Information Security and the Department of Veterans Affairs
For all federal agencies, information security is a critical area of focus and concern, but cyber threats pose distinct challenges for the Department of Veterans Affairs. When unaddressed, cybersecurity issues can prevent effective administration of veterans’ programs and services, and they can degrade the medical devices the Department of Veterans Affairs uses to deliver medical care. Today, thousands of the VA’s actively used devices run outdated operating systems – some so old that the operating systems cannot be updated, leaving our nation’s veterans vulnerable. Recent cyberattacks at the VA have even involved medical equipment that carried preloaded malware at the time it was acquired.
Ultimately, the vulnerabilities at the VA are the result of a supply chain problem. The VA currently does not maintain its own list of prohibited vendors and relies on a general list established outside the department. Additionally, the VA has struggled to articulate its own supply chain security policy. During hearings hosted by the House Committee on Veterans’ Affairs Subcommittee on Technology Modernization earlier this month, Ranking Member Jim Banks (R-IN) asked witnesses from the VA whether the Department had ever purchased products from Huawei, ZTE, Dahua, and other Chinese suppliers; they responded that they would have to take those questions back for the record, as they did not have the answer on hand. The VA also had no immediate answer when asked how confident the Department was that the devices it was currently using were free of malware.
Policymakers also expressed concern during the hearing about the VA’s definition of a security ‘breach’. Presently, the VA considers an incident to be a breach only if sensitive information left the hands of the VA and exited the building. Under this interpretation, a VA employee gaining unauthorized access to personal or sensitive information is not a breach. At other federal agencies, such improper insider access to sensitive information would be considered a breach because it violates policy.
These inefficiencies and discrepancies are evident in a recent study provided by the Government Accountability Office (GAO). The study breaks down VA information security incidents for Fiscal Year 2018. 41% of incidents were labelled ‘Other’, meaning they did not fit a typical category (Improper Usage, Web, E-mail/Phishing, Attrition/Impersonation, Loss or Theft of Equipment, External/Removable Media) or were ‘unidentified’. This high percentage of incidents lacking meaningful classifying information is disconcerting and adds to other evidence that the VA needs to improve its overall cyber hygiene.
Figure: Department of Veterans Affairs Information Security Incidents by Threat Vector Category, Fiscal Year 2018
Since the GAO’s audit in 2016, the VA still has 42 recommended action items that, as of last month, have yet to be implemented. The VA did attempt to implement 39 of those recommendations, but after review, the GAO determined that those implementations were not effective enough to close the recommendations. In the Federal Information Security Management Act (FISMA) audit of Fiscal Year 2018, the VA received a ‘material weakness’ rating for information technology, the lowest rating that can be received. The VA is one of 18 federal agencies to have received this rating, which may make it seem on par with its peers. But the fact that the VA has received this rating continuously for the last 17 years confirms the seriousness of the cybersecurity challenges raised during the recent subcommittee hearing. Although all federal agencies have a significant amount of work to do on information security, the VA may be lagging far behind its peers.