The Department of Veterans Affairs will step up enforcement of its contractors to ensure they meet information security requirements for protecting veterans' personal health data.
 
VA includes a clause in its contracts requiring information security safeguards, including encryption and policies limiting who can access personal data. But that is no guarantee that vendors follow through, said VA senior IT and procurement officials at a hearing May 19 of the House Veterans Affair Committee subcommittee on oversight and investigations.
 
The challenge lies in verifying that more than 22,000 VA contractors with whom the department shares veteran information adhere to security requirements, said Roger Baker, VA's CIO. These vendors help VA provide healthcare and benefits.
 
"Our policy, which is stronger than any similarly sized private sector organization that I'm aware of, is that supply chain partners must follow VA's information protection policies, including encryption of mobile devices," he said.

Hearing follows recent theft

The hearing occurred in the aftermath of the April 22 theft in Texas of a laptop with the personal information of 644 veterans from the vehicle of an employee of a health services contractor.

VA subsequently notified the affected veterans and is providing them with precautionary credit monitoring services. The contractor reported the incident immediately to law enforcement and to the agency and disabled the user account and server access from the stolen laptop, Baker said.

"The information was not encrypted despite contracts with the company that included the required security clause and the company had certified to the VA that they were in compliance," he said.

The incident compelled VA to start auditing its supply chain partners to ensure compliance with its policies.

"While it is impossible to audit all of our partners, these steps should provide us with substantially improved insight into the level of protection provided to veterans' information anywhere it exists in our extended enterprise," Baker said.

Tightened verification

Among the steps, VA will verify that contracts where information is exchanged have the necessary information security clause, he said. Baker also expanded the authority of information security officers at VA facilities to review all contracts where information is exchanged. Previously their scope was limited to IT contracts.

VA will also randomly select a number of contracts at a facility for more in-depth audits of vendors' compliance with VA security policies.

To ensure that the contractor that reported the Texas data breach is beefing up security safeguards, VA said it would conduct an onsite assessment of the contractor's facility and its scope of compliance with all IT information and physical security and records management requirements.

VA is also examining security related to the vendor's 55 other contracts with the Veterans Health Administration and will ultimately work with the department's legal counsel to determine any consequences.