Why We Did This Review
The Office of Inspector General (OIG) evaluated the merits of an allegation that VA
was transmitting sensitive data, including Personally Identifiable Information (PII) and
internal network routing information, over unencrypted telecommunications carrier
networks. In July 2012, the OIG informed the Assistant Secretary for Information and
Technology of the possible security violations so VA could assess relative risks
and take appropriate corrective actions.
What We Found
We substantiated the allegation that VA was transmitting sensitive data, including PII and
internal network routing information, over an unencrypted telecommunications carrier
network. Office of Information and Technology (OIT) personnel disclosed that
VA typically transferred unencrypted sensitive data, such as electronic health
records and internal Internet protocol addresses, among certain VA medical
centers and Community Based Outpatient Clinics (CBOCs) using an unencrypted
telecommunications carrier network. VA has not implemented technical
configuration controls to ensure encryption of sensitive data despite VA and Federal
information security requirements. OIT personnel stated that sending unencrypted
sensitive data to outpatient clinics and external business partners was a common
practice at facilities across VA. OIT management acknowledged this practice and
formally accepted the security risk of potentially losing or misusing the sensitive
information exchanged via a waiver; however, the use of a system security waiver
was not appropriate. Without controls to encrypt the sensitive VA
data transmitted, veterans’ information may be vulnerable to interception and misuse by
malicious users as it traverses unencrypted telecommunications carrier networks.
Further, malicious users could obtain VA router information to identify and disrupt
mission-critical systems.
Read more: http://www.washingtonguardian.com/sites/default/files/va_data_encryption.pdf