WASHINGTON – Employees at the Department of <a href="/directory/veterans-affairs" target="_blank" class="directory-item-link">Veterans Affairs continued to lose mobile devices in July, but the number of overall security breaches the department experienced declined slightly from the previous month, according to VA Chief Information Officer Roger Baker.
As the largest healthcare organization in the world and with thousands of contractors, VA experiences a variety of incidents each month. But with the exception of a few incidents every year, most of its security and data breaches are not significant, Baker said during a press briefing this week.
VA must notify Congress monthly about both routine and major data breaches, a requirement imposed in the aftermath of several security breakdowns during the past year.
The public can now see those reports for itself, as the VA began to post them on the VA's Web site on Aug. 11.
"We gain a lot with transparency," Baker said. "When you see what normally happens and how they are handled, it lends a bit of confidence to what we're going to do when more serious ones occur," he said.
For example, losing smart phones is a common security problem at VA, as it is elsewhere. In July, employees lost 13 Blackberry phones compared with 24 missing in June, he said.
However, it's difficult to impose consequences for the losses. There isn't a cost benefit to denying the issuance of another smart phone to physicians and other professionals who lose them because the devices are inexpensive relative to the productivity gains they provide, Baker said.
"I don't take losing a couple of hundred dollars of taxpayer money lightly," he said. "But compared with a doctor that we may be paying $300,000 a year, I don't want them spending time trying to figure how to get a new Blackberry. I want them to have a new Blackberry in their hands so they can be certain of providing patient services."
VA also has a policy of encrypting mobile devices to reduce the potential for the disclosure of personal information by making the device unusable when they are lost or stolen.
In addition to the lost Blackberries, VA also reported this month:
- 66 internal unencrypted email incidents in July versus 74 in June in which employees did not follow VA policy to encrypt emails that contained sensitive patient information;
- 103 mis-mailing incidents in July versus 119 in June, in which a veteran was sent the wrong information or was sent the information of other veterans;
- Six laptops missing or stolen in July vs. 16 in June. Of those in the July report, five were encrypted and one was used for reading bar codes for ensuring the correct administration of medications, so it did not contain sensitive health information. In June, 11 of the 16 missing laptops were encrypted;
- 10 mis-mailed pharmacy incidents out of 5.6 million pharmacy packages mailed in July versus seven incidents in June.
