VA employees tap cloud apps on their own, posing security risk

Computer savvy Veterans Affairs Department employees have started to use Internet-based services and tools that the VA does not provide on its systems, presenting a security challenge, according to its chief information officer. It's also a clarion call for the department to adopt these applications, CIO Roger Baker said on Wednesday during a media call about VA's monthly data breach report to Congress.

The November report revealed that employees in the Chicago VA hospital maintained a calendar on the Yahoo.com website that listed more than 1,000 patients.

This schedule included patients' names, surgery dates, types of procedures and the last four digits of their Social Security numbers. An investigation revealed the facility's orthopedics department had used the Yahoo.com site since July 2007, according to the data breach report.

The investigation determined that four orthopedic residents shared the same Yahoo.com account and password to access the data, and in past years a rotating series of residents had access to that account.

According to the report, the Chicago facility discovered the Yahoo account on Nov. 23, and the VA network operations center blocked access to it the next day. VA officials deleted information from the Web page on Nov. 29 and then sent letters on Dec. 2 to veterans whose data was stored on the account.

Baker said VA had previously discovered that eight other hospitals used Google Docs -- which features online spreadsheets, word processing programs and presentation software -- to store patient information, and that too had been shot down.

In both cases employees violated VA security and privacy regulations, but the CIO noted the incidents illustrate the inevitability of cloud computing, where information is stored on remote servers and accessed locally.

Both Google and Yahoo provide "great tools," Baker said, adding that his job is to figure out how to keep up with the services offered by these companies and other commercial providers.

Baker surmised that the orthopedics residents, who work in multiple hospitals, developed the Yahoo account so they could access VA patient information while working at non-VA hospitals. His aim is to figure out how to provide remote access for medical staff on VA systems.

The department has adopted a "cloud first" computing strategy in line with an Office of Management and Budget policy released on Dec. 9. But Baker said his challenge is determining how to support applications such as the one used in Chicago in a safe and secure fashion.

The CIO said he is mindful of such historical precedents, which illustrate what can happen when VA's information technology department fails to keep up with computing advances that are readily available to technologically adept employees.

In the late 1970s, field employees frustrated by the lack of technology tools formed what Baker called an underground railroad to develop what became the Veterans Health Information Systems and Technology Architecture, VA's standard electronic health record.

Baker acknowledged that unless he keeps pace with advances in cloud computing, he could be facing a rebellion of his own.