The Veterans Affairs Department will step up enforcement of its contractors to make certain that they meet information security requirements in protecting veterans' personal health data.
VA includes a clause in its contracts requiring information security safeguards, including encryption and policies limiting who can access personal data. But that is no guarantee that vendors follow through, said VA senior IT and procurement officials at a May 19 hearing of the House Veterans' Affairs Committee subcommittee on oversight and investigations.
The challenge lies in verifying that over 22,000 VA contractors with whom the department shares veteran information adhere to security requirements, said Roger Baker, VA's CIO. These vendors help VA provide healthcare and benefits.
"Our policy, which is stronger than any similarly sized private sector organization that I'm aware of, is that supply chain partners must follow VA's information protection policies, including encryption of mobile devices," he said.
The hearing occurred in the aftermath of the April 22 theft in Texas of a laptop with the personal information of 644 veterans from the vehicle of an employee of a health services contractor.
VA subsequently notified the affected veterans and is providing them with precautionary credit monitoring services. The contractor reported the incident immediately to law enforcement and to the agency and disabled the user account and server access from the stolen laptop, Baker said.
"The information was not encrypted despite contracts with the company that included the required security clause and the company had certified to the VA that they were in compliance," he said.
The incident compelled VA to start auditing its supply chain partners to ensure compliance with its policies.
"While it is impossible to audit all of our partners, these steps should provide us with substantially improved insight into the level of protection provided to veterans' information anywhere it exists in our extended enterprise," Baker said.
Among the steps, VA will verify that contracts where information is exchanged have the necessary information security clause, he said. Baker also expanded the authority of information security officers at VA facilities to review all contracts where information is exchanged. Previously their scope was limited to IT contracts.
VA will also randomly select a number of contracts at a facility for more in-depth audits of vendors' compliance with VA security policies.
To ensure that the contractor that reported the Texas data breach is beefing up security safeguards, VA said it will conduct an onsite assessment of the contractor's facility and its scope of compliance with all IT information and physical security and records management requirements.
VA is also examining security related to the vendor's 55 other contracts with the Veterans Health Administration and will ultimately work with the department's legal counsel to determine any consequences.
At the same time, Baker said VA has to encourage vendors and others to report breaches, "because we can't mitigate the issue unless we know about it."
VA has required the security clause in contracts after November 2008 and last year reviewed contracts to make sure they contained the clause. Out of more than 22,000 contracts reviewed, vendors in 578 contracts refused or did not believe that their services required adhering to the clause, said Frederick Downs Jr., chief procurement and clinical logistics officer in the Veterans Health Administration.
"The 578 contracts were critical to our medical centers' ability to provide patient care," he said. The contracts were for direct healthcare services for nursing homes, hospices and physicians or to support maintenance for MRIs and CT scans.
"We had to weigh that because the risk of not having the contracts was high," Downs said, adding that VA has since clarified guidance for when the information security clause applies to healthcare contracts.
Rep. Steve Buyer (R-Ind.) questioned Baker about what a VA medical center should do when a contractor who delivers a radiologic service refuses to sign the information security clause.
"That is the challenge writ large across the organization with this information," Baker said. "How do we do great medical care and protect the information at the same time?"
The primary purpose of sensitive health information is to provide specific care for veterans. "We have to protect that information from unwanted access at the same time that we provide it to anyone who needs to use it," he said.
Medical devices, which are certified by the Food and Drug Administration, add another layer of complexity to providing comprehensive information security. Some vendors who provide or support medical devices for VA cite FDA authority in refusing the VA security clause.
"We have to be careful from an IT perspective how we interact with the medical technology," Baker said. For example, VA can't apply patches to medical technology because it could have unknown effects on, say, an MRI machine.
It's an issue that "VA today is tackling in advance of the rest of the country," he said.