Each month, Roger Baker, CIO of the Veterans Affairs Department, briefs reporters about the previous month’s electronic and paper data breaches and near misses. It used to be a lively discussion, mostly about human gaffes with technology that carried potentially serious consequences for what was sometimes a large number of innocent individuals.
Over time, however, the data breach reports have become, to be honest, rather boring.
Data breaches now occur only with paper records. In the June report (PDF), for example, there were nine mis-mailed prescriptions out of 6,305,975 packages mailed from VA's outpatient pharmacy, or a form for one veteran put in an envelope and mailed to another.
A major reason for the improvement in electronic health information security is that VA has now encrypted all its laptops, save the few that are not used for information operations.
An encrypted laptop essentially becomes a brick when an unauthorized person tries to access it after it is lost or stolen. The caveat a practitioner would add: full-disk encryption protects data at rest, so the guarantee is strongest when the machine is powered off or sitting at a pre-boot prompt; a laptop taken while running or asleep with its volume unlocked is a weaker case, which is why pre-boot authentication and short lock timeouts matter alongside the encryption itself.
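Whether a lost laptop really is a brick depends on more than an "encrypted" flag in an inventory system. As an added example, not VA's code and not from the article (which does not name the encryption product; BitLocker and its `manage-bde -status` output are assumed here, and the sample output is constructed rather than captured from any real machine), the following Python check parses that output and refuses to call a volume protected unless it is fully converted, protection is actually on, and the key is bound to a TPM. The interesting edge case is a volume that reports "Fully Encrypted" but "Protection Off": its protectors are suspended and a clear key on disk unlocks it without any credential, so a fleet report that only looks at the conversion status would wrongly clear it.

```python
"""Added example (not VA's code): decide from `manage-bde -status` output whether
each BitLocker volume would actually be unreadable to whoever picks up the laptop."""
import re
from dataclasses import dataclass, field
from typing import List

VOLUME_RE = re.compile(r"^Volume ([A-Z]): \[(.*)\]")
FIELD_RE = re.compile(r"^ {4}(\S[^:]*):\s*(.*)$")   # "    Key:   Value" lines
PROTECTOR_RE = re.compile(r"^ {8}(\S.*)$")           # lines indented under Key Protectors


@dataclass
class VolumeStatus:
    letter: str
    label: str
    conversion: str = ""
    protection: str = ""
    method: str = ""
    protectors: List[str] = field(default_factory=list)

    def findings(self) -> List[str]:
        """Reasons this volume must NOT be treated as 'encrypted, so no breach'."""
        reasons = []
        if self.conversion != "Fully Encrypted":
            reasons.append(f"conversion is '{self.conversion}' (plaintext sectors remain)")
        if self.protection != "Protection On":
            # Fully encrypted + Protection Off means protectors are suspended:
            # a clear key stored on the disk unlocks the volume at boot.
            reasons.append(f"protection is '{self.protection}' (clear key on disk)")
        if not any(p.startswith("TPM") for p in self.protectors):
            reasons.append("no TPM-bound key protector")
        return reasons

    def is_protected(self) -> bool:
        return not self.findings()


def parse_manage_bde(text: str) -> List[VolumeStatus]:
    volumes: List[VolumeStatus] = []
    current = None
    in_protectors = False
    for line in text.splitlines():
        m = VOLUME_RE.match(line)
        if m:
            current = VolumeStatus(letter=m.group(1), label=m.group(2))
            volumes.append(current)
            in_protectors = False
            continue
        if current is None:
            continue  # banner lines before the first volume
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            in_protectors = key == "Key Protectors"
            if key == "Conversion Status":
                current.conversion = value
            elif key == "Protection Status":
                current.protection = value
            elif key == "Encryption Method":
                current.method = value
            continue
        if in_protectors:
            m = PROTECTOR_RE.match(line)
            if m:
                current.protectors.append(m.group(1).strip())
    return volumes


def unprotected_volumes(text: str) -> List[str]:
    """Drive letters that would still expose data if the laptop were lost."""
    return [v.letter for v in parse_manage_bde(text) if not v.is_protected()]


# Constructed sample in the shape of `manage-bde -status` output (assumed format,
# not captured from any VA device): C: healthy, D: suspended, E: still converting.
SAMPLE_OUTPUT = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041

Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Key Protectors:
        Numerical Password
        External Key

Volume E: [Scratch]
[Data Volume]

    Conversion Status:    Encryption In Progress
    Percentage Encrypted: 43.2%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Key Protectors:
        Numerical Password
"""

if __name__ == "__main__":
    for v in parse_manage_bde(SAMPLE_OUTPUT):
        verdict = "OK" if v.is_protected() else "; ".join(v.findings())
        print(f"{v.letter}: [{v.label}] {v.method}: {verdict}")
```

On a real endpoint the text would come from running `manage-bde -status` and feeding its output to `parse_manage_bde`; the point of the check is that the "Protection On" line and a TPM protector, not the "Fully Encrypted" line alone, are what let an incident team close a lost-laptop case as a near miss rather than a breach.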
“It is no longer a problem of the CIO world here,” Baker said at his Aug. 2 briefing. While there is still cost to replacing laptops and other lost or stolen mobile devices, there is benefit for VA’s reputation in not having to publicly identify that electronic protected health information is missing or may have been accessed.
Private and public healthcare organizations must report to the Health and Human Services secretary and to the public when a data breach affects more than 500 individuals. Four VA data breaches appear among the 479 incidents on the HHS Office for Civil Rights “Wall of Shame”. Only one involved a laptop, which was stolen in 2010 from a VA contractor; the contractor later installed encryption on its computers.
As a result of VA’s 2006 data breach involving the theft of a laptop containing the data of millions of veterans, and which was subsequently recovered, the department started to encrypt its computers as they were replaced and updated.
VA also consolidated its IT under the department CIO, set stringent privacy and security policies and procedures and stepped up employee training.
Additionally, VA has established electronic visibility into every device, “versus having to do a data call and believing what you get out of 210 different organizations,” Baker said. The tool enables VA security staff to see exactly what software is running and what is going on in every desktop, laptop and server across the enterprise.
Baker also reports daily to VA Secretary Eric Shinseki about everything that has happened in IT for the past 24 hours.
“My routine for the past four years has been to get my exercise in early and get to the office by 7 a.m. so that I can be ready to sit down with the secretary at 8 a.m., and give him a full brief of everything going on inside of IT,” Baker said.
With information moving to smartphones, VA has also put in place a mobile device manager to enforce security policy on the 1,000 iPhones in the initial rollout. A more robust mobile device manager, able to handle the many thousands more devices anticipated, is now in procurement. Existing password-protected BlackBerry smartphones can be wiped remotely if they are lost or stolen.
VA uses a cross-functional team to assess what caused a data breach or near miss, whether affected people need notification or credit monitoring, and overall how VA will handle the incident. The core team evaluates what occurred and determines what goes into the monthly data breach report to Congress, which required the monthly report in the wake of the 2006 incident.
“The CIO doesn’t have editorial authority over the data breach report,” Baker said, adding that’s important for agency transparency.
For example, in a past incident where no personal data was at risk, a clinician lost a laptop out of the trunk of a car because the trunk wasn’t shut tight and the computer fell out by the side of the road. Veterans’ information was likely on it, but the laptop was encrypted, so there was no risk of an information breach. A service member driving by right afterward picked up the laptop and returned it to a local military base, which returned it to VA. The chain of custody while the laptop was outside the clinician’s control was documented, so the incident was quickly cleared.
“We look at near misses, and that’s why we have focused so much on encrypting those laptops. We know that traveling things are going to happen to them, and there is no way to make an absolute assertion that nothing has happened to the information unless they are encrypted,” Baker said.
Paper health records will continue to vex VA and any other healthcare organization, but electronic data breaches seem to be becoming a thing of the past at VA. Congress may find the monthly data breach reports increasingly boring as well.