While cybersecurity issues are not uncommon for government agencies, VA’s problems are particularly pervasive, noted Greg Wilshusen, director of information technology and cybersecurity for the Government Accountability Office. Wilshusen testified that VA was one of 18 agencies where agencywide information security was not implemented properly during fiscal year 2018.
“However, FY2018 was the 17th year in a row that VA had reported a material weakness in its information security,” he added. “Few agencies, I believe, meet that longevity of that particular weakness.”
One of the reasons that cybersecurity has remained a critical issue at VA is a failure to create plans of action that are proven to work, Wilshusen and Dahl agreed.
“VA has developed numerous plans of action and milestones to address system security risks, but we continue to identify plans for which there is inadequate evidence of effective action to justify the closure of such plans,” Dahl said.
“VA often doesn’t seem to be validating the effectiveness of its corrective actions,” Wilshusen added.
Of the 70 recommendations made by GAO in a 2016 report for how VA could improve its cybersecurity, 42 remain open. “VA said that it’s addressed 39 of those 42 open recommendations,” Wilshusen explained. “But when we went in and looked at the evidence provided, it wasn’t sufficient for us to close that recommendation.”
Although he has been on the job for less than a year, VA’s chief information security officer, Paul Cunningham, assured the legislators that he was aware of the long-standing cybersecurity challenges VA faces and that he can already see positive changes happening. “I did notice some siloing—or the remains of silos from the past—but I’ve also noticed that, in working with VA operations, there’s an open door,” Cunningham said. “There are still some legacy issues, especially around the FISMA reports in FY2018, but there’s also some really clever ideas being put in place.”
Those ideas include the development of an Office of Quality Process and Risk and the establishment of a risk officer who would report on cybersecurity issues to the chief information officer and other VA leadership.
“That’s an incredible feat, because a lot of organizations have difficulty getting the office set up and staffed,” he noted.
The same day as the hearing, VA’s inspector general released a report on the department’s latest information security failure—one that put the personally identifiable information (PII) of millions of veterans, physicians and others at risk. Under the Privacy Act of 1974, veterans can request access to the claims they file with VBA, with requests managed by VBA’s Records Management Center in St. Louis. But following a change to VBA’s Privacy Act release policy in May 2016, the agency stopped redacting the personal information of third-party individuals who appear in a veteran’s medical record, such as spouses, other veterans or even physicians. Military service records may contain the PII of multiple individuals, including the names and Social Security numbers of doctors who treated a veteran.
Reviewing a random sample of 30 Privacy Act responses drawn from the more than 65,000 requests processed from April 1, 2018, through Sept. 30, 2018, OIG investigators found that 18 included third-party PII. Within those 18 Privacy Act responses, they found 1,027 third-party names and Social Security numbers.
“The review team determined disclosures under the May 2016 release policy raised legal concerns, and more importantly, put millions of people at risk of identity theft,” the report states. “The team also found that the [policy] did not require staff to inform third parties that their information was released.”
The reviewers also found that VBA officials failed to encrypt or password-protect the discs mailed to Privacy Act requesters. This means the information was accessible to anyone who might have intercepted the package.
Prior to the May 2016 policy change, VBA officials had redacted third-party PII from records released in response to requests. According to the IG report, VBA changed its Privacy Act release policy in 2016 to “improve veterans’ access to their records.” At the time, VBA had a significant backlog of Privacy Act requests, and the time required to go through and redact information was cited as a major contributing factor to that backlog. VA’s Office of General Counsel determined that the Privacy Act did not specifically address third-party information and that there was case law that could support no longer redacting it.
While then-VA Deputy Under Secretary Sloan Gibson approved the policy, VA officials with roles more closely related to privacy expressed concern at the time.
“VBA officials agreed that the policy could increase the risk for identity theft,” the report states. “The former director of VA’s Office of Privacy and Records Management provided the review team with a document that identified privacy and business-related concerns with the release of third-party information before the May 2016 Privacy Act release policy was issued. He stated he was totally against the policy change and thought it would come back to ‘bite’ VBA.”