VA will expand device monitoring in
WASHINGTON, D.C. – The Veterans
Affairs Department, which has had a number of embarrassing security and
privacy breaches in the past few years, in 2011 will expand visibility
into activities on its network beyond personal computers to include
printers and other devices that are connected to it.
Government Health IT reports the VA will also reduce the number of
unencrypted laptops this year as it continues to replace aging computers
with new ones that can support the security application.
“We’ve rolled out the visibility to the desktop initiatives so that we
can see all the things that are going on and the desktops causing the
issues across the enterprise,” said Roger Baker, VA CIO, in a recent
information security briefing with reporters.
“We have pretty much eradicated the thumb drives and those things that
are unencrypted now with the visibility to the desktop,” he said. “There
is this constant push for improvement at VA. We’re better now than we
were a year ago.”
A data scanning tool enables VA’s network operations center to monitor
what’s going on with computers and other electronic devices connected to
the department’s network, including the status of hardware and software
security patches, the level of security compliance and the
identification of the administrative division that owns it.
Electronic visibility is designed to ensure that VA policies are being
followed throughout the department and that unauthorized devices are not
allowed to connect to the VA network.
In Baker’s view, paper is a bigger problem than electronics over the
last six months.
“As long as we continue to print things out on paper, we’re going to
continue to have issues with breaches caused by paper,” he said. Unlike
for electronic devices, “we don’t have paper detectors on the doors when
people walk out.”
In 2010, VA employees demonstrated a focus on protecting personal
information across the sprawling department, Baker said. “I’ve been
impressed with the fanaticism with protecting that information.
Everybody gets training,” he said, adding that employees have also
reported potential breaches or near-misses.
VA sends to Congress a monthly accounting of information security
breaches, many of which “are raised because somebody saw something and
they reported it,” Baker said.
“If you can encourage people to report things that they see that might
cause an issue in the future, you can start addressing those things,” he
said, though he admitted that there’s a fine balance between wanting to
take some disciplinary action in some incidents and taking the risk of
stifling others from reporting potential issues.
VA also completed the Medical Device Isolation Architecture at the end
of 2010 to secure its 50,000 medical devices in use throughout the
department’s healthcare facilities. The challenge has been that the Food
and Drug Administration must certify medical devices and any updates
made to them. Application of VA security patches and malware protection
updates through to the devices has been restricted.
Posted January 13, 2011