VA Addresses Thumb Drive Risk
Taking Steps to Prevent Use of Devices Lacking Encryption
A guard at a regional VA office in Nashville recently discovered the thumb drive and took it home, where his wife, who has security clearance from two government agencies, checked it, says Roger Baker, VA assistant secretary for information and technology. She determined the drive contained sensitive information, and the guard returned it the next day.
A VA employee had been using the personal thumb drive to store information on 240 veterans and beneficiaries in violation of VA policy, Baker says. The information included names, Social Security numbers, addresses and health data. Affected veterans are being offered free credit protection because the drive was inappropriately removed from the VA facility, Baker explains.
Breach Prevention Efforts
The VA recently spent $50 million on technology that enables it to identify all computers and other devices linked to its network and determine if they have encryption and other security provisions in place. After this incident, Baker says, the new technology was used "to look for other areas where software that keeps people from plugging unencrypted thumb drives into computers had not yet been turned on." VA officials then made sure the software was properly activated on all devices.
The VA also is using the new technology to verify that its computers that are not encrypted meet the VA's standard for exemption from its encryption mandate, Baker adds. For example, older laptops that run a barcode medication application are not encrypted because no patient data is stored on the devices and encryption would adversely affect the performance of the application.
In addition, the VA is using the technology to make sure all software patches are up to date, Baker says. Next year, the VA will use the technology to check the security provisions of all medical devices linked to its network.
Enforcing Security Guidelines
In his monthly teleconference with the news media, Baker noted that a letter has been mailed to the CEO of every VA contractor to remind them that they must meet VA security guidelines. Plus, an audit of vendor contracts is continuing on a facility-by-facility basis.
Baker also reviewed other details of the VA's October report to Congress on information breaches. For example, 1,950 veterans are being notified of a breach stemming from pages that are missing from a log book at a pulmonary laboratory in Oklahoma City.
The VA has been unable to confirm that the missing pages have been shredded as intended. They contained names, healthcare information and the last four digits of veterans' Social Security numbers.
The incident, discovered Oct. 15, is being reported to the Department of Health and Human Services' Office for Civil Rights and local news media, in addition to those affected. The HITECH Act's breach notification rule requires that action for breaches affecting 500 or more individuals.
The OCR's list of major health information breaches contains five other VA incidents.