A report released yesterday by the Office of the Inspector General (OIG) for the Department of Veterans Affairs indicates that it substantiated allegations that the VA was routinely transmitting sensitive information, including PII, PHI, and internal network routing information, over an unencrypted telecom carrier network. The Office of Information and Technology (OIT) disputes the findings, however.
From the OIG report, the background of the investigation:
The VA Midwest Health Care Network, also known as the Veterans Integrated Service Network (VISN) 23 within the Veterans Health Administration, serves more than 400,000 veterans enrolled to receive medical care residing in Iowa, Minnesota, Nebraska, North Dakota, South Dakota and portions of Illinois, Kansas, Missouri, Wisconsin, and Wyoming.
In May 2012, a complainant contacted the VA Office of Inspector General (OIG) Hotline, alleging that certain VA medical centers (VAMCs) were transmitting sensitive information, including PII and internal network routing information, over unencrypted telecommunications carrier networks. More specifically, the complainant indicated that unencrypted data were transmitted among various VAMC networks using the South Dakota Network, which functions as the local telecommunications carrier network.
The complainant alleged that these security violations occurred at VAMCs located in Fort Meade, SD; Omaha, NE; and Sioux Falls, SD, which are in VISN 23.
The allegations were reportedly substantiated:
Office of Information and Technology (OIT) personnel disclosed that VA typically transferred unencrypted sensitive data, such as electronic health records and internal Internet protocol addresses, among certain VA medical centers and Community Based Outpatient Clinics (CBOCs) using an unencrypted telecommunications carrier network.
The sensitive information included:
veterans’ and dependents’ names, Social Security numbers, dates of birth, and protected health information. The data also included the Veterans Health Information Systems and Technology Architecture’s electronic health records and internal Internet protocol addresses.
We also noted that the Sioux Falls and Fort Meade VA medical facilities regularly used unencrypted telecommunications carrier networks to transmit unencrypted sensitive data to external organizations providing remote Teleradiology services. Teleradiology services involve electronically sending radiographic patient images, such as X-rays, and sensitive patient information from one location to another for the purpose of interpretation and/or consultation with radiologists.
Disturbingly, OIT personnel stated that:
sending unencrypted sensitive data to outpatient clinics and external business partners was a common practice at facilities across VA (emphasis added by PHIprivacy.net). OIT management acknowledged this practice and formally accepted the security risk of potentially losing or misusing the sensitive information exchanged via a waiver; however, the use of a system security waiver was not appropriate.
I wonder if every veteran whose health or other sensitive information was transmitted insecurely would have agreed to accept the risks.
Not surprisingly, the OIG report recommends encryption and training of OIT personnel on the importance of encrypting sensitive information.
The OIT disagreed with the OIG’s findings:
OIT does not agree with the assertion that PII and internal network routing information are being transmitted over unsecured Internet connections. OIT employs service offerings from industry telecommunications carriers that are privately segmented from other public traffic and that secure internal routing information from exposure to unauthorized entities. These carrier services provide VA with a private network and do not place traffic on the Internet. It is necessary, in serving our Veterans, to transmit PII. The network links in question are not currently employing encryption but these transmissions are crossing only the private VA network and are not exposed to or traversing the Internet.
After learning of the allegation, OIT immediately engaged in a comprehensive review of the locations where the complaints were focused and subsequently determined that the allegation is unsubstantiated. The review was conducted utilizing subject matter experts from outside of the geography and organization in the report. The communications circuits in the geography in question were inspected, the configuration of the associated network equipment was reviewed, and the network administrators were interviewed. All of the findings conclusively substantiated that traffic is traversing only VA’s private network and is not utilizing the Internet, or otherwise publicly exposed, in any way. The telecommunications carrier for these communications links was also interviewed to validate the nature and configuration of their service offering. The carrier confirmed that the communications links in question are private Multiprotocol Label Switching (MPLS) that provide a secure, privately segmented network to VA. A letter from the telecommunications carrier is also attached.
Also attached is a technical explanation and diagrams demonstrating how sensitive information is routed between VA facilities. Although VA does not concur with the Inspector General’s findings in this area, OIT has initiated a review to ensure that the current practice described in the aforementioned technical documentation is being consistently applied across the VA enterprise, and if exposures are found, OIT will correct those exposures without hesitation.
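The disagreement turns on what a "private" MPLS circuit actually hides. It separates VA traffic from other carrier customers, but the carrier itself (and anyone with access to the circuit) can still read IP headers and any payload that is not encrypted. The following audit check is an added illustration, not part of the OIG report or OIT's response; the flows, ports, and payloads are constructed to resemble the traffic types the report names (an HL7 record carrying an SSN, a TLS session, and a DICOM association to a teleradiology vendor), and it flags what a carrier-facing capture would expose even though nothing touches the Internet.

```python
import ipaddress
import re

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample flows (invented payloads, not from the report): what an
# auditor might capture on the router facing the carrier's MPLS circuit.
SAMPLE_FLOWS = [
    {"src": "10.20.1.15", "dst": "10.30.4.7", "dport": 2575,     # HL7 over MLLP
     "payload": b"MSH|^~\\&|VISTA|SITE_A|RIS|SITE_B|20120501||ADT^A01|7|P|2.3\r"
                b"PID|1||700123||DOE^JANE||19450101|F|||||||||||123-45-6789\r"},
    {"src": "10.20.1.15", "dst": "10.30.4.7", "dport": 443,      # TLS ClientHello
     "payload": b"\x16\x03\x01\x00\x31\x01\x00\x00\x2d\x03\x03" + b"\x00" * 45},
    {"src": "10.20.1.30", "dst": "203.0.113.9", "dport": 104,    # DICOM A-ASSOCIATE-RQ
     "payload": b"\x01\x00\x00\x00\x00\x44\x00\x01\x00\x00"
                b"VENDOR_SCP      " b"VAMC_SCU        " + b"\x00" * 32},
]

def payload_kind(payload: bytes) -> str:
    """Classify a flow from its first bytes; encrypted transports show a handshake."""
    if payload[:1] == b"\x16" and payload[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "tls"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload.startswith(b"MSH|"):
        return "hl7-cleartext"
    if payload[:1] == b"\x01" and payload[6:8] == b"\x00\x01":  # PDU type 01, protocol v1
        return "dicom-associate-cleartext"
    return "cleartext-unknown"

def audit_flows(flows):
    """Return one finding per flow that exposes something to the carrier."""
    findings = []
    for f in flows:
        reasons = []
        # An MPLS VPN hides traffic from other customers, not from the carrier: without
        # a tunnel, the internal addresses in the IP header are readable on the circuit.
        if any(ipaddress.ip_address(f[k]).is_private for k in ("src", "dst")):
            reasons.append("internal-addressing-visible")
        kind = payload_kind(f["payload"])
        if kind not in ("tls", "ssh"):
            reasons.append(kind)
            if SSN_RE.search(f["payload"]):
                reasons.append("ssn-in-cleartext")
        if reasons:
            findings.append({"dst": f["dst"], "dport": f["dport"], "reasons": reasons})
    return findings
```

Note that the TLS flow is still reported: application encryption protects the record contents, but the internal routing information only stops being visible when the link itself is encrypted (for example with an IPsec tunnel).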
So did the OIG get their findings wrong? If so, that’s a pretty big mistake that would make me question whether the OIG is competent to really investigate IT security.
You can read the full report here.