Department of Veterans Affairs Assistant Secretary for IT and CIO LaVerne Council told members of a House Oversight subcommittee Wednesday that the agency has blocked 160 million malware attacks over the past year, but confirmed that the department has “not moved fast enough” in some instances, a pattern that she called “not acceptable."
The VA has tried to improve its cybersecurity capabilities, but Brent Arronte, the department's deputy assistant inspector general, testified that it continuously struggles with “repeat information security deficiencies” and “inconsistent implementation” of security protocol. He cited a lengthy record of ongoing security issues that included VA sites that shared local networks with other medical centers, inconsistent password standards, and databases that were not patched or securely configured to protect against information security vulnerabilities, legacy technologies that slow vulnerability mitigation, and lack of protocol for segregating medical devices from networks.
“As a result, we are not satisfied with the inconsistent reporting of security incidents to the OIG,” Arronte said.
This week, the Office of the Inspector General (IG) released an audit that measured the agency's progress implementing 31 information security recommendations made by the IG last year, as well as, several from 2006. The report said the agency's information security remains a “material weakness.”
Arronte's testimony cited several other security failings, including VA employees accessed the agency's network from foreign nations (including India and China), employees used the unapproved web-based collaboration technology Yammer.com, and transmitted personally identifiable information and internal network routing information over unencrypted telecommunications.
Meanwhile, the agency's security budget increased to $370 million as the VA tries to implement an electronic health record system that protects against cyber threats and is interoperable with the Department of Defense and health care providers. The department will also spend more than $50 million to create a data-management program.
The security objectives, while ambitious, raised concerns from lawmakers that the VA has been slow to implement even basic security improvements, including password encryption and fixing unsecured wireless access at VA sites.
“Systems are unsecure, inefficient, and inoperable. Veterans are faced with lengthy wait times to schedule appointments and their medical records are vulnerable to data breaches,” said Rep. Will Hurd (R-TX), the House Oversight's IT Subcommittee chairman, during the hearing.
When Rep. Gerald Connolly (D-Va.) asked pointedly about the VA's progress on enhancing cybersecurity, Council noted the high number of malware attacks the agency blocked over the last year. And, she noted, the VA is “partnering with DHS in a number of key capabilities” and “will continue to be vigilant.”