Report Summary

Title: Veterans Data Integration and Federation Enterprise Platform Lacks Sufficient Security Controls
Report Number: 21-01123-97 Download
Report
Issue Date: 6/1/2022
City/State:
VA Office: Veterans Health Administration (VHA)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Release Type: Unrestricted
Summary:

The Veterans Data Integration and Federation Enterprise Platform (VDIF) allows VA to share sensitive health information with the Department of Defense and community care providers. VA is required by law to ensure the safe sharing of veterans’ sensitive personal information. Linking information across an extremely diverse and highly fragmented healthcare system can create technical challenges and increase vulnerabilities. Therefore, establishing the appropriate security categorization for VDIF is essential. Moreover, veterans who do not trust VA to protect their information may be more reluctant to seek treatment.

The Office of Inspector General (OIG) audited whether VA’s Office of Information and Technology (OIT) developed and implemented sufficient security controls for VDIF to ensure confidentiality, data integrity, and the safeguarding of veterans’ sensitive health information in accordance with federal standards.

The OIG found OIT allowed VDIF to become operational without effectively executing all the risk management framework steps developed by the National Institute of Standards and Technology (NIST). While OIT followed the steps, it inappropriately categorized the confidentiality and availability security objectives. This resulted in 22 important security controls not being applied, increasing the risk to personal health information within more than 10 million veteran records. Furthermore, OIT did not adequately determine whether the implemented controls were executed correctly and produced the desired security outcome. OIT did not properly follow NIST and VA policy requirements because of ineffective oversight. Consequently, VDIF became operational with inadequate security controls.

The assistant secretary for information and technology did not concur with two OIG recommendations to ensure VDIF’s security objectives are set at high and to reestablish VDIF, instead proposing a privacy overlay as sufficient. The OIG disagrees and also recommended OIT develop appropriate oversight for following proper program management processes and protocols when establishing and monitoring security controls. VA concurred with this recommendation.