Witnesses say information security at VA still weak

Wilshusen said under the Federal Information Security Management Act, it was VA’s responsibility to ensure its contractors were following the proper security procedures, including encrypting sensitive data on the laptop. In order to prevent a similar breach, he stressed that VA needed stronger, two-factor security controls for networked computers and to ensure any device linked up to the network is completely encrypted.

VA chief information officer Roger Baker acknowledged that information security has been a challenge for his department, but said since he took over last year he has made it his top priority and outlined a number of changes under way to the department’s approach. That includes on-site audits of contractors thought to be in violation of the policies and creating a program that will allow VA to instantly identify any unauthorized or unencrypted devices attached to its network.

“I recognize that we are far from perfect and have a long way to go to achieve our information protection goals,” Baker said.

Wilshusen said many of the problems at VA stem from the department’s previous, decentralized approach to information security. He admitted that some progress has taken place on that front since the 2006 theft of a laptop containing personal data on more than 26 million veterans. He said since then the department has made information security a greater priority.