The Department of Veterans Affairs (VA) houses massive amounts of data on thousands of veterans all over the country. Furthermore, the Veterans Health Administration (VHA) is considered the largest integrated healthcare system in the United States. So when it comes to the topic of cybersecurity in the VA, there’s a lot at stake. Is enough being done to protect important data?
Security Weaknesses Abound
Each year, the VA conducts a Federal Information Security Modernization Act (FISMA) audit and publishes some of its key findings in a publicly available report. The objective of this report is to determine the extent to which the VA’s information security practices comply with FISMA requirements.
According to the results of one recent report, the VA continues to face rather significant challenges in complying with FISMA requirements. This is the direct result of the nature and maturity of its information security program. The report offers 29 separate recommendations for improving cybersecurity within the department. These findings are broken down into eight key areas of concern that the VA must address as soon as possible:
- Agency-wide security management program. The department has a team working on dozens of specific plans of action to address core vulnerabilities. However, there are still significant risks and weaknesses with this team that must be confronted.
- Identity management and access controls. When it comes to access management programs – which determine who has access to VA systems and what they’re allowed to do within these systems – there are grave concerns. The department lacks strong password management, audit logging and monitoring, authentication (including two-factor), and access management systems.
- Configuration management controls. While the VA has baseline configurations in place to establish and encourage minimum security across the department, auditors discovered that they aren’t being adopted or consistently enforced.
- System development/change management controls. The VA has documented policies in place to ensure that all new systems and applications meet security standards as they go online. Unfortunately, approvals and plans for numerous projects were found to be incomplete or altogether missing. Most glaring were the missing authorizations for two major data centers and five VA medical centers.
- Contingency planning. In case of a major systems failure, the VA has contingency plans in place to secure and recover veteran data. With that being said, these plans haven’t been fully tested and there’s evidence to suggest at least a dozen medical centers have failed to encrypt backups for critical systems.
- Incident response and monitoring. While the VA has made significant improvements in this area over the last couple of years, the department is failing to fully monitor sensitive network connections with a number of important business partners.
- Continuous monitoring. The VA lacks a comprehensive continuous monitoring program that’s capable of identifying abnormalities in the system. This makes it difficult to consistently find and remove unauthorized applications.
- Contractor systems oversight. When it comes to external contractors that the VA works with, the department doesn’t have adequate controls in place for monitoring their cloud computing systems. Furthermore, the report found numerous high-risk vulnerabilities on these contractor networks as a result of things like outdated and/or unpatched operating systems.
The fact that the VA continues to fail in meeting cybersecurity expectations is a surprise to no one. The incompetency within this department has been well documented over the decades. Yet, as difficult as it may be to see, progress is finally being made.
For the most part, this progress has come in the form of the development of robust policies and strategic procedures. Unfortunately, the VA still faces significant challenges in actually implementing tangible components.
4 Possible Suggestions and Solutions
If the VA’s cybersecurity challenges were simple, they would already be solved. Instead, they’re complex and challenging – requiring a rigorous approach. While this is by no means a comprehensive list, here are a few suggestions and solutions that may address some of the aforementioned concerns (as well as some other points of friction):
1. Limit Access
Access is a serious concern in almost every large organization around the world – federal, public, or private. It’s no different in the VA, where far too many people have access to information and data that they have no use for.
With such confidential data stored in the VA systems, there’s significant risk in a lackadaisical approach to access management. A stronger system that limits access based on job title and job responsibility is key. It would also be helpful to have a system in place that provides limited and/or temporary access for individuals who need it for isolated purposes. Audit log collections are also helpful. They would provide a comprehensive record of digital comings and goings, while enhancing accountability and amplifying the VA’s ability to detect and identify intruders.
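The three ideas in this section (access by job role, time-limited access for isolated tasks, and an audit log that helps spot intruders) can be sketched together. This is an added example, not code from the VA or from the audit report; the role names, permission strings and the denial threshold are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed role-to-permission map (hypothetical names).
ROLE_PERMISSIONS = {
    "physician": {"clinical_record:read", "clinical_record:write"},
    "claims_processor": {"benefit_claim:read", "benefit_claim:write"},
    "help_desk": {"account:reset"},
}


@dataclass
class AccessController:
    user_roles: dict                                  # user -> job role
    temp_grants: list = field(default_factory=list)   # (user, permission, expires_at)
    audit_log: list = field(default_factory=list)

    def grant_temporary(self, user, permission, expires_at, approver, now):
        """Time-boxed access for an isolated task; the approval is logged too."""
        self.temp_grants.append((user, permission, expires_at))
        self._audit(now, approver, f"grant:{user}:{permission}", True, "approval")

    def check(self, user, permission, now):
        """Allow by job role first, then by an unexpired temporary grant."""
        role = self.user_roles.get(user)
        if permission in ROLE_PERMISSIONS.get(role, set()):
            reason = f"role:{role}"
        elif any(u == user and p == permission and now < exp
                 for u, p, exp in self.temp_grants):
            reason = "temporary_grant"
        else:
            reason = None
        # Every decision is recorded, allowed or not.
        self._audit(now, user, permission, reason is not None, reason or "denied")
        return reason is not None

    def _audit(self, now, user, action, allowed, reason):
        self.audit_log.append({"time": now, "user": user, "action": action,
                               "allowed": allowed, "reason": reason})


def repeated_denials(audit_log, threshold=3):
    """Users with many denied requests: a simple signal worth reviewing."""
    denied = Counter(e["user"] for e in audit_log if not e["allowed"])
    return sorted(user for user, n in denied.items() if n >= threshold)
```

Passing `now` explicitly keeps the decision logic deterministic, so the expiry behaviour of a temporary grant can be checked without waiting for real time to pass.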
2. Improve Authentication
As of the end of fiscal year 2018, the VA had yet to fully implement two-factor authentication across the entire department (and it was nowhere to be found in local network access). This has to change.
As you may know, two-factor authentication is designed to stop stolen and compromised credentials by requiring a second level of authentication. Instead of only requiring something a person knows (username and password), two-factor authentication also asks for something a person has in their possession (like a smartphone). After logging in with the standard username-password combo, a code is then sent to a specific device via SMS, phone, or email. This code – which typically has an expiration time of just a few minutes – has to be retrieved and then input. Without both elements, login is denied.
With two-factor authentication, the idea is that it’s much more difficult for a remote hacker to gain access to an account. While it’s not a foolproof system, it’s superior to anything the VA currently has in place.
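The server side of the flow described above, as an added example that is not part of the original article: a code is issued after the password step, expires after a few minutes, can be used once, and tolerates only a limited number of wrong guesses. The 300-second lifetime, the five-attempt limit and all names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: "a few minutes"
MAX_ATTEMPTS = 5        # assumption: guesses allowed per issued code


class SecondFactor:
    """Issues and checks the one-time code sent after the password step."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> salt, digest, expiry, tries

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "salt": salt,
            "digest": self._digest(salt, code),  # never store the code itself
            "expires": self._clock() + CODE_TTL_SECONDS,
            "tries": 0,
        }
        return code  # handed to the SMS/phone/email delivery channel

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return "no_pending_code"
        if self._clock() > entry["expires"]:
            del self._pending[user]
            return "expired"
        entry["tries"] += 1
        if entry["tries"] > MAX_ATTEMPTS:
            del self._pending[user]  # stop online guessing of 6 digits
            return "locked"
        candidate = self._digest(entry["salt"], submitted)
        if not hmac.compare_digest(candidate, entry["digest"]):
            return "wrong_code"
        del self._pending[user]  # single use: a replayed code fails
        return "ok"

    @staticmethod
    def _digest(salt, code):
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()


def login(password_ok, factor_result):
    return password_ok and factor_result == "ok"  # both elements required
```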
3. Make Key Processes More Efficient
Cybersecurity issues and process inefficiencies go hand in hand at the VA. It’s one of those chicken-and-egg dilemmas: Do cybersecurity flaws make processes inefficient, or do inefficient processes lead to cybersecurity issues? Considering that the VA’s inefficiencies have been around far longer than the internet, it’s safe to assume that fixing certain inefficiencies is the best place to start.
Take the process of obtaining a DD214 copy – the document veterans need to receive benefits like disability – as an example. The process is confusing, time-consuming, and frustrating. There’s so much governmental red tape involved that people often end up waiting weeks to obtain copies. The problem lies in the fact that there’s a lack of organization and proper filing in place to quickly access information. And if there are issues on this side of things, it stands to reason that there are also problems on the data security front.
When procedures are made more efficient, there are fewer shadows for security issues and vulnerabilities to lurk. Restructuring of these processes could produce positive change.
4. Prevent Medical Device Cyber Attacks
As you may guess, hospitals and healthcare organizations are highly profitable targets for hackers using ransomware. These hackers will target medical devices, shut down key systems, and wait until the hospital pays the ransom before restoring them. In addition to putting lives in danger in the short term, these attacks have the potential to compromise millions of data records and, over the long term, put personal privacy at risk.
Just a couple of years ago, the SamSam ransomware attack forced a shutdown of operations at 10 MedStar Health hospitals and 250 outpatient centers. The hackers wanted $19,000 in Bitcoin. MedStar refused to pay and it took days before the network was restored. In another SamSam attack, Indiana-based Hancock Health ended up paying a $55,000 ransom to regain control. Between MedStar, Hancock, and other targets, the SamSam attack cost companies more than $30 million in direct costs and millions more in indirect expenses and reputation loss.
The VA isn’t immune from potentially experiencing similar attacks. As recently as the middle of 2016, the VA had documented 181 cases of infected medical devices. So far, there have been relatively few issues as a result of these infections, but the fact that dozens of devices can be compromised speaks to the severity of the issue at hand.
The VA must work carefully to become more secure at the individual device level. This requires an extensive overarching strategy and a conscientious approach to monitoring. But with ransomware attacks expected to rise in the future, this is an issue that must be dealt with as soon as possible.
More Work To Be Done
It would be unfair to say that the VA is sitting back and ignoring its cybersecurity issues. The truth of the matter is that they’re hard at work correcting the issues uncovered in recent FISMA audit reports. Unfortunately, this to-do list is so extensive that it’ll take years at this pace before every shortcoming can be addressed. The hope is that, in the meantime, nothing catastrophic will occur.
Our nation’s veterans should be honored and respected above all else. In addressing key cybersecurity concerns, we’re actively working toward a VA that prioritizes its members and provides them with the privacy that they deserve.