VA Information Systems

Computer Security Weaknesses Persist at the Veterans Health Administration

GAO ID: AIMD-00-232, September 8, 2000

In September 1998, GAO reported that computer security weaknesses at the Department of Veterans Affairs (VA) placed critical operations, including health care delivery, at risk of misuse and disruption. Although two VA health care systems have corrected most of the computer security weaknesses identified in 1998, serious computer security problems persist throughout the Veterans Health Administration (VHA) and the Department. These problems persist because VA had not yet fully implemented an integrated security management program and VHA had not devoted adequate resources to effectively manage computer security at its medical facilities. Consequently, financial transaction data and personal information continue to face increased risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction. GAO recommends that VA: (1) ensure that remaining computer security weaknesses at each health care system are corrected in accordance with action plans developed by each of the medical facilities; and (2) provide security oversight resources as prescribed in VHA policy to effectively implement and oversee VA's computer security management program through assessing risk, implementing policies and controls, promoting awareness, and evaluating the effectiveness of information system controls at VHA facilities.

GAO noted that: (1) in September 1998, GAO reported that computer security weaknesses placed critical VA operations, including health care delivery, at risk of misuse and disruption; (2) since then, VA's New Mexico and North Texas health care systems have corrected most of the specific computer security weaknesses that were identified in 1998; (3) however, serious computer security problems persist throughout VHA and the department because: (a) VA has not yet fully implemented an integrated security management program; and (b) VHA had not devoted adequate resources to effectively manage computer security at its medical facilities; (4) consequently, financial transaction data and personal information on veteran medical records continue to face increased risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction, possibly occurring without detection; (5) GAO identified additional computer security problems at the New Mexico and North Texas health care systems and also found similar serious weaknesses at the VA Maryland Health Care System; (6) these medical facilities had not adequately controlled access granted to authorized users, prevented employees from performing incompatible duties, secured access to networks, restricted physical access to computer resources, or ensured the continuation of computer processing operations in case of unexpected interruption; (7) the access and service continuity weaknesses GAO found are similar to problems consistently identified since 1998 at VHA medical facilities by VA's Office of Inspector General (OIG), internal VHA reviews, and consultant studies; (8) VA's OIG has reported departmentwide information system security as a material internal control weakness since the FY 1997 consolidated financial statement reporting period; (9) VA recognized the significance of these problems and began reporting information system security as a material weakness in its Federal Managers' Financial Integrity Act of 1982 report for 1998; (10) one reason for VA's continuing information system control problems is that the department had not implemented a comprehensive, integrated security management program; (11) initiating a process to review and build on security practices developed by other VA organizations could expedite VA efforts to develop departmentwide guidance in these areas; and (12) until VA develops and implements a comprehensive, coordinated security management program and ensures that adequate resources are devoted to this program, it will have limited assurance that financial information and sensitive veteran medical records are adequately protected from misuse, unauthorized disclosure, and destruction.


