Veteran Affairs: We're more secure

The U.S. Department of Veterans Affairs (VA) is "pretty confident" the agency will not have another large data breach like the one in May that could have exposed the personal records of 26.5 million military veterans and family members, the agency's chief information officer said Monday.

The VA has taken several steps to improve its security since the breach, said Robert Howard, who was appointed the VA's assistant secretary for information and technology just days before a VA laptop and hard drive were stolen from an employee's home.

"There really is an increased awareness throughout the VA," Howard said. "We still have a lot of work to do in that area, but we've clearly improved the awareness of folks with respect to treating information the same way they'd want their information treated."

Howard, speaking before the American Council for Technology's Industry Advisory Council in Washington, D.C., also talked about the VA's IT reorganization, started in March, and accelerated by the data breach. The VA is moving to centralize its IT staff, instead of having divisions within the agency control their own IT functions, addressing a long-time criticism from the U.S. Congress and government auditors.

A major cybersecurity concern is employees "not thinking" about risks and the VA is working to educate workers, Howard said. "What leaps right out at you is employee carelessness," he said. "We've all been there."

Howard, a former major general in the U.S. Army and a former vice president with defense and transportation technology vendor Cubic Corp., called the changes happening in the VA IT organization "very dramatic." Along with the reorganization, Howard now has authority over the VA's entire IT organization, he said.

"No more excuses," he said. "We've got everything we need. We've got the organization, we've got the authority, we've got the money."

Among Howard's goals are standardization and interoperability of IT systems within the VA, as well as a strengthened focus on security, he said. The ultimate goal is to use IT to better serve VA customers, he added.

Part of the reorganization is focused on creating the "gold standard" for data security, Howard said. He was appointed to his position May 1 and the breach happened May 5. VA announced the breach May 22.

"I didn't find out about [the breach] until the 16th of May," he said. "That tells you something about our process."

Police recovered the laptop and hard drive in late June, and computer forensics experts determined the personal data had not been accessed. But the VA has made several changes, including encryption on laptops not directly used for medical procedures, Howard said. The breach "was a real eye-opener, for government and probably for industry as well," he said. "We're encrypting everything in sight."

Howard said he believes VA should improve the annual grade it receives in IT security given by the House of Representatives Government Reform Committee. The agency has received a failing grade in four of the past five years.

When a reporter noted the agency's score had not been very high in recent years, Howard responded, "It is now."

But Howard said he expected the agency's grade wouldn't be perfect either. "This stuff's not going to happen overnight," he said.