Data Security Breaches at the Department of Veterans Affairs

Last reviewed: April 13, 2016

Internet Risk and Cybercrime at the U.S. Department of Veterans Affairs

Internet Risk

Cybercrime

Today, the mission of the U.S. Department of Veterans Affairs (VA) as taken from President Lincoln's second inaugural address is, "To care for him who shall have borne the battle, and for his widow, and his orphan." To this end, this cabinet-level organization provides healthcare services through the Veterans Health Administration (VHA) to nine million veteran patients each year. In an effort to improve the quality of these healthcare services, the VHA has implemented a number of technological solutions including electronic healthcare records and a nationwide communication network. These solutions, though, have also introduced a number of security risks and a number of high-profile security breaches have drawn increased scrutiny on the VHA in recent years. This paper provides an overview of the VHA and what types of Internet-related security threats it faces. A discussion concerning cybercrime at the VA is followed by a summary of the research and important findings concerning these issues in the paper's conclusion.

Today, through its Veterans Health Administration (VHA), the Department of Veterans Affairs (VA) is the largest healthcare provider in the United States, and millions of veteran patients receive care from its nationwide network of medical centers, outpatient clinics and Vet Centers. In recent years, the VA has committed itself to improving the quality of patient care it provides by implementing a wide range of technological solutions, including electronic healthcare records and a sophisticated communications system (Boyer, 2011). These same innovations, though, have also introduced a number of security problems for this cabinet-level organization, including most especially the compromise of sensitive patient data. Although the VA is not unique in experiencing these types of security problems, the fact that the organization is so large and its mission is so critical makes these breaches an important issue for all stakeholders. To determine the facts, this paper provides an overview of the VA, and a critical analysis of the strategic approaches that are used to identify, analyze and address these types of cyber-threats within this organization, taking into account the impact of managing the risk throughout this organization. Finally, a summary of the research and important findings concerning these issues is provided in the conclusion.

Review and Discussion

Overview of the Department of Veterans Affairs

The VHA is the nation's largest integrated health care system, and consists of more than 1,700 healthcare facilities that provide care for nearly 9 million veteran patients annually as shown in Figure 1 below (Veterans Health Administration, 2016).

Figure 1. Regional breakdown of VA facilities in the United States

Source: http://www.va.gov/directory/images/VHA/VHAmap.gif

The healthcare facilities identified in Figure 1 above comprise the VHA's integrated services network of 23 divisions as follows:

VISN 1: VA New England Healthcare System

VISN 2: VA Health Care Upstate New York

VISN 4: VA Healthcare - VISN 4

VISN 5: VA Capitol Health Care Network

VISN 6: VA Mid-Atlantic Health Care Network

VISN 7: VA Southeast Network

VISN 8: VA Sunshine Healthcare Network

VISN 9: VA MidSouth Healthcare Network

VISN 10: VA Healthcare System

VISN 12: VA Great Lakes Health Care System

VISN 15: VA Heartland Network

VISN 16: South Central VA Health Care Network

VISN 17: VA Heart of Texas Health Care Network

VISN 18: VA Southwest Health Care Network

VISN 19: Rocky Mountain Network

VISN 20: Northwest Network

VISN 21: Sierra Pacific Network

VISN 22: Desert Pacific Healthcare Network

VISN 23: VA Midwest Health Care Network (Veterans Health Administration, 2016).

In these regions, the VHA operates 150 medical centers, almost 1,400 community-based outpatient clinics, community living centers, Vet Centers and domiciliaries staffed by more than 53,000 healthcare practitioners (Veterans Health Administration, 2016). With an annual budget exceeding $182 billion (Annual budget submission, 2016), it is clear that an enormous amount of resources has been allocated to the VA to fulfill its mission "To care for him who shall have borne the battle, and for his widow, and his orphan." The organization, though, has failed in this mission in a number of ways in recent years, including most especially the compromise of millions of patient data records as discussed below.

Internet Risk at the Department of Veterans Affairs

Given its far-flung operations and thousands of employees, it is little wonder that the VA has experienced a number of Internet-related security breaches in recent years. Many of the risks that are associated with the Internet directly relate to the advantages the medium provides. As Eastmond (2004) cautions, "The Internet is indeed a technology of freedom -- but it can free the powerful to oppress the uninformed, it may lead to the exclusion of the devalued by the conquerors of value" (p. 70). Notwithstanding these constraints, it is clear that the Internet has introduced fundamental changes in the manner in which people work, live, recreate and communicate with others. For instance, Ball, Haggerty and Lyon (2012) report that, "Digital technologies and the Internet have made the sharing and dissemination of information instantaneous and without restriction across geographical borders" (p. 58). These same technologies, though, introduce risks of data compromise and security breaches that can have devastating effects on individuals, organizations and governmental agencies. In this regard, Barlow also observed early on that, "Cyberspace has a lot in common with the 19th Century West. It is vast, unmapped, culturally and legally ambiguous. . . . It is, of course, a perfect breeding ground for both outlaws and new ideas about liberty" (para. 4).

This assertion is certainly applicable to the VA, and the organization reports that it blocked 181,188,372 intrusion attempts, blocked or contained 546,969,366 malware attacks, and 100,778,911 suspicious or malicious emails in December 2015 alone (Monthly report to Congress of data incidents, 2015). Of these incidents, 394 veterans were affected in some fashion, including 47 lost or stolen electronic communication devices and 240 in relation to protected health information incidents that were reported to Health and Human Services in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act (Monthly report to Congress of data incidents, 2015).

Some of the most severe Internet-related security breaches at the VHA are described in Table 1 below.

Table 1

Internet-related security breaches at the VHA

Type of Breach and Date

Description

Stolen Veterans Affairs laptop and hard drive (June 29, 2002)

A laptop computer and hard drive containing sensitive data for more than 26 million veterans, their spouses, and active-duty military personnel was stolen but subsequently recovered by the FBI. Documents show that Veterans Affairs had given permission in 2002 for an analyst, from whom the equipment was stolen, to work from home with data that included millions of Social Security numbers, disability ratings and other personal information. Agency officials previously said the analyst was fired because he violated agency procedure by taking the data home (Electronic Privacy Information Center, 2016, para. 2). According to Konkel (2013), then-VA Secretary James Nicholson was not notified about the incident until three weeks after it took place (para. 4).

Computers donated contained patient data

A report concerning discarded hard drives and disk sanitization practices revealed that in August 2002 the United States Veterans Administration Medical Center in Indianapolis sold or donated 139 of its computers without removing confidential information from their hard drives, including the names of veterans with AIDS and mental illnesses (Matwyshyn, 2009, p. 107).

Personal information compromised (June 7, 2006)

The personal information of about 1.1 million active-duty military personnel, 430,000 members of the National Guard and 645,000 members of the Reserves, was stolen in the recent theft of computer data from the Department of Veterans Affairs. The agency previously said that all 26.5 million people affected by the data theft were veterans and their spouses. The data include Social Security numbers and disability ratings. The VA has estimated that it will cost between $100 million to $500 million to prevent and cover possible losses from the data theft. Though the theft occurred on May 3, 2006, the VA waited until May 22 to inform those who were affected. The delay was just one of many failures by Veterans Affairs in this incident (Electronic Privacy Information Center, 2016, para. 4).

Mismanaged software update (January 15, 2014)

This breach occurred when a bungled software update to VA's eBenefits system exposed at least 5,300 veterans' medical and financial information to the public (Konkel, 2014).

Contractor data breach (December 24, 2014)

This data breach placed more than 7,000 veterans at risk of identity theft. A potential flaw in one of its patient databases managed by a vendor to provide home telehealth services may have exposed personal information of veterans. The contractor alerted VA on Nov. 4 [2014] of the potential security flaw. VA says more than 690,000 veterans took advantage of the national telehealth program in 2014. An investigation was immediately initiated and security scans were conducted by VA, which confirmed the concern. The VA has notified and offered credit protection to all 7,054 veterans in the database. VA says the type of security flaw was one that could have exposed veterans' data, including name, address, dates of birth, phone numbers and VA patient identification number, via the Internet (Contractor security flaw puts data of 7,000 veterans at risk, 2014, para. 2).

The stolen laptop and hard drive shown in Table 1 above resulted in some fundamental changes in the manner in which the VA administers electronic patient data records and other digital communications, including the following:

A greater focus on data encryption. Since this high-profile VA breach occurred, more attention is being paid to encrypting data on laptops and other mobile devices.

Stronger breach notification guidelines. When breaches at the VA occurred prior to this incident, there were few formal internal processes for notifying incident response teams and administrators. The Office of Management and Budget's (OMB) guidelines now require, in most cases, that agencies notify management of data breaches immediately when they happen.

More attention to data retention, classification and minimization. An OMB directive issued in the wake of the VA breach requires agencies to log all data extracts from databases holding sensitive information. Under the directive, they are also required to verify that the data that has been extracted is erased within 90 days or is still being used for valid purposes.

Stronger remote access policies. The OMB instructed the VA to implement two-factor authentication for controlling remote access to agency networks and data from remote locations. It also asked them to require remote users to reauthenticate themselves after 30 minutes of inactivity. In addition, the VA breach resulted in more focus on securing remote systems via the use of endpoint network admission control tools to ensure that any system logging into a network has adequate antivirus and firewall protections, has all the mandated configuration settings and is properly patched (Vijayan, 2007, para. 2-4).
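As an added illustration (not part of the original essay and not code from the VA or OMB), the following Python example shows how the extract-logging requirement above can be checked mechanically: each logged extract must be erased within 90 days or carry a recorded verification that it is still in valid use. The log columns, the sample rows and the audit date are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

RETENTION = timedelta(days=90)   # erase-or-verify window described above
AUDIT_DATE = date(2016, 4, 13)   # constructed "today" for the sample run

# Constructed sample extract log; the column names are assumptions.
SAMPLE_LOG = """extract_id,database,extracted_on,erased_on,use_verified_on
EX-001,claims,2016-01-04,2016-02-10,
EX-002,telehealth,2016-01-04,,
EX-003,benefits,2016-01-04,,2016-03-28
EX-004,claims,2016-03-20,,
EX-005,telehealth,2015-11-01,2016-03-15,
"""


def _parse(value):
    """Parse an ISO date; an empty field means 'not recorded'."""
    value = value.strip()
    return date.fromisoformat(value) if value else None


def audit_extracts(log_text, today):
    """Return {extract_id: status} for every extract in the log."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        extracted = _parse(row["extracted_on"])
        erased = _parse(row["erased_on"])
        verified = _parse(row["use_verified_on"])
        deadline = extracted + RETENTION
        if erased is not None:
            # Erasure is on record: was it done inside the window?
            status = "erased" if erased <= deadline else "erased_late"
        elif today <= deadline:
            status = "within_window"
        elif verified is not None and verified <= today:
            # Past the window, but continued valid use was recorded.
            status = "use_verified"
        else:
            # Past the window with neither erasure nor verification.
            status = "overdue"
        findings[row["extract_id"]] = status
    return findings


def needs_follow_up(findings):
    """Extract IDs that violate the 90-day rule and need review."""
    bad = ("overdue", "erased_late")
    return sorted(i for i, s in findings.items() if s in bad)


if __name__ == "__main__":
    results = audit_extracts(SAMPLE_LOG, AUDIT_DATE)
    for extract_id, status in results.items():
        print(extract_id, status)
    print("follow up:", needs_follow_up(results))
```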

In addition, other security breaches involving the VHA have included hacking, the inadvertent disclosure of confidential data, and the deliberate misuse of information by unauthorized individuals (Matwyshyn, 2009). Like other large organizations, the VHA is also at risk for other types of security breaches, some of which are particularly difficult to identify and counter. In this regard, Matwyshyn (2009) points out that, "The threats to information security are varied: for example, search engines increasingly index Web pages that may not be meant for public consumption, and employee use of file-sharing software exposes many different kinds of files to communication networks" (p. 33).

Although the VA has taken steps to address these security threats, major lapses in human judgment and employee theft are exceedingly difficult to address until something drastic occurs to draw attention to them. As Matwyshyn emphasizes:

Data security is never perfect, and government agencies cannot perfectly predict security lapses. But the growing number of news stories about compromised personal records reveal a wide range of organizational mismanagement and internal security breaches: lost hard drives and backup tapes, employee theft, and other kinds of administrative errors. (2009, p. 33)

The implications of these security breaches are far-ranging and severe. Sensitive patient data can be compromised by physicians, nurses, healthcare employees and even organized crime syndicates (Matwyshyn, 2009). In some cases, the theft of patient data can result in credit card fraud and other types of identity theft that can cost veterans and their families billions of dollars each year (Matwyshyn, 2009).

More troubling still, a confidential report from the VA's Office of Information and Technology Risk Management obtained by CNBC predicted that "A data breach to financial, medical and personal information is practically unavoidable [and] is likely to happen within 12 to 18 months" (cited in Gusovsky, 2014, para. 3). The confidential report went on to caution that, "The VA cannot ensure the safety and privacy of Veteran and employee healthcare, benefits, and financial information. The VA is non-compliant with its own privacy and security policies and with Federal laws and regulations" (cited in Gusovsky, 2014, para. 3).

Besides this damning report, other information technology security issues were also identified during testimony in June 2014 by Jerry Davis, former deputy assistant secretary for information security at the VA. According to Davis's testimony, "In nearly 20 years of building and managing security programs across government and private industry, I had never seen an organization with as many unattended IT security vulnerabilities" (cited in Gusovsky, 2014, para. 6). The June 2014 congressional hearing also uncovered the fact from two VA officials that the VA has been hacked numerous times by foreign actors since March 2010 (Gusovsky, 2014). In this regard, one congressman reported that, "the VA's database has repeatedly been compromised since 2010 by foreign actors, including in China and possibly in Russia" (cited in Gusovsky, 2014, para. 7). In fact, between March 2010 and February 2014, there were at least eight major security breaches of the VA's network, including the "Master Password" file (Gusovsky, 2014).

Given these serious charges, it is reasonable to suggest that there is a "perfect storm" brewing at VHA that will have serious consequences for the organization and its stakeholders, but there are other threats arrayed against this government organization as well. Further exacerbating the risks that are inherent in using the Internet and other digital devices for patient data records and other sensitive information are the growing numbers of cybercriminals such as hackers who exploit this environment for a wide range of illegal and illicit purposes as discussed further below.

Cybercrime at the Department of Veterans Affairs

What is cybercrime? According to the definition provided by Glennon (2012), "The term cybercrime has been used broadly to describe a wide range of activities, from illegal interference and illegal access to the misuse of devices and content-related offenses" (p. 86). As noted above, the VHA experiences millions of cyber-attacks each month, and these represent a major concern for VA authorities, policymakers, patients and their families alike. The VA of course is not alone in experiencing these types of security breach attempts. For instance, Inan and Namin (2016) report that there has been "an overall 91% increase in targeted attacks and 62% increase in the number of breaches in 2013. It is alarmingly a major concern that over 552 million identities were exposed and about 38% of mobile users have experienced mobile cybercrime in the same year" (p. 28). It is estimated that the costs of cybercrime each year top $400 billion (Inan & Namin, 2016). Moreover, noting that the nation's thousands of blind or visually impaired veterans are at special risk of security-related mishaps, Inan and Namin emphasize that, "The increasing number of cyber-crime incidents occurring in cyber-space raises the alarm and need for better protection and guards for individuals and, in particular, those with visual impairments" (p. 29).

It is important to note, though, that not all cybercrimes are so-called "hacking" attempts. For instance, according to Bell (2001), "In popular culture, hacking tends to be conflated with breaching computer security systems for malicious reasons - a form of cybercrime - though this is more properly called cracking" (p. 216). Some authorities, though, maintain that so-called "cybercrimes" are simply conventional crimes being committed in a new medium (Brenner, 2007). This argument loses some of its weight when some of the types of novel cybercrimes are considered since there is no parallel to a conventional crime when these take place strictly in a virtual environment where anonymity prevails and cybercriminals can act with veritable impunity unless and until governmental authorities locate and stop them. For example, Glennon (2012) points out that, "Cyberattacks, cybercrimes, and cyber-espionage do not fit well into existing categories. For one thing, they're usually not easily distinguishable from one another until well after their initiation, if then" (p. 86).

Some indication of what types of threats the VHA faces today can be discerned from an analysis of the cybercrime industry conducted by Tuluc (2012) who reports that monetary gain is the overarching motive behind the majority of such attacks. For instance, Tuluc (2012) notes that, "The cybercrime landscape is changing in terms of hackers' monetary motives, some criminal organizations are skillful in carrying out cybercrime activities" (p. 180). Foreign-based cybercriminals have used -- or attempted to use -- stolen patient data files to file false Medicaid benefit claims and used other identity theft strategies to bilk unsuspecting companies out of billions of dollars worth of products and services each year (Matwyshyn, 2009). The costs that are associated with attempting to prevent such abuses are also astronomical and cybercriminals are constantly on the lookout for any potential vulnerabilities in government network systems (Matwyshyn, 2009).

The foregoing trends also underscore the need for ongoing vigilance on the part of VHA in protecting sensitive patient and other data. Besides employee training in data security measures, other steps needed include contingency plans for internal and external sources of cybercrime. In this regard, Snell (2016) cites the increasing cybercrime activity against healthcare and notes that, "Data security plans need to account for numerous types of breaches, whether it is an incident stemming from an employee or an unauthorized third-party" (para. 3). To its credit, the VA has taken some steps along these lines in recent years. According to a VA spokesperson, "VA takes seriously its obligation to properly safeguard any personal information within our possession. VA has in place a strong, multi-layered defense to combat evolving cybersecurity threats" (cited in Gusovsky, 2014, para. 6).

Cite This Paper
PaperDue. (2016). Data Security Breaches at the Department of Veterans Affairs. PaperDue. https://www.paperdue.com/essay/data-security-breaches-at-the-department-2158301