VA failed to encrypt vets’ personal data, leaving it vulnerable to hackers
The Veterans Affairs Department has been routinely transmitting veterans’ personal data — including medical information and Social Security numbers — over unsecured Internet connections, leaving the information vulnerable to hacking and fraud, according to an internal watchdog that faults the agency for violating the government’s own security requirements.
“Without controls to encrypt the sensitive VA data transmitted, veterans’ information may be vulnerable to interception and misuse by malicious users as it traverses unencrypted telecommunications carrier networks,” the VA's Office of Inspector General reported.
The types of data that the VA Office of Information Technology (OIT) sent over unencrypted networks included the names of veterans and their dependents, Social Security numbers, dates of birth and protected health information, the IG said.
And top officials approved waivers to security rules to allow the unencrypted transmissions, the report found. The failure to protect the information violated the VA’s own security regulations as well as parts of the American Recovery and Reinvestment Act of 2009, which required “the encryption of electronically transmitted health information,” investigators said.
VA officials acknowledged the waivers, but disputed that the information faced much risk of being intercepted. Although it was not encrypted, it was still sent through private channels, they argued.
“The network links in question are not currently employing encryption but these transmissions are crossing only the private VA network and are not exposed to or traversing the Internet,” said Roger Baker, the Assistant Secretary for Information Technology.
The inspector general acknowledged the VA had been keeping the information separate from the public Internet at large, but said “the risk remains that sensitive VA data and router information can be compromised when it is transmitted across unencrypted telecommunications carrier networks outside of VA’s span of technical control.”
Investigators discovered the problem after inspecting medical facilities in South Dakota and Nebraska, but they believe the issue could be widespread. Sending information unencrypted to community health centers and business partners “was a common practice” in that region, according to OIT officials the inspector general interviewed.
The unsecured information originated from the VA Midwest Health Care Network, which serves 400,000 veterans in Iowa, Minnesota, Nebraska, North Dakota, South Dakota and portions of Illinois, Kansas, Missouri, Wisconsin, and Wyoming, the report said.
Top VA officials, including the Assistant Secretary for Information and Technology and the Acting Under Secretary for Health, Veterans Health Administration, signed waivers allowing OIT to skip “implementing encryption controls in the near term,” the report said. But investigators said those waivers can only be used in “exceptional circumstances” and said the department isn’t following laws regarding the protection of information.
“VA and federal information security requirements clearly call for the encryption of sensitive VA data and emphasize the importance of safeguarding this information,” the IG said.
And investigators are worried about the situation snowballing. Instead of stealing veterans’ information, hackers could learn enough about the VA’s infrastructure to shut down its computer networks, the inspector general warned.
Furthermore, in an era of budget cuts where each agency is trying to tighten its belt, investigators said the VA could potentially face fines for violating federal policy regarding cybersecurity.