VA toughens security after PC disposal blunders

The Department of Veterans Affairs is tightening its policy on the disposal of old computers following disclosures that 139 computers containing sensitive personal information about veterans, including their medical records, were given away.

Although the VA has had security rules since 1997 on purging sensitive data before disposing of old computers, the policy was breached by the Indianapolis VA Medical Center. The facility failed to erase personal information before giving away the computers to educational institutions, the state of Indiana or private individuals.

The computers' hard drives contained a wealth of personal data, including information about a veteran with AIDS and others with mental health problems. Some computers also contained the numbers of 44 government credit cards, according to memos on the incident obtained by Federal Computer Week.

Three of the computers wound up at a local thrift store in Indianapolis, where a local TV reporter bought them in May. Those computers contained data on seven veterans; the total number of veterans whose personal data was on the computer hard drives has not been determined. All but 15 of the computers have been recovered.

John Gauss, the VA's chief information officer, said the agency decided to buy an enterprise license for Ontrack Data International Inc.'s DataEraser software as a result of the Indianapolis incident.

"We also examined our overall cybersecurity process and decided we were going to strengthen it through the development of a qualification and certification program for ISOs," or information security officers, Gauss said.

Bruce Brody, the VA's cybersecurity chief, said the Indianapolis incident helped speed efforts to tighten security within the VA.

Although the VA's new policy has not been formalized, the Office of Cyber Security plans to establish a program by Oct. 1, 2003, to train and certify all 600 ISOs within the department. Nevertheless, information security officials already know about the new policy, Gauss said.

In a letter to Rep. Steve Buyer (R-Ind.), VA Secretary Anthony Principi said the Indianapolis incident is an "unacceptable violation of VA security policy.... I share your concern over the confidentiality, integrity and availability of the sensitive veteran data [with] which our department is entrusted."

He spelled out a new policy that will include random audits and inspections by the Office of Cyber Security to make sure policies are being followed.

"The purpose is not to go find people and bust them, [but to] find when people make mistakes and talk directly to them," Gauss said.

***

VA on guard

The Department of Veterans Affairs has taken several steps to prevent future privacy breaches, such as what recently occurred when the agency donated computers to outside organizations without removing sensitive data from the hard drives.

VA officials:

* Bought an enterprise license for Ontrack Data International Inc.'s DataEraser, which overwrites data on a hard drive so that it cannot be recovered.

* Plan to buy electromagnetic wands for deleting information by demagnetizing hard drives.

* Are developing a program for certifying information security officers.