VA gets ready for iPhones and iPads

Veterans Affairs Department employees should be able to use their personal iPhones and iPads on VA internal networks by Oct. 1, according to the VA's CIO, Roger Baker.

Assuming all security testing is completed as expected, the first applications for the mobile devices are likely to be primarily e-mail and clinician interface applications, in which any VA information stored on the devices would be encrypted for the purpose of security and privacy, Baker said in a conference call with reporters July 25.

Some of the kinks in the plans are still not worked out, Baker added. For example, although the VA intends to purchase some iPhones and iPads for employee use, it is still considering whether to do a bulk purchase. In addition, one of the main goals is to allow secure access for the many VA employees who already own personal iPhones and iPads, Baker said.

VA to open network to popular mobile devices

iPhone, iPad, Android: What can you buy with $2,000?

VA users who wish to have VA network access would have to be willing to submit their iPhone or iPad to some initial testing, and possibly ongoing checks to determine if any applications are interfering with security applications, Baker said.

“We will have to be clear about enforcement,” he said. “ We need flexibility on both sides. ...The most important thing is the ability to store information in an encrypted form.”

In addition to storing certain types of encrypted VA data, the VA employees by Oct. 1 would be able to use their iPhones and iPads in “view only” mode to visually access any data they are authorized to view on the VA system but without being able to download the data, he added.

Baker initially announced earlier this month that the department was conducting tests and expected to enable access to departmental wired and wireless networks for several additional popular mobile devices. About 20,000 to 30,000 VA employees already use authorized BlackBerry mobile devices on VA networks.

Baker disclosed that the iPhone and iPad would be the only covered devices for the Oct. 1 target date. At a future time, many more mobile devices are expected to be enabled for “view only” access, he added.

Several other issues also are being considered as the Oct. 1 target date approaches, including how to include flexibility into acquisitions so that the VA, due to long acquisition processes, is not stuck buying older devices as the next-generation devices are released, he said.

The transition to mobile devices also may reduce costs as VA employees may be offered iPhones or iPads as a substitute for laptop computers, Baker added. The mobile devices first won't replace desktop computers but may do so eventually, he added.

The shift to mobile devices “should be a cost-reducing move for the organization,” Baker said. “These are cheaper than laptops. An employee can have either this or a laptop.”

Another concern that is being evaluated in pilot testing is whether encryption and security for iPhones and iPads can meet Federal Information Processing Standard 140-2, which Baker referred to as an “interesting piece of this.”

Baker said the VA will test iPhone and iPad encryption applications to ensure they meet a standard that is adequate to protect information and does not create “undue risk.” Baker said he, on behalf of the VA, would accept encryption measures that met that standard.

Baker added that his approach might present some concerns to enforcement of FIPS 401-2 by the the National Institute of Standards & Technology but he added that “NIST does not have to support the VA,” Baker said.

Baker acknowledged that his decision was pragmatic, and was based on trying to support thousands of VA employees who are demanding access to popular and efficient iPhone and iPad applications used by many clinicians in the private sector.

“We have had such strong demand from clinicians and users of mobile devices,” Baker said. If a CIO habitually says “no” to such demands, there is a risk that the users will seek work-arounds on their own and the CIO would lose credibility, he suggested.

“I want to say 'yes' instead of saying “no,' ” Baker said, adding that NIST should be able to understand the pragmatic nature of his approach.

“I do not think NIST will view this unpragmatically,” Baker said.

Baker also said the target date of Oct. 1 is likely to be met “unless we find something completely unexpected” during the final testing period.