box10.gif (1299 bytes)







U.S. report

VA will expand device monitoring in 2011

WASHINGTON, D.C. – The Veterans Affairs Department, which has had a number of embarrassing security and privacy breaches in the past few years, in 2011 will expand visibility into activities on its network beyond personal computers to include printers and other devices that are connected to it.

Government Health IT reports the VA will also reduce the number of unencrypted laptops this year as it continues to replace aging computers with new ones that can support the security application.

“We’ve rolled out the visibility to the desktop initiatives so that we can see all the things that are going on and the desktops causing the issues across the enterprise,” said Roger Baker, VA CIO, in a recent information security briefing with reporters.

“We have pretty much eradicated the thumb drives and those things that are unencrypted now with the visibility to the desktop,” he said. “There is this constant push for improvement at VA. We’re better now than we were a year ago.”

A data scanning tool enables VA’s network operations center to monitor what’s going on with computers and other electronic devices connected to the department’s network, including the status of hardware and software security patches, the level of security compliance and the identification of the administrative division that owns it.

Electronic visibility is designed to ensure that VA policies are being followed throughout the department and that unauthorized devices are not allowed to connect to the VA network.

In Baker’s view, paper is a bigger problem than electronics over the last six months.

“As long as we continue to print things out on paper, we’re going to continue to have issues with breaches caused by paper,” he said. Unlike for electronic devices, “we don’t have paper detectors on the doors when people walk out.” 

In 2010, VA employees demonstrated a focus on protecting personal information across the sprawling department, Baker said. “I’ve been impressed with the fanaticism with protecting that information. Everybody gets training,” he said, adding that employees have also reported potential breaches or near-misses.

VA sends to Congress a monthly accounting of information security breaches, many of which “are raised because somebody saw something and they reported it,” Baker said.

“If you can encourage people to report things that they see that might cause an issue in the future, you can start addressing those things,” he said, though he admitted that there’s a fine balance between wanting to take some disciplinary action in some incidents and taking the risk of stifling others from reporting potential issues.

VA also completed the Medical Device Isolation Architecture at the end of 2010 to secure its 50,000 medical devices in use throughout the department’s healthcare facilities. The challenge has been that the Food and Drug Administration must certify medical devices and any updates made to them. Application of VA security patches and malware protection updates through to the devices has been restricted.

Posted January 13, 2011