
VA Suspends Medical Research Following Most Recent Breach Until Security Certification Is Obtained

Saturday, 2/17/07, it was widely reported that the U.S. Veterans Affairs (VA) was suspending "activities at seven specialized research centers across the country after an unprotected computer hard drive disappeared from one of the facilities in Alabama last month."

The VA Secretary, Jim Nicholson, is requiring the programs to be halted until security certification is obtained.

"Writing to VA's top management on Thursday, Nicholson also said the department would begin unannounced inspections at VA sites nationwide. "It is now clear to me that there are still too many VA employees, both in senior positions and elsewhere, who either still do not comprehend the seriousness of this issue, or who consciously disregard its seriousness," he wrote.

Nicholson has come under sharp criticism on Capitol Hill in the past year over a series of computer security failures that put sensitive personal information for millions of veterans at risk. In the latest incident, a backup hard drive containing data such as Social Security numbers for up to 1.8 million veterans and physicians was reported missing Jan. 22 from a research site in Birmingham, Ala. As a federal investigation proceeds, officials have remained tightlipped about the case. But in the letter, Nicholson wrote that the employee was a research assistant and the hard drive may have been stolen. The VA acknowledged earlier this week that the hard drive was not encrypted, a violation of the department's policy."

There WAS a policy requiring the data to be encrypted; however, the data was NOT encrypted as required. The policy existed, but it was not being enforced.

Think about all the organizations where this is also true. So many businesses create information security policies just to say they have policies, but then do nothing to support the policies through procedures, tools, audits, or business leader example and executive support.

"In auditing the department's security procedures last year, federal investigators found weak management and lax rules."

Policies are all too often not followed.

When employees, business partners, and the public in general know that an organization has policies but does not enforce them, that knowledge opens a door of opportunity: the gap between policy and practice is a huge vulnerability that can be exploited to steal personally identifiable information (PII), disrupt operations, and commit fraud and other crimes.


Comments

This is a classic case of the employees being totally unconcerned about following the rules, in this case encrypting information, and WE are the ones who pay the price when our personal information is sold to ID Thieves. As a Certified Identity Theft Risk Management Specialist, I hear all kinds of stories of what is happening out there and see the effects of our government and businesses playing fast and loose with our personal information. The Federal Trade Commission says on average it takes 600 hours to put yourself back to where you were before you were victimized. Who has that kind of time and energy? This is exactly why I have legal insurance and an Identity Theft Shield. Take a look at the website and see for yourself.

I think it also points to a lack of sufficient, or perhaps more accurately lack of successful and good, training and awareness for personnel. Too little time and resources are put into educating personnel about information security and privacy within most organizations, including within the government.

Yes, the victims of identity theft, fraud and related crimes should not bear the brunt of the poor security practices of the organizations to whom they entrusted their PII.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.