clear guidance for all VA employees in place, and that they are aware of what is required of them - and of the consequences, should they fail to adhere to that guidance. We are revising VA Directive 6500 which sets forth the guidelines for information security and the enforcement mechanisms pertaining to that. This is a fast track initiative, and I anticipate issuing the revised directive shortly.
But I am convinced that, coming out of a very bad situation, we can make the VA a model for data security. I believe we can craft a structure that will be the Gold Standard for the government, much as the VA's vaunted electronic medical records and health care system are being held up as a standard to be emulated."
- "VA is unwavering in our resolve to be the leader in protecting personal information, and training and educating our employees in best practices in cyber and information security," said Nicholson. "We have made considerable progress, but establishing a culture that always puts the safekeeping of veterans' personal information first is no easy task. I have committed VA to achieving such reform ? and we will. This unfortunate incident will not deter our efforts, but it underscores the complexity of the task we have undertaken."
The VA's own website states the following while they were trying to mitigate the public relations damage over the last breach:
Since the incident, all VA employees have received training in the proper handling of sensitive information and laptop computers throughout the department have had reliable data encryption programs installed.
This prose to please the proletariat is expected, but where is the BEEF? If this statement were true, and all relevant department policies were followed, why did we have the loss of the un-encrypted hard drive in Birmingham and the theft of RAW FILES in Bremerton, WA last week? You can encrypt the laptops, but if the data itself is not encrypted - what good does it do? There are some serious questions to answer at the leadership level in the VA.
Here are some relevant issues that were uncovered as a result of the the last data breach and the resulting cover-up:
James Nicholson's testimony before Congress in June 2006:
- "As I stated in my testimony before both the House and Senate Committees on Veterans' Affairs last month, I am outraged at the theft of this data and the fact an employee would put it at risk by taking it home in violation of VA policies. I am also gravely concerned about the timing of the Department's response once the burglary became known." This time they again waited almost two weeks to inform the public. Evidently he wasn't outraged enough.
- "I have initiated several actions to determine how to best strengthen our privacy and data security programs. On May 24, 2006, we launched the Data Security-Assessment and Strengthening of Controls program, a high priority, focused plan to strengthen our data privacy and security procedures. This program will minimize the risk of a re-occurrence of incidents similar to this recent breach, and seeks to remedy material weakness that could place sensitive information at risk.
One existing Security Guideline, Security Guideline for Single-User Remote Access, describes appropriate security measures for mobile or fixed computers used to process, store, or transmit information or connect to VA IT systems when such computers are housed in an alternate work location. It identifies and recommends the minimally acceptable security controls when VA personnel use anything other than a direct connected, VA-controlled local area network (LAN) connection to perform VA information processing. Examples include people that are on travel, telecommuting or working from alternate work locations. This document requires that any data not stored on our systems be encrypted and password protected. If this is true and the policy was circumvented, these employees should be fired along with Mr. Nicholson.
Point TWO: BOTH Employees that recklessly handled this data in violation of the above mentioned policies should be fired.
Point THREE: STRICT POLICIES of limiting access to ONLY individuals that have a need to use this information for the service of the VA Clients need to be implemented and enforced.
Point FOUR: ANYONE having access to individually identifiable data must undergo on-going security clearances. The data analyst in last years breach did not have the required on-going security clearance reviews. None. Ever.
Point FIVE: Encrypt and secure access to the data with reporting and tracking capability.
The VA has been lax in its stewardship, warehousing and use of the data with which they are entrusted. This unauthorized release of this data is a threat to both personal liberty and national security. Look at our previous blog on this last year for clarification of this issue and the evasion, deception and progressive clarifications by the VA.
The VA implemented Directive 6500 on August 4th, 2006 which requires Department-wide compliance with the Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541-3549. This directive specifically requires the implementation of best practices with regard to data integrity and transparency when data is breached. Have we seen the last of the "updates" from the VA? We'll be watching and waiting for the other shoe to drop. How about a different message - SECURE THE DATA ALREADY?