Data security critical with VA's intro of iPhone
Once the Department of Veterans Affairs (VA) allows employees and clinicians in its hospitals to start using iPhones and iPads on the job on Oct. 1, its biggest issue will be information security.
Employees will be able to view sensitive data, but will be unable to download and store information on a mobile device unless it meets security requirements. The viewer tool is a capability that VA has utilized for other devices, such as employees’ home computers, said Roger Baker, VA CIO.
The two devices are the first of many, over the long term, that VA anticipates will be able to connect to its network and access veterans’ information. The government-acquired BlackBerry has been the sole smartphone or mobile device that VA has sanctioned on its network.
Baker announced in June that VA would begin in October to allow the most popular mobile devices, but did not name them.
The Apple devices will be used primarily for administrative-type information, encrypted e-mail and general access to the VA network and its electronic medical system.
Employees and medical staff who want to access VA’s network using an iPhone or iPad must first be authenticated at their facility as an official VA user. Before the Apple device can connect to the VA network, VA will apply mobile device management (MDM) software to assure a secure environment. MDM software, which is available from a variety of vendors, is used to secure, manage and monitor mobile devices across service providers and organizations.
“It’s not just about encryption but the device characteristics, its ability to keep various programs from interfering with one another and our ability to detect what’s occurring on the device so we are confident that the information is protected,” Baker said at a July 25 briefing with reporters.
VA is considering allowing applications to actually store information on the device – but must first verify that the encryption of the information and the security controls on the device are adequate.
The expectation, based on a pilot that is underway, is that the encryption being applied on the device will be adequate for the type of information that can be put on the device, even if it may not meet the federally required Federal Information Processing Standard (FIPS) 140-2 for encryption from the National Institute of Standards and Technology (NIST).
“I will accept the risk for the organization that that encryption is sufficiently strong, that it does not present an undue risk of information breach,” Baker said.