Info security tops VA's list

The Department of Veterans Affairs, which has faced information security challenges, has taken a series of steps in the past year to safeguard its computer systems, according to a General Accounting Office report released last month.

GAO concluded that VA has made progress in tightening the security of its data but stressed a focus on "commitment" as VA leaders attempt to correct long-standing weaknesses.

"VA's success in improving information security is largely dependent on the level of commitment to this throughout VA and adequate resources being effectively dedicated to implement its departmentwide plan," GAO officials wrote in the report.

GAO said tighter information security is essential for VA, which manages personal benefit- and health-related information on veterans and their families. The department's services are available to 25 million veterans, plus about 44 million family members.

But making sure the information remains safe amid threats of nosy or disgruntled employees and malicious outsiders remains a concern at VA. In the report, federal investigators quoted Harold Gracey, chief information officer for the department, saying that VA so far has avoided an information security catastrophe. "We haven't had a terrible experience. We've been lucky," he said. "What we're trying to do is get ahead of the curve."

He said that since he took his job in July 1998, he has taken two key steps to improve the security of information within the department. Those measures include establishing a departmentwide working group to examine broad policy issues and procedures for securing information, and establishing a security staff to focus on the more technical aspects of protecting data.

Still, GAO officials stressed that VA needed consistency and central coordination of information security activities in the highly decentralized agency, which is made up of 172 medical centers, 551 clinics, 131 nursing homes and 40 domiciliaries.

"Although progress in correcting weaknesses was uneven across VA organizations, each organization had initiated actions to improve certain aspects of their computer security planning and management programs," GAO wrote. "However, these efforts were performed independently and not coordinated under a departmentwide computer security planning and management program."

Gracey said the department plans to spend $80 million from fiscal 1999 through fiscal 2003 on information security, with the bulk of that money being spent in the final three years as VA continues to refine its information security plans. "We're certainly going to follow GAO's agenda," Gracey said, explaining that the agency has not fully heeded GAO's advice in the past. "They're right, and we haven't been listening," he said.

GAO's information security agenda also includes segregating computer duties such as programming and quality assurance to reduce the risk of fraud and error, as well as instituting more effective password management. Gracey said he intends to automate management of security at VA so that access privileges are changed automatically when an employee switches jobs within the agency.

According to Gracey, getting attention focused on information security has been a challenge because the safety of data is difficult to quantify in a cost-benefit analysis, in which other, more tangible agency expenses such as basic health care costs and benefits might overshadow information security.

"What essentially we're asking for is insurance," he said. "I think getting attention on that was more difficult than I thought."