Six years after the Veterans Affairs Department was vilified for disregarding its own gap-filled information security and privacy policies, the VA now stands as a model for how to effectively integrate tough safeguards into its daily operations.
In May 2006, a laptop containing the personal information of millions of veterans was stolen from the home of a VA employee, who planned to work on it afterhours. The laptop was later recovered, and forensics determined that thieves had not accessed veterans’ files. Still, VA provided credit monitoring for all those affected.
[See also: DHS lists top 5 mobile medical device security risks.]
But the breach and its embarrassing aftermath produced a sea change at VA to protect veterans’ information through policies and procedures that are now communicated clearly as a top priority from the secretary on down through the sprawling agency. VA relies on automated technologies, continuous monitoring and reporting, and periodic employee training and re-training for adherence.
“Nobody wants to have that same birthmark that we had relative to that laptop,” said Roger Baker, VA CIO, in a May 23 briefing with reporters. “I can tell you for certain that it has had a huge and lasting impact on the VA,” he added.
In addition to stronger information security requirements across the government, Congress continues to require VA to report monthly on data breach incidents. Over time, incidents fall primarily into handling paper records, such as mis-mailing incidents on individual veterans, he said.
Among the best practices that Baker said that VA has established to shore up its information security protections are:
- VA has an independent privacy breach analysis team made up of legal, technology, business and privacy officers who examine each incident that is reported to Congress, how it was handled and what else can be done to prevent it in the future;
- VA encourages reporting of near-misses, a technique learned from NASA, without repercussions unless it was egregious or violated laws in order to fix problems before they become bigger;
- Transparency on data breaches helps to drive employee training because they have read about it in the press, and they don’t do it anymore;
- All VA laptops are encrypted;
- Personal data does not flow outside the VA unless it’s encrypted according to the latest federal information processing standard from the National Institute of Standards and Technology (NIST);
- VA CIO reports daily to the VA secretary about any information protection incidents.