The VA Spends on InfoSec; Updates Planned for Cloud, Mobile & EHR
The Department of Veterans Affairs (VA) is seeking to increase its information security budget from $156 million in 2015 to $180.3 million in 2016, a 16 percent increase, according to Federal Computer Week. The timing is fitting: the VA failed its most recent security audit, as documented in a Government Accountability Office (GAO) report, putting veterans’ sensitive health data at risk.
The VA collects and maintains sensitive medical records and personally identifiable information (PII) of veterans through the use of medical, administrative and financial applications, the GAO noted.
But the VA lacks many of the safeguards needed to protect that data. The GAO found that the VA:
- Failed to address an underlying vulnerability that allowed a security incident to occur
- Did not allow access to activity logs on VA’s networks for investigation
- Reported security incidents poorly
- Could not show evidence that its remedial security actions were effective
- Failed to address key web application vulnerabilities
- Had not corrected vulnerabilities identified in VA’s workstations
- Had not applied 10 critical software patches, which had been available for 4 to 31 months (policy requires critical patches to be applied within 30 days)
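The last finding is a measurable one: a patch is either inside or outside its policy window. As an added illustration (not code from the GAO report or from the VA), the following Python checker takes a constructed patch inventory and flags every patch that exceeded its window, whether it is still missing or was applied late. The 30-day critical window is the one the page quotes; the "high" and "medium" tiers and the sample records are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy windows in days, by severity. The 30-day critical window is the
# one the audit cites; the other tiers are assumed for this example.
PATCH_SLA_DAYS: Dict[str, int] = {"critical": 30, "high": 60, "medium": 90}


@dataclass
class PatchRecord:
    patch_id: str
    severity: str
    released: date            # vendor release date
    applied: Optional[date]   # None means the patch is still missing


def days_outstanding(rec: PatchRecord, as_of: date) -> int:
    """Days the patch was open: release until applied, or until `as_of` if still missing."""
    end = rec.applied if rec.applied is not None else as_of
    return (end - rec.released).days


def sla_violations(records: List[PatchRecord], as_of: date) -> List[dict]:
    """Return every patch that exceeded its severity window, late-applied ones included."""
    out = []
    for rec in records:
        limit = PATCH_SLA_DAYS.get(rec.severity.lower())
        if limit is None:          # unknown severity: nothing to measure against
            continue
        open_days = days_outstanding(rec, as_of)
        if open_days > limit:
            out.append({
                "patch_id": rec.patch_id,
                "severity": rec.severity,
                "days_open": open_days,
                "days_over": open_days - limit,
                "still_missing": rec.applied is None,
            })
    return out


def missing_critical(records: List[PatchRecord], as_of: date) -> List[str]:
    """IDs of critical patches that are both unapplied and past their window."""
    return [v["patch_id"] for v in sla_violations(records, as_of)
            if v["severity"].lower() == "critical" and v["still_missing"]]


# Constructed inventory for the example; the IDs and dates are made up.
AS_OF = date(2015, 3, 1)
SAMPLE_PATCHES = [
    PatchRecord("P-001", "critical", date(2014, 11, 1), None),             # 120 days, still open
    PatchRecord("P-002", "critical", date(2015, 2, 15), date(2015, 2, 25)),  # 10 days, on time
    PatchRecord("P-003", "critical", date(2012, 8, 1), None),              # years old, still open
    PatchRecord("P-004", "high",     date(2015, 1, 15), date(2015, 2, 20)),  # 36 days, within 60
    PatchRecord("P-005", "high",     date(2014, 12, 1), None),             # 90 days, over 60
    PatchRecord("P-006", "critical", date(2015, 1, 1),  date(2015, 2, 15)),  # applied, but 45 days late
]

if __name__ == "__main__":
    for v in sla_violations(SAMPLE_PATCHES, AS_OF):
        state = "MISSING" if v["still_missing"] else "applied late"
        print(f'{v["patch_id"]} {v["severity"]:8} {v["days_open"]:4}d open '
              f'({v["days_over"]}d over) {state}')
    print("critical still missing:", missing_critical(SAMPLE_PATCHES, AS_OF))
```

Counting late-but-applied patches alongside missing ones matters for the "no evidence that remediation was effective" finding: a fleet can be fully patched today and still have spent months exposed.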
Where do these threats come from? According to the GAO, threats can be unintentional, such as defective equipment or software upgrades that disrupt systems, or user error. Other threats come from insiders, or from hackers, criminals, foreign nations and others who may exploit vulnerabilities such as flaws in software code.
Foreign Attackers Target Vulnerable VA Systems
The VA is definitely a target for hackers: there were over 14 million intrusion attempts on VA networks last month, according to FCW.com. And from 2010 to 2013, foreign attackers compromised an unencrypted VA database containing the PII of nearly 20 million veterans, as the VA’s former CISO stated in a hearing covered by NextGov.com.
Attackers exploited VA system weaknesses and stole veteran data and passwords. They also compromised a domain controller that runs the email system used by VA senior executives, exporting emails and putting the entire organization at risk.
Back in 2013, the VA couldn’t track network breaches because it lacked the logging software needed to trace unauthorized access. An assistant inspector general also reported that weak passwords and user accounts with inappropriate access were among the most common security problems at the VA, as Politico.com reported.
Protecting against authentication and access-related breaches requires strong security controls and two-factor authentication to keep attackers from gaining remote access. Controls that track and log more detailed authentication data give security teams insight into a potentially fraudulent login and let them trace malicious user activity. Learn more about Duo’s Security Controls.
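To make the "insight into a potential fraudulent login" concrete, here is an added example (not Duo's code or anything from the VA) that runs three detections over a few constructed authentication log lines: a burst of failed logins followed by a success from the same source, a success from a source address not in the user's known baseline, and a success with no second factor for an account that is enrolled in two-factor authentication. The log format, the baseline of known sources, the enrollment list and the thresholds are all assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumed log format for the example: one event per line, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) factor=(?P<factor>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines: List[str], known_sources: Dict[str, Set[str]], enrolled_2fa: Set[str],
           fail_threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Run the three detections and return one alert dict per finding."""
    alerts: List[dict] = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            failures[key].append(ev["ts"])
            continue
        if ev["result"] != "success":
            continue
        base = {"user": ev["user"], "src": ev["src"], "ts": ev["ts"].isoformat()}
        # 1. Repeated failures inside the window, then a success: guessing that worked.
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append({**base, "type": "guessing_then_success", "failures": len(recent)})
        failures[key] = []
        # 2. Success from a source the user has never authenticated from before.
        if ev["src"] not in known_sources.get(ev["user"], set()):
            alerts.append({**base, "type": "new_source"})
        # 3. Enrolled user logged in with no second factor: bypass or misconfiguration.
        if ev["user"] in enrolled_2fa and ev["factor"] == "none":
            alerts.append({**base, "type": "missing_second_factor"})
    return alerts


# Constructed sample data; addresses are from the documentation ranges.
KNOWN_SOURCES = {"jdoe": {"203.0.113.5"}, "asmith": {"203.0.113.8"}}
ENROLLED_2FA = {"jdoe", "asmith"}
SAMPLE_LOG = """
2015-03-01T08:00:12Z user=jdoe src=203.0.113.5 result=success factor=push
2015-03-01T08:05:40Z user=asmith src=198.51.100.7 result=failure factor=none
2015-03-01T08:05:43Z user=asmith src=198.51.100.7 result=failure factor=none
2015-03-01T08:05:47Z user=asmith src=198.51.100.7 result=failure factor=none
2015-03-01T08:05:51Z user=asmith src=198.51.100.7 result=failure factor=none
2015-03-01T08:05:55Z user=asmith src=198.51.100.7 result=failure factor=none
2015-03-01T08:06:02Z user=asmith src=198.51.100.7 result=success factor=none
2015-03-01T09:15:00Z user=jdoe src=203.0.113.5 result=success factor=push
2015-03-01T21:42:10Z user=jdoe src=198.51.100.99 result=success factor=push
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, KNOWN_SOURCES, ENROLLED_2FA):
        print(a)
```

The baseline of known sources is static here for determinism; in practice it is learned from prior successful logins, and the "new source" signal is most useful when combined with the factor and failure signals, since a new address on its own is often just a traveling user.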
Increase in VA Budget for Cloud, Mobile and EHR Upgrades
The increase in information security spending is part of an overall IT budget request of $4.1 billion, a six percent increase over 2015, as Federal Computer Week reported. Most of that, $2.5 billion, goes toward operations and maintenance, which includes replacing old hardware with a new cloud-based phone system.
Another $160 million is slated to update its electronic health record (EHR) system, as well as $20 million for mobile app development. For this year, the VA plans to spend $269 million on a multi-year project to upgrade its VistA (Veterans Health Information Systems and Technology Architecture) EHR system used throughout the VA’s 151 hospitals and over 800 outpatient clinics.
Healthcare-Informatics.com reported on the VA’s three-year, $162 million contract with ASM Research to modernize its EHR system, with completion due in 2017. Part of the contract includes creating a web-based interface for accessing patient records; hopefully, the VA has a strategy for securing access to patient records through those web applications.
Securing Patient Data: Breach Prevention Doesn’t Have to Be Brain Surgery
Learn about how Duo Security can protect healthcare applications, including EHR and e-prescription software in our new guide, Duo Security’s Guide to Securing Patient Data: Breach Prevention Doesn’t Have to Be Brain Surgery.
To help you navigate patient data security, our guide will:
- Summarize relevant health IT security legislation, including federal and state
- Provide information security guidelines on remote access risks and solutions
- Provide extensive security resources and a real hospital case study
- Explain how to protect against modern attacks and meet regulatory compliance with two-factor authentication
Ideal for CISOs, security, compliance and risk management officers, IT administrators and other professionals concerned with information security, this guide is for IT decision-makers who need to implement strong authentication security, as well as those evaluating two-factor authentication solutions for organizations in the healthcare industry.