Audit of VA’s Systems Interconnections with Research and University Affiliates

Report Information

Issue Date
Report Number
11-01823-294
VA Office
Veterans Health Administration (VHA)
Information and Technology (OIT)
Report Author
Office of Audits and Evaluations
Report Type
Audit
Recommendations
5
Questioned Costs
$0
Better Use of Funds
$0
Congressionally Mandated
No

Summary

Summary
We conducted this audit to determine the effectiveness of VA’s management of its systems interconnections and data exchanges with external research and university affiliates. We found VA has not effectively managed its network interconnections and data exchanges with its external research partners. VA could not readily account for various systems linkages and sharing arrangements. VA also could not provide an accurate inventory of research data exchanged, where data were hosted, or the sensitivity levels of the data. We also identified unsecured electronic and hardcopy research data at VAMCs and in co-located research facilities. VA’s data governance approach has been ineffective to ensure that research data exchanged are adequately controlled and protected throughout the data life cycle. We recommended OIT and VHA implement a centralized data governance model and ensure formal agreements are established requiring research partners to implement controls commensurate with VA standards for securing and protecting sensitive data.

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Assistant Secretary for Information and Technology establish or update all Memoranda of Understanding and Interconnection Security Agreements needed to accurately reflect operational environments and require that research partners implement information security controls commensurate with VA's information security standards.
No. 2
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Assistant Secretary for Information and Technology support the Under Secretary for Health by providing the information technology infrastructure needed to implement a centralized data governance and storage model to securely manage research information over the data life cycle.
No. 3
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Assistant Secretary for Information and Technology direct Information Security Officers to partner with the Veterans Health Administration's Institutional Review Boards, research personnel, and research partners to routinely conduct joint oversight and monitoring of research labs to ensure security of sensitive veterans' data, compliance of data collections with research protocols, and fulfillment of the Department's information security requirements.
No. 4
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Under Secretary for Health develop and implement a centralized data governance and storage model that ensures accurate inventory of all research data collected, data collection compliance with research protocols, and secure management of research information over the data life cycle.
No. 5
Closed and Implemented Recommendation Image, Checkmark
to Veterans Health Administration (VHA)
We recommend the Under Secretary for Health require the Office of Research and Development to partner with Information Security Officers to routinely conduct joint oversight and monitoring of research labs to ensure security of sensitive veterans' data, compliance of data collections with research protocols, and fulfillment of the Department's information security requirements.