The Department of Veterans Affairs (VA) continues to face long-standing challenges in effectively implementing its information security program, according to the U.S. Government Accountability Office’s (GAO) latest report.
Specifically, the VA had weaknesses in key information security control areas from 2007 to 2013. Those areas include access control, configuration management, segregation of duties, contingency planning and security management.
The number of incidents affecting the VA’s information, computer systems and networks has generally risen over the last several years. Specifically, in fiscal year 2007, the department reported 4,834 information security incidents to US-CERT; in fiscal year 2013, it reported 11,382 incidents. These included incidents related to unauthorized access; denial-of-service attacks; installation of malicious code; improper usage of computing resources; and scans, probes, and attempted access, among others.
The report claims that draft legislation being considered by Congress would address the governance of the VA’s information security program and security controls for the department’s systems. It would require the secretary of the VA to improve transparency and coordination of the department’s security program and ensure the security of its critical network infrastructure, computers and servers, operating systems, and web applications, as well as its core veterans’ health information system.
The VA maintains the largest integrated healthcare system in the nation for approximately six million patients, provides compensation and benefits for about four million veterans and beneficiaries, and maintains about three million grave sites at 164 properties.