VA to tighten data security
Roger Baker, CIO of the Department of Veterans Affairs, believes he has the technical solution that will turn around many of the information security problems that have plagued VA for years and will help ensure the department does a better job of protecting its network and sensitive data.
The VA, whose sprawling, decentralized structure has made it difficult to effectively apply information security across the organization, will install a data scanning tool that will enable its network security center to monitor what's going on with all electronic devices connected to the department's network.
That includes the status of hardware and software security patches, level of security compliance and the identification of the administrative division that owns it. VA will also deploy forensic software to examine systems on the network, provide electronic evidence of intrusions, fix compromised systems and be able to search computers and devices for malware.
"VA will have visibility to every device on our network by Sept. 30 this year," Baker said at a May 19 hearing of the House Veterans Affairs Committee subcommittee on oversight and investigations. Baker is also VA's assistant secretary for information and technology.
The hearing was held in the aftermath of several high-profile data breaches at VA and other agencies, including the April 22 theft in Texas of a laptop containing personal information of 644 veterans from the vehicle of an employee of a health services contractor.
Detecting intrusion
The electronic visibility effort is designed to ensure that VA policies are being followed throughout the department and monitored, that unauthorized devices are not allowed to connect to the VA network and that medical devices are encrypted, Baker said.
It will also make sure that all VA systems have intrusion detection in operation and settings that do not allow unencrypted memory sticks or flash drives. And all devices will have the latest security patches.
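The visibility checks Baker describes (authorized device, encrypted medical devices, intrusion detection running, no unencrypted removable media, current patches) amount to a per-device policy evaluation over an asset inventory. The following is an added illustration of that evaluation, not code from the article or from VA's tooling; the inventory records are constructed sample data, and the field names, the 30-day patch threshold and the removable-media policy values are assumptions.

```python
"""Added example: evaluate an asset inventory against the device policies the
article lists. Field names and thresholds are assumptions; records are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

PATCH_MAX_AGE_DAYS = 30  # assumed threshold for "latest security patches"


@dataclass
class Device:
    hostname: str
    owner_division: str          # administrative division that owns the device
    authorized: bool             # present in the approved asset register
    medical: bool                # medical device subject to FDA change control
    disk_encrypted: bool
    ids_running: bool            # host intrusion detection active
    removable_media_policy: str  # "blocked", "encrypted_only" or "allowed"
    last_patch: date


def evaluate(dev: Device, today: date) -> list[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    findings = []
    if not dev.authorized:
        findings.append("unauthorized device on network")
    if dev.medical and not dev.disk_encrypted:
        findings.append("medical device not encrypted")
    if not dev.ids_running:
        findings.append("intrusion detection not running")
    if dev.removable_media_policy == "allowed":
        findings.append("unencrypted removable media permitted")
    if (today - dev.last_patch).days > PATCH_MAX_AGE_DAYS:
        findings.append(f"patches older than {PATCH_MAX_AGE_DAYS} days")
    return findings


def report(devices: list[Device], today: date) -> tuple[dict[str, list[str]], dict[str, int]]:
    """Map each hostname to its findings and count non-compliant devices per owning division."""
    by_host = {d.hostname: evaluate(d, today) for d in devices}
    by_division: dict[str, int] = {}
    for d in devices:
        if by_host[d.hostname]:
            by_division[d.owner_division] = by_division.get(d.owner_division, 0) + 1
    return by_host, by_division


# Constructed sample inventory (not real VA data).
TODAY = date(2010, 6, 1)
SAMPLE_INVENTORY = [
    Device("imaging-01", "radiology", True, True, False, True, "blocked", date(2010, 5, 22)),
    Device("ws-42", "benefits", True, False, True, True, "allowed", date(2010, 4, 17)),
    Device("rogue-7", "unknown", False, False, True, True, "blocked", date(2010, 5, 30)),
    Device("ws-43", "benefits", True, False, True, True, "encrypted_only", date(2010, 5, 28)),
]

if __name__ == "__main__":
    hosts, divisions = report(SAMPLE_INVENTORY, TODAY)
    for host, findings in hosts.items():
        print(host, "OK" if not findings else "; ".join(findings))
    print("non-compliant devices per division:", divisions)
```

Reporting findings against the owning division is what turns a scan into an accountability tool: the network security center can see not only which devices fail, but which part of the organization has to fix them.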
This effort will tackle many of the still-unfulfilled recommendations from security audits of VA by its inspector general and the Government Accountability Office (GAO), Baker said. Under the Federal Information Security Management Act, agencies and their inspectors general annually measure how well their systems meet federal security requirements.
Focus on medical devices
In another critical effort, VA plans to secure all of its 50,000 medical devices by the end of the year, Baker said. The challenge is that the Food and Drug Administration must certify medical devices, including any updates made to them, which means that pushing patches and malware protection updates down to the device itself is tightly restricted, Baker said.
"Over 122 medical devices have been compromised by malware over the last 14 months," he said.
To secure them, VA has established a virtual local area network for medical devices and set up a protection program, including assessments of the medical devices, scanning and separate patching.
Until it completes its plans, VA continues to have weaknesses in securing its information and systems, Greg Wilshusen, director of information security issues at GAO, said at the hearing. These are most evident in the areas of access control, secure computer configurations and contingency planning. For instance, VA has a long backlog of security weaknesses for which it has already scheduled fixes but has been unable to complete.
Until the department fully establishes a comprehensive information security program and fixes known security vulnerabilities, "its computer systems and sensitive information will remain exposed to an unnecessary and increased risk of unauthorized use, disclosure, tampering, theft and destruction," Wilshusen said at the hearing.
VA should also make sure that laptops require strong two-factor authentication to access the data, he said. With two-factor authentication, someone who steals a laptop would need not only to know a piece of information, like a password, but also to possess a token or some sort of biometric, like a card containing the user's information, which would allow only that user to authenticate to that system.
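To show how the two factors combine at login, here is an added example that is not from the article or from VA: it stores a salted password hash (something you know) and verifies a one-time code from a separate token (something you have) using the standard HOTP/TOTP construction of RFC 4226 and RFC 6238. A time-based token is a swapped-in choice for the possession factor, which the article describes only generically as a token or card; the user record layout, the 30-second step and the iteration count are assumptions, and the shared secret is the published RFC test key, not a real credential.

```python
"""Added example: two-factor verification (password hash + TOTP), written for this
page and using assumed record layout; the secret below is the RFC 4226/6238 test key."""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30   # assumed TOTP time step
DIGITS = 6
PBKDF2_ROUNDS = 100_000  # assumed work factor

# Published RFC 4226 / RFC 6238 test secret, used here only so results are checkable.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, timestamp: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(timestamp) // step)


def register(password: str, token_secret: bytes) -> dict:
    """Create a user record: salted password hash plus the token's shared secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "token_secret": token_secret}


def verify_login(record: dict, password: str, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept only when both factors check out; both are always evaluated so that a
    failure on one does not reveal, via timing, whether the other was correct."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, record["pw_hash"])
    # Allow one step of clock drift either side of the server's time.
    code_ok = False
    for k in range(-window, window + 1):
        expected = totp(record["token_secret"], timestamp + k * STEP_SECONDS)
        code_ok |= hmac.compare_digest(expected, code)
    return pw_ok and code_ok


if __name__ == "__main__":
    user = register("correct horse battery", RFC_SECRET)
    now = 59  # RFC 6238 test time; a real system would use int(time.time())
    print("token shows:", totp(RFC_SECRET, now))
    print("password + code:", verify_login(user, "correct horse battery", totp(RFC_SECRET, now), now))
    print("password alone:", verify_login(user, "correct horse battery", "000000", now))
```

The point for the stolen-laptop case is that the token secret lives on a separate device or card, so a thief who guesses or extracts the password from the laptop still cannot produce a valid code.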
Another method to protect information is encrypting data on the laptop. "That's essential, and VA has made progress in that on the agency's laptops," Wilshusen said.
In 2007, GAO tested 248 laptops at eight VA locations and found that 244 of them, about 98 percent, were encrypted. Where VA often has problems is with contractors that have not encrypted data on their laptops, he said.