- A new report by the Office of the Inspector General (OIG) has uncovered a troubling secret at several Veterans Affairs Medical Centers in Nebraska and South Dakota. The OIG found that the facilities have been sending unencrypted personally identifiable information (PII) to internal VA locations and external clinics over an unsecured telecommunications carrier that also services private internet customers.
“VA has not implemented technical configuration controls to ensure encryption of sensitive data despite VA and Federal information security requirements,” the OIG report states. “IT personnel stated that sending unencrypted sensitive data to outpatient clinics and external business partners was a common practice at facilities across VA.” While no data breaches actually occurred, the potential for fraud if an unauthorized party got hold of the social security numbers, benefits information, and EHR data was huge. Not only does the practice violate basic HIPAA and HITECH Act rules, VA’s own security handbook requires that the electronic transmission of VA sensitive information must be encrypted in accordance with Federal Information Processing Standards (FIPS) 140-2.
The VA’s Assistant Secretary for Information and Technology asserted that PII and internal network routing information was not transmitted over unsecured internet connections, but admitted that the VA’s segmented Multiprotocol Label Switching (MPLS) network was not currently encrypted. “We recognize that using MPLS networks can segment data traffic from unsecured Web connections,” the report responded. “But a MPLS network alone does not provide encryption, integrity, or authentication protections for the transmission of sensitive data and such services may be vulnerable to denial of service or sniffing attacks by malicious users.”
The revelation follows on the heels of several other major VA missteps, including being called to a stern Congressional hearing after failing to deliver on its promise of a joint EHR with the Department of Defense, an unfavorable report from the Government Accountability Office about the VA’s poor project planning, and significant budget cuts from sequestration, which began on March 1. The massive healthcare system is also facing a shakeup after three of its top information technology executives resigned one after the other.
The 40,000 patients whose data was at risk may not be pleased with this information, assuming they’re notified of the vulnerability. But the VA is planning to take steps to fix its mistakes. “The VA’s Office of Information Technology plans to implement a VA-wide encryption solution to protect sensitive data transmitted across telecommunications carrier networks,” the report acknowledges. “This solution will use Advanced Encryption Standard cryptography so VA can employ network security controls while utilizing existing MPLS carrier networks.”