VA failed to encrypt vets’ personal data, leaving it vulnerable to hackers
The Veterans Affairs Department has been routinely transmitting veterans’ personal data — including medical information and Social Security numbers — over unsecured Internet connections, leaving the information vulnerable to hacking and fraud, according to an internal watchdog that faults the agency for violating the government’s own security requirements.
“Without controls to encrypt the sensitive VA data transmitted, veterans’ information may be vulnerable to interception and misuse by malicious users as it traverses unencrypted telecommunications carrier networks,” the VA's Office of Inspector General reported.
The types of data that the VA Office of Information Technology (OIT) sent over unencrypted networks included the names of veterans and their dependents, Social Security numbers, dates of birth and protected health information, the IG said.
And top officials approved waivers to security rules to allow the unencrypted transmissions, the report found. The failure to protect the information violated the VA’s own security regulations as well as parts of the American Recovery and Reinvestment Act of 2009, which required “the encryption of electronically transmitted health information,” investigators said.
VA officials acknowledged the waivers, but disputed that the information faced much risk of being intercepted. Although it was not encrypted, it was still sent through private channels, they argued.
“The network links in question are not currently employing encryption but these transmissions are crossing only the private VA network and are not exposed to or traversing the Internet,” said Roger Baker, the Assistant Secretary for Information Technology.
The inspector general acknowledged the VA had been keeping the information separate from the public Internet at large, but said “the risk remains that sensitive VA data and router information can be compromised when it is transmitted across unencrypted telecommunications carrier networks outside of VA’s span of technical control.”
Investigators discovered the problem after inspecting medical facilities in South Dakota and Nebraska, but they believe the issue could be widespread. Sending information unencrypted to community health centers and business partners “was a common practice” in that region, according to OIT officials the inspector general interviewed.
The unsecured information originated from the VA Midwest Health Care Network, which serves 400,000 veterans in Iowa, Minnesota, Nebraska, North Dakota, South Dakota and portions of Illinois, Kansas, Missouri, Wisconsin, and Wyoming, the report said.
Top VA officials, including the Assistant Secretary for Information and Technology and the Acting Under Secretary for Health, Veterans Health Administration, signed waivers allowing OIT to skip “implementing encryption controls in the near term,” the report said. But investigators said those waivers can only be used in “exceptional circumstances” and said the department isn’t following laws regarding the protection of information.
“VA and federal information security requirements clearly call for the encryption of sensitive VA data and emphasize the importance of safeguarding this information,” the IG said.
And investigators are worried about the situation snowballing. Instead of stealing veterans’ information, hackers could learn enough about the VA’s infrastructure to shut down its computer networks, the inspector general warned.
Furthermore, in an era of budget cuts where each agency is trying to tighten its belt, investigators said the VA could potentially face fines for violating federal policy regarding cybersecurity.