The Veterans Health Administration, the largest integrated health care system in the U.S., has reportedly been hacked numerous times by foreign countries such as China and Russia since 2010. The House Veterans Affairs Oversight and Investigations Subcommittee held a hearing yesterday that allowed different representatives and chairmen to debate the extent to which veterans’ health data was compromised.
Details regarding exactly what information has been compromised are sparse, but attendees asserted that the data was unencrypted and included veterans’ names, dates of birth and Social Security numbers, which could be used to commit credit and identity fraud. A total of eight countries were hacking into the VA’s system, but only China and Russia were named.
Former VA Chief Information Security Officer Jerry Davis said the main culprit was a lack of strong VA network and database security controls. “These groups of attackers were taking advantage of weak technical controls within the VA network,” Davis, now CIO of NASA Ames Research Center in Moffett Field, Calif., said, according to healthcareinfosecurity.com. “Lack of controls such as encryption on VA databases holding millions of sensitive records, web applications containing common exploitable vulnerabilities and weak authentication to sensitive systems contributed to the successful unchallenged and unfettered access and exploitation of VA systems and information by this specific group of attackers.”
The Huffington Post reports that Linda Halliday, an assistant inspector general, told lawmakers that 4,000 weaknesses and vulnerabilities caused by weak passwords and user accounts in the VA’s system have not been addressed. The foreign hackers apparently were able to make their way into the VA network domain controller (DC). Michael Bowman, director of information technology and security audit for the VA inspector general, argued with VA CIO Stephen Warren about the seriousness of this type of access.
Later there was a strong exchange of words between Warren and Rep. Michael Coffman, the Republican chairman of the subcommittee. They disagreed about whether veterans should have been informed sooner that their data had been breached and whether Warren was truly concerned about the foreign hacking incidents.