VA's use of Yammer made for PHI, data security risk

Identified "vulnerable security features" in the platform
By Erin McCann
11:05 AM

Turns out the Department of Veterans Affairs uses a Web-based communication platform that isn't exactly secure. In fact, a new report suggests VA practices in this case put protected health information at serious security risk.

The report, conducted by the VA Office of Inspector General, concluded that the agency has been improperly using the Yammer Web-based communication platform, an application not approved or monitored by the agency.

The office identified several "vulnerable security features, recurring website malfunctions" through the use of the Yammer platform.

Further, the report underscored that the Web application had no system or administrative person responsible for removing former VA employees or contractors.

"The relatively simple process to post to Yammer not only made VA vulnerable from user uploading, on purpose or accidentally, personally identifiable information, protected health information, or VA sensitive information, of which any current or former employee remaining active on the site would have access," wrote Quentin G. Aucoin, assistant inspector general for investigations, in the report.

Not only did VA employees using the Yammer platform put beneficiary PHI and PII at risk, they also significantly increased the agency's risk of malware and viruses by downloading and sharing files online.

Then there was the potential overload problem.

"The continuous data streams, instant messaging, video, audio, large file and attachments and other uploaded non-VA content to the site may cause congestion, delay or disruption of service and downgrade the performance of VA's network," Aucoin added. 

There were some 50,000 registered VA email addresses on the platform, with about 25,000 of those being active users.

In the report, the inspector general submitted several recommendations to address the improper use of the platform, including first having the application officially evaluated and ensuring that all employees are aware of which platforms are approved by the agency and which are not.