VA toughens security after PC disposal blunders

By Judi Hasson
Aug. 26, 2002

The Department of Veterans Affairs is tightening its policy on the disposal of old computers following disclosures that 139 computers containing sensitive personal information about veterans, including their medical records, were given away.

Although the VA has had security rules since 1997 on purging sensitive data before disposing of old computers, the policy was breached by the Indianapolis VA Medical Center. The facility failed to erase personal information before giving away the computers to educational institutions, the state of Indiana or private individuals.

The computers' hard drives contained a wealth of personal data, including information about a veteran with AIDS and others with mental health problems. Some computers also contained the numbers of 44 government credit cards, according to memos on the incident obtained by Federal Computer Week.

Three of the computers wound up at a local thrift store in Indianapolis, where a local TV reporter bought them in May. Those computers contained data on seven veterans; the total number of veterans whose personal data was on the computer hard drives has not been determined. All but 15 of the computers have been recovered.

John Gauss, the VA's chief information officer, said the agency decided to buy an enterprise license for Ontrack Data International Inc.'s DataEraser software as a result of the Indianapolis incident.

"We also examined our overall cybersecurity process and decided we were going to strengthen it through the development of a qualification and certification program for ISOs," or information security officers, Gauss said.

Bruce Brody, the VA's cybersecurity chief, said the Indianapolis incident helped speed efforts to tighten security within the VA.

Although the VA's new policy has not been formalized, the Office of Cyber Security plans to establish a program by Oct. 1, 2003, to train and certify all 600 ISOs within the department. Nevertheless, information security officials already know about the new policy, Gauss said.

In a letter to Rep. Steve Buyer (R-Ind.), VA Secretary Anthony Principi said the Indianapolis incident is an "unacceptable violation of VA security policy.... I share your concern over the confidentiality, integrity and availability of the sensitive veteran data [with] which our department is entrusted."

He spelled out a new policy that will include random audits and inspections by the Office of Cyber Security to make sure policies are being followed.

"The purpose is not to go find people and bust them, [but to] find when people make mistakes and talk directly to them," Gauss said.

***

VA on guard

The Department of Veterans Affairs has taken several steps to prevent future privacy breaches like the recent one, in which the agency donated computers to outside organizations without removing sensitive data from the hard drives.

VA officials:

* Bought an enterprise license for Ontrack Data International Inc.'s DataEraser, which overwrites data on a hard drive so that it cannot be recovered.

* Plan to buy electromagnetic wands for deleting information by demagnetizing hard drives.

* Are developing a program for certifying information security officers.

FCW.COM is a product of FCW Media Group, a 101 Communications company