Veterans Affairs Department employees continued to lose mobile devices in July, but the number of overall security breaches it experienced declined slightly from the previous month, according to VA chief information officer Roger Baker.
As the largest health care organization in the world, with thousands of contractors, VA experiences a variety of incidents each month. But with the exception of a few incidents every year, most of its security and data breaches are not significant, he during a press briefing this week.
VA must notify Congress monthly about both routine and major data breaches, a requirement imposed in the aftermath of several security break-downs during the past year. The public can now see those reports for itself, as the VA began on August. 11 to post them on the VA's Web site.
"We gain a lot with transparency," Baker said about making the report public. "When you see what normally happens and how they are handled, it lends a bit of confidence what we're going to do when more serious ones occur," he said.
For example, losing smart phones is a common security problem at VA, as it is elsewhere. In July, employees lost 13 Blackberry smartphones compared with 24 missing in June, he said.
However, it's difficult to impose consequences for the losses. There isn't a cost benefit to denying the issuance of another smart phone to physicians and other professionals who lose them because the devices are inexpensive relative to the productivity gains they provide, Baker said.
"I don't take losing a couple of hundred dollars of taxpayer money lightly," he said. "But compared with a doctor that we may be paying $300,000 a year, I don't want them spending time trying to figure how to get a new Blackberry. I want them to have a new Blackberry in their hands so they can be certain of providing patient services."
VA also has a policy of encrypting mobile devices to reduce the potential for the disclosure of personal information by making the device unusable when they are lost or stolen.
In addition to the lost Blackberries, VA also reported this month:
-- 66 internal unencrypted email incidents in July vs. 74 in June in which employees did not follow VA policy to encrypt emails that contained sensitive patient information;
-- 103 mis-mailing incidents in July vs. 119 in June, in which a veteran was sent the wrong information or was sent the information of other veterans;
-- 6 laptops missing or stolen in July vs. 16 in June. Of those in the July report, five were encrypted and one was used for reading bar codes for ensuring the correct administration of medications, so it did not contain sensitive health information. In June, 11 of the 16 missing laptops were encrypted;
--10 mis-mailed pharmacy incidents out of 5.6 million pharmacy packages mailed in July vs. 7 incidents in June.
