September 19, 2007

Report: VA's IT security still needs work

Since the May 2006 data breach, the Department of Veterans Affairs has failed to complete 20 out of 22 security recommendations

The U.S. Department of Veterans Affairs has made some progress since a May 2006 data breach, but it has not completed 20 of 22 recommendations from an internal auditor, according to a report released Wednesday.

As of May, the VA had not yet addressed several "critical success factors" for transforming its IT management, the U.S. Government Accountability Office said in its report. The VA had only completed two of 22 recommendations from its inspector general following the breach, in which a laptop and hard drive containing personal records of 26.5 million veterans and family members were stolen from a VA employee's home.

The VA also needs to improve its IT asset control, the GAO said, referencing a July report showing about 2,400 missing IT devices at four VA locations in 2005 and 2006. While the VA has "many significant initiatives under way," problems persist even in the programs meant to fix past problems, the GAO report said.

"We continue to see management weaknesses in these programs and initiatives, which are the very weaknesses that VA aims to alleviate," the GAO report said.

The VA has not completed a comprehensive security management program recommended by the GAO, and it has not strengthened its critical infrastructure planning process, which was recommended by its inspector general, the GAO said.

In addition, the VA has worked with the U.S. Department of Defense for 10 years to share electronic medical records, but the two agencies are "far" from completing that work, the GAO said.

Robert Howard, the VA's assistant secretary for information and technology since last September, largely agreed with the GAO report while testifying before the U.S. Senate Veterans Affairs Committee Wednesday.

"Since the May 2006 data breach, the VA staff is now more aware of the importance of protecting our veterans' and employees' information and identities," Howard said. "While we do have a way to go here, I have definitely seen improvement."

The VA has encrypted more than 18,000 laptops since the breach, and it is rolling out software that blocks unauthorized data storage devices, such as thumb drives, from connecting to the VA's network, he said. The agency has also installed software that blocks VA employees from sending e-mail containing Social Security numbers, he said.

As the VA was rolling out the e-mail filtering software, the software caught about 7,000 e-mails containing Social Security numbers in just one month, Howard said.

The VA is also in the process of centralizing its long-criticized location-based IT structure, and the agency's goal is to complete the realignment by July, Howard said.

Senator Daniel Akaka, a Hawaii Democrat and committee chairman, noted that Secretary of Veterans Affairs Jim Nicholson had promised the agency would become a "gold standard" for cybersecurity following the 2006 breach. "How close is VA to becoming the government leader in information security?" Akaka asked.

Howard recounted some of the agency's progress, but said there's still work to do.

"I don't know, to be honest with you," he said. "We hope to be very close by the end of this fiscal year."

Howard also talked about seven major priorities, including a "well-led, high-performing IT organization." Senator Richard Burr, a North Carolina Republican, asked Howard to rate each priority on a scale from one to 10, with 10 meaning fully completed.

Howard's progress ratings on some of the priorities:

* Standardizing its IT infrastructure and business processes: 3

* Establishing programs to make the agency's IT system more : 2 or 3

* Remedying the agency's "long-standing IT material weaknesses" relating to a lack of security controls: 5

"All this will take some time to put in place," he said.

©1994-2009 Infoworld, Inc.