VA conducts security review of laptop PCs, bars nondepartment PCs from VPN

Agency has also suspended the practice of permitting employees in the Veterans Benefits Administration to remove claims files from office computers and work on them at home.

The Veterans Affairs Department has ordered a security review of every laptop computer at the VA and has banned employees from connecting any employee-owned computers to the VA virtual private network (VPN), VA Secretary James Nicholson said at a hearing of the House Committee on Government Reform today.

Nicholson was called to testify in the wake of the theft of a laptop that contained VA records on 26.5 million veterans. The laptop was stolen from the home of a VA data analyst. Nicholson said he has suspended the practice of permitting employees in the Veterans Benefits Administration to remove claims files from office computers and work on them at home.

The VA has also started a departmentwide security review of every laptop to ensure that all antivirus and security software is current. That review will include the removal of any unauthorized information or software on department laptops. The VA will also change security settings for its VPN every day, Nicholson said.

With the release this week of a new directive, “Safeguarding Confidential and Privacy Act-Protected Data at Alternative Work Locations,” the VA has also reinforced its information security policies for teleworkers, Nicholson said.

This directive, he added, informs all employees that failure to comply with VA information security policy may violate federal law, with the possibility of civil or criminal penalties for violations.

To reinforce the importance of information security, Nicholson said every VA facility and office in the country will stand down for a “Security Information Week” beginning June 26. This will permit managers to review security and reinforce privacy obligations and responsibilities with their staff, Nicholson said.