Report Summary

Title: Review of Alleged Transmission of Sensitive VA Data Over Internet Connections
Report Link: http://www.va.gov/oig/pubs/VAOIG-12-02802-111.pdf
Report Number: 12-02802-111
Issue Date: 3/6/2013
City/State:
VA Office: Office of Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audits, Reviews & Evaluations
Release Type: Unrestricted
Summary: The OIG evaluated the merits of an allegation that VA was transmitting sensitive data, including PII and internal network routing information, over unencrypted telecommunications carrier networks. We substantiated the allegation. OIT personnel disclosed that VA typically transferred unencrypted sensitive data, such as electronic health records and internal Internet protocol addresses, among certain VA medical centers and outpatient clinics using an unencrypted telecommunications carrier network. OIT management acknowledged this practice and, via a waiver, accepted the security risk of potentially losing or misusing the sensitive information exchanged. However, the use of a system security waiver was not appropriate. Without controls to encrypt the sensitive VA data transmitted, veterans’ information may be vulnerable to interception and misuse by malicious users as it traverses unencrypted telecommunications carrier networks. Further, malicious users could obtain VA router information to identify and disrupt mission-critical systems.