VA Data Breached Again -- Enough Already

By Kim S. Nash  |  Posted Wednesday, February 07, 2007 05:02 AM

Not again. More data is missing from the VA. On Feb. 2, the U.S. Department of Veterans Affairs announced that a portable hard drive was reported missing from its Birmingham, Ala., office on Jan. 22. Over the weekend, Rep. Spencer Bachus (R-Ala.) told the Associated Press that the drive contained data on as many as 48,000 veterans.

Baseline readers know the high business and personal costs of data breaches, and that there's been a steady rain of them reported in the past two years.

But the VA takes the cake at this point. These breaches aren't going unnoticed, and some observers are calling for the head of Jim Nicholson, secretary of Veterans Affairs. Nicholson says in a press release about the Alabama incident that the VA "resolve[s] to be the leader in protecting personal information." But James Childers, blogger and CEO of tech security vendor Artemis Solutions Group, based in Freeland, Wash., retorts: "This statement would be almost laughable if it wasn't such a serious threat to both personal liberty and national security."

What gives me pause is that the day before the VA announced the Alabama problem, Nicholson speechified at the annual Military Health Systems Conference in Washington, touting the VA's electronic medical records system as "one of the most comprehensive and sophisticated" in the United States. That may be true; exam notes are digitized alongside patients' lab test results and X-rays, the VA claims, adding that there's no downtime. "Records are available 100 percent of the time to health care workers," the VA said last week in a statement about Nicholson's speech.

But clearly, what isn't so comprehensive and sophisticated is the VA's general approach to data security. Imagine when that internal electronic medical records system is breached. The VA called in the FBI for a criminal investigation of the Alabama incident and started an "administrative" investigation "to determine how such an incident could occur," according to the VA press release.

Well, here's a hint for the VA: Check your history books. Perhaps the press releases, internal documents and all the other information related to the seven other data breaches you reported in the past two years will give you some leads. Unless you've lost that data, too.

UPDATE: As part of its proposed $87 billion budget for the next fiscal year, the VA has asked for $70 million "for cyber security" so it can become, in its words, "the gold standard in I.T. security."

I really don't have a good handle on this -- what kind of security can you buy for $70 million? Of course, it depends on how you use the money. But is that enough?