In spite of a dubious recent string of technical data breaches and government reports that its EHR system is filled with significant security gaps, the VA reported on Thursday that paper-based records are at the heart of its patient data protection problems.
VA Acting Assistant Secretary for Information and Technology Stephen Warren stated that, according to data breach reports his agency submitted to Congress for April, May and June, 98 percent of data breaches continue to involve “physical paper”.
The VA argues that human error, in the form of paper records misplaced, mishandled or improperly mailed by agency employees, is the root of its data breach problems. Warren, for example, said that in paper breaches a veteran’s claim containing Social Security numbers, addresses, and compensation and pension claim ratings would be exposed publicly or sent to the wrong veteran. Warren went on to say that the theft of electronic devices containing patient information is rare and holding steady. “People like laptops because you can sell them easily; folks are taking them for commodity of the things,” Warren said. When it comes to electronic data breaches, he said, “we haven’t really seen new trends.”
Warren didn’t mention that breaches differ in scale: there may be more paper-related breaches, but those in which a laptop was stolen may be much more damaging. More importantly, he failed to provide ways in which the VA will improve employee training or fix those human errors.
The VA’s argument that it’s actually doing well in securing patient data, given its volume of veteran data in comparison to the actual number of breaches, seems questionable when recent history is taken into account. Though a VA hospital in Fayetteville, N.C. was found to have exposed 1,100 patient paper records after they were found in a consulting optical shop’s recycle bin, the bulk of the reported security flaws have been technical, not related to human error.
VA technical breach realities
Those following the VA’s patient data protection issues over the past year or so know that they extend beyond just paper records:
Office of the Inspector General (OIG) reveals VA technical security issues – A March report by the OIG uncovered a troubling secret at several Veterans Affairs Medical Centers in Nebraska and South Dakota. The OIG found that the facilities have been sending unencrypted personally identifiable information (PII) to internal VA locations and external clinics over an unsecured telecommunications carrier that also services private internet customers.
The William Jennings Bryan Dorn VA medical center breach – The VA alerted 7405 veteran patients of a breach back in April involving an unprotected laptop with PHI that may have included patient names, birth dates, weight, race, respiratory test results and partial Social Security numbers. The veterans involved later sued the VA for its failure to protect their data and the VA attempted to dismiss the case on June 16 because they didn’t believe harm had been done as a result of the breach.
Foreign countries hack VA system and expose vulnerabilities – The House Veterans Affairs Oversight and Investigations Subcommittee held a hearing in June in which chair members opined that the VA network and database lacked proper security controls. During those hearings, Linda Halliday, VA assistant inspector general for audits and evaluations, pointed out four specific VA technical security flaws: access controls, security management, contingency planning controls and configuration management controls.
Furthermore, FCW.com reminded readers that between April and June, the VA reported six missing personal computers, 68 missing Blackberries and 27 missing laptops, three of which were unencrypted. Although it doesn’t look like private information, with the potential exception of the names of some veterans, was compromised, and the stolen or misplaced electronic devices did not have access to the VA’s network, this should still be a concern for the VA.
From an outsider’s perspective, the VA should be looking at all areas of patient data security, not just those involving paper records. Warren mentioned that the VA’s Data Breach Core Team was created in 2008. Perhaps it’s time to bring in outside sources to review VA patient data security controls.