The Department of Veterans Affairs (VA) relies on IT systems to receive and maintain sensitive data, including medical records. Federal law establishes requirements for protecting personally identifiable information and securing IT systems.
VA partially implemented certain key privacy practices. For instance, it still needs to ensure that it is hiring and training enough staff to protect the privacy of its data. In addition, VA has struggled to safeguard its information and protect its IT systems from unauthorized access.
Our 8 prior recommendations to VA could help address these issues. As of February 2023, VA had implemented 5 of these recommendations.
What GAO Found
Federal law and policy establish requirements for protecting personally identifiable information (PII) and securing federal systems and information. Federal guidance also includes key practices for establishing privacy programs. GAO reported in 2022 that federal agencies, including the Department of Veterans Affairs (VA), varied in the extent to which they established privacy policies and procedures and implemented key practices. While VA partially addressed privacy practices, gaps remain. For example, it had not fully defined the role of privacy officials in carrying out risk management steps for authorizing systems that contained PII. Without fully incorporating these practices, VA will have less assurance that it is consistently and effectively implementing privacy protections. In addition, privacy officials at all 24 Chief Financial Officers Act of 1990 agencies, including VA, reported experiencing challenges in implementing their privacy programs.
GAO and the VA Office of Inspector General (OIG) have highlighted security challenges that VA has faced in safeguarding its information and information systems. For example, in 2019, GAO reported that VA did not fully address four cybersecurity practices in establishing a cyber-risk management program. Further, in 2022, the VA OIG reported that the department faced challenges implementing components of its information security program. The report had 26 recommendations for improvement, including implementing needed access and configuration management controls. In addition, an Office of Management and Budget report to Congress summarizing fiscal year 2021 agency cybersecurity performance noted that an independent assessment had concluded that VA's program was not effective.
Why GAO Did This Study
In providing health care and other benefits to veterans and their dependents, VA relies on IT systems and networks to receive, process, and maintain sensitive data, including veterans' medical records and associated PII. VA maintains these data in a variety of systems, including its legacy electronic health record system.
Federal systems and networks, including those of VA, are often interconnected with other internal and external systems and networks. This increases the risk of cyberattacks. Since 1997, GAO has designated information security as a government-wide high-risk area—a designation that remains today.
GAO was asked to review VA (1) privacy practices and challenges, and (2) security challenges. To address both objectives, GAO summarized results and challenges from its previously issued products. GAO also reviewed VA OIG reports on cybersecurity. In addition, GAO incorporated information on the department's actions to implement prior privacy and security recommendations.
In its 2019 and 2022 reports, GAO made eight recommendations to VA to address key privacy and security practices. The department concurred with these and has thus far implemented five of the recommendations.