IG: Contractor Improperly Accessed VA ITEmployees Shared Accounts to Access Medical Records System
Belinda Finn, assistant inspector general for audits and evaluations, wrote in an audit dated July 27, that contractor personnel improperly shared user accounts when accessing VA networks and the Veterans Health Information System and Technology Architecture systems, known as VistA, which handles sensitive electronic healthcare records. Employees at the contracting company told the IG they were not well aware of VA's IT security requirements, which the inspector general said is spelled out in their contract.
That response, as well as VA's inaction, didn't bode well with Finn. "Without effective controls to prevent unauthorized access by contractors, VA information systems and sensitive veteran data are vulnerable to increased risks of compromised availability, integrity and confidentiality," Finn wrote. "The lack of individual accountability over user accounts provides ample opportunities to conceal malicious activity such as theft or misuse of veteran data."
Neither the IG nor the VA in its response identified the contractor by name. But, according to the audit, the vendor provides the VA with hardware and proprietary software to allow veterans, over the telephone, to access VistA applications to refill prescriptions and schedule and confirm medical appointments.
Among the failures Finn spelled out in the audit: Termination of user accounts for separated employees and not obtaining appropriate security clearances or complete security awareness training prior to gaining access to VA systems. In addition, the auditor said, the contractor's systems contained a number of information security control deficiencies that could allow malicious users to gain unauthorized access to VA information systems.
The auditor blamed the VA for not implementing effective oversight to ensure that contractor practices comply with its information security policies and procedures.
The IG recommended Roger Baker, the VA assistant secretary for information and technology - who serves as the departmental chief information officer - implement procedures for monitoring contractor user accounts and terminate accounts for separated employees. Moreover, the IG said, the CIO should ensure contractor employees obtain appropriate security clearances and security awareness training before accessing VA systems. The IG also recommended the CIO ask the VA deputy assistant secretary for acquisition and logistics to modify vendor contracts to reflect higher level personnel security requirements. A final recommendation would have the CIO review contractor system security controls and practices to ensure compliance with VA requirements.
Stephen Warren, the VA principal deputy assistant secretary for information and technology, responded that the department concurred with the IG's recommendations and is implementing them.
The July 2010 complaint left on the departmental hotline alleged that the unauthorized access occurred at VA medical facilities in Columbia and Kansas City, Mo.; Huntington, W.Va.; and Wilmington, Del.
As part of its review, the IG visited the vendor's corporate offices to discuss the merits of the hotline allegation and gain an understanding of its information security controls. Auditors also identified contractor employees who access VA systems and reviewed their personnel files for evidence of security clearances and security awareness training. At VA hospitals, the IG examined processes for granting contractors' security clearances with related security awareness training, reviewing contractors' user accounts, and for providing oversight of contractor managed systems.