- According to a recent VA Office of Inspector General (OIG) report, the Veterans Benefits Administration neglected to implement appropriate audit logs that would identify information security violations in the Veterans Benefits Management System (VBMS).
Last month, OIG was notified by an anonymous source that the Veterans Benefits Administration had not integrated proper audit logs into the VBMS, its claims processing system.
Upon investigation, OIG found officials at the Veterans Benefits Administration failed to establish satisfactory system requirements in the VBMS that would ensure that accurate audit logs were created.
Without accurate audit logs, Information Security Officers could not effectively identify, report, and react to data security issues in the VBMS, OIG pointed out. The organization also could not detect if an employee improperly processed a claim.
OIG discovered that the VBMS was not compliant with audit log procedures and regulations after testing the functionality at two facilities in Texas and one in Washington. Seventeen VA Regional Office employees were tasked with inappropriately accessing same-station veteran employee compensation claims (claims filed by veterans who work at the same regional office as the employee) in VBMS, and Information Security Officers (ISOs) were then asked to review the audit logs to see whether they could spot the access.
“The audit logs available to ISOs after our testing did not show that the security violations occurred within VBMS,” explained OIG. “The audit logs identified security violations for 15 of the 17 employees who accessed same-station veteran employee claims through VBMS. However, the audit logs indicated that the violations occurred in Share or an unknown system.”
In addition, the audit logs did not track the actions of two out of the 17 employees.
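The test above is essentially three checks an ISO wants an audit log to support: flag any access to a same-station veteran employee claim, confirm the log attributes that access to the system the user was actually in (here VBMS, not Share or an unknown system), and confirm that every access that took place produced a log record at all. The following Python is an added example, not code from the OIG report or from VBMS; the record layout, user names, station codes, claim numbers and timestamps are all constructed for illustration, and the `system` field stands in for whatever source-system identifier a real audit record carries.

```python
"""Same-station access detection over constructed VBMS-style audit records (illustrative only)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Claim:
    claim_id: str
    veteran_id: str
    # Station where the veteran works if the veteran is also a VA employee, else None.
    # An access by a user at that same station is a "same-station veteran employee claim" access.
    veteran_employer_station: Optional[str]


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    user_id: str
    user_station: str
    claim_id: str
    action: str
    system: str  # system the log attributes the action to; the test expects "VBMS"


# Constructed sample data (assumed layout, not taken from any VA system)
CLAIMS = {
    "C-1001": Claim("C-1001", "V-501", "RO-Houston"),
    "C-1002": Claim("C-1002", "V-502", None),
    "C-1003": Claim("C-1003", "V-503", "RO-Seattle"),
}

EVENTS = [
    AuditEvent("2016-03-01T09:00:00Z", "u.alpha", "RO-Houston", "C-1001", "VIEW", "VBMS"),
    AuditEvent("2016-03-01T09:05:00Z", "u.bravo", "RO-Houston", "C-1002", "VIEW", "VBMS"),
    AuditEvent("2016-03-01T09:10:00Z", "u.charlie", "RO-Seattle", "C-1003", "VIEW", "Share"),
    AuditEvent("2016-03-01T09:15:00Z", "u.delta", "RO-Houston", "C-1001", "RATE", "UNKNOWN"),
]

# Accesses the testers actually performed, as (user, claim). u.echo's access produced
# no audit event at all, mirroring the employees whose actions the logs did not track.
TASKED_ACCESSES = [
    ("u.alpha", "C-1001"),
    ("u.charlie", "C-1003"),
    ("u.delta", "C-1001"),
    ("u.echo", "C-1003"),
]


def same_station_violations(events, claims):
    """Events where a user touched the claim of a veteran employed at the user's own station."""
    hits = []
    for ev in events:
        claim = claims.get(ev.claim_id)
        if claim is not None and claim.veteran_employer_station == ev.user_station:
            hits.append(ev)
    return hits


def attribution_gaps(violations, expected_system="VBMS"):
    """Violations the log attributes to some system other than the one the user was in."""
    return [ev for ev in violations if ev.system != expected_system]


def coverage_gaps(tasked, events):
    """(user, claim) pairs that were exercised but never appear in the log: invisible to an ISO."""
    logged = {(ev.user_id, ev.claim_id) for ev in events}
    return [pair for pair in tasked if pair not in logged]


def iso_report(events=EVENTS, claims=CLAIMS, tasked=TASKED_ACCESSES):
    """Run all three checks and return what an ISO would need to act on."""
    violations = same_station_violations(events, claims)
    return {
        "violations": [(ev.user_id, ev.claim_id, ev.system) for ev in violations],
        "misattributed": [(ev.user_id, ev.claim_id, ev.system) for ev in attribution_gaps(violations)],
        "unlogged": coverage_gaps(tasked, events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(iso_report(), indent=2))
```

Run against the constructed records, the report flags three same-station accesses, shows that two of them are attributed to Share or an unknown system rather than VBMS, and lists one exercised access that never reached the log. The last two findings are the ones the OIG test surfaced: a detection rule is only as good as the system attribution and completeness of the records it reads, so an ISO review should compare the log against a known list of test accesses, not just search the log for violations.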
To rectify the information security vulnerability, OIG recommended:
• The Acting Under Secretary for Benefits establish and provide the Office of Information and Technology with information system requirements for creating accurate audit logs. The logs must also include data security information needed for officers to detect a potential security incident.
• The Assistant Secretary for Information and Technology incorporate audit logs into the VBMS based on the system requirements from the Acting Under Secretary for Benefits.
• The Acting Under Secretary for Benefits test and evaluate the new audit logs for accuracy.
OIG disclosed that the security vulnerability occurred because the Office of Business Process Integration did not create system requirements for VBMS to ensure that audit logs could accurately pinpoint security violations. It assumed that audit log functionality was already built into the VBMS, as it had been for the legacy claims processing systems.
However, the Veterans Benefits Administration is required by several regulations to ensure audit logs are functional and accurate.
Under the applicable Federal Information Processing Standards (FIPS) publication, the Veterans Benefits Administration is required to create, protect, and retain audit records sufficient to monitor, analyze, investigate, and report inappropriate access to its information systems. The organization must also be able to trace the actions of individual users.
Additionally, the VA Handbook states that information systems are required to create detailed audit logs that can help recreate a data security incident.
The Veterans Benefits Administration agreed to OIG’s recommendations, although it stated that the report overemphasizes its security vulnerabilities.
The VA has already stated that it needs to improve its healthcare data security measures, so having accurate audit logs will likely only help further that goal.
Failing to have necessary audit logs could lead to data security issues for organizations, as other OIG reports have shown.
For example, a different inspector general's office (the Office of Personnel Management's OIG) released a similar report in 2014 that warned Premera Blue Cross it was susceptible to healthcare data breaches after finding that Premera's security measures were inadequate to protect the company from cyberattacks.
OIG suggested that the health insurance company improve its access controls, network security, and configuration management for its information systems.
A couple of months after the release of that report, Premera Blue Cross discovered a healthcare data breach that affected 11 million individuals. The security incident was caused by cyber attackers who had gained access to Premera's information systems.
As the OIG reports show, it is crucial that healthcare organizations and other HIPAA-covered entities perform audits of their healthcare data security procedures. It is also key that covered entities implement the recommendations from formal audits.
With the Phase 2 HIPAA audits around the corner, more healthcare organizations are reviewing their healthcare data security measures and HIPAA compliance procedures.
The audits are designed to identify weaknesses in a healthcare organization’s healthcare data security framework and help the organization develop corrective action plans.
As more healthcare providers incorporate mHealth technologies and connected devices into their care delivery models, it is important that they bring these devices within the scope of their security procedures.
The HIPAA audits, like the OIG reports, were developed to investigate potential healthcare data security vulnerabilities and help organizations fix security issues before a healthcare data breach occurs.