
Review of Alleged Transmission of Sensitive VA Data Over Internet Connections

Report Information

Issue Date:
Report Number: 12-02802-111
VA Office: Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Recommendations: 1
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The OIG evaluated the merits of an allegation that VA was transmitting sensitive data, including PII and internal network routing information, over unencrypted telecommunications carrier networks. We substantiated the allegation. OIT personnel disclosed that VA typically transferred unencrypted sensitive data, such as electronic health records and internal Internet Protocol addresses, among certain VA medical centers and outpatient clinics using an unencrypted telecommunications carrier network. OIT management acknowledged this practice, accepting, via a waiver, the security risk of potentially losing or misusing the sensitive information exchanged. However, the use of a system security waiver was not appropriate. Without controls to encrypt the sensitive VA data transmitted, veterans’ information may be vulnerable to interception and misuse by malicious users as it traverses unencrypted telecommunications carrier networks. Further, malicious users could obtain VA router information to identify and disrupt mission-critical systems.

No. 2
Closed and Implemented
to Information and Technology (OIT)
We recommend the Assistant Secretary for Information and Technology require that OIT personnel complete specialized training emphasizing the importance of encrypting sensitive VA data transmitted across public Internet connections.