VA Information Systems:

Computer Security Weaknesses Persist at the Veterans Health Administration

AIMD-00-232: Published: Sep 8, 2000. Publicly Released: Sep 8, 2000.

Contact:

Robert F. Dacey
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a legislative requirement, GAO reviewed information system general controls over financial and sensitive veteran medical information maintained by the Veterans Health Administration (VHA), focusing on: (1) specific computer security weaknesses GAO identified at the New Mexico and North Texas health care systems in conjunction with the audit of the Department of Veterans Affairs (VA) fiscal year (FY) 1997 financial statements; and (2) departmentwide computer security initiatives that GAO reported in October 1999.

GAO noted that: (1) in September 1998, GAO reported that computer security weaknesses placed critical VA operations, including health care delivery, at risk of misuse and disruption; (2) since then, VA's New Mexico and North Texas health care systems have corrected most of the specific computer security weaknesses that were identified in 1998; (3) however, serious computer security problems persist throughout VHA and the department because: (a) VA has not yet fully implemented an integrated security management program; and (b) VHA had not devoted adequate resources to effectively manage computer security at its medical facilities; (4) consequently, financial transaction data and personal information on veteran medical records continue to face increased risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction, possibly occurring without detection; (5) GAO identified additional computer security problems at the New Mexico and North Texas health care systems and also found similar serious weaknesses at the VA Maryland Health Care System; (6) these medical facilities had not adequately controlled access granted to authorized users, prevented employees from performing incompatible duties, secured access to networks, restricted physical access to computer resources, or ensured the continuation of computer processing operations in case of unexpected interruption; (7) the access and service continuity weaknesses GAO found are similar to problems consistently identified since 1998 at VHA medical facilities by VA's Office of Inspector General (OIG), internal VHA reviews, and consultant studies; (8) VA's OIG has reported departmentwide information system security as a material internal control weakness since the FY 1997 consolidated financial statement reporting period; (9) VA recognized the significance of these problems and began reporting information system security as a material weakness in its Federal Managers' Financial Integrity Act of 1982 report for 1998; (10) one reason for VA's continuing information system control problems is that the department had not implemented a comprehensive, integrated security management program; (11) initiating a process to review and build on security practices developed by other VA organizations could expedite VA efforts to develop departmentwide guidance in these areas; and (12) until VA develops and implements a comprehensive, coordinated security management program and ensures that adequate resources are devoted to this program, it will have limited assurance that financial information and sensitive veteran medical records are adequately protected from misuse, unauthorized disclosure, and destruction.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Acting Secretary of Veterans Affairs should direct the acting VA Chief Information Officer (CIO) to work with the VHA CIO and medical facility directors as appropriate to ensure that the remaining computer security weaknesses at each health care system GAO visited, which are summarized, are corrected in accordance with the action plans developed by each of the medical facilities and detailed in GAO's separate reports to the facility directors.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In November 2003, VHA's security office provided GAO with a list of actions taken to correct the computer security weaknesses GAO identified in connection with its review of information system controls at VA's medical facilities in Albuquerque, New Mexico, Baltimore, Maryland, and Dallas, Texas. Based on GAO's review of the actions reported, independent work performed by the VA's Inspector General, and GAO's own review, GAO determined that VA had taken sufficient action to remediate the computer security weaknesses reported.

    Recommendation: The Acting Secretary of Veterans Affairs should direct the acting VA CIO to work with the VHA CIO and medical facility directors as appropriate to provide security oversight resources as prescribed in VHA policy to effectively implement and oversee VA's computer security management program through assessing risk, implementing policies and controls, promoting awareness, and evaluating the effectiveness of information system controls at VHA facilities.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In March 2001, the VA's Office of Information and Technology reported that all VHA facilities had designated information security officers to work on security activities full-time or at least as a primary duty, as prescribed in VHA policy. These information security officers are to work on information security issues to include assessing risk, implementing policies and controls, promoting security awareness, and evaluating the effectiveness of information system controls.

    Recommendation: To facilitate the development of detailed departmentwide guidance and oversight processes relating to key aspects of computer security programs, such as assessing risk, monitoring system and user access activity, and evaluating the effectiveness of information system controls, the Acting Secretary of Veterans Affairs should direct the acting VA CIO to implement a cooperative process across all VA component offices that would identify and, where appropriate, integrate security guidance developed by VA components.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In February 2002, the VA's Office of Cyber Security established a process to identify and, where appropriate, integrate security guidance already developed by VA components to facilitate department-wide efforts to update its security requirements. This process was implemented in January 2002.

    Recommendation: The Acting Secretary of Veterans Affairs should direct the acting VA CIO to monitor and report to issues, such as an administration's lack of commitment of resources to the departmentwide program, that could affect the development and implementation of VA's departmentwide computer security program.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In October 2000, the VA's Office of Information and Technology reported that it had established a process for briefing the VA Secretary and senior Information Technology executives quarterly on the status of information security issues department-wide. This would include highlighting the lack of resource commitment by any VA component. In April 2001, this reporting requirement was reemphasized by the VA Secretary with the appointment of the VA security czar.
