[House Hearing, 110 Congress] [From the U.S. Government Publishing Office] INFORMATION SECURITY MANAGEMENT AT THE U.S. DEPARTMENT OF VETERANS AFFAIRS-- CURRENT EFFECTIVENESS AND THE NEED FOR CULTURAL CHANGE ======================================================================= HEARING before the SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS of the COMMITTEE ON VETERANS' AFFAIRS U.S. HOUSE OF REPRESENTATIVES ONE HUNDRED TENTH CONGRESS FIRST SESSION __________ FEBRUARY 28, 2007 __________ Serial No. 110-5 __________ Printed for the use of the Committee on Veterans' Affairs U.S. GOVERNMENT PRINTING OFFICE 34-307 PDF WASHINGTON DC: 2007 --------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866)512-1800 DC area (202)512-1800 Fax: (202) 512-2250 Mail Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON VETERANS' AFFAIRS BOB FILNER, California, Chairman CORRINE BROWN, Florida STEVE BUYER, Indiana, Ranking VIC SNYDER, Arkansas CLIFF STEARNS, Florida MICHAEL H. MICHAUD, Maine DAN BURTON, Indiana STEPHANIE HERSETH, South Dakota JERRY MORAN, Kansas HARRY E. MITCHELL, Arizona RICHARD H. BAKER, Louisiana JOHN J. HALL, New York HENRY E. BROWN, JR., South PHIL HARE, Illinois Carolina MICHAEL F. DOYLE, Pennsylvania JEFF MILLER, Florida SHELLEY BERKLEY, Nevada JOHN BOOZMAN, Arkansas JOHN T. SALAZAR, Colorado GINNY BROWN-WAITE, Florida CIRO D. RODRIGUEZ, Texas MICHAEL R. TURNER, Ohio JOE DONNELLY, Indiana BRIAN P. BILBRAY, California JERRY McNERNEY, California DOUG LAMBORN, Colorado ZACHARY T. SPACE, Ohio GUS M. BILIRAKIS, Florida TIMOTHY J. WALZ, Minnesota Malcom A. Shorter, Staff Director ______ Subcommittee on Oversight and Investigations HARRY E. MITCHELL, Arizona, Chairman ZACHARY T. SPACE, Ohio GINNY BROWN-WAITE, Florida TIMOTHY J. WALZ, Minnesota CLIFF STEARNS, Florida CIRO D. RODRIGUEZ, Texas BRIAN P. BILBRAY, California Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public hearing records of the Committee on Veterans' Affairs are also published in electronic form. The printed hearing record remains the official version. Because electronic submissions are used to prepare both printed and electronic versions of the hearing record, the process of converting between various electronic formats may introduce unintentional errors or omissions. Such occurrences are inherent in the current publication process and should diminish as the process is further refined. C O N T E N T S __________ February 28, 2007 Page Information Security Management at the U.S. Department of Veterans Affairs--Current Effectiveness and the Need for Cultural Change................................................ 1 OPENING STATEMENTS Chairman, Harry E. Mitchell...................................... 1 Prepared statement of Chairman Harry E. Mitchell............. 54 Hon. Ginny Brown-Waite, Ranking Republican Member................ 3 Prepared statement of Congresswoman Brown-Waite.............. 55 Hon. Timothy J. Walz............................................. 4 Hon. Ciro D. Rodriguez........................................... 5 Hon. Cliff Stearns............................................... 7 Hon. Spencer Bachus.............................................. 5 Hon. Artur Davis................................................. 6 WITNESSES U.S. Department of Veterans Affairs: Hon. Gordon H. Mansfield, Deputy Secretary................... 9 Prepared statement of Secretary Mansfield................ 56 Hon. Robert T. Howard, Assistant Secretary for Information Technology and Chief Information Officer................... 11 Prepared statement of Mr. Howard......................... 58 James P. Bagian, M.D., P.E., Chief Patient Safety Officer and Director, National Center for Patient Safety, Veterans Health Administration...................................... 12 Prepared statement of Dr. Bagian......................... 58 Maureen Regan, Counselor to the Inspector General, Office of the Inspector General...................................... 34 Prepared statement of Ms. Regan.......................... 60 Arnaldo Claudio, Director of Oversight and Compliance, Office of Information Technology.................................. 36 Leonard M. Pogach, M.D., Director, Research and Enhancement Award Program, VA New Jersey Health Care System, East Orange, NJ................................................. 46 Warren Blackburn, M.D., ACOS/R&D Coordinator, VA Medical Center, Birmingham, Alabama................................ 47 Y.C. Parris, Facility Director, VA Medical Center, Birmingham, Alabama................................................... 48 U.S. Government Accountability Office, Gregory C. Wilshusen, Director, Information Security Issues.......................... 32 Prepared statement of Mr. Wilshusen...................... 63 SUBMISSION FOR THE RECORD Hon. Zackary T. Space, a Representative in Congress from the State of Ohio.................................................. 69 INFORMATION SECURITY MANAGEMENT AT THE U.S. DEPARTMENT OF VETERANS AFFAIRS--CURRENT EFFECTIVENESS AND THE NEED FOR CULTURAL CHANGE ---------- WEDNESDAY, FEBRUARY 28, 2007 U.S. House of Representatives, Committee on Veterans' Affairs, Subcommittee on Oversight and Investigations, Washington, DC. The Subcommittee met, pursuant to notice, at 2:36 p.m., in Room 334, Cannon House Office Building, Hon. Harry E. Mitchell [Chairman of the Subcommittee] presiding. Present: Representatives Mitchell, Walz, Rodriguez, Davis, Brown- Waite, Stearns. OPENING STATEMENT OF CHAIRMAN MITCHELL Mr. Mitchell. The Subcommittee on Oversight and Investigations hearing of February 28, 2007, will begin. Let me just say right off that Congressman Zach Space is absent because of a family emergency. Otherwise, he would be here. I have accelerated our Subcommittee's review of the VA information security management for several reasons. I thank all three panels of witnesses and our Subcommittee Members for their cooperation despite the somewhat short notice we were able to provide. It is my belief that when the subject matter justifies some sort of review that such a review should be thorough, balanced, and timely. This topic was on the Subcommittee agenda for later this year, but it is a recurring and nonpartisan topic for the Veterans' Affairs Committee. The events regarding a data loss at Birmingham and other circumstances have led me to advance this hearing on our Subcommittee docket. In this hearing, I wish to determine the current status of information security management at the VA. Admittedly the Birmingham incident holds powerful sway over the landscape. If the Birmingham incident stood alone against the backdrop of a sound information security management program, perhaps we could address a one-time-only incident with more patience. However, the record reflects a host of material weaknesses identified in consolidated financial statements, audits and the ``Federal Information Security Management Act,'' FISMA, their audits over the recent years. The Inspector General's Office and the Government Accountability Office have both reviewed VA and found deficiencies in the information security management program over the last 8 years. VA has been slow to correct these deficiencies. For example, the VA IG made 16 recommendations with regard to information security management in 2004. All 16 remained open in 2006. During our full Committee review of the May 3, 2006, data loss, we discovered a general attitude regarding information security at VA that our current Committee Chairman Bob Filner once referred to as a culture of indifference. Today I wish to address this issue of culture and the need for cultural change with regard to information security at the VA. Last year, the Committee reviewed cultural problems at several levels at VA. We looked at the very top levels of the VA leadership and were critical. We looked at the program leadership levels and were critical. We looked at the promulgation of information security policy in VA and were critical of the various methods employed by some program leaders and advisors to gut those policies to avoid accountability of the weakened information security practices. We were critical of the lack of checks and balances in the information security management system at VA. Guidance was being followed, but did oversight occur? We were critical of delay by VA in providing congressional notice of the May 2006 incidents. We were critical of the slow escalation and notice of the magnitude of that problem. VA mailed notices to millions of veterans addressing the data compromise and made a public commitment to become the ``gold standard'' in information protection within the Federal Government. Eight months after the initial data loss, VA reports another loss of significant magnitude associated with Birmingham VA Research Program. That a weakness existed in this area surprised no one. That it happened at all serves to precipitate this type of congressional oversight hearing. While the actual loss of the external hard drive and the limited electronic protections on that missing equipment should be considered the 800 pound gorilla in this room, there were some silver linings with the Birmingham story as we now know. For example, the loss was reported in VA and quickly relayed to the appropriate people. Mr. Howard notified congressional oversight staff and Secretary Nicholson called the Chairmen and Ranking Members of the VA Committees. The Office of Inspector General was quickly involved and opened an investigation. In similar examples from May 2006, VA took days or weeks to accomplish those tasks. In the Birmingham incident of January 9, 2007, VA took hours or days to accomplish the same task. Staff was notified within 1 day and calls from the Secretary followed a few days afterward. The investigative trail was reasonably fresh for the IG to follow. What of VA culture with regard to this issue? The IG made five recommendations to the Secretary in the review of issues related to the loss of VA information involving the identity of millions of veterans on July 11, 2006. As of today, all five of those recommendations remain open. Why? After the 2006 series of hearings, VA issued a series of tough-sounding declarations, but problems still remain and another major incident has happened. After the Birmingham incident, the Secretary issued some tough guidance, but what impact will it have? Will history repeat itself? How deep are the cultural barriers? I believe that it is important to review all aspects of this issue. We need to hear from VA leadership and in that regard, we are pleased that Deputy Secretary Mansfield has agreed to testify. He, Secretary Nicholson, the Under Secretaries are key to setting policy. They represent the Department in this matter. But we also need to look at the problem through the eyes of the remaining 200,000 plus people in the VA. Do leadership actions throughout the management hierarchy match policy guidelines everywhere in the VA? Do the rules say no, but the culture beckons, ah, go ahead, make an extra copy of that data and your own life will be easier? Take a shortcut. No one will follow up. If we change the culture of VA, we can begin to fix the problem. But people have different cultural perspectives. Those of the VA leaders on panel one may differ from those of the researchers in the field. Leadership's policy guidance may now be spot on, but the question is how the policy is received at the user end. For that reason, this Subcommittee requires testimony across the spectrum of people who in any way handle sensitive information about our veterans. Let us approach this with open minds, consider other perspectives, and be able to put this problem to rest for a long time. Before I recognize the Ranking Republican Member for her remarks, I ask unanimous consent that Congressman Artur Davis from Alabama and Congressman Spencer Bachus be invited to sit at the dais for the Subcommittee hearing today. Without objection. Thank you. I now recognize Ms. Brown-Waite for her opening remarks. [The statement of Harry E. Mitchell appears on pg. 54.] OPENING STATEMENT OF HON. GINNY BROWN-WAITE Ms. Brown-Waite. I thank the Chairman very much for giving me this opportunity and also for the expedited manner in which this hearing was held. As the Chairman has indicated, it is more about information security management at the Department of Veterans Affairs and in particular the current effectiveness of information security at the Department and the need for cultural change. Since the data breach in May 2006, which was the second largest in the nation and actually the largest in the Federal Government, we have seen VA's centralization of the VA's information management, including information security. I appreciate the Secretary's desire to make the VA the ``gold standard'' for information technology and information security management in the Federal Government. From what we have seen, however, adherence to the ``Federal Information Security Management Act'' or FISMA has not been adequately addressed government-wide as Congress intended when writing the law. This is why our Committee worked so hard last Congress to pass measures such as H.R. 5835 and the final version which was S. 3421 which eventually became Public Law 109-461. We have tried to give the Department, and in particular the Secretary, all the tools that he needs to mandate change within the entire Department to make certain that such security breaches are few, if any. I served on this Committee now, this is my fifth year, and recently have been selected as the Ranking Member of this Subcommittee. Over the years, however, I have seen a blatant lack of resolve within the underlying culture at the Department and particularly at the facility level to change the way senior management view IT security. We know it is very difficult to embrace change, but this is what we need to address in this hearing. I was involved at one point in my life in installing a new financial management system for my employer, and I can just tell you that the employees were kicking and screaming because change does not come easily. They were used to their little silos and they really did not adapt very well to any kind of IT change. I realize that this is a problem that is out there in the VA, but it is not one that with very strong leadership we cannot overcome. We have got to protect our veterans and provide them with the services that we need. We need to remove that cultural bias against change. I appreciate the witnesses who have come to this hearing, particularly those who have traveled great distances to be here. And I look forward to hearing your testimony. I thank the Chairman, and I yield back the balance of my time. [The statement of Ginny Brown-Waite appears on pg. 55.] Mr. Mitchell. Thank you. Mr. Walz. OPENING STATEMENT OF HON. TIMOTHY J. WALZ Mr. Walz. Thank you, Mr. Chairman. Just briefly, thank you for holding this important hearing. As a veteran who has received the letter earlier on lost data, this is obviously one that is personal to me and it is also one that everybody in this room cares deeply about. Mr. Mansfield, thanks so much for coming here. And I know that everyone in this room and at the table care as deeply as anybody about our veterans and making sure everything is done right. So I hope that in this hearing, and in the spirit of the Chairman's words, that we are here to find solutions, that we know that the intent of every member of the VA is always to provide the best quality care, the best quality protection to our veterans. So I thank you for being here. The one thing I would say, I guess for me, I am a cultural studies teacher, so this idea of culture and the things that we talk about, all those learned and shared values, beliefs, and ideas, I think is critical. Whether it is a safety issue or whether in this case it is data security, that I do believe culture plays a roll in it. And we are here today to figure out what we can do if it is a resource issue or what we can do. And I truly appreciate your willingness to come and all you do for veterans. And together we can get this thing worked out and get it going in the right direction. So thank you. And I yield back my time, Mr. Chairman. Mr. Mitchell. Thank you. Congressman Rodriguez. OPENING STATEMENT OF HON. CIRO D. RODRIGUEZ Mr. Rodriguez. Thank you very much. And I was just going over the report from the Inspector General and it is pretty startling information there in terms of the fact that there is still a great deal at risk. I know the Attorney General in Texas just ruled that all county clerks that release Social Security numbers would be committing a felony. And so somehow we need to come to grips with that. And if I have to, I will make some of those comments at that time, but I am hoping that we can direct it in the right direction. And I hope that the approach that is taken is that if you need some help, if you need some assistance, to come forward in order for us to correct this as quickly as possible. Thank you. Mr. Mitchell. Thank you. Mr. Bachus. OPENING STATEMENT OF HON. SPENCER BACHUS Mr. Bachus. Thank you, Mr. Chairman. I would say this to the panel. Since at least 1997, there have been reports about inadequacies at the VA, about the protection of information, veterans' information. And in 2001, there were multiple recommendations made, 17 security recommendations made in the ``Federal Information Security Management Act'' for veterans to do. Yet, in May of 2006, when you had the security loss, Ms. Brown-Waite mentioned that none of those had been implemented at that time. Now, since that time, you have given testimony to Congress that you fixed most of those problems. But what we had in Birmingham, it is my understanding, was just a laptop computer with information on it that was carried offsite. And to me, that is one of the most elementary types of things to prevent, simply by having a rule that they do not do that. Now, you have also since last May, you required all veterans' employees to go to security seminars, as I understand it. So I would just be curious in my questions following up on whether that was done or not and whether this employee was prohibited from taking it offsite. I know the IG's report says that the information that is available to all the employees is hard to understand and uses words like appropriate and other words which really will not limit them, you know, do not use the information inappropriately without clearly defining what may be appropriate and inappropriate. But there are other issues. I know it was 21 days before it was announced that this breach had occurred. Another problem that I had with this as a Member of Congress, Congressman Davis and I represent the Birmingham area and a lot of this information was shared with us, but we were told we could not share any of the information with anyone else, that it was critical to the investigation. And one occasion, after we were specifically told we could not share any of the information, it was critical to the investigation, within an hour, the Veterans Administration issued a press release with a lot of that information on it. So we wonder about that. But I came here to listen, but I did come, and I have made this point to you gentlemen since this breach, that encrypting of information is a pretty elementary step. And I wonder why, you know, is there a rule that this information should be encrypted. I mean, a lot of this information was not encrypted which ought to, by 2007, ought to be standard operating procedure on any sensitive information. And so I look forward to hearing from you. But it does appear that since 1997, at least 2001, everybody has known what problems were, that these were accidents waiting to happen, yet nothing. You know, if you did something as a practical matter, it did not work. So I would just be interested to know what you did. Mr. Mitchell. Thank you. Mr. Davis. OPENING STATEMENT OF HON. ARTUR DAVIS Mr. Davis. Thank you, Mr. Chairman. I am glad to see that freshmen can become Subcommittee Chairs so quickly and I congratulate you on that. I must be on the wrong Committee. Thank you for giving leave to my friend from Alabama and myself to come here. We are not regular Members of the Veterans' Affairs Committee, and I thank you for letting us participate because our City of Birmingham is affected. I want us to get to the question section as soon as we can so I will be very limited in my comments. But I begin by saying this, Mr. Mansfield. I think all of us take it for granted that the leadership at the VA has good intentions, but good intentions are usually not enough to change a culture. Better laws help. Better regulations help. And I received the correspondence that you sent to me in which I asked a number of questions about what the procedures are at the VA regarding encryption, what the procedures are at the VA regarding notification, and it is clear to me from looking at your answers that there are gaps there. And, frankly, that is where this institution comes into play. Some of us have been advocates on this Committee for having stronger protections for civilians regarding potential losses of data, regarding data security issues in the private sector. It seems self-evident to me that whatever the standard ought to be for individuals in the private sector, if anything, it ought to be stronger for our veterans. And I am disappointed. But if I understand the law and the regulations today, it is weaker. And understand some of us believe the consumer protections are not strong enough for civilians either. Second point that I want to make, I have a very strong hunch, Mr. Mansfield, that the only reason we are in this room having this hearing, the only reason that the public knows about any of this is simply by pure luck. And I do not mean to second guess, but I will make this point to you. Your office called my office on the late afternoon of February 2nd, 2007, and you told us that you wanted us to have information about a data breach in Birmingham and you told us that a news organization was about to run with the story, so you wanted to give us a heads up. I have a strong hunch, Mr. Mansfield, that but for you all believing this information was about to come in the public domain that you never would have released it. Second of all, after the Office of Inspector General met with me at my request, we lodged a very strong demand of the VA that the VA go forward and release the additional information about the amount of names that had been compromised, about the fact that physician information had been compromised. Frankly, I have a hunch that but for that demand, the additional information would not have been released. So I will end with this point. Changes need to be made, in my opinion, in the way that your organization reacts to this kind of a problem. I am going to ask you during my question time during the hearing how many data breaches are suspected by the VA since the incident of May 2006. We know about that incident. I am going to ask you during my Q and A session how much has been suspected in the year since. Are there other instances where there has been a loss of data? Are there other instances where there is a suspected loss of data? So I thank you for being here, and I look forward to answers to your questions. Mr. Chairman, thank you again. Mr. Mitchell. Thank you. Mr. Stearns. OPENING STATEMENT OF HON. CLIFF STEARNS Mr. Stearns. Thank you, Mr. Chairman, and thank you for holding this critical and timely hearing. When you look at the GAO report, it says from 1998 to 2005, there were over 150 recommendations to the VA on implementing effective controls and developing a robust information security program. And then if you just look at the VA's own Office of the Inspector General, they publish reports. They made 16 recommendations from the fiscal year 2004 and they remained unaddressed. So we have here critical areas that are being highlighted by the GAO as well as the Office of Inspector General clearly saying the VA is vulnerable to denial of service attacks, disruption of mission-critical systems, and unauthorized access to sensitive data. So all this has been documented. The Member before me talked about it is just by luck we have information about this. But I think we have known about this for some time, at least since January. And so the question is with the GAO and the Office of Inspector General, why in the world are all these recommendations and all these suggestions not being implemented? There has been a lot in the news recently regarding unauthorized access violations at the VA. Last March, there was an incident we had where 26 million veterans' information, personal information, personal, identifiable information was lost. I congratulate the VA for finally getting the computer and getting the protection it needed, but, you know, it took a while to find it. And as I understand it, a lot of this information was not even encrypted. And, however, now, in the recent breach that my colleagues have mentioned in Birmingham this January, the proper agencies were informed the very next day, an improvement that I would like to highlight, yet it is a mixed bag of praise and condemnation for we have yet another breach of information security. This Birmingham hardware involved the personal medical records, Social Security numbers, personal information of veterans and many medical personnel in the VA system itself. And this information again was not even encrypted. So it seems to me at this point, this information should be encrypted at the very least. There are clearly areas that the VA needs to improve. And I guess for the life of me, I do not understand. If you go back to 1998 and you have got 150 recommendations from the GAO, why are you folks not implementing them? In Congress, we responded to the data breach of last March. We enacted the new law, the ``Veterans Benefit Healthcare and Information Technology Act'' of 2006. The primary purpose of this legislation was to strengthen IT practices at the VA. It also contained internal processing requirements regarding security management with a mandate, with a mandate for the VA to develop interim regulations for improving security within 180 days of the law's enactment. So, Mr. Chairman, I think that the hearing is timely. I look forward to the witnesses, and I hope the strategy will be for improving security for our veterans in the very near future. Mr. Mitchell. Thank you. We will now proceed to panel one. We are pleased to have Deputy Secretary Gordon Mansfield as the principal presenter for the panel. This Committee has a long and professional working relationship with Mr. Mansfield in all his roles at VA, from his time serving as the Assistant Secretary for Congressional and Legislative Affairs to his present position as Deputy Secretary. Mr. Mansfield is a highly decorated military combat veteran, having served two tours of duty in Vietnam. His military awards include the distinguished Service Cross, the Bronze Star, two Purple Hearts, and the Combat Infantry's Badge. Mr. Secretary, would you please introduce your team. Mr. Mansfield. Thank you, Mr. Chairman. If I may, before I start, a point of personal privilege. With your permission, I wanted to take a brief moment to comment on Len Sisteck's departure from the Committee. May I have your permission, sir? Mr. Mitchell. Yes. Mr. Mansfield. Len and I had a chance to talk the other day in my office, and he told me that he still had ``the sense of service to one's country'' that we have seen up to this date. And I am pleased that he will continue as a public servant. Many may say it, but Len has lived the concept of leaving political and ideological differences aside in order to serve veterans. He also got out and saw the VA operations in the field in a real hands-on way. I mentioned he was in my office, on the tenth floor. I also want to make the point that Len has also been with us in our operations center down in lower basements, the bowels of the VA, so he has been with us from top to bottom. I, for one, am glad that he will still be here on the Hill watching out for the interests of the Department and for veterans, just in a different capacity. Fairness and loyalty to the constituency are his, and I appreciated his service on this Committee. And I want to extend to him the congratulations and best wishes of the entire Department. Len, thank you very much. Mr. Mitchell. Thank you, Len, very much. STATEMENTS OF HON. GORDON H. MANSFIELD, DEPUTY SECRETARY, U.S. DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY MICHAEL J. KUSSMAN, M.D., ACTING UNDER SEC- RETARY FOR HEALTH, VETERANS HEALTH ADMINISTRATION, U.S. DEPARTMENT OF VETERANS AFFAIRS; HON. ROBERT HOWARD, ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY AND CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF VETERANS AFFAIRS; AND JAMES BAGIAN, M.D., CHIEF PATIENT SAFETY OFFICER, DIRECTOR, NATIONAL CENTER FOR PATIENT SAFETY, VETERANS HEALTH ADMINISTRATION, U.S. DEPARTMENT OF VETERANS AFFAIRS STATEMENT OF HON. GORDON MANSFIELD Mr. Mansfield. Mr. Chairman, if I may, I have a statement to submit for the record. Mr. Chairman, I am here today with Mr. Howard, our Assistant Secretary for IT; the acting Under Secretary, Dr. Kussman; and Dr. Bagian. I am here today to talk about the status of our IT security program and the reorganization of our Office of Information Technology. We have done a lot of work and we have come a long way since last May's major incident occurred. And I have to admit that that was probably the wake-up call for the Department. But we still have an awfully long way to go. We are well into the reorganization of the Office of Information and Technology to include an initial transfer of some 4,600 individual employees now under the control and direction of the CIO, Assistant Secretary Bob Howard. That reorganization also includes ensuring that Mr. Howard has the full authority as delegated by the Secretary to deal with security issues throughout the Department. Mr. Howard also has the authority to oversee the total IT budget for the Department. In the information security area, we have gone forward with preliminary revisions that have led us to issue a number of new directives to ensure that the workforce understands what their specific responsibilities are. We have brought management pressure from the top to ensure that the required change in culture is instituted and that we are moving forward to achieve the goals set by the Secretary for the VA to be a gold standard for the Federal Government. As I have stated, I think we have come a long way in both the reorganization and changes demanded by information security requirements to protect our veterans. I will be the first to acknowledge that we have not finished with either of these chores. We are continuing the reorganization with more transfers of people taking place next month, with more budget, more program, and more people responsibilities under the control of the CIO. The Security Operations Center or the SOC is now receiving daily reports of incidents, large and small, from across the Department which allow us to understand and educate the people that we are responsible for when they do the job wrong, and also it will allow management to get a better picture of the problem areas across the Department. The Birmingham incident, while evidence of major lapses in judgment in operations, was handled in such a way that VA management was informed in a timely manner and the report moved quickly up the chain of command to the top. We also started an investigation as did the Inspector General's Office in conjunction with the FBI. Notifications of the incident were made to the Hill in a timely manner. As well, updates on the information were provided as received. I want to make a point here that as we get into these investigations and as the IG and the FBI move into it, we are requested that we keep this information on hold as they start into their investigation and start looking for areas of approach, and we try to follow the FBI's request and the IG's request in that area. We have been notifying this Committee and other Committees of jurisdiction on the Hill on a weekly basis of the reports that do come in to us that are reported up the chain of command. Another area of concern is sanctions applied to those who fail to conform to the requirements. The Secretary has said there are still too many VA employees at every level to include senior positions who either still do not comprehend the seriousness of this issue or who consciously disregard it. This laxity is unacceptable and no longer will be tolerated. In appropriate cases and where justified, there must be serious consequences for failure to properly secure veterans' data. We owe our veterans no less. And that is a quote from the Secretary in a meeting of senior executives held here in Washington, D.C., on February 21, 2007. We are involved in cultural change in a serious way. From the highest leadership on down, in meetings and communications and site visits, the Secretary and I have endeavored to communicate the need to protect data and how we can make that happen. As the Secretary indicated, given the circumstances of each case, we need to go forward with further education and assistance with our employees to understand what the need is and what they have to do or get involved in considering whether sanctions should be considered and applied as required. In closing, let me say that I sincerely wish that I could promise you that no other incident will occur. I cannot do that now, but I can promise you that we are working hard throughout the Department to get the message to our 235,000 plus employees to do everything we can to get this problem under control. We have succeeded in many areas. We still have a large job to finish the effort. We are committed to doing that. Mr. Chairman, I am prepared to answer questions, and I would ask Mr. Howard, as I understand the sequence, to go forward with his comments. Mr. Mitchell. Correct. [The statement of Gordon Mansfield appears on pg. 56.] STATEMENT OF HON. ROBERT HOWARD Mr. Howard. Thank you, sir. And thank you, Mr. Chairman and Members of the Committee. I would like to expand on Deputy Secretary Mansfield's comments regarding the changes underway in the area of information and technology. There are two specific areas I would like to focus on. First is the extensive reorganization taking place and second is the over-arching program we have established to provide focus to all of our remediation efforts. The IT realignment program to transition the VA's IT management system remains on track and is scheduled to be fully implemented by July 2008. By April 1, 2007, software development employees and programs will be permanently reassigned to the CIO. This action follows the consolidation of operations and maintenance under the CIO which was finalized beginning this fiscal year. We are implementing a process-based organizational structure rooted in best practice processes that are aimed at correcting IT deficiencies that resulted in a loss of standardization, compatibility, interoperability, and fiscal discipline. There are 38 such processes that are being introduced with the assistance of IBM from a best practices standpoint. We have also developed a different organizational framework to provide focus in key areas. The Office of Information and Technology is now comprised of five major organizational elements. These will all report to the CIO. We have a chart of this organization with us today in the event you would like to discuss this structure in more detail. Each of the five major organizational elements is led by a Deputy Chief Information Officer. One Deputy Chief Information Officer, in fact, in the first column, is charged with directing the information protection and privacy programs in VA. This official is also responsible for risk assessment, risk mitigation, evaluation and assessment as it relates to information protection. The DCIO for information protection and risk management has drafted the interim final regulation on credit monitoring and credit protection as required by the ``Veterans Benefits Healthcare and Information Technology Act of 2006.'' This regulation, which is now being reviewed throughout the Department, will address notification, data mining, fraud alerts, data breach analysis, credit monitoring, identity theft insurance, and credit protection services. To achieve the gold standard as directed by the Secretary, we have implemented an over-arching program to assess information protection controls, to develop plans to strengthen the controls where necessary, to enforce the controls, and continuously monitor the information protection program. This action plan we have developed includes development and issuance of policies and procedures, training and education, securing of devices, encryption of data, enhanced data security for VA's sensitive information, enhanced protections for shared data in interconnected systems, and incident management and monitoring. A number of the specific requirements of the new law have already been introduced into our comprehensive action plan. I personally review progress on these actions on a weekly basis. In closing, I believe we have made progress in improving IT operations in VA and we are working hard in partnership with the administrations and staff offices to improve our business practices to ensure the protection of sensitive information throughout the Department. Mr. Chairman, that concludes my testimony. I would be pleased to answer any questions the Committee may have. Mr. Mitchell. Thank you. Dr. Bagian. [The statement of Robert Howard appears on pg. 58.] STATEMENT OF DR. JAMES BAGIAN Dr. Bagian. Thank you, Mr. Chairman, members of the Committee, for inviting me here today. My comments will be confined more to cultural aspects, especially with respect to some of the observations of what we've done in the patient safety area, as I've talked to some of you in the past. Let me just say at the outset, there has been some indication by some of the previous comments that people are wondering if people take the issue of IT security seriously. I can tell you unequivocally, they take it very seriously. There's nobody I see--and I am out in the field quite a bit-- that is not fully aware that this is an important issue. There's no question about that. I'll come back to that, but, let me just assure you that's a fact. The big issue is about culture and how we look at this. And I would say one of the big issues--and I'll talk about it from the frame of patient safety--because while our goal in patient safety is to prevent harm to the patient, and generally we think about that with regard to the medical care that we deliver, the fact is that if people suffer, for instance, the outcome of identity theft, for example, that harms them as well--as it harms our ability to provide care for them because that consumes fiscal resources and attention that could otherwise be focused to our primary mission, which in the VHA is delivering medical care. So we understand that. In the safety area, patient safety area, when we started to do this some 8, 9 years ago, the culture certainly wasn't geared toward patient safety, and we were starting this before anybody did it anywhere in medicine, quite frankly. And we found that it was very important to be able to establish for them what our real goal was in terms that were understandable by them and how it met what they thought they needed to do. To create an expectation was relevant to them that they thought was real. And then we had to go through an understanding when things did happen, it wasn't enough strictly just to have--and as Mr. Howard talked about, policies and training is important, but he talked about other things like encryption and other modalities. It's a multiplicity of these things. It's not just telling people, ``follow the rules,'' because if that is all it took to do anything, we'd write rules and go home. And we know it takes more than that. So, when problems occurred or we had close calls--as we have had IT close calls as well--it was to look and say what happened here, why did it happen, and what do we do to prevent it in the future? And without understanding those underlying causes, it's really impossible to come up with sustainable solutions. So we really dwelled on that quite a bit, and I think you see some of that same thing in what's going on with the IT organization today. The other thing is you have to take out the fear. One of the things that goes on with any organization, as was mentioned by Ms. Brown-Waite during her comments, is that change is hard for all organizations. And people have to feel that the change is in their interest, too, whatever that change is, and communicate to them what they believe it is. And I think we can do that, and we're trying to do it. But it doesn't happen overnight. We then need to supply tools, and that's being done. You've heard about encryption. You've heard about other things that go in those areas. And then we have to do it in a way that changes their behavior, and when that behavior works and is not at cross purposes with their goal--and in VHA, the goal is delivering clinical care; that's the main goal--information security is embedded in that, but that's not the reason they come to work. A physician doesn't come to work to achieve IT security. It's a component thing they need to worry about, but their main goal is that they want to take care of the patient. We have to understand how we make that real to them, that they understand that that's important not just because we say it is, because they believe it is. And I think that's trying to be done. So when that attitude changes, then you begin to change culture. Now, one of the things that we found that was extremely important when we began was we thought everybody got it about patient safety. We did a cultural survey--the first one ever done--on attitude toward patient safety, and we found some very remarkable results which changed the way we ran the entire program and in fact, I would say we are singularly responsible for it being successful versus failing miserably. We found that when we asked people, ``Do you think patient safety is important?'' Twenty-seven percent of all our people at the VHA system said ``five'' on a one-to-five scale. Patient safety is super important, most important it could be. Twenty- four percent said ``one''--absolutely irrelevant. We were shocked. How could that be? But when we stopped and talked to them more--we've had focus groups come in to understand why that was--the reason they said ``one,''--that is, unimportant, was because they said, ``Well, I thought you meant was it important for me? It is not important for me, because I know I am safe. It is all those other people that aren't. And the same thing can happen here if you don't understand what motivates them. It's not they do not want to do it. They think somebody else is doing it. Until you really answer those questions to enable you to understand people's underlying assumptions, it's impossible to correct it effectively. So I think we need to look at that and look at the culture where it is and not just talk about it, but actually measure some of it to understand where the leverage points are. And I'm not sure we know all those things yet. But we're moving in that direction. One of the things we worked with the IT system back in 2003 when the Blaster Worm--some of you may recall the Blaster Worm, a big problem--we went and worked with IT at that time. In fact, one of Mr. Howard's deputies--we talked last on the 21st, just last week, about how we worked with them with root cause analysis where we looked at these, what happened, why did it happen, what do we do about it--and he remarked that since that time we've never had a major denial of service attack, since we looked at this with a very systems-based approach. And they want to work with us more doing that, and we look forward to those kinds of things. And we think this mode of collaboration across not just the IT world, but across all VA--DVA, NCA, VHA--working together to look at this and look at the real causes will get us there, and I think that's where the real hope lies, and it is not just having a knee jerk response to the bad events, which none of us want, but really take the time to understand why it isn't where we want it to be and fix it and really nail it. [The statement of James Bagian appears on pg. 58.] Mr. Mitchell. Thank you all for your statements. Clearly the VA is attempting a number of different avenues to address the problems associated with information security management at VA. We are aware of the poor track record the VA has in this area and note that implementing a program does not guarantee a successful outcome by itself. Mr. Mansfield, I have a question. In 2006 and in earlier years, we saw information security policy guidance languish in various VA offices. The IG advises us in testimony that the VA still lacks a clear, concise policy in several key areas of information security. It has been 7 months since their report was issued. Why do they say that and how do the views of the Department differ with the views of the IG? Mr. Mansfield. Mr. Chairman, let me start by saying that we have proceeded and gone forward in a large number of areas and issued a large number of directives that deal with some of the issues that the IG is talking about. The Secretary has issued directives and I have issued directives. I think what the IG is saying is that we have not been able to finalize this thing across the entire organization. And I would make the point that in some of these areas, we are still learning about exactly what is happening out there, and we need to be able to find out what the issues are and, as Dr. Bagian said, what happened, why did it happen, and what are we going to do to fix it. I would make another point which is that we still have out there a largely decentralized system. It is nonstandardized. There are not any simple fixes that we can plug in. Like with the blaster worm, you were able to put one fix in and put it across the system if you have a standardized system. But we do not have that, so there are not any simple fixes. The other issue we have here is that for the most part, 190 some thousand of those 235,000 employees are in the veterans health arena and that is where we have the responsibility to deliver healthcare. And as I have testified before this Committee in many previous hearings, we have approached this from the start with the principle, ``do no harm.'' Do no harm is a part of the way you have to approach this. We cannot afford to shut down a hospital system where patients are being taken care of. Plus, we are a government agency. We deal with civil service rules. We deal with contracting rules, and we go forward with all those issues. So that is part of the explanation, sir. Let me make the point, too, that I understand exactly where you are coming from and where the Committee is coming from, and it has been a long time. There are a number of issues out there. But as I said, we are working, and I think the centralization and reorganization of this office which the Secretary has directed will allow us to provide, in addition to what we had before, for education and information to be provided, that we use our VA Learning University as an additional effort to bring information and education to bear. And the other part of it is the inspection part goes forward where we have just started inspections, some announced, some unannounced, to be able to go out and find out what is going on out there so we are not surprised. Mr. Mitchell. Just a quick followup. You mentioned your study and you are looking at why people do the things they do. When do you expect this study to be over? When do you expect to finally implement all of these recommendations? How long is it going to take? Mr. Mansfield. Sir, I cannot give you a final date right now. I am sorry. I wish I could. I wish I could tell you that we have got this problem solved. We cannot do it. As I indicated and as Secretary Howard indicated and as I believe Dr. Bagian indicated, it is a continuous ongoing effort where we are going to have to continue to work on all the different issues until we know that we have got every single part of this understood and we have got a fix prepared for it. We put the fix in and we make it work. The final word I would say here is again that it is not a question of technology or machines or software. It is a question of people. And we are going to be dealing with people across this system, the 235,000 employees, the tens of thousands of contractors, all the people in the 105 medical schools that we deal with where you have residents and interns in the thousands coming in and going out of our system every year. So we are going to have to work on this continuously, sir. Mr. Mitchell. Thank you. One last question before I call on the Ranking Member. Mr. Howard, how long will the VA be without a cyber security chief? Mr. Howard. Sir, we actually had selected one, a female, very well-qualified. We had selected her. Several days before she was to show up, she decided to take another job. So I have now had to go back through and announce that position over again. I assure you we will move as fast as we can. But the process has to be done correctly. Mr. Mitchell. Thank you. Ms. Brown-Waite. Ms. Brown-Waite. Thank you, Mr. Chairman. You know, maybe reducing this to parenthood might be relevant because I only have two children that I gave birth to. One you could talk to and reason with and you would get results. The other one, it was like sometimes you had to like look her eyeball to eyeball and threaten sincerely in order to get her attention. So I want to know what you are doing to really get the attention in this culture of where we did it before, so we are going to continue to do it, and I want to know also what is the VA's policy on using personal computers, i.e., you know, maybe a thumb drive and taking it home and working at home? And what happens to the employee who you might have to like take drastic steps to get their attention, i.e., dismiss them? Tell me what is going on because it is very frustrating to see the lack of progress here. Mr. Mansfield. Mr. Mansfield. Let me start with the last question, and that is the area of sanctions. And I think to approach that we have to understand that, as Dr. Bagian mentioned, that that is a part of a total spectrum of changing the culture. When you are talking about sanctions, I think you have to start with what are our responsibilities before you can get there, and that is I believe that you need to let the people know what you expect of them, why you expect that, give them a chance to ask questions if they have questions about what is expected, and then go forward from there. The second part of that is I think that you cannot have one single decision. You have to take each case, each individual and each situation in and of itself and you have to measure what happened in that case, why it happened, and perhaps what the results are. Ms. Brown-Waite. Sir, with all due respect, we are talking about thousands, hundreds of thousands of veterans whose information is just out there. Mr. Mansfield. Well, I understand that. I would tell you, Ms. Brown-Waite, that the last time I was admitted to a VA facility, which was not too long ago, one of the forms they gave me said you can check off up here, is this information available for VA research. So I understand that every veteran in this system is at risk, and I hope the point is coming across that we are attempting to do everything we can to make sure that that risk is mitigated, if not eliminated. Ms. Brown-Waite. Do you have written policies that say one time and one time only, if it happens again, you are out, or is it no strikes and you are out? What is VA's policy at this point on taking a risk with individuals' information that may put it at risk outside of the premises of the VA offices and hospitals? Mr. Mansfield. Well, let me caution that, as I mentioned before, we live within the civil service rules and we have to recognize those and go forward and ensure that we carry out all the responsibilities we have there and ensure that each and every employee's personal rights are protected or else whatever we do is going to be overturned by an oversight body. And the other point again is that I think we have to take each case in itself and look at what are the issues involved here, how much harm was involved, and exactly how egregious or, as you mentioned, repetitive was the issue, and go forward from there. And we cannot just put it down simply as these three issues or these rules apply to each and every situation. We have to look at what the individual situation is and go from there. Ms. Brown-Waite. Sir, I have more concern for the employees and the veterans' information that is out there. That worries me. Put something in writing that is distributed to the employees that at least they will know exactly what the ground rules are. You take the stuff off campus and you have violated a rule. You are put on probation. It does not happen again. Put it in writing some place. Let me get to the specific Birmingham issue. I have a large number of seniors and I have the highest number of people on Social Security and Medicare. Should I be alerting citizens that their doctors' information on that patient may also have been compromised in the Birmingham breach or are you doing it? What are we doing to protect not just the veterans but people who are on Medicare and Medicaid? Mr. Mansfield. We are following through with the requirements the previous legislation referred to. Part of what we have to do there is a risk analysis, and our initial attempt was to have the IG do it. The IG just last week informed me that they do not believe they have the capabilities to do it. They also have raised some legal issues. I brought that issue of risk analysis to the President's Identity Task Force at their last meeting, and we are moving forward in an attempt to find some, as required by the law, independent body to do the analysis in order to make a determination of who to notify in that case. I would make the point, too, that I have seen some reports that talk about 1.3 million physicians. That is not the correct number. What was it, 196, I think we are down to? Mr. Howard. Sir, 565 that we think are---- Mr. Mansfield. Why don't you---- Mr. Howard. To just comment a bit more on the list of providers, in the case of Birmingham, there were 1.3 million on the list. A large number were deceased. I believe several hundred thousand. But in every case, we believe two elements of information were on the particular piece of data, name and date of birth. That concerns us obviously. But the most critical was a population of about 565,000 where there also appeared a number not identified as such, but it happened to be a Social Security number. And so in the case of the 1.3 million providers, that is where we have pursued an official risk analysis on that to get specific guidance on how to approach it as the Deputy mentioned. Mr. Mansfield. Let me just clarify that the providers are not all medical doctors. Mr. Howard. They are not all medical doctors. Some are nurses. There is a variety of providers on the list. Ms. Brown-Waite. But, sir, it is very easy--and I would ask the Chairman's indulgence---- Mr. Mitchell. Yes. Ms. Brown-Waite [continuing]. It is so easy, once you have a provider number, to engage in Medicare and Medicaid fraud. It is out there. And, you know, I do not know how long your risk analysis is going to take. You know, the frustration that I have is that we have people's identities and medical information and Social Security numbers. Now we have physicians' information also at risk. And the ability of somebody to go in and set up a post office box and do Medicare or Medicaid fraud, that is a dangerous situation. Mr. Mansfield. I fully agree with you and understand it. I would make the point that it has taken us a number of days to do the analysis that the OIT Office has done to find out who has been on those records and how many names there actually are and who they are and what information is attached to that in an effort to go forward and find out what we have to do to answer the questions you raise which are so important. Ms. Brown-Waite. One last question. I promise this will be the last. Do you have a breakdown by State of the providers and have they been even notified of this, because I will tell you, nothing will send a more chilling effect to a physician or another healthcare provider if they think somebody may be out there billing in their name because once CMS gets on their case, you cannot get them off? Mr. Mansfield. We do not now have the addresses. The file that we obtained from CMS was scrubbed down to a certain degree, they thought including removing of Social Security numbers, and that means that we are going to have to go back because when we get the full identity of the individuals to CMS and get them to provide us the addresses as we go forward in notifications. Ms. Brown-Waite. Thank you, Mr. Chairman. I am sorry. Mr. Mitchell. That is fine. Mr. Stearns, I understand you have to leave immediately. Mr. Stearns. Well, not immediately. Can I follow up on my colleague's--what I had is something that follows right after my colleague. My colleague from Florida mentioned this Unique Provider Number (UPN). Tell me what that means. She touched on it, but from your perspective, what does that mean for a person, a lay person? Tell me the significance if a doctor had their unique provider number. Mr. Mansfield. Sir, Mr. Howard has been working with these files, and I will let him explain what the UPN is. Mr. Howard. Sir, it is an identifier, you know, for the physician. Quite frankly, though, it is the presence of that Social Security number that is probably even more critical. Mr. Stearns. If you had the UPN number plus the Social Security number, does it give you authenticity and credibility, or if you just had the UPN number without it, you would not have it? Mr. Howard. Sir, I do not believe the UPN number alone would provide you what you need to set up a fraudulent situation on Medicare. But I might ask---- Mr. Stearns. Are you absolutely sure that if I sent HEAD some fake stationery and I used a UPN number, could I not start billing for Medicare based upon that without a Social Security number? Yes or no? If you do not know, just say you do not. Mr. Howard. I am not sure, sir. The information I have, that is not enough, but I am not a physician. Mr. Stearns. Because in addition to the loss of personal identifiable information which means we have hurt the identity of veterans as well as physicians and physician providers, you have another avenue here of fraud dealing with the Medicare program which we did not have. When we had 26 million veterans, we were worried about loss of personal information. But now having compounded on this, what I hear from my colleague and this UPN is that the possibility could be you take this information and forget trying to steal a person's personal information. Just go to the source and start billing Medicare for thousands and thousands of dollars. And do it from 50 states before you get caught, you could collect a lot of money. Am I exaggerating or is that a possibility? Mr. Howard. Sir, the UPN number, to my knowledge anyway, is publicly available. That is why I say you would need more information to actually set up a successful---- Mr. Stearns. So I could find out the UPN number for my physician? It is accessible. Okay. Mr. Mansfield. Web site, right? Mr. Howard. It is on a Web site. Mr. Stearns. It is on a Web site. So that is not critical information. Okay. Mr. Howard. No, sir. Mr. Stearns. Okay. The gentle lady, I will yield to her if you have any additional--go ahead. I am just going to yield a minute to her. Ms. Brown-Waite. What I said to my colleague is the provider number, the Medicare provider number is something that they would need to set up a storefront and start billing, because we had exactly that problem in Florida. Mr. Stearns. Right. And that was part of the loss of 1.3 million, right, what she is talking about. The other thing I cannot understand, this occurred on January 22nd. Why have you not given Members of Congress or at least put a profile of this information by State? I mean, at what point are you going to decide to notify these people? In California, there is a law that once you lose this information, you have got to notify the people immediately. How long are you going to take and why have you not come up with a plan and a date when you are going to do this? Are you just going to wait until you get it back, which might be 6 months? It seems to me there is a time where people should be notified that you have compromised their personal identifiable information. Mr. Mansfield. Let me make the point, sir, that since we became aware of this, we have been in communications with CMS and talking to them and their legal people and others in an effort to determine what we need to do to go forward. I would also make the point that it has been a question of attempting to find out what the information was because it does not show up as a Social Security number. It is in a box over here that has a name on it and it took our people a lot of work to---- Mr. Stearns. So you have to go in each individual box for a name to find it? Mr. Mansfield. You have to go through that to find out, you know, if that number matches a Social Security number, we believe. And we have had to go back and do the forensic information to get that. That has taken some time. And I would make the point that we frankly concentrated on the veterans in an effort to get them identified and to get the notifications to them. We are continuing to go through the process of pulling all these large files together to get those names of the veterans and to notify them. Mr. Stearns. In any corporation, they have a security protocol which says that only certain individuals get access to this information. I cannot understand why your agency has not developed a protocol so that this veteran would not get access to that. And the second question I have and I will complete is CMS, are they not derelict for giving you access to this information without it being encrypted? Shouldn't CMS at the very least encrypt all this information before so that this person that you put on the protocol would have a password and either an iris or a fingerprint before he or she could get this information? So my two questions are, is there not some culpability on CMS for not encrypting and, two, why do you not have some kind of protocol with that massive information? Mr. Mansfield. Sir, part of the problem is that this list was available for our medical researchers under a memorandum of understanding that we had with CMS. And actually my understanding is that they gave us the wrong list that was put into the custody of a person that we had responsible for receiving that and responsible for making the decision to release it to the proper people who have authority and permission to be released to. In the process of looking at the list that we got, we found out that there was more information, including Social Security numbers, that were on there and identified as such and we got those removed from it. But we did not realize that this other number potentially could be a Social Security number also. So that is part of the problem. Mr. Stearns. Thank you, Mr. Chairman. Mr. Mitchell. Thank you. Mr. Walz. Mr. Walz. Thank you, Mr. Chairman. Once again, Mr. Mansfield and the panel, I do not intend to bore you with my personal history. But having been one of those veterans who lost their data in the first breach and having received the letter, I give it to you more as a person at the time who was not in Congress but who was a veteran and got the letter and got notification on the news that this happened and watched this unfold. And it was very damaging because the first thing it did it made me lose some faith in the credibility of the VA. That was really critical to me because I want to believe and, as I said in the beginning in my opening statements, your intentions are unquestionable. You are there to serve our veterans. You have done that. But when I am listening to my colleagues and I listen to what is coming out on this, outcomes matter more than intentions. There is no doubt about that. And as a veteran, I know my first instinct was just get this right, whatever it takes to get this right. And I hear you say, you talked about, well, you have got civil service issues and contracting issues and things like that. Dr. Bagian was talking about, and I am sure you did, your organizational analysis and you went through, you know, gap analysis or whatever you did. If you were given free reign--this may be more hypothetical, but maybe it gets to where we need to get with this--what are these constraints that are stopping you from getting this fixed? When I hear you say you have these civil service contracting issues and so forth, what would you change if you were unrestrained by those? What would fix it? Mr. Mansfield. Sir, I have to make the point that, you know, I come down here as a representative of the Administration, and there are some other constraints that apply also. Let me go as far as I can and push up against the fence. One of the constraints we have with this reorganization to make sure that we shrink down the amount of responsibility so the people in those boxes can actually get their hands around it and do it instead of having too much to do, which I think we had previously, is to change the law that is set up at the Department of Veterans Affairs as a cabinet agency, because IBM, a respected contractor that came in to help us figure out what this reorganization could be, said that some of those positions should be Deputy Assistant Secretaries in order to get the people that we want to get that maybe took another job because they had a better offer. And the law that established this Department established a number of Assistant Secretaries and then put a ratio of Deputy Assistant Secretaries. The IBM recommendation is that we have a significantly larger amount of Deputy Assistant Secretaries. So I would ask you to amend the law. That is an issue that we have to deal with, and I am trying to answer your question and again play by the rules. Mr. Walz. I appreciate your candidness. Mr. Mansfield. The other issue is that we have a limited number of SES positions. And when the 4,600 people were transferred in here from the field to put together an organization, how many SES positions were transferred in? Mr. Howard. None with those transfers. Mr. Mansfield. None. So that is an issue that we are dealing with, and that means that in my responsibility to allocate those positions across the Department, I have to pluck them from somewhere else, which I have done, but there are more requests for that on the table too. And we have to go through things like that. So that means we are going back to OPM and trying to get that number raised up. And then the other part is as the Assistant Secretary indicated, with this person that was hopefully going to be in the job out of the picture, then we have to go back and what, do we have to post it again? Mr. Howard. Uh-huh. Mr. Mansfield. So we have to go through a long, lengthy process that just is there. I am making the point. We live by those rules, and those rules were put in place and that is the law and those are the regulations. We live by them and we try and, you know, push as far as we can on those, but there are restrictions involved here. Mr. Walz. Well, I appreciate your candor, and I will finish up on my last bit of time here. Are you optimistic inside the parameters you have to operate it that we can get security on this data? Can we get this done or are we simply chasing after our tails on this because of the parameters that are put on you and we are never going to get there? Mr. Mansfield. We will get it done, sir. We will get it done. The problem we have is time and people. We can work with the people. We can do a better job of educating them. We can make sure they understand what they need to do. We can follow Ms. Brown-Waite's suggestion and make sure they understand if they do a wrong, then there are sanctions available. But we have got 235,000 individuals out there and we have got tens of thousands of contractors and every June, we have got how many thousand residents and interns coming in the door? Mr. Howard. Tens of thousands. Mr. Mansfield. Tens of thousands there, so we have got to go through that. I wish I could tell you we could line everyone up and zap them and it would take place. Mr. Walz. Thanks, Mr. Mansfield. Thank you, Mr. Chairman. Mr. Mitchell. Thank you. Mr. Rodriguez. Mr. Rodriguez. Mr. Chairman, if I could follow-up on the same, if it is okay. What I am getting and what I am seeing is a bureaucratic nightmare, and I can just assume in terms of what you are having to go through. So I am thinking you almost need an external group coming in, you know, in terms of cyber security to go in there and take care of it for you. You say no, but, my God, you almost need someone, a task force to deal with it and come and tell you where the gaps are and what you need to do that is external from you to be able to tell them how to protect that. And I am just going to share with you, you know, I was engaged in one of the few exercises prior to 2000 on that glitch referred to as dark screen out of San Antonio. And as a result of that, there is a whole group, you know, and I think Senator Hutchinson and them came up with--because we did not have enough people in cyber security--they came up with a Master's Degree there. And there is a group there that has been going around the country helping both the private sector and the public sector on cyber security. And, you know, you almost need somebody in all honesty because you have got to pull this off as quickly as possible, and they can tell you where the gaps are. They can tell you what you need to do. They could even tell you that they can break into it now or not. And so, I hate to do something like that but I think that that would be something that is probably almost needed where you need an external task force to come in there and take care of it. And I think that would really be helpful not only to you, but to all the veterans that you are serving, because I know that you are sincere about wanting to do that. But I also sense your frustration and the fact that in some areas, you are having some--you know, look at that chart. My God, you have got a mess. And so you need an external group to come in there and tell you gaps that you are probably not aware of that you already have and how to correct it. Mr. Mansfield. Well, sir, I would agree with you and make the point that in the process of getting to here, we did that. As a part of the reorganization, we brought in IBM and we brought in subsidiary contractors under that, and they came up with many of the recommendations from an outside view looking at our system, taking a chance to go around and look at it and help us understand what we needed to do. And part of that chart that you see there is as a result of that. Also some of the processes and policies that we need to put in place were recommended by them. Mr. Rodriguez. Mr. Chairman, I apologize. I would presume that if this continues, I would ask if maybe there is some way that as a Committee, we can force an external group to go in there as a task force to look at the whole--and people that are trained in cyber security to protect the agencies and to protect the Department of Energy. There are groups out there, because we get hit, you know, through cyber space. And those same people that hit us are real good at also being able to protect us, but also learn where the gaps are at. And at some point in time when the agency continues to have difficulty that we take that into consideration. Mr. Stearns. Will the gentleman yield? Mr. Rodriguez. Yes, sir. Mr. Stearns. I think your suggestion is excellent. And the GAO has made recommendations since 1998, 150 recommendations, and they have not been implemented. Even their Inspector General of the Veterans, there are 16 recommendations from 2004 that have not been implemented. So I think your idea is absolutely on target that we need to have an outside group. And there are outside agencies, like accounting firms, that went in and checked Enron. You could have these outside security firms go in there and give you the information you want. And right now they have thousands of computers they have not even inventoried or encrypted. So I think your suggestion is right on target. Mr. Rodriguez. Thank you. Mr. Mitchell. Just one comment that I think will help everyone. Looking at this chart, I can see why things are not really moving, because no one up here can read it. I do not think anybody can. And I would suggest next time that you bring a picture chart and also provide all the Members with a chart because I have no idea what that says. I can see, I think, it is yellow and blue and white boxes, but that is it. So I would suggest that next time you make a presentation like that that you provide us all with---- Mr. Howard. Mr. Chairman, we have---- Mr. Mitchell. That would be nice. Mr. Mansfield. Secretary Howard mentioned in his comments that if you want to discuss it that we would go forward and do that. I apologize for---- Mr. Mitchell. You keep referring to it, so I assume you wanted us to be able to see it. Mr. Mansfield. Yes, sir. Mr. Mitchell. Mr. Rodriguez. Mr. Rodriguez. Yeah. One last comment. And I sense you are sincere in terms of wanting to do the right thing. But I also pick up in terms of the fact that I am sure there is some frustration on your part in terms of trying to accomplish what you need to get done. And so with that, I will stop. Mr. Mitchell. Thank you. Mr. Davis. Mr. Davis. Thank you, Chairman, for letting me participate again. Mr. Mansfield, let me use March 2006 as the trigger for this question. That was, as I understand it, the time in which there was a fairly significant data security breach at the VA. Have I got the timeframe right, March 2006? Mr. Mansfield. Sir, it was May of 2006. Mr. Davis. May 2006. Since May 2006, how many data breaches are believed to have occurred at VA facilities? Mr. Mansfield. Sir, I can tell you that from the SOC report that we get, and I do not have a number with me, I will provide that to you as a followup to this hearing, but we know that there have been hundreds of them in the sense of actual violations of either the law or the regulations. Mr. Davis. And you mean hundreds just in that timeframe since May of 2006? Mr. Mansfield. Yes, sir. Since we put this new SOC reporting system into place following the May incident. Mr. Davis. What would you estimate the largest amount of information that has been compromised in any of those hundreds of breaches? Mr. Mansfield. How many were in the---- Mr. Howard. It was Birmingham. Mr. Mansfield. I think the Birmingham incident where we are talking about---- Mr. Howard. It is number two. Mr. Mansfield [continuing]. Is the second one, approximately a half a million veterans and approximately the same number of providers. Mr. Davis. Well, give me a general estimate in what you describe as the hundreds of breaches that have happened since May of 2006. Give me an estimate of the amount of information that you think has been compromised collectively. Mr. Mansfield. Again, sir, let me go back for the record. Some of these reports involve two veterans' information or---- Mr. Davis. That is what I am asking you. I understand that. Mr. Mansfield. Yeah. I mean, I do not have that in front of me. Well, I can get it and have it provided for you. Mr. Davis. I am certainly not empowered to make requests on behalf of the Committee, but I suspect the Committee would be interested in having that information, and leads to my next question. Mr. Mitchell. Absolutely. Mr. Davis. Other than the Birmingham breach, how many of these breaches have resulted in a public notification? Mr. Mansfield. The UNISYS? Mr. Howard. Sir, let us get back to you on that. There have been a number of them. But to give you a precise answer, we need to go back and check. Mr. Davis. Mr. Mansfield? Mr. Mansfield. I would just make the point that in some cases, there has been lower numbers here. The veterans have been notified that or possibly also employees that might have been identified, but not necessarily the public. So we have to go back again and sift through all that and then followup. Many of these decisions can be made at the facility level. Mr. Davis. Is it safe to say that the Birmingham incident is the only instance in which a press release has gone out from the VA notifying the public of a breach since May 2006? Mr. Mansfield. No, sir. Mr. Davis. How many other times has a press release gone out notifying the public? Mr. Mansfield. I will have to go back and check. I do know on the UNISYS, there were a number of press releases. That was the one where one of our contractors--I am not sure how many-- -- Mr. Davis. That leads to my next set of questions. I do not get a sense that there is a hard and fast policy regarding when you notify, when your agency notifies and when you do not. Can you give me a short, quick sense of what is the trigger, when do you all engage in public notification? Mr. Mansfield. It is a combination of events. I think at-- -- Mr. Davis. Is there a statute you can point me to or regulation that you can point me to by number? Mr. Mansfield. I am going to have to go to my general counsel, sir. I cannot point to a statute. Mr. Davis. Let me ask the general counsel. I am seeing if there is a particular place that contains the relevant policy. Mr. Mansfield. Well, I think again, it becomes a question of what is the size of the event, what is the information given out. In some cases, it may be that there is incorrect information given out in the press and there may be an attempt to try and correct that. Let me also make the point that in any serious breach where the IG moves in and accepts the responsibility to go forward with a recommendation, they generally request us not to make any public notification. Mr. Davis. Let me ask you about that, Mr. Mansfield. And to me, that is one of the major problems here. I understand that there was a request from the IG, wait, let us do a more thorough investigation. I understand that at some level, but here is the problem. Every moment of delay is a moment in which information can be compromised. Every moment of delay is a moment in which information can be misused or misbilled. And it would seem to me that the balance would err in favor of notification, and that does not appear to be where the balance was in this case. Am I wrong? Mr. Mansfield. I will not say that you are wrong, sir. I will say that---- Mr. Davis. Why shouldn't the benefit of the doubt be given to the veteran? Mr. Mansfield. Part of it is, sir, in those early instances--for example, in this case, we did not have the information available to go notify the veterans or know how many veterans there were actually involved or know who they were and where they were and how we can get in touch with them. Mr. Davis. Once you got that information, did notification occur? Mr. Mansfield. Yes, sir. Mr. Davis. Well, I am not sure if that is accurate, but let me move on if the Chair would indulge me to have just a few more seconds here. You made a reference in your opening statement to the Birmingham facility, and I looked for your written statement and I did not find a reference characterizing the conduct or the performance of the Birmingham facility. So let me ask you. Would you grade for me the Birmingham facility with respect to its handling of this matter? Would you give them an assessment or grade? Mr. Mansfield. Well, obviously with the problem that we have here, there is some concern about what happened. I am still waiting for the IG to hand me an investigative report. Mr. Davis. What is the nature of the concern? I understand there is an individual who is compromised, and I do not want to get into the details of that if there is an ongoing investigation. But beyond that individual, would you assess the performance of the VA in Birmingham? Mr. Mansfield. No, sir. I am not going to do that now. Mr. Davis. And the reason? Mr. Mansfield. I would be happy to go off line and away from the domain here and have a conversation. Mr. Davis. Is that not a matter relevant to the public? What is your position, sir? Mr. Mansfield. I am trying to follow the directions and orders that I have and perform the job that I am supposed to perform for my boss, who is the Secretary of the Department of Veterans Affairs, and allow him the ability to make what decisions he has to make in the proper forum. Mr. Davis. Mr. Chairman, I am sensing the fact that my time is out. If I can just wrap up with one observation. I am concerned by that answer, Mr. Mansfield, because this is the people's business. This is the ultimate public domain, a congressional hearing, and if it is the assessment of senior management at the VA that the Birmingham facility is not meeting its obligations with respect to data security or some other aspect of this matter, I would like my constituents in Birmingham to know that and I think that that is not a privileged matter. It is not a matter of national security. It is something they are entitled to know. Mr. Mansfield. When that decision is made, sir, I will make sure that I let you know and that we let the people know. And I would state for the record that notification of veterans started on 5 February of 2007. Mr. Mitchell. Thank you. Before I call on Mr. Bachus, I was just made aware that Public Law 109-461 enacted in December of 2006 permits the Secretary of the Veterans Administration to determine when to announce and make public any information of this kind. Mr. Bachus. Mr. Bachus. Thank you. Mr. Mansfield or Secretary Mansfield, my father was a veteran who was treated at the VA facility. He is now deceased, but my mother received notification that his records were among those lost. And I will tell you if he were here today, the first thing he would say is thank you for the medical care he received at the VA hospital. It was first rate. He had Alzheimer's, and he had the veterans facility there, partners with the UAB Medical Center, and he received medical care that was second to none. Mr. Mansfield. Thank you for those comments, sir. Mr. Bachus. Wonderful staff there. Y.C. Parris, I see is on the third panel. It is a wonderful staff. So I do think, to put this in perspective, this is one employee. Did he violate a VA written rule? I mean, is there---- Mr. Mansfield. The individual that reported the incident and---- Mr. Bachus. Yes. Mr. Mansfield. Yes. Mr. Bachus. What has been reported is he downloaded the entire system on a hard drive and then took the hard drive off premises; is that correct? Mr. Mansfield. Yes. And the rules state that you can do that, but to do it, you need your supervisor's permission and they have to be encrypted. And the original report we received through the SOC, we were told that the numbers were less than eventually turned out to be true. I think he reported somewhere around 48,000 to 56,000 and reported that the information had been encrypted. But when the forensic people from the FBI with the IG went in and did the forensic examination, that is when we started to find out that we had these mega numbers involved in the-- potentially had these--we still do not know what they are, but potentially had these mega numbers involved. Mr. Bachus. You know, I think maybe a problem may be what is the policy on either downloading information on a hard drive or thumb devices and then walking out of the VA with those devices. To me, there ought to be a pretty firm rule that you do not do that or that all information is encrypted. Mr. Mansfield. That is the current status in Directive 6504 which has been published as a followup to the May incident. There is a requirement, as I stated, to get permission and then have it encrypted. Mr. Bachus. You know, this Committee, I am not on the Committee, but they receive a weekly update on any security breaches, and one of those breaches that they received was an instance where a staff member was checking software on various machines at a VA facility and found that many of the workstations were logged on. There was no one at the desk and they had not logged out. And you could take that computer and go into the entire NT system. Is that a violation of the rules? Mr. Mansfield. Yes, that is, sir. When that station is not being used, it has to be shut down. Mr. Bachus. There are no locks in place? Mr. Mansfield. There are time-outs where, you know, after a certain period of time, and I do not know exactly on those machines you are referring to, but that the machine will shut itself down. That is a new thing we have---- Mr. Bachus. Yeah. The person involved here was actually a computer programmer, was it not? Mr. Mansfield. I am not sure which one you are referring to. Mr. Bachus. In Birmingham. Mr. Mansfield. Oh, I am sorry. Yeah. In that incident, yes. Mr. Bachus. I am sorry. I did confuse you. Mr. Mansfield. Yes, you are right, that was the person that we are talking about. It was a status 2210 computer. Mr. Bachus. So he certainly knew the risk involved. Mr. Mansfield. He reported the issue because he knew that, you know, there was a problem. There are other issues that apply to it too that---- Mr. Bachus. Was it not in the report that it was lost off premises though? Mr. Mansfield. Actually, I just know that it was reported lost. Mr. Bachus. I will say this. The day that the VA in Birmingham discovered it, they notified the IG, which was the next, you know---- Mr. Mansfield. They notified the SOC, which is us, and we notified the IG. Mr. Bachus. I am sorry. The SOC. So their notification to you was immediate? Mr. Mansfield. Well, yes. Mr. Bachus. One last question, if I could. The thing that probably disturbs me that I heard today that, you know, of course, you shared it with us February 9th, which you asked us not to make it public, you know, obviously has come out in this hearing. Is the 1.3 million medical health providers, and it is not all doctors--I know some are dead, but most are alive and, you know, therapist, anyone that bills the VA basically is what we are talking about here, is that right, or does research for the VA or medical care, 1.3 million healthcare providers? Mr. Mansfield. Excuse me. Could you restate that? Is the question, are any of those private providers people that would bill the VA? Mr. Bachus. Yeah. Mr. Mansfield. Potentially could. Mr. Bachus. No. I mean, is it---- Mr. Mansfield. I mean, I do not know, but potentially they could be. Mr. Bachus. Okay. Well, now, the physicians, I will just say that, you know, was it their names were on there, their date of birth, their credentials also, right? Mr. Mansfield. Their specialties, yes, sir. Mr. Bachus. Their specialties. The schools they studied at were on there? Mr. Mansfield. I am sorry, sir? Mr. Bachus. The schools they studied at would have been on there because that is the HHS form, is that correct? Mr. Mansfield. Sir, we will double check for you, sir. I believe that you are right. Mr. Bachus. Yeah. Yeah, the form that you have identified as being the HHS form has the school they studied at, their provider numbers, their billings, license. And somebody mentioned a medical license number. That is a tremendous amount of information. Mr. Mansfield. I think that may be the M link number which again is potentially another number. Mr. Bachus. Okay. All right. Mr. Howard. The school they graduated from is also on there, sir. Mr. Bachus. What? Mr. Howard. The school they graduated from---- Mr. Bachus. Where they graduated medical school. Mr. Howard. We have a picture we can actually show you. Mr. Bachus. And I actually have pulled up what is on that HHS--it is HHS information. But you mentioned a medical license. Is that different? What is the medical license? Is their medical license number included there? Mr. Howard. Are you referring to the M link? Mr. Bachus. No. I do not know. Someone in this hearing mentioned the word medical license. Mr. Howard. State license, yes. Mr. Bachus. Oh, okay. Their State medical license. Okay. All right. Mr. Stearns. Is it medical license number? Mr. Bachus. Yeah, their number, their license or State license. Okay. Now, the provider numbers, their billing licenses is all on there? Mr. Mansfield. No. Mr. Howard. I do not see it. Mr. Bachus. Okay. All right. You know, all that information surely puts them at very high risk for Medicare billing fraud. I mean, someone else could bill for their services. But what I am hearing today is that they have not been notified? Mr. Mansfield. Sir, not yet, sir. We are still trying to identify. Much of this information is available to the general public on other Web sites, too, also. So we are trying to figure out what additional risk do we have to deal with here based on what information is provided on this document. Mr. Bachus. But now, I guess you could not go publicly. Could you go in and get all that including their Social Security numbers and their billing license, their provider numbers? Mr. Mansfield. Go ahead. Mr. Bachus. I would hope that is not public. Mr. Mansfield. I would ask General Howard to answer that question, sir. Mr. Howard. Sir, in the case of physicians, the name and date of birth, in fact, the date of birth of physicians can be found on Web sites. For the other providers, that may not be the case. So in the case of physicians, there is at least two items of information that we would consider sensitive that is available, you know, the name and the date of birth. Mr. Bachus. And I guess it begs the question. I will end with this. As a result of that, you have got all this disclosure out there. And I do not know whether it has fallen into anyone else's hands or not, but it seems like at least one question you might be asking is do you change these numbers in the national system. But I know you are in touch with CMS, but have there been any reports of any fraudulent billings? Mr. Mansfield. No, sir, not to our knowledge. Mr. Bachus. Thank you. Mr. Mitchell. Thank you. There are two people who said they wanted a followup question real quickly. Mr. Stearns, did you want to have a followup very quickly and then Mr. Davis, and then we are going to take a 5-minute break? Mr. Stearns. My colleague, Mr. Bachus, had mentioned that he is concerned about fraud. And, Mr. Chairman, the only thing I think, you cannot get all that information in one fell swoop like that. And it seems to me that you have got to make an assessment here for CMS and the veterans of the degree of fraud that could be instigated because you have all this information. You would set up a dummy office as well as stationery and you could say I am billing for John Miller, a followup, because you obviously can send with all this information and how would Medicare not know if you put together a bill and sent it forward? Why would Medicare not pay it with all that information available? So I think there is a danger of loss of personal identifiable information for veterans, but also you have a possibility of fraud on CMS. And that is just an area that I think somehow you have got to get a handle on. And I am not sure except one of my colleagues suggested having an expert outside auditing firm come in and help you assess the risk as well as to try and implement some procedures. Thank you, Mr. Chairman. Mr. Mansfield. That is, as I mentioned, sir, a requirement of the statute and does require independent analysis. We have a responsibility within 180 days of passage of the law to write the regulation that would make that work since we do not have that regulation written yet. We are in the process, as I indicated, in discussions with CMS, CMS lawyers, and how do we go forward in attempting to do that. And I would make the point that, as mentioned earlier, that we do have to be--we have had discussions, many discussions about this, and we do have to be aware and we do have to take it very seriously. But part of the problem is, you know, we have been working on the effort to identify whose identities actually are in there and, you know, as mentioned, which ones are alive and then exactly how many are physicians versus other providers. And then we have to do a process to get the addresses if we go forward. So we are working on these issues internally. Mr. Stearns. One other thing I would caution you about is I understand you have not done a full audit of all your computers and you have not instigated an encryption procedure. So, you know, the staff showed me you have had other incidents of loss or breach of information and it is going to continue to happen unless you get a handle on this which means you have got to complete your audit on these computers, you have got to put encryption protocol that I mentioned, or you are going to have this on your watch again and again. Mr. Mansfield. As I mentioned earlier, we are aware of that, sir. And as I mentioned earlier that with a decentralized system that we have and the fact that we are not standardized, we do need to move toward standardization, that there are not any simple fixes that allow us to just punch in the answer and go forward. We have to make sure in each of the many very different systems that we have across the VA, across all these hospitals and healthcare systems, that it is going to work and not shut down a system. And it is a lot more involved than I understood it was when we started this. And we are going forward as fast as we can to make sure that we get it done. But, again, the lead word is still do no harm and make sure that we get the veterans that are coming in for treatment treated and taken care of. Mr. Mitchell. Thank you. Mr. Davis has one question, then Ms. Brown-Waite has one question. We want to get to the second panel. Please ask the one question. Mr. Davis. Thank you, Mr. Chairman. Mr. Mansfield, with respect to the hundreds of breaches that you say have occurred since just May of 2006, has a single VA employee been fired or disciplined as a result of any of those breaches? Mr. Mansfield. The answer I am told is yes, but let me, if I may, sir, go back and make a point. All these reports are not IT breaches. Some of them are paper records. Our Veterans Benefit Program is based on paper files of millions of veterans. Some of them are based on paper records in other incidents. So they are not all IT. Mr. Davis. Thank you. Mr. Mitchell. Ms. Brown-Waite. Ms. Brown-Waite. A quick question about the cyber security person that you were going to hire. If you had, you know, narrowed it down to the top three or the top five and the one person declined, is there a reason why you cannot go back and look at the second person? Do you have to rebid this? Mr. Howard. Yes. That is what the process is. Ms. Brown-Waite. Thank you. Thank you, Mr. Chairman. Mr. Mitchell. Thank you. We are going to take a 5-minute recess and then have the second panel come up. Thank you. Mr. Mansfield. Thank you, Mr. Chairman and Members. [Recess.] Mr. Mitchell. All right. We will continue this Subcommittee hearing. I want to welcome panel number two. I welcome panel two to the witness table. And these individuals provide our Subcommittee with a major service not only in their ability to provide independent assessments of VA program performances, the GAO and VA IG are able to place the performance of VA's information security management program in a historical context. This allows us to better understand if cultural resistance has developed in the program and how to cope with this resistance. I have asked Mr. Claudio in his newly-created role in the Office of IT Oversight and Compliance to sit in on panel two and to answer our questions. That his position was recently created by the Secretary to provide a feedback mechanism with regard to the information security program is laudable. We are interested in his grass-roots viewpoint. And we will begin with Mr. Wilshusen. STATEMENTS OF GREGORY C. WILSHUSEN, DIRECTOR, INFOR- MATION TECHNOLOGY SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; MAUREEN REGAN, COUNSELOR TO THE INSPECTOR GENERAL, OFFICE OF THE INSPECTOR GENERAL, U.S. DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY KENNETH SARDEGNA, DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDIT, OFFICE OF THE INSPECTOR GENERAL, U.S. DEPARTMENT OF VETERANS AFFAIRS; AND ARNALDO CLAUDIO, DIRECTOR OF OVERSIGHT AND COMPLIANCE, OFFICE OF INFORMATION TECHNOLOGY, U.S. DEPARTMENT OF VETERANS AFFAIRS STATEMENT OF GREG WILSHUSEN Mr. Wilshusen. Thank you very much, Chairman Mitchell, Ranking Member Brown-Waite, and Members of the Subcommittee. Thank you for inviting me today to participate in the hearing on information security management at the Department of Veterans Affairs. Recent well-publicized security breaches at the Department have highlighted the importance of effective information security controls in protecting sensitive and personal information not only at VA but throughout government. As we have reported on many occasions, poor information security is a widespread problem that can have devastating consequences, such as disruption of critical operations and unauthorized disclosure of highly sensitive information. Today I will discuss the recurring security weaknesses that have been reported at VA and the actions taken by the Department in response. I will also discuss our ongoing work at the Department. Since 1998, GAO and the Inspector General have reported on wide-ranging deficiencies in the Department's information security controls, including a lack of effective control to prevent individuals from gaining unauthorized access to computer systems and sensitive data and to detect them if they do. In addition, the Department had not consistently provided adequate physical security for its computer facilities, assigned duties in a manner that is segregated, incompatible functions, controlled changes to its operating systems, and updated and tested its contingency and disaster recovery plans. These deficiencies existed in part because VA had not implemented key components of a comprehensive integrated information security program, including the lack of centralized management and approach for addressing security challenges. VA has taken important steps to improve security, including realigning its security functions and personnel under the Department's CIO Office. It has also developed a data security corrective action plan that is to guide and track the Department's efforts in implementing its information security program and controls. However, many of these efforts have not yet been implemented. For example, key policies such as those for assessing risk and implemented enterprise patch management have not yet been developed. In addition, the Department has not established a track record of proactively mitigating known weaknesses across all of its systems. As a result, sensitive information remains vulnerable to inadvertent or deliberate misuse, loss, or improper disclosure as the breaches demonstrate, nor has the Department consistently satisfied the provisions of the ``Federal Information Security Management Act'' (FISMA). OMB requires agencies to annually report on their progress implementing FISMA by October 1. Although it sent a draft report to OMB, the Department has not yet submitted its official annual report for 2006. It is the only one of the 24 ``CFO Act'' agencies that has not yet done so. At the request of this Subcommittee and other congressional requesters, GAO is presently reviewing the Department's lessons learned on notifying officials and affected individuals on data breaches, actions to strengthen information security, inventory and accountability controls over IT equipment, and efforts in implementing the VA's IT realignment initiative. These reviews are ongoing and will be completed later this year. In summary, longstanding control weaknesses at VA have placed its information systems and information at increased risk of misuse and unauthorized disclosure. Although VA has made progress in mitigating previously reported weaknesses, it has not taken all the steps needed to address these serious issues. Only through strong leadership, sustained management commitment, and vigilant oversight can VA implement a comprehensive information security program that can effectively manage risk on an ongoing basis. Mr. Chairman, this concludes my statement. I would be happy to answer questions. Mr. Mitchell. Thank you. Ms. Regan. [The statement of Gregory Wilshusen appears on pg. 63.] STATEMENT OF MAUREEN REGAN Ms. Regan. Thank you. I would like to have our full statement submitted for the record. And before beginning, on behalf of the OIG I would like to second the Deputy Secretary's comments regarding Mr. Sistek's retirement or move from the Committee. We have really enjoyed working with him over the years, and we will miss him. Mr. Chairman, Members of the Subcommittee, thank you for the opportunity to address OIG oversight efforts of the VA's information security program, its effectiveness, and the need for cultural change within VA. To answer questions regarding these issues, I am joined by Ken Sardegna, our Deputy Assistant Inspector General for Auditing. Issues related to information security are twofold. The first is the protection of sensitive information maintained on VA automated systems from unauthorized access. The second is whether individuals who are authorized access to sensitive information adequately protect it from loss, theft, or inappropriate disclosure. Today I will highlight that there have been longstanding problems in VA with respect to protecting sensitive information that have not been fully addressed. Our FISMA audits have identified information security vulnerabilities every year since fiscal year 2001. VA's efforts to address these vulnerabilities in a timely manner have been hampered by the magnitude of the problems and aging IT infrastructure and the lack of standardized IT systems throughout VA. To address these vulnerabilities, we have recommended that VA pursue a more centralized approach to IT management, apply appropriate resources, and establish a clear chain of command to enforce internal controls and hold individuals accountable for not protecting information. In our ongoing 2006 FISMA audit, we determined that all 17 recommendations cited in prior FISMA reports remained unimplemented. In addition to the 17 unimplemented recommendations, we anticipate identifying several new high- risk areas associated with certification and accreditation of VA systems, remote access, and access to sensitive information by non-VA employees. Until all matters are fully addressed, VA systems and VA data remain at risk. The May 2006 theft of an employee's personal hard drive containing protected information on at least 26 million veterans and active military highlighted how vulnerable VA is to compromising information on veterans. In reviewing how this incident occurred, we found a patchwork of policies that were fragmented and difficult to locate. None of the policies prohibited removal of protected information from the work site or storing protected information on personally owned computers. These policies also did not provide safeguards for electronic data stored on portable media, such as laptops. We also found information provided to VA employees and contractors needed to be better safeguarded. Background investigations were not always required or done. Procedures for reporting potential data losses needed to be improved. We made five recommendations to VA to correct these problems. To date, all five recommendations remain open. As a result of this incident and subsequent actions taken by the Subcommittee, there is greater awareness in VA regarding the issue of information security. However, VA still lacks effective internal controls and accountability. Since July 2006, the VA Security Operations Center has received reports of approximately 3,600 incidents. The incidents included unauthorized access, missing, stolen, or lost laptop computers, improper disposal, and numerous incidents involving unencrypted e-mail messages containing sensitive information. Of the 3,600 incidents, 250 were referred to the Office of Inspector General. Of these, we opened 46 investigations. One of the most significant is our current investigation of the data loss at Birmingham, Alabama. Information security remains a major challenge for VA. For example, VA has not yet determined how many employees and contractors use non-VA computers to access VA systems. VA does not know what VA data is being stored on these computers, external hard drives, and other portable devices. VA also has no means to monitor whether access to data is limited to the information needed to conduct business. And much of VA's databases and e-mail remains unencrypted. VA will not be able to safeguard data unless three important actions are taken: Hold individuals accountable for compliance with policies and procedures; provide employees with VA-owned computers and encryption software; continue to enhance employee awareness of the need for a cultural change. Equally important, VA must find a way to implement these actions without impacting VA's ability to fulfill its mission. Thank you again for this opportunity to update you on the status of our ongoing work. We will be happy to answer any questions you may have. Mr. Mitchell. Thank you very much. [The statement of Maureen Regan appears on pg. 60.] Mr. Mitchell. I have a question for Mr. Claudio. You essentially are able to provide a fresh new perspective with regard to field-level activities in information security management at the VA. We welcome your perspective. Do you believe that policy guidance to the field is comprehensive and unambiguous with regard to information security management and do you believe that the policy guidance is rigorously enforced by field-level managers? STATEMENT OF ARNALDO CLAUDIO Mr. Claudio. First of all, sir, thank you very much. And before I start, I want to say that I am honored and privileged to be here today and to you, Mr. Chairman and Members of the Subcommittee, I appreciate the opportunity to come in here and speak truthfully of what I have seen out in the field to you. Actually, I am very pleased to hear that Mr. Rodriguez and Mrs. Brown-Waite have basically talked about accountability and have talked about putting the point into who is the person to be looked at when we are talking about breaches of data, so forth and so on. My office was created and actually executed on the 22nd of January. It is an office that is called the Oversight and Compliance. And I do not know. It was not discussed that much over here, but I am the person with my organization to go out there and do assessments on policies, assessments on validation of laws, assessments and safeguard and maintaining in the areas of cyber security, the areas of record management, and privacy. Within the last 30 days, and by 15 March, we will have completed 16 assessments. To answer specifically your question, I think the IG basically brought up some very important points in terms of lack of accountability, enhancement of awareness in part. I have gone out and I have reviewed 6504. I have looked at every policy there is. And if you are a person that belongs to VA and you have an understanding of what you are reading in pure English, it is very easy to follow instructions because they are very clear. There are memos to the memos to the memo. There is policy to the policy to the policy and it is all written there. What there is a lack of, and I think it was brought in, is looking at a person and holding that person accountable for his or her action of what has occurred. And that is really lacking out there. So to be pointed on this is the personal accountability is lacking, number one. So the policy is there. What it is, and we talked about change of mindset, is change of environment. I have sat in groups where there are 20 to 30 doctors and these doctors, we talked about and discussed how to safeguard the I, which is the information. Still, some of them, even with their high level of understanding of other things, will probably fight the fact that the information is probably not as important as their research. So what we are looking at is a change of mentality here, which is going to take effect as we go through, and I think the wake-up call obviously on the 6 May and then on the Birmingham piece will definitely change attitudes. Mr. Mitchell. Thank you. I have one other question. Mr. Claudio. Yes, sir. Mr. Mitchell. Do you believe all incidents are reported and do you believe that there are unauthorized reproduction of databases and what is the threat associated with a hypothetical action like this? Mr. Claudio. Sir, I have been a cop for over 30 years. Mr. Mitchell. You have been what? Mr. Claudio. A cop, a policeman. My last job, I was the Chief of Staff for the Joint Force Headquarters, National Capitol Region, also the senior Military Police in the military district of Washington. And prior to that, I was in Iraq. I was the senior Military Police as an advisor to General Casey. I will tell you that you have to make some determinations of what you are going to report. There are cases that are insignificant. Your data breaches where they are insignificant of one or two person, that can be handled right there and then and remediation can be taken care of. So to tell you that every incident is reported, I do not think so. I think with the change of mindset that is occurring right now, you will see the volume of SOC reports actually increasing, doubling, and even tripling because a lot of people are putting conscience into what is going on. So in that term, you are going to see an increase of SOC reports coming into the fact. So that is the first part. Can you repeat the second part of the question, sir? Mr. Mitchell. Yes, sir. Do you believe that there was unauthorized reproduction of the databases and what would be the threat associated with this type of action? Mr. Claudio. Sir, there is not so much a reproduction. There is a possibility, based on the assessment that I have done, that data is being passed on through unencrypted computers. And because that is done right now, it definitely creates a tremendous risk for the veterans. Yes, sir. Mr. Mitchell. Thank you. Ms. Brown-Waite. Ms. Brown-Waite. I thank the Chairman. I have a question for Mr. Wilshusen. I am not picking on the VA, but they happen to be our Committee's jurisdiction. If you could tell me of the 150 some recommendations that have been made, what would you say are the top five? And if you--I will let you answer that. Mr. Wilshusen. Okay. First I would like to clarify a couple of things regarding the 150 recommendations. We made these recommendations back in 1998 to 2002. Many of our reviews and our recommendations are very specific, detailed configuration items on computer systems that identify specific computer control vulnerabilities. VA has to a large extent corrected many of them. However, what they have not done is that they have not taken the next step and proactively looked at the vulnerabilities that we identified on those systems because typically they would just correct the action on a particular system or device that we identified the vulnerability. They did not take the next step to look for and identify other devices or systems that are similar that could have the same vulnerabilities. And we would find those vulnerabilities on similar devices at other locations. So I would just like to clarify that. But I would say the key recommendation that they still need to address is implementing a robust, centralized information security program. They are starting to make progress in terms of centralizing some of the information security functions and personnel within the CIO's office, but they have not yet implemented all of the key activities associated with a comprehensive information security program in terms of being able to adequately assess their risk of the impact that could result from an unauthorized security breach to developing the policies and procedures that effectively mitigate those risks, including those configuration, management, and requirements for specific systems and operating platforms. They also need to assure that their staffs and their security personnel are adequately trained in security requirements as well as security awareness so they know what the threats are and their responsibilities are for implementing the policies and procedures for testing and assessing the effectiveness of controls on their systems and protecting the information on a regular and ongoing basis. And once they have done those tests, they need to develop remedial action plans to correct and mitigate known weaknesses not just on those devices where they have been identified but across the entire Department. Ms. Brown-Waite. Are other organizations as resistant to change and do other agencies have as much of a problem with breach of sensitive personal information as the VA does? Mr. Wilshusen. Well, I will say that certainly the security breaches at VA have been remarkable and, in fact, stunning in their scope and magnitude. However, they are by no means unique in the Federal Government. Other Federal agencies have suffered and have been exposed to security breaches and data breaches as well. In fact, one of the reviews that we have ongoing right now is to look at some of the lessons learned regarding similar data breaches at other Federal agencies, particularly as they relate to notification to government officials and effective individuals when such breaches occur. But certainly VA is not unique in the sense that other agencies also have security and data breaches. With regard to how robust their security controls are and program as compared to other agencies, I would say that they probably are near the bottom of the 24 ``CFO Act'' agencies. And this is based upon a couple of facts. One is on the FISMA report analysis, our analysis of their reports have consistently shown that in terms of at least meeting the performance measures that they are required to report under by OMB is that they generally have not fared as well as other agencies. In addition, the IG and its contractors have consistently reported that they have a material weakness in their information system controls as part of the financial statement audit and in the agency's performance and accountability report, which is another indication that their controls are lacking. Mr. Mitchell. Thank you. Mr. Bachus. Mr. Bachus. Thank you. I will direct this question, I guess, to Ms. Regan. The VA has failed its annual ``Federal Information Security Act'' review for 6 years in a row, is that right? Ms. Regan. I would have Mr. Sardegna answer that question. He is much more familiar with the audits. Mr. Sardegna. I believe we have been doing this since 2001. And, yes, as far as I understand, the VA has never been in compliance with the ``Federal Information Security Management Act.'' Mr. Bachus. What happens when you fail that? Are there remedial measures or---- Mr. Sardegna. Our past reports have identified 17 different issue areas that we have been reporting for a number of years now. Our reports go to the Office of Management and Budget, and as required we provide OIG information to be included in a joint report with the Department that we send forward. We also do a separate independent assessment which we provide to what now would be the Assistant Secretary for Information and Technology at the CIO and the different Administration heads of the agency. Mr. Bachus. Okay. But, you know, I think everybody, both panels agreed that the VA is not doing, you know, what they should do at the headquarters level at least. And, Ms. Regan, you mentioned three things they ought to do, is that right? Ms. Regan. Yes. Mr. Bachus. One was encrypting data? Ms. Regan. Yes. Mr. Bachus. Is the technology there to have encrypted the data on the hard drive in Birmingham? Ms. Regan. You can encrypt the data that you store on the hard drive. There is software that allows you to encrypt the data when you transfer it or work with it on the hard drive. It encrypts the hard drive in itself. The data that you put on there is encrypted through the software. Mr. Bachus. Is that made available to the employees in the VA who are downloading this information? Ms. Regan. It has not been made available yet to my knowledge. That is one of the issues with our second point. VA needs to provide VA-owned computers so that you can control what security measures are on the computer and buy this encryption software. Mr. Bachus. Now, that seems pretty simple really, does it not? I mean, the technology is there. It is not provided. And if it were, it would in this case and many others have resulted in the information that was lost not being subject to misuse or criminal intent. Mr. Sardegna. Well, if I may, Congressman, there are some complicating factors with the Department's IT infrastructure. As the Deputy Secretary has testified, there are multiple platforms. There are many really aging information systems and technologies that VA is trying to bring up to date by adding these new technologies for encryption. Ms. Regan. I also believe one of the main issues with respect to this is the cost. We have---- Mr. Bachus. Is what? Ms. Regan. The cost. Mr. Bachus. Cost. Ms. Regan. I mean, there is a price tag to providing the VA computers, particularly with the emphasis on telework. If you want people to work at home or you have people working at home, VA would have to buy them VA laptops and have the software installed on them. Mr. Bachus. Of course, every time they work at home or every time they have a hard drive, there is a case where somebody could steal that hard drive or they could lose it. I mean, that is going to happen every time, right? Ms. Regan. Whatever it is, whether it is a laptop or even a desktop at home or whether it is a hard drive or other portable media device, they can get lost. They can get stolen. It is happening all over the country. I think it gives some sense of security when the hardware or the data was either encrypted or password protected which makes it difficult for somebody to access that data. Mr. Bachus. Yeah. And that had not been done to date, right? Ms. Regan. That has not been done. Some VA entities have implemented encryption for e-mails but most of VA has not. Mr. Bachus. Okay. Let me just close by saying Congressman Mitchell asked, you know, in how many cases is it not reported. And, Mr. Claudio, you said you were a law enforcement officer. Mr. Claudio. Yes, sir, I was. Mr. Bachus. I used to be Assistant State's Attorney General. I can tell you this employee, I do not know him, I do not know anything other than what I read in the newspaper, he reported it. That leads me to believe that is inconsistent with selling it or an intentional act. I mean, and I would say that probably by reporting it, he probably is in the minority of my experience with human beings. In most cases, they do not report it. Mr. Claudio. Actually, sir, we have seen a change in conduct on that. Like I said before, the SOC report is growing by the minute. There is a conscience out there and a great effort made by the leadership to pass on the message how serious this whole thing is. And, again, just by going around and assessing what is going on, I think there is being some very heart-to-heart talk from the leadership. As I go around, I meet first with the hospital director and I spend 15 to 20 minutes trying to assess where he or she is in terms of policies, in terms of regulations. But you can see a definite shift. We are not there yet. It is going to take some time. I think the reorganization is going to pay its fruit. We just got to give some time for that to happen. Mr. Bachus. Now, in this case, you had a director of the hospital who immediately notified headquarters---- Mr. Claudio. Yes, sir. Mr. Bachus [continuing]. Knowing about the publicity, the consequences. He did his job. I worry about probably for every one of those directors one that says look for it some more, are you sure, you know, or an employee who does not come and report it. Mr. Claudio. Yeah. Mr. Bachus. And I think the answer to that is encryption and policies on, you know, certain information should not be shared with people. You know, I think that probably too many employees have too much information that they do not need to do their job, number one. Number two, I think this idea of taking stuff home and working on it on your computer ought to have some severe limitations because, you know, things happen on the way to and from work or at home. And, number three, encryption technology, a big cost, but, you know, we are going to be here having hearings once a month if you do not have it. Mr. Claudio. Sir, I could not agree with you more. I think the ultimate thing is that all data from the veterans is collected, distributed within the confinements of that facility period. And then there is enough space inside that server that can handle that so you do not have to go to an external drive, that you do not have to go and plug in a USB port and so forth. Mr. Bachus. Or put it on a thumb device or put it on a hard drive and take it home. Mr. Claudio. Correct, sir. Mr. Mitchell. Thank you. I have just a couple very quick questions for Mr. Wilshusen. First, do you believe that the VA is on the road to achieving the gold standard in information security management? Mr. Wilshusen. If they are, they are at the early stages of that. Certainly since the May 3rd data theft, there appears to have been a change in attitude, at least at the very top. Secretary Nicholson has testified as well as, of course, now Mr. Mansfield, that it is important that the agency set the tone at the top in terms of what will be tolerated, what will not. And it seems at present at least that they are making that effort. However, attendant with that is the requirement that you adequately and unambiguously communicate what the expectations are for the employees throughout the entire organization at all levels on what their security requirements are and have that tied then to their performance standards, their position descriptions, communicate that through various forms of directives, handbooks as the VA is attempting to do. And then once you have communicated what those expectations are and provided training to the staff is to make sure then that there are accountability measures in place that reward those that do perform and address those that do not. Mr. Mitchell. Earlier, Mr. Claudio said there were memos on memos. There was every written rule in the world. I mean, that is not the problem. So I do not know how these employees could not know what is expected of them unless their supervisors are not doing their job. Mr. Wilshusen. Well, that is exactly right. You need to have the enforcement and accountability mechanisms in place, be that through performance mechanisms, through their ratings, and where it affects them in either the paycheck or have other administrative actions. The other thing that you have to do because people are only one part of the overall equation related to information security effectiveness in an organization, you also have process and technologies. Often people will be your weak link in many cases, but you need to have controls and other disciplines through the technology, make sure you have appropriate technology controls to include things like encryption, to include strong access controls on your systems. You also need to have appropriate processes and part of that is making sure that those individuals only have access to the information that they need to perform their job and that they control that information and do not allow it on laptops or removable media when it is not needed to perform their job. And if it is, to make sure you have the appropriate technical controls to help protect that information when it is at risk because the information can be at risk at multiple places, both at rest when it is on the hard drive, when it is on a server, or when it is being transmitted across a network or over the Internet. So there needs to be appropriate controls and policies in place. And by policies, I mean technical security control policies in place to protect that information. Mr. Mitchell. And a couple other quick questions. How does the VA compare with other agencies with regard to information security management programs? Mr. Wilshusen. Well, I would say that, you know, based upon the reporting mechanisms afforded by FISMA, the ``Federal Information Security Management Act,'' and based upon the results of audits and reviews of information system controls performed during financial statement audits that VA is probably near the bottom. Just to illustrate, VA has had, I guess, a material weakness in their performance and accountability report and information system controls since 1997 each year. In addition, for 4 of the last 5 years, the House Committee on Government Reform has been issuing computer security report cards based upon an analysis of the annual FISMA reports. And VA has received a failing grade for 4 of the last 5 years. And as I mentioned earlier, VA has not yet submitted its official draft or its official copy of its annual report this year. Mr. Mitchell. Can you tell us of the successful agencies best practice? Mr. Wilshusen. In terms of agencies which have done that? Mr. Mitchell. Right. Mr. Wilshusen. Well, by those same standards and criteria that I just laid out, some would include perhaps like Social Security Administration. They have not had a material weakness or reportable condition on their financial statement audits. They have consistently scored higher on the review of the FISMA reports. A couple other ones would include, I think, National Science Foundation. But I would also caution that though they have done well on the FISMA reports and also as part of the financial statement audits, because those reports and audits are somewhat limited in scope does not necessarily mean that they have full and highly secure systems. Mr. Mitchell. Ms. Brown-Waite. Ms. Brown-Waite. Thank you. Earlier during the previous panel, my colleagues, Mr. Davis and Mr. Stearns, had suggested an outside audit and investigation group come into the VA. And I do not know who can answer this. If they are ignoring the IG and the GAO, why would an outside group perform any magic and results that are not exactly being accomplished here with your report and the followups? Mr. Wilshusen. Well, one, first of all, I think it is always appropriate to have independent reviews of an information security program or the information security controls in place at an agency are all on particular systems. Indeed, that is what GAO and the IG have done on many reviews in the past. The basic problem is they have not implemented an appropriate information security program. And it will take probably a sea change for them in order to do that. You know, certainly an independent review from an outside source could provide other skills perhaps, but at the same time, I think the reviews that the IG and we have performed highlighted significant vulnerabilities and gaps in security controls. Ms. Brown-Waite. If I may ask a followup question. Would it be better for Congress to say--I know this is a terrible word to use--to earmark, to make sure that money is set aside specifically for the kind of security, data security that we need with no ifs, ands, or buts about it, take money from their existing budget and say, ``you will do this?'' Ms. Regan. I was going to say I think it would depend on what you are going to ask them to do with the money. If it is going to be this money will be set aside for encryption and laptops, that is one thing. I think what needs to be done first is to have the resources put to those needs. So I think you would have to identify what aspects and how much money to begin with. One other issue, if I could follow up on the contractor issue, I think as we noted in our report last summer, the July report, VA still has serious problems with contractors and access to our data. If you remember, the UNISYS computer got stolen that had VA data on it. I think, though, the Department is making head way to do this. I would be concerned that the scope of any contract would have to be defined, and I am not sure how long it would take to define the requirements. VA does not have a good history with IT contracts. And I think it would have to be defined, but I am not sure it would be done in the very near future. I think you may be looking down the road for a while, unless it was a narrow scope contract on one issue. Ms. Brown-Waite. I think Mr. Claudio---- Mr. Claudio. Yes, ma'am. I think it is a matter of capability. If you look in the past, the question is, did we have the capability to do such an assessment. We did not. Thirty days ago, that organization was put together. It is the organization of Oversight and Compliance. Basically it is an organization that covers the entire United States, including Alaska, Hawaii, Puerto Rico, Guam, and the Philippines. It will do about 16 to 20 assessments per month once the full capable organization. So we probably will have to ask that that capability to get function and go ahead to see how productive that is. We have met with the IG, the organization. We have discussed this point. And if you look at, there is about 266 medical centers. There is about 63 regional centers. It is about 300 plus. All those regional centers and medical centers will be assessed about in a year and a half. So the assessment capability is now there and we just got to give it some time to see where we get from here to there. Mr. Mitchell. Thank you. Mr. Bachus. Mr. Bachus. Yeah. I would like to just ask two followup questions. My first one is about the Birmingham breach, but it is not directed at Birmingham because I would bet you this information went out to a bunch of other sites too. But why would anyone in the VA, in VA research or VA in general, need access to the entire CMS database on everyone that ever billed CMS for healthcare, including all that information, or if they were, you know, why could that not have been encrypted or why could it not have been under some very tight supervision? Ms. Regan. That issue is actually being addressed in our administrative investigation. We are looking at this point as to why that individual had that data. We are also looking at why the individual was given all the fields that are in that data set and whether they were necessary. We are also looking at whether or not CMS should have given that database to the VA to start with, there are key factors of the database that VA was never given or that were not given to the facility. But why that information on that many physicians? Was it necessary at various levels? It did not go to this individual initially. It went to somebody else who he works with. But we are looking at all of those various issues regarding that database. Mr. Bachus. Okay. Thank you. Has the VA inventoried or restricted employee access to sensitive veterans' personal information on a need-to-know basis? Ms. Regan. The VA has not inventoried it as far as I know. But I do know that when you access a database, you need to explain and get it approved to have access to the database and usually what part of the database and for how long, and whether you are just going to review it, if you are going to copy it, there are various questions that are asked. It gets down to the individual level. Is the individual ISO, information security officer, or the CIO who has responsibility at a facility asking the right questions? Is it for a limited time period? Do you need all the fields in the database? All those issues should be addressed. So it gets down to an individual level, but there are measures in VA to do that. It is whether or not people comply with it. Mr. Bachus. All right. Thank you. Mr. Mitchell. Thank you. One quick followup. Mr. Wilshusen, you mentioned some paperwork that the Veterans' Administration has not completed for information security. Could you repeat what that is again? Mr. Wilshusen. Yes. The ``Federal Information Security Management Act'' requires agencies to report annually on their progress in implementing the provisions of the Act. They are required to report in accordance with OMB's instructions on reporting for this. OMB has set up a number of performance measures and a reporting format for that and requires the agencies to report by October 1. It is called the Annual FISMA Report. As of today, VA has not submitted its official copy of that report. Now, it has submitted a draft of that report to OMB, but has not yet submitted the official copy. And accordingly, because it is a draft, both GAO and Congress are also supposed to receive copies of these reports and we have not received them yet. Mr. Mitchell. Have you heard anything from the VA about why they have not done it? Mr. Wilshusen. I do not know precisely the reason why. As far as I know, perhaps--well, my colleagues might know why. Mr. Mitchell. Does anybody know? I understand. Assistant Secretary Howard, would you address that question? Mr. Howard. Sir? Mr. Mitchell. Why the paperwork has not been submitted. Mr. Howard. If it is the same report I am thinking about, it is in the Secretary's Office with signatures. Mr. Mitchell. And this is February, right, and it was due in October? I mean, this is March really. Mr. Howard. Yes. Mr. Mitchell. Thank you. Mr. Bachus. Could I ask one followup question? Mr. Mitchell. Yes. Mr. Bachus. I do not know if it was this panel or the last panel said that in the aftermath of that May 3, 2006, the massive breach there, that the VA issued a directive that you could not download sensitive personal information about veterans, maybe physician providers too--I do not know--onto-- it had to be a VA computer--I do now know exactly--or VA-owned equipment, I think. But that has been now waived, is that right? Ms. Regan. There was a subsequent memorandum that waived that provision for the three Administrations, which would be National Cemetery Administration, Veterans Health Administration, and Veterans Benefit Administration. Mr. Bachus. So which is about all of VA basically, right? Ms. Regan. Pretty much. It would not only just be the databases. It would just impact the people using those databases within those Administrations. People in OIG offices may have access to those databases for oversight purposes. It would not affect us. We have our own policy that only VA-owned computers can be used, not personal computers. Mr. Bachus. Was that just as a practical matter? Once they did that, they prohibited that, that the system just could not work? Ms. Regan. I do not have any knowledge as to why it was done. We have never seen the justification. Mr. Bachus. I mean, why it was waived. Ms. Regan. Why it was waived. The reason they put the policy in place---- Mr. Bachus. The prohibition. Ms. Regan. Right. Mr. Bachus. I can understand the prohibition. I do not understand why it was waived unless maybe as a practical matter, they could not pay benefits, they could not treat because, you know, maybe it interfered with their--but it would be interesting to know. Does any of the panel know why a temporary waiver was issued? Thank you. Mr. Mitchell. Any other questions? Thank you very much. I appreciate it. Ms. Regan. Thank you. Mr. Mitchell. And at this time, we are going to have the third panel, and this should go--they do not have opening statements. And I would like to, while they are getting ready, read a statement. The Minority Members had requested these witnesses for this panel so that we could gain better insight into information security management and research-related programs at VA. Ms. Regan, could you just hang around a little longer because I think I would like you to sit in on this if you would. This was an act of choice and I fully concur with the request. I do regret that we could not provide VA with more time to coordinate the appearance of one REAP Director, Dr. Pogach. I appreciate you responding in short notice. I would also like Ms. Regan, Counsel to the VA Inspector General, to sit in with panel three to advise us if in her opinion the questions or answers get too close to the nexus of the IG's ongoing investigation so as to jeopardize that investigation. I also welcome from the Birmingham VA MC, Mr. Parris and Dr. Blackburn. TESTIMONY OF LEONARD M. POGACH, M.D., DIRECTOR, RESEARCH AND ENHANCEMENT AWARD PROGRAM, VA NEW JERSEY HEALTH CARE SYSTEM, EAST ORANGE, NEW JERSEY; WARREN BLACKBURN, M.D., ACOS/R&D COORDINATOR, VA MEDICAL CENTER, BIRMINGHAM, ALABAMA; AND Y.C. PARRIS, FACILITY DIRECTOR, VA MEDICAL CENTER, BIRMINGHAM, ALABAMA And we are just going to open this up to questions. And, Dr. Pogach, did I pronounce your name right? Dr. Pogach. Yes, sir. Mr. Mitchell. Okay. Well, thank you for being here today. I appreciate it. And could you please explain what the REAP or REAP Program is and why researchers in that program require the use of large databases? Dr. Pogach. It is a Research and Enhancement Award Program. These are competitive center awards, mid-level center awards which are awarded by the VA Health Services Research and Development Program. I am not sure how long the program has been in existence. We were awarded, our center in New Jersey, in September 2003. The purpose of the center is each of them has a theme. We are interested in healthcare knowledge management which includes chronic illnesses and quality management. The REAPs are awarded to those facilities that have demonstrated certain research capacity and capability. And one of our specific interests, not the only one, is the use of large databases to basically look at the quality of care provided to veterans as well as their course over time in terms of looking at whether or not the quality of care provided results in improved outcomes, such as decreased morbidity, decreased mortality, for what I do especially with diabetes. The reason why large data sets are required is these types of outcomes, which are observational, often are not able to be attained through clinical research. For example, clinical randomized trials, especially when you are looking at the variation in outcomes among a wide variety of facilities across a national system. And this sort of data and analyses and publications certainly can result in not only publishable research, but the goal would be to provide information within the VA on where there is variation in care, variation in outcomes that might allow managers to be able to track where to look for interventions. And second of all, what we would really like to do with our quality improvement program, which most of you probably are aware of, the VA is a leader, is to actually determine if we can go beyond provision of--we did process. We lowered a value to something to really see if veterans are living longer and living healthier. Mr. Mitchell. One other question. Do you share any researchers with other non-VA organizations and, if you do, how would you assure with reasonable certainty that information security practices are being followed? Dr. Pogach. We do not share the data that we get for all large database analyses with other organizations. Mr. Mitchell. But do you share the researchers? Dr. Pogach. Do we share the researchers? Mr. Mitchell. Yeah. Dr. Pogach. We have WOCs who are shared with other universities, yes, but when they work with us they are working on-site and on VA grounds. The salaries may be shared. Mr. Mitchell. And you are fairly certain that the information security practices are being followed? Dr. Pogach. Yes. The security practices now that we have are very clear as to what we do. In part, we are also a relatively young REAP in terms of how we have been funded, and we did not have strong preexisting relationships with our organization. So we developed our program to be in-house. I understand that is not the case routinely across the entire VA system, but our capacities and our data systems are within our VA. Mr. Mitchell. Thank you. Ms. Brown-Waite. Ms. Brown-Waite. I thank the Chairman. Dr. Weeks, could you tell us why the REAP research was suspended at your facility? Dr. Blackburn. I think you mean me, Dr. Blackburn. Ms. Brown-Waite. Oh, okay. Dr. Blackburn. Yes. The Office of Research Oversight after finding out that the external hard drive had gone missing suspended the REAP research activities. Ms. Brown-Waite. I mean, will they resume? Dr. Blackburn. That is certainly our expectation and hope. To my understanding, the ORO's investigation is ongoing and has not been completed. Ms. Brown-Waite. And, Dr. Blackburn, as long as I have you there, do you know why this happened on your watch? Dr. Blackburn. The investigator or the programmer had an external hard drive within VA space. From what I have been told by him, it was stolen. Ms. Brown-Waite. Well, why was it not encrypted? I think that is part of the problem. Dr. Blackburn. Well, I think as panel two---- Ms. Brown-Waite. That is the problem. Dr. Blackburn [continuing]. Already VA has not provided at this point encryption software for external hard drives. We have gone ahead in Birmingham and taken additional actions that we have now banned external hard drives, and our VISN is in the process of banning all but a few thumb drives. Ms. Brown-Waite. And the repercussions if you violate the ban? Dr. Blackburn. I am sorry. I did not hear that question. Ms. Brown-Waite. The repercussions if the ban is violated. Dr. Blackburn. Well, I think the thing is we are responsible and we are aware of who buys hard drives. So we know where they are and we have gone ahead and collected them. The thumb drives are going to be, to my understanding, inoperable based upon a computer patch except the ones that are---- Ms. Brown-Waite. I want to make sure I understand what you are saying. Someone cannot go out and buy one at Office Depot and download onto it? Dr. Blackburn. That is my understanding of the plan of the IT folks within our VISN, correct. Ms. Brown-Waite. That is your understanding of the plan. Is that what the plan does? Dr. Blackburn. Is that what what? Ms. Brown-Waite. Is that what it actually does is it prohibits downloading on a thumb drive? Dr. Blackburn. Unless it is an encrypted thumb drive, that is correct. Ms. Brown-Waite. And for all three panel members and Ms. Regan, if you can contribute, I certainly would welcome that. The question is, you know, what did you individually do to implement the VA directives 6500 and 6504 on cyber security directly after last year's May 3rd incident? Mr. Parris. We strictly enforced that directive. We made sure that any external device was within that work space. The one area actually that was involved with this actually went above and beyond. They actually met with our staff on just a security, if you will, education program and they made their own policy that when the person who was using a drive was not in the vicinity of that drive, which is totally legal for it to be by the policy, that they actually lock that up in an additional locked area. So they went even beyond the policy within that particular area. Ms. Brown-Waite. Whenever I check into a hotel or motel when I am traveling and there is that big sign up there that says no swimming after ten o'clock, I always say to the owners what is the penalty if I go swimming after ten o'clock. So I want to know what you all do to actually implement and enforce this, because I am getting the impression that we have so many written policies out there, policy upon policy and directive upon directive that maybe that is part of the problem, that the employees may be totally confused when they have a directive de jure. But what is being done to implement and enforce the prohibitions where they do not swim after ten o'clock? Mr. Parris. We have gone through extensive education with our staff. We have gone as far as having an information security fair for a better term. We invited people up to a full day so that they could get trained on what we meant by information security. We have on our Web site all the policies. We have a question form for those policies for the ones who may not understand some of the questions. I do not know if I am answering your question with the look on your face, but, you know, I am trying to get to the gist of the question. Dr. Blackburn. Well, let me go ahead and add that we have required, as Mr. Parris indicated, training for every one of our employees who have access and it is real simple. If they did not go through the training, their access was cut off. Ms. Brown-Waite. So was this after the latest incident that happened at---- Dr. Blackburn. No, ma'am. Ms. Brown-Waite [continuing]. Birmingham? Dr. Blackburn. No. Ms. Brown-Waite. So it was before? Dr. Blackburn. That is correct. Mr. Bachus. Let me start by saying that I know Y.C. Parris. He is a great Director and operates a very good ship. So I ask these questions. I do not need to apologize to ask them, but I have an obligation to ask it. And what I kind of heard earlier was that you all complied with all the procedures and the directives from VA, is that correct? Mr. Parris. Yes, sir. Mr. Bachus. But now, am I confused or were the directives, did they not include that you all encrypt this information and that that was not done? Mr. Parris. No, sir. That is part of maybe what the Congresswoman was getting at, that there was a little bit of ambiguity. And if you look at the policy, it says within the external hard drive, which we do not have the software available to encrypt the external hard drive at this time, that if that hard drive is within that secured work space, that office space, whatever it is that is VA property, then that is okay. Mr. Bachus. It does not have to be encrypted? Mr. Parris. No, sir. Mr. Bachus. But I guess they say either keep it in a secure location or encrypt it? Mr. Parris. Yes, sir. Mr. Bachus. But then you do not have the software nor did they supply the software to encrypt it? Mr. Parris. That is correct, sir. Mr. Bachus. Which is almost a directive without the ability to comply, is it not? Mr. Parris. It makes it very difficult, yes, sir. Mr. Bachus. I mean, I guess you could go out at your own expense, and I do not know. But, you know, it would seem that if they would supply you with information, require you to encrypt it, they would provide the software and the means to do that as part of the system. That would have been an easy way to avoid what happened in February, I would think. Mr. Parris. Yeah. The horse and the cart. Mr. Bachus. What? Mr. Parris. The horse and the cart. And Bill Gates just had an article in the paper recently that illustrated that where he said that when you see how fast technology has moved, that our security system is like a stone castle with a moat around it and a drawbridge, but the technology is a jet plane with missiles on it. Mr. Bachus. Now, the IG reported that, you know, it would be good to encrypt this information. And I am hearing in this hearing that software is available to encrypt the information, but the VA up here, I will tell you, they are going to want to shift part of the blame and said you all should have encrypted it. We sent a directive to you to encrypt it, but you were not given the software. But you were also told that it could be within a secure area. And you are telling me it was within the work space. Mr. Parris. Yes, sir. Mr. Bachus. And the employee, when he discovered that it had been taken or that it was no longer there, he reported it promptly? Mr. Parris. Reported to my office, yes, sir. Mr. Bachus. And you reported it promptly to D.C.? Mr. Parris. Reported it to my network director, which is my protocol, who was in Atlanta, and he reported to D.C. the same timeframe. Mr. Bachus. Now, they have suspended your research and that of also six other centers which as they inquired, they discovered that they had not encrypted information, including, I guess, the White River Junction facility, is that right? Dr. Pogach. Actually, from New Jersey, but they suspended all the REAP programs. Mr. Bachus. I cannot hear. Dr. Pogach. I am sorry. We are from New Jersey. I am not from White River. Dr. Weeks could not make it today. But all the REAP programs---- Mr. Bachus. Are you from East Orange or where? Dr. Pogach. Yes, New Jersey. Mr. Bachus. Okay. Dr. Pogach. So all the REAP programs were suspended not specifically for any one issue but to allow for reassessment of all data security at those sites. Mr. Bachus. But was one reason it was suspended because the information was not encrypted? Dr. Pogach. I do not know the reasons why, if that could have been one reason or not. We were just basically told that all research is suspended so that we could basically make sure all policies---- Mr. Parris. No, sir. I think it was due diligence on the part of the organization. Mr. Bachus. I am not arguing with their decision to shut down the programs and assess whether that information should be out there in the first place and, if it is, it ought to be encrypted because people are going into places and steal things. Dr. Pogach. Right. Mr. Bachus. Thank you. Mr. Mitchell. Mr. Walz. Mr. Walz. Thank you, Mr. Chairman, and thank you, gentlemen, for joining us. I am sorry I missed your earlier testimony, Mr. Parris, when you--your initial statements on this. I was here earlier for Deputy Secretary Mansfield, and I am looking at some of the things he said. We had a long discussion in that first panel on the idea of what role culture plays, culture in an institution, as you are well aware of. And I am listening to my colleague, Mr. Bachus, talk about it. And I have no doubt. I am a veteran and I understand and I have the greatest respect for the VA and the work that you do. Absolutely critical. And as I stated in that first panel, the intentions, I am always operating from the assumption that the best intentions are always what is there. When looking at these data losses, I am just trying to get my mind around it as a veteran, as one of those people who got one of those letters, what can we do to prevent it, what can we do to stop it. And when I am looking at this and I think about my job, my former job as a high school teacher in public schools, data privacy is the air that we breathe. And we have got a lot of people in public schools, namely our students, who are pretty darn good with computers. And, yet, it is just stress to us. And there are password changes every 21 days. There is log- out timeouts and log-out restrictions. If your computer is shown as being idle and logged in, you get notified and you get called in and written letters on those types of things because they are really critical. There are student data that could get into health issues, too, that are on there. So my question is, and Deputy Secretary Mansfield was very candid and very open about some of the restrictions that were put on him, I understand your job, Mr. Parris, is to provide the highest quality healthcare you can to your patients. That is your number one priority. This data privacy issue is part of that and might be seen as a peripheral or distraction. We understand how important it is. I am still trying to figure out, in your mind or in your assessment, is this a resource issue or is this a cultural issue inside the VA on the importance of safeguarding this data? And I am asking you in the broad range because, as I said, I am operating from the assumption you want absolutely the best care for our patients and you want their data secured. I want the same thing. How do we get to that? Mr. Parris. Yes, sir. I agree with you about your last statement about wanting to secure the data and make sure we take care of our patients. I do not want to throw a wrench into this, but I think it is neither totally culture or resources. Both of those, you always deal with and they are always going to be there. But I think it is the growing pains. I am probably the only person in the room who has been around since Crew DHCP. That is where we had four contractors and we were testing computers and the only thing we had on there was a patient history. And we have grown to the most sophisticated medical record in the world right now in the VA system. And the growth of that, within the growth of the patients and the growth of the system we have, and then we have three major entities. Besides VHA, we have VBA, which is a huge entity, and then we have National Cemetery. And the things they do are different. And so I think it is growing pains as much as anything, is how do you stay up with the change in technology, the new software that is coming out. I do not know how many times I have sat at a table like this and talked about if we only had a patch on that software, we could get the patient what they need quicker. Can anybody write a patch for that? So you see the complexity of the system that we have. And I think that to have the people in the know to help keep up with the security part of that, as I talked about the castle and the airplane, that is really kind of the gap that we have, and how do we make those come together. How do we have a security system that runs parallel with the technology that we are installing on a daily basis? Mr. Walz. I appreciate that. There was a suggestion earlier, and I am just getting your feeling on this because we all want to solve this, whatever it is going to take, and I just see a massive need that the public wants this, because one of the things, as you well know, the biggest thing for me as a veteran that it is the loss of trust, which is critical to us. Of all the good work you do, you hate to see that happen. And it was suggested by Mr. Rodriguez that we just need to maybe provide a crack team of people that provide the best security or whatever it is from wherever they come from and drop them in here and get this thing done. Now, do you believe that is the solution or is this part of the growing pains, that that would not do it? They would not understand your organizational needs the way you understand them? Mr. Parris. With all due respect to that suggestion, sir, I do not think that would solve the problem. I think that would be another expenditure that probably could be spent on a solution to the problem internally. Mr. Walz. Thank you so much. Ms. Brown-Waite. If the gentleman would yield. I asked that question before because my fear is you bring an outside group in, they are going to ignore those recommendations as they have ignored the IG as well as the GAO. And I would rather see the money spent on some kind of a solution soon here. Mr. Walz. Software. Ms. Brown-Waite. Right. Software would be great. But, you know, also setting that what are the consequences of not securing that data. And it is not just in the VA. I think every agency is probably guilty of it. Mr. Mitchell. Thank you. I think that will be all. Just before we adjourn, I would just like to know and I think this Subcommittee would like to know when the Secretary signs the FISMA report. I would like to know that. So if somebody here could let us know when it is actually signed, I would appreciate that. And if there is nothing else, this meeting is adjourned. [Whereupon, at 5:30 p.m., the Subcommittee was adjourned.] A P P E N D I X ---------- Prepared Statement of Hon. Harry E. Mitchell Chairman, Subcommittee on Oversight and Investigations I have accelerated our Subcommittee's review of VA information security management for several reasons. I thank all three panels of witnesses and our Subcommittee Members for their cooperation despite the somewhat short notice we were able to provide. It is my belief that when the subject matter justifies some sort of review, that such a review should be thorough, balanced and timely. This topic was on the Subcommittee agenda for later in this year. While it is a recurring and non-partisan topic for our Veterans Affairs Committee, the events regarding the data loss at Birmingham and other circumstances have led me to advance this hearing on our Subcommittee docket. In this hearing I wish to determine the current status of information security management at VA. Admittedly, the Birmingham incident holds powerful sway over the landscape. If the Birmingham incident stood alone against a backdrop of a sound information security management program perhaps we could address a one-time-only incident with more patience. However, the record reflects a host of material weaknesses identified in Consolidated Financial Statement Audits and Federal Information Security Management Act [FISMA] audits over recent years. The Inspector General's Office and the Government Accountability Office have both reviewed VA and found deficiencies in the information security management program over the last 8 years. VA is slow to correct these deficiencies. For example, the VA IG made 16 recommendations with regard to information security management in 2004--all 16 remained open in 2006. During our full Committee review of the May 3rd, 2006 data loss, we discovered a general attitude regarding information security at VA that our current full Committee Chairman Bob Filner once referred to as a ``culture of indifference.'' Today, I wish to address this issue of ``culture'' and the need for cultural change with regard to information security at VA. Last year, the Committee reviewed cultural problems at several levels at VA. We looked at the very top levels of VA leadership and were critical. We looked at the program leadership level and were critical. We looked at the promulgation of information security policy in VA and were critical of the various methods employed by some program leaders and advisors to gut those policies, to avoid accountability and to weaken information security practices. We were critical of the lack of checks and balances in the information security management system at VA--was guidance being followed, did oversight occur? We were critical of the delay by VA in providing congressional notice of the May 2006 incident. We were critical of the slow escalation in notice of the magnitude of that problem. VA mailed notices to millions of veterans addressing the data compromise and made a public commitment to become the ``gold standard'' in information protection within the Federal Government. Eight months after the initial data loss, VA reports another loss of significant magnitude associated with a Birmingham VA research program. That a weakness existed in this area surprised no one. That it happened at all serves to precipitate this type of congressional oversight hearing. While the actual loss of the external hard drive and the limited electronic protections on that missing equipment should be considered the 800 pound gorilla in this room, there were some silver linings with the Birmingham story as we now know it. For example, the loss was reported in VA and quickly relayed to the appropriate people. Mr. Howard notified congressional oversight staff and Secretary Nicholson called the Chairmen and Ranking Members of the VA Committees. The Office of the Inspector General was quickly involved and opened an investigation. In similar examples from May 2006, VA took days or weeks to accomplish those tasks--in the Birmingham incident of January 2007, VA took hours or days to accomplish the same tasks. Staff was notified within 1 day, and calls from the Secretary followed a few days afterward. The investigative trail was reasonably fresh for the IG to follow. What of VA culture with regard to this issue? The IG made five recommendations to the Secretary in their ``Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans'' on July 11, 2006. As of today, all five of those recommendations remain open. Why? After the 2006 series of hearings, VA issued a series of tough sounding declarations, but problems still remained and another major incident has happened. After the Birmingham incident, the Secretary issued some tough guidance, but what impact will it have? Will history repeat itself? How deep are the cultural barriers? I believe that it is important to review all aspects of this issue. We need to hear from VA leadership and in that regard we are pleased that Deputy Secretary Mansfield has agreed to testify. He, Secretary Nicholson, the Under Secretaries are key to setting policy--they represent the Department in this matter. But we also need to look at this problem through the eyes of the remaining 200,000 plus people in the VA. Do leadership actions throughout the management hierarchy match policy guidelines everywhere in VA? Do the rules say ``no'' but the culture beckons, ``Aw, go ahead-- make an extra copy of the data and your life will be easier.'' ``Take a short-cut, no one will follow up.'' If we change the culture at VA we can begin to fix the problem. But people have different cultural perspectives; those of the VA leaders on panel one may differ from those of the researchers in the field. Leadership's policy guidance may now be spot on, but the question is how that policy is received at the user-end. For that reason, this Subcommittee requires testimony across the spectrum of people who in any way handle sensitive information about our veterans. Let us approach this with open minds, consider other perspectives, and be able to put this problem to rest for a long time. Before I recognize the Ranking Republican Member for her remarks, I would ask our Members' consent for a guest and permit Congressman Artur Davis from Alabama to sit at the dais and be allowed to ask questions after all Subcommittee Members have had that opportunity. Without objection? I now recognize Ms. Brown-Waite for opening remarks.Prepared Statement of Hon. Ginny Brown-Waite, Ranking Republican Member, Subcommittee on Oversight and Investigations Thank you, Mr. Chairman. Our hearing today, as the Chairman indicated, is to learn more about the Information Security Management at the Department of Veterans Affairs, in particular, the current effectiveness of information security at the Department, and the need for cultural change. Since the data breach of May 2006, the second largest in the nation and the largest in the Federal Government, we have seen the VA's centralization of the VA's information management, including information security. I appreciate the Secretary's desire to make the VA the ``Gold Standard'' for information technology and information security management in the Federal Government. From what we have seen, adherence to the Federal Information Security Management Act (FISMA) has not been adequately addressed governmentwide, as Congress intended when writing the law. This is why our Committee worked so hard last Congress to pass measures such as H.R. 5835, and the final version of S. 3421, which became Public Law 109-461. We have tried to give the Department, and in particular, the Secretary, the tools he needs to mandate change within the entire Department to make certain that such security breaches are few, if any. I have served on this Committee for 4 years, and recently been selected as the Ranking Republican Member of this Subcommittee. Over the years, I have seen the lack of resolve within the underlying culture at the Department, particularly at the facility level, to change the way senior management view IT security. It is sometimes difficult to embrace change, and this is what we need to address in this hearing. In order to protect our veterans, and provide them with the services they need, we need to remove that cultural predilection against change. I appreciate the witnesses who have come to this hearing, particularly those who have traveled a distance to be here, and I look forward to hearing your testimony. Thank you, Mr. Chairman, and I yield back my time. Prepared Statement of Hon. Gordon H. Mansfield, Deputy Secretary, U.S. Department of Veterans Affairs Thank you, Mr. Chairman. I am here before this Committee on behalf of the Secretary and the Department to discuss with you the changes underway in the Department of Veterans Affairs Information Protection program. The Department has committed itself to becoming the ``gold standard'' in Information Protection within the Federal Government. We have made significant progress in a very short period of time to reach this goal. Nonetheless, we realize that there is much more to do, and we have positioned our Information Protection program to undertake the challenges before us . . . and to succeed. Early on, the Secretary recognized the need to reorganize our IT assets to give the Department's Chief Information Officer, and Assistant Secretary for Information and Technology, full control over our IT budget, people, and programs. This Committee was heavily invested in that decision. It held numerous hearings to assist the Department in addressing the many issues involved in centralizing our IT function. We created the Office of Information Technology and transferred over 4,500 employees to this new organization. These VA employees are under the supervision and direction of VA's CIO, Bob Howard. We are currently completing the final phase of our reorganization by bringing the full complement of IT programs, dollars, and people under Assistant Secretary Howard's control. This reorganization is a Departmental priority. All leadership elements--from Central Office to field locations from Maine to Manila-- have been briefed and instructed. Command emphasis is firmly on information security. And it is squarely focused on revamping our IT infrastructure--from practices and procedures . . . to our Department's data security culture. We are also committed to creating a dedicated IT career field that will help us to develop, recruit, and retain the bedrock of professional IT careerists we need today if we are to meet the challenges of tomorrow. I personally have spoken to departmental leaders on this critical issue. To improve the delivery of IT services as we transition to a centralized IT program, we brought in outside consultants, including IBM, to assist in professionalizing our systems. IBM recommended that we change the way we manage and direct IT. We have done that. We have reduced the scope of work and narrowed the span of control of our IT senior leaders. By telescoping their management focus, we expect more efficient execution of their responsibilities and, in turn, better results and outcomes. Significant issues remain in the area of Information Protection. We are addressing them head-on. We have begun to revamp our entire program, consistent with IBM recommendations. Over the past six months, I have spoken with many VA employees, at all levels, to underscore the Department's unqualified position on the IT reorganization. I have stressed the importance moving-out smartly to take charge of the difficult issues at hand. And I believe the vast majority of VA employees are now more aware . . . more sensitive about data management and security in both the administration . . . and in the delivery of services to veterans and their families. Previously, the head of our Office of Cyber and Information Security was assigned such a wide span of control that it was difficult to excel in all areas of responsibility. As a result, support of our Administrations and staff offices suffered. We have since created a more comprehensive approach by establishing an Office of Information Protection and Risk Management. Its management oversees several key areas. Cyber Security focuses on FISMA reporting and policy development. Risk Management and Incident Response addresses risk assessment, incident resolution and credit monitoring. Records Management and Privacy focuses on policy development and oversight of privacy and records. Data protection analysis and lessons learned are also an integral part of this new management focus. Our field-based Information Security Officers have been operationally realigned to report to the Office of Field Operations and Security. And finally, we consolidated several IT compliance programs within the Office of Oversight and Compliance, which reports directly to the Assistant Secretary for Information and Technology. This office will conduct rigorous assessments nationwide. Both announced and unannounced, these reviews rigorously evaluate facility compliance with legislative directives as well as policies, procedures, and practices relating to information protection, data management and control, data, records management, privacy, and IT security programs. This office will be the first responder to facilities where serious IT security incidents occur and that require the immediate review of records management, privacy, and cyber security business practices. I am confident that this office will provide the further assurance necessary to bolster our records management, privacy, and data security measures. On June 28, 2006, the Secretary delegated to the Assistant Secretary for Information and Technology the responsibility for Departmental Information Security. Since the May 2006 data security breach, VA has issued eight IT directives on specific IT security safeguard requirements. We have developed a comprehensive strategy to incident resolution that includes procedures for notifying veterans of incidents where personal information has been compromised. We have drafted a regulation to implement the Veterans Benefits, Health Care, and Information Technology Act of 2006. And our Oversight and Compliance Office, established this month, has already completed several facility assessments. We have launched a number of technology initiatives, both completed and underway, to protect sensitive information. We have encrypted over 15,000 VA laptops. We are minimizing the use of thumb drives and mobile devices. Where authorized, we are requiring them to be encrypted. Very importantly, we are in the process of testing technology that will check for proper encryption, codewords, and security credentials necessary to be permitted entry into VA's information network. The gravity of information security is undeniable. Data security incidents such as we have seen tarnish VA's reputation and the peace of mind of those we serve. We are aggressively instituting a VA-wide change in culture and mindset across the length and breadth of our facilities, urban and remote. VA has already committed time and resources to educate our workforce about the importance of data security. Through formal training, printed communications, and other media, the focus is on good stewardship of data privacy. Our employees are now more aware about data management and security in the administration . . . and in the delivery of services to veterans and their families. Our culture is changing. Change always takes great effort. It is disorienting and it is disruptive. But formerly acceptable business practices, as we have come to realize, are simply no longer acceptable. We are communicating this cultural reorientation across our Department, at all locations and at all levels. No one person, office, or Administration is exempt. On February 21st, the Secretary convened an offsite meeting attended by all VA's senior leadership. He reviewed the recently issued information security directives and procedures as well as the information protection incidents and vulnerabilities. The Secretary reiterated, in no uncertain terms, his order that all supervisors fully execute their responsibilities in the area of information protection. In late March there will be a data security `Update' seminar for our senior leaders. In April, VA's annual Information Security Conference will address the theme of ``Strengthening [IT] Capabilities to Achieve the Gold Standard.'' And in June, we will conduct Awareness Week and the systemic Security and Privacy Training ongoing across the Department. We are working hard to achieve our goal--full protection of VA's sensitive data and information. We have made substantial progress in a relatively short timeframe . . . and we expect nothing less than continuous improvement. We have implemented corrective policies and procedures. Deployed the necessary technologies. Trained our workforce. And we will not relent in our efforts to ensure that every veteran's personal data is safe and secure. While we have made great progress, we have clearly not fully achieved our objective. In our defense, I want to say that when data was lost, we did not stand still. We notified affected veterans by letter. We began investigations to determine root causes. We took preventive measures to improve security. And we communicated these incidents to the Congress. I don't believe there is any other Federal Department as forthcoming and public about this issue. I can assure you we will continue work to improve our processes. We know all too well that lapses in information security . . . such as the one that occurred last year, and recently in Birmingham, weaken the confidence of our veterans, their families, and the American public in our ability to perform the mission that has been entrusted to us. Mr. Chairman, that concludes my testimony. I will answer any questions that the Committee may have. Prepared Statement of Hon. Robert T. Howard, Assistant Secretary for Information and Technology, U.S. Department of Veterans Affairs Thank you, Mr. Chairman. I would like to expand on Deputy Secretary Mansfield's comments regarding the changes underway in the area of Information Technology. There are two specific areas I will focus on. First is the extensive reorganization taking place and second is the overarching program we have established to provide focus to all our remediation efforts. The IT Realignment Program to transition the VA's IT Management System remains on track and is scheduled to be fully implemented by July 2008. By April 1, 2007, software development employees and programs will be permanently reassigned to the CIO. This action follows the consolidation of operations and maintenance under the CIO, which was finalized beginning this FY. We are implementing a process based organizational structure, rooted in best practice processes that are aimed at correcting IT deficiencies that resulted in a loss of standardization, compatibility, interoperability and fiscal discipline. There are a total of four processes that are being introduced with the assistance of IBM, from a ``best practices'' standpoint. We have also developed a different organizational framework to provide focus in key areas. The Office of Information and Technology is now comprised of five major organizational elements, built around these core process areas. These will report to the CIO. Each of the five major organizational elements is led by a Deputy CIO. One Deputy CIO is charged with directing the information protection and privacy protection programs in VA. This official is also responsible for risk assessment, risk mitigation, evaluation and assessment as it relates to information protection. The DCIO for Information Protection and Risk Management has already drafted regulations as required by the Veterans Benefits, Healthcare and Information Technology Act of 2006. The regulations will address at minimum, notification, data mining, fraud alerts, data breach analysis, credit monitoring, identity theft insurance and credit protection services. To reach the ``Gold Standard,'' as directed by the Secretary, we have implemented a new program to assess our information protection controls, develop plans to strengthen the controls where necessary, enforce the controls, and continuously monitor the information protection program. The action plan we have developed includes Development and Issuance of Policies and Procedures, Training and Education, Securing of Devices, Encryption of Data, Enhanced Data Security for VA's Sensitive Information, Enhanced Protection for Shared Data in Interconnected Systems, and Incident Management and Monitoring. A number of the specific requirements of the new law have already been introduced into our comprehensive plan. Regarding this plan I personally review progress on a weekly basis. In closing, I believe we have made progress in improving IT operations in VA and we are working hard in partnership with the administrations and staff offices to improve our business practices to ensure the protection of veterans' sensitive information. Mr. Chairman, that concludes my testimony. I would be pleased to answer any questions that the Committee may have. Prepared Statement of James P. Bagian, M.D., P.E., Chief Patient Safety Officer, Director, National Center for Patient Safety, Veterans Health Administration, U.S. Department of Veterans Affairs Mr. Chairman and Members of the Committee, I am pleased to be here today to discuss the issues of IT security, patient safety, culture and their relationships. At the National Center for Patient Safety our mission is to prevent our patients being unintentionally harmed while under our care. This mission is quite large in scope and while most of our activities are concerned with direct clinical care they also address things that are a bit more removed such as safety during transport in vans, automatic doors and their potential to cause injury, and parking lot barrier design to name but a few. Similarly, the information system (IT) is also of great interest to us as our electronic health record (CPRS) is the tool that in large part is responsible for our ability to deliver the safe and high-quality care for which the VA has received many kudos and is a model for the country and world. While IT security is not intimately related to the direct clinical/physical safety of the patient we still view it as a relevant endeavor under the overall umbrella of preventing unintended harm to our patients, because issues such as identity theft can result in harm to our patients. In addition to direct harm, such as that which might be caused by someone successfully pretending to be a veteran getting care at VA facilities, a larger and more wide-ranging harm can come from the energies expended responding to IT security issues. This redirection of resources can detract from our ability to render the medical care that is our basic mission. The efforts of the National Center for Patient Safety have been based on creating an environment where problems can be identified in a timely manner, prioritized as to the appropriate action required, and analyzed to elicit the real underlying root causes and contributing factors. These steps result in the formulation of well-founded actions to mitigate risks. We often express this as three simple questions to be determined: What happened? Why did it happen? and What should be done to prevent it from happening in the future? We also have championed and implemented a system that promotes the extensive consideration of close calls, which are events where no significant harm befalls the patient. Studying close calls provides an opportunity to learn that is different from the traditional approach where learning begins only after a patient has suffered harm. The culture of the Veterans Health Administration has changed from one that was reactive to one that acts proactively to prevent undesirable outcomes. This did not happen overnight or by fiat. It happened through identifying problems that those at all levels of the organization perceived as real and worth tackling, and then removing the barriers that stood in the way of adopting more effective and risk-based strategies and techniques to prevent harm to patients. Through the implementation of a program that embraced these concepts and actively and aggressively solicited collaboration from all levels of the organization, as well as from stakeholders external to the organization such as Congressional committees, Veterans Service Organizations, and our unions, we have been able to make significant progress. There is general agreement that the VA IT security efforts to date have not achieved the level of success as quickly as desired. There is little doubt that the VA has committed much effort to enhance the security of its IT systems and that the Secretary and senior management are dedicated and serious in their efforts to improve things. The real question at hand is why problems are still occurring. There are a myriad of factors, but I would like to point out several factors that may be worthy of consideration based on my experience and perspective. Let me first state that there are no magic bullets here but there are some practices that have been applied in the area of patient safety as well as other areas that merit consideration. The use of root cause analysis (RCA) as developed by the VA National Center for Patient Safety (NCPS) has been a valuable tool that has identified the root causes and contributing factors behind many problems. These techniques include methodologies that go beyond the typical but ineffective initial questions such as ``whose fault is this'' to the three more meaningful and productive questions that I mentioned earlier: (1) What happened? (2) Why did it happen? and (3) What do we do to prevent it in the future? In fact, several years ago NCPS suggested to Secretary Principi that we be allowed to lead a multidisciplinary RCA team in response to the Blaster Worm problem that the IT world experienced. Secretary Principi agreed and chartered this team, and the result was extremely successful. In fact, on the 21st of February 2007 in a meeting between Mr. Howard and some of his top managers, including Mr. Shyshka, who worked with us on the Blaster Worm response, Mr. Shyshka brought up the fact that the group should currently consider employing the use of the RCA process on a widespread basis. The rationale he gave for this suggestion was the sustained success in preventing the reoccurrence of problems like that previously caused by the Blaster Worm. We agree with this suggestion and believe that the adoption of the RCA process might result in actions that are more effective than what we have experienced to date with regard to IT security. One important aspect of the RCA process is that it focuses on preventing future problems through understanding and mitigating the true underlying systems-based causative factors. Some have indicated that what is needed is a culture change. While this may be true, culture changes do not happen by fiat or written directives. They happen through the creation of a shared vision of a goal that is deemed worthy, identification of the barriers to success through discussion at all levels of the organization and removal of these barriers, creation of tools and provision of the appropriate resources to accomplish the goals, and constant and unfettered communication both up and down the chain of command that encourages the candid identification of problems and appropriate responses to those problems. At the meeting with Mr. Howard mentioned above, the issue of communication and collaboration before the implementation of directives was discussed in an effort by all parties to maximize the chances of success. If this leads to a more proactive, collaborative, systems- based process that balances the security risks versus the clinical risks I think that meaningful progress can be made. A suggestion would be to do a cultural/attitudinal survey of top and middle management that includes some frontline staff. A reason to survey senior leaders is that it is difficult to proceed, in this case toward improving culture and attitudes about IT security, if you don't know where you are starting from and why you are there. In order to enhance the likelihood of success I believe that this Committee together with senior VA leadership needs to clearly communicate the types of approaches to be adopted. VA management and staff need to understand the various ramifications of the actions to be implemented, including schedules to be met and the expectations as to tradeoffs to be made to reduce risk. This kind of understanding was pivotal to the planning and implementation of the Patient Safety Program at the VA and without it the Patient Safety Program would have failed. There should be public acknowledgement that some IT security risk will always exist and that perfection is not possible. If such changes do not occur I am concerned that the security issues will not be resolved, and that clinical care will also suffer. This would result in our veterans losing in two ways. Prepared Statement of Maureen Regan, Counselor to the Inspector General, Office of the Inspector General, U.S. Department of Veterans Affairs INTRODUCTION Mr. Chairman and Members of the Subcommittee, I am pleased to be here today to address the Office of Inspector General's (OIG's) oversight efforts of the Department of Veterans Affairs (VA) Information Security Program, its effectiveness, and the need for cultural change in VA to further improve and strengthen information security. Today, I will present our observations and identify the information security challenges VA must continue to address in order to ensure information security in VA. With me today is the Deputy Assistant Inspector General for Auditing, who will help answer questions about our audit work related to information security. To improve the Department's information security posture, VA's senior management needs to effectively secure the Department's information assets. This includes the entire set of information technology (IT) systems and technological infrastructure, as well as all sensitive information and data under VA's control. It is critical that effective controls and monitoring mechanisms be in place to ensure compliance with applicable Federal standards and all VA policy requirements. Protecting VA information and data is, and must remain, a primary focus of the Department. Our observations indicate that VA needs a culture change throughout the Department to gain reasonable assurance of VA-wide compliance with Federal and Department information security regulations, policies, procedures, and guidance. OIG HAS REPORTED CONTINUING WEAKNESSES IN INFORMATION SECURITY Our audits and evaluations on information security and IT systems have shown the need for continued improvements in addressing security weaknesses and support the need to change VA's culture. We reported VA information security controls as a material weakness in our annual Consolidated Financial Statements (CFS) audits since the fiscal year (FY) 1997 audit. Our annual Federal Information Security Management Act (FISMA) audits have identified continuing information security vulnerabilities every year since FY 2001. We have also reported IT security as a major management challenge for the Department from FY 2000 to the present. As a result of these vulnerabilities, we recommended that VA pursue a more centralized approach, apply appropriate resources, and establish a clear chain of command and accountability structure to implement and enforce internal controls. During the period 2000-2005, we reported that persistent repeat findings and weaknesses existed for physical, personnel, and electronic security and concluded that VA had not taken sufficient actions to correct the information weaknesses in our previous FISMA reports. Also, our work has continued to identify that corrective actions are not implemented at all VA facilities. We observed that management of data centers and several program offices have taken actions to remediate elements of information security control weaknesses reported in our prior reports. However, VA's program and financial data continue to be at risk due to significant weaknesses related to the lack of effective implementation and enforcement of agencywide security controls. These weaknesses place sensitive information, including financial data and veterans' medical and benefit information, at risk of unauthorized access, improper disclosure, alteration, theft, or destruction, possibly occurring without detection. Prior to the May 2006 data loss, VA's information security program showed significant security vulnerabilities. VA's CIO reported he did not have sole authority to implement all aspects of the VA-wide IT security program within VA's Administrations. IT infrastructure was decentralized because VA believed that decentralized operations provided better management of VA facilities. Finally, VA lacked adequate agencywide security control policies and procedures to provide effective guidance and organization standards. VA has not fully implemented any of the recommendations on information security from our previous FISMA reports. In our ongoing 2006 FISMA audit, we determined that all 17 recommendations cited in prior FISMA reports remained unimplemented. In addition, we anticipate identifying several new high-risk areas associated with certification and accreditation of VA systems, remote access, and access to sensitive information by non-VA employees. Until all matters are fully addressed by the Department, VA systems and VA data remain at risk. In some areas, however, the Department has made progress. Since the May 2006 data breach, VA has initiated positive steps focused on policies, awareness, and training. For example, all VA employees were mandated to complete information security awareness training. In addition, in 2006, VA took initial steps toward implementing a more centralized Departmentwide IT security program under the direction of the Department's CIO. However, establishing and implementing an effective centralized Departmentwide IT security program will require more time and effort. VA DOES NOT ADEQUATELY PROTECT SENSITIVE INFORMATION FROM DISCLOSURE The May 2006 theft of an employee's personal hard drive containing personal information on at least 26.8 million veterans, active military, and dependents, has been characterized as the largest data breach ever in the government. The employee, who was authorized access to the data, copied large amounts of protected information onto portable devices and took it home without authorization. The data was not encrypted or password-protected. The incident was a wake-up call for VA because it identified the lack of effective policy and internal controls to protect sensitive information from theft, loss, or misuse by VA and contract employees. Our review found a patchwork of policies that were difficult to locate and fragmented. None of the policies prohibited the removal of protected information from the worksite or storing protected information on a personally owned computer, and did not provide safeguards for electronic data stored on portable media, such as laptop computers. The potential loss of protected information not stored on a VA automated system highlighted a gap between VA policies implementing information laws and those implementing information security laws. We found that policies implementing information laws focused on identifying what information is to be protected and the conditions for disclosure; whereas, policies implementing information security laws focused on protecting VA automated systems from unauthorized intrusions and viruses. As a result, VA did not have policies in place at the time of the incident to safeguard protected information not stored on a VA automated system. We found that policies implemented by the Secretary since the incident were a positive step in the right direction; however, we determined that more needed to be done to ensure protected information is adequately safeguarded. We determined that VA needed to enhance its policies for identifying and reporting incidents involving information violations and information security violations to ensure that incidents are promptly and thoroughly investigated; the magnitude of the potential loss is properly evaluated; and that VA management, appropriate law enforcement entities, and individuals and entities potentially affected by the incident are notified in a timely manner. To address these deficiencies, we recommended that the Secretary take the following actions in our report, Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans (Report Number 06-02238-63, July 11, 2006). Establish one clear, concise VA policy on safeguarding protected information when stored or not stored in VA automated systems, ensure that the policy is readily accessible to employees, and that employees are held accountable for non-compliance. Modify the mandatory Cyber Security and Privacy Awareness training to identify and provide a link to all applicable laws and VA policy. Ensure that all position descriptions are evaluated and have proper sensitivity level designations, that there is consistency nationwide for positions that are similar in nature or have similar access to VA protected information and automated systems, and that all required background checks are completed in a timely manner. Establish VA-wide policy for contracts for services that requires access to protected information and/or VA automated systems, that ensures contractor personnel are held to the same standards as VA employees, and that information accessed, stored, or processed on non- VA automated systems is safeguarded. Establish VA policy and procedures that provide clear, consistent criteria for reporting, investigating, and tracking incidents of loss, theft, or potential disclosure of protected information or unauthorized access to automated systems, including specific timeframes and responsibilities for reporting within the VA chain-of-command and, where appropriate, to OIG and other law enforcement entities, as well as appropriate notification to individuals whose protected information may be compromised. The Secretary concurred with the findings and recommendations in our report and agreed to implement the recommendations. On February 9, 2007, the Assistant Secretary for Information and Technology and his staff provided us with a briefing on the status of the recommendations in the report. Although an implementation process was discussed using an electronic database with a matrix that showed what issues needed to be addressed, we were not provided an implementation plan or any supporting documentation, such as draft policies, to show progress made in implementing the recommendations. To date, all 5 recommendations remain open, although VA has developed a new Privacy Awareness training module. It was circulated to all VA Privacy Officers, including the OIG's Privacy Officer, for review and comment. We reviewed the module and confirmed that it provides a link to applicable laws and VA policy. When implemented, the module will meet the intent of one of our recommendations. Shortly after the May 2006 incident, VA issued policies to address information security. On June 7, 2006, the Secretary issued VA Directive 6504, Restrictions on Transmission, Transportation and Use of, and Access to, VA Data Outside VA Facilities, and it is available to all employees on VA's directives Web site. VA Directive 6504 contains policy for 23 different items. As stated in our report, we found that the Directive was difficult to understand; too technical for the average employee to understand; used terms, such as ``appropriate'' that were too vague to ensure compliance; and made reference to other applicable policies, guidelines, and laws without identifying them. Notwithstanding these concerns, we considered VA Directive 6504 to be a step in the right direction. The Directive prohibits the use of non-VA owned equipment to access the VA Intranet remotely or to process VA protected information except as provided in the Directive. In addition to requiring the use of encryption software on computers used outside VA facilities, a key provision in the Directive is that only VA-owned equipment, including laptops and handheld computers, may be used when accessing VA systems remotely. However, these requirements have not been implemented throughout VA. On October 5, 2006, VA issued a Memorandum, IT Directive 06-5, approving a temporary waiver for all three VA Administrations. Although the VA personnel were required to use approved encryption software when using non-VA hardware, VA does not provide the software. In addition, neither VA Directive 6504 nor IT Directive 06-5 contain provisions stating how VA will ensure compliance. There is a greater awareness in VA regarding the issue. However, VA still lacks effective internal controls and accountability which leaves sensitive information at risk. VA CONTINUES TO REPORT ONGOING DATA INCIDENTS VA's Security Operations Center (SOC) is responsible for managing, protecting, and monitoring the cyber security posture of the agency. In July 2006, VA began sending us information on incidents from the SOC, providing information on a variety of incidents such as unauthorized access; missing, stolen, or lost laptop computers; improper disposal; and numerous incidents involving unencrypted e-mail messages containing sensitive information. To date, these reports have covered about 3,600 incidents and the SOC has referred over 250 incidents to us, which resulted in us opening 46 cases to investigate. SOC reports do not always include indications of the magnitude of the data breach, that is, the number of individuals with personally identifiable information related to the incident. We have no way to determine the number and magnitude of incidents that occurred and were not reported to the SOC, nor can we verify the accuracy on the reported number of individuals affected by data incidents listed in SOC reports. Since the May 2006 incident, the OIG has remained committed to investigating significant data loss cases that show that VA or contract employees are not taking the steps necessary to protect sensitive information. For example, the incident involving the theft of a computer owned and maintained by Unisys, containing sensitive VA information, shows that information provided to contractors is also at risk. In our ongoing investigation of the data loss at Birmingham, Alabama, we continue to find that VA sensitive information was not protected. CONTINUING CHALLENGES Information security weaknesses persist at VA despite the findings and recommendations made in our reports. Most VA data remains unencrypted, including data transmitted by electronic mail over the Internet. Although the Department has begun action, it still does not know how many VA employees and contractors use non-VA computers to remotely access VA systems. In addition, VA has not determined how many external hard drives or other portable devices are in use throughout VA. Finally, VA does not know what VA data is stored on these computers, external hard drives, or other portable devices. VA also has no means to monitor whether access to data by employees and contractors is limited to the information needed to conduct business. Policies and procedures issued to safeguard protected information will not be effective unless there is compliance by all employees and contract personnel who have access to the information. Local management needs to conduct adequate oversight to ensure compliance and hold employees and contractors accountable for noncompliance. VA must ensure that managers and supervisors are held accountable for implementing the policies and procedures. In addition, VA must invest in the resources needed to provide employees with the hardware and software needed to conduct business and, at the same time, protect sensitive information. Implementing the controls needed to ensure that sensitive information is protected will require that VA employees change the manner in which they currently conduct business. VA must find a way to implement these controls without impacting VA's ability to meet its mission. In closing, I would like the Subcommittee to know that oversight and reviews of the effectiveness of VA's information security will remain a priority for the OIG until these issues are addressed. We remain committed to assessing the adequacy of information security controls and we will remain dedicated to protecting our Nation's veterans along with their personal and sensitive information. Mr. Chairman and Members of the Subcommittee, thank you again for this opportunity to update you on the status of our ongoing work. We are happy to answer any questions. Prepared Statement of Gregory C. Wilshusen, Director, Information Security Issues, U.S. Government Accountability Office Mr. Chairman and Members of the Subcommittee: Thank you for inviting me to participate in today's hearing on information security management at the Department of Veterans Affairs (VA). For many years, GAO has identified information security as a governmentwide high-risk issue \1\ and emphasized its criticality for protecting the government's information assets. GAO has issued over 15 reports and testimonies and made over 150 recommendations from 1998 to 2005 related to VA's information security program. --------------------------------------------------------------------------- \1\ GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: January 2007); Information Security: Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements, GAO-05-552 (Washington, D.C.: July 15, 2005). --------------------------------------------------------------------------- Today I will address VA's information security management, including weaknesses that GAO and others have reported, as well as actions that the Department has taken to resolve these deficiencies. I will also discuss ongoing audit work that GAO is conducting at VA. To describe VA's information security management, we reviewed our previous work in this area, as well as reports by the Department and its Office of Inspector General (IG). To provide additional context, we have included, as an attachment, a list of key GAO publications related to VA security issues. All GAO work conducted for this testimony is in accordance with generally accepted government auditing standards. Results in Brief Significant concerns have been raised over the years about VA's information security--particularly its lack of a robust information security program, which is vital to avoiding the compromise of government information. We have previously reported on wide-ranging deficiencies in VA's information security controls.\2\ For example, VA had not consistently implemented appropriate controls for (1) limiting, preventing, and detecting electronic access to sensitive computerized information; (2) restricting physical access to computer and network equipment to authorized individuals; (3) segregating incompatible duties among separate groups or individuals; (4) ensuring changes to computer software were authorized and timely; and (5) providing continuity of computerized systems and operations. The Department's IG has recently identified similar weaknesses. These longstanding deficiencies existed, in part, because VA had not implemented key components of a comprehensive, integrated information security program. Although the Department has taken steps to implement components of its security program, its efforts have not been sufficient to effectively protect its information and information systems. As a result, sensitive information remains vulnerable to inadvertent or deliberate misuse, loss, or improper disclosure. --------------------------------------------------------------------------- \2\ See attachment 1. --------------------------------------------------------------------------- We have several ongoing engagements to perform work at VA to review the Department's efforts in improving its information security and information technology management. Our ongoing work is examining data breach notification, actions to strengthen information security controls, controls over information technology equipment, and implementation of an information technology realignment initiative. Background Information security is a critical consideration for any organization that depends on information systems and networks to carry out its mission or business. The security of these systems and data is essential to prevent data tampering, disruptions in critical operations, fraud, and the inappropriate disclosure of sensitive information. Recognizing the importance of securing Federal systems and data, Congress passed the Federal Information Security Management Act (FISMA) in 2002, which set forth a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.\3\ --------------------------------------------------------------------------- \3\ FISMA, Title III, E-Government Act of 2002, Pub. L. 107-347 (Dec. 17, 2002). --------------------------------------------------------------------------- Under FISMA, agencies are required to provide sufficient safeguards to cost-effectively protect their information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, including controls necessary to preserve authorized restrictions on access and disclosure. The Act requires each agency to develop, document, and implement an agencywide information security program that is to include assessing risk; developing and implementing policies, procedures, and security plans; providing security awareness and training; testing and evaluating the effectiveness of controls; planning, implementing, evaluating, and documenting remedial action to address information security deficiencies; detecting, reporting, and responding to security incidents; and ensuring continuity of operations. In providing health care and other benefits to veterans and their dependents, VA relies on a vast array of computer systems and telecommunications networks to support its operations and store sensitive information, including personal information on veterans. Effectively securing these computer systems and networks is critical to the Department's ability to safeguard its assets and sensitive information. VA's Information Security Weaknesses Are Long Standing VA has faced longstanding challenges in achieving effective information security across the Department. Our previous reports and testimonies \4\ have identified wide-ranging, often recurring deficiencies in the Department's information security controls. For example, VA had not consistently implemented appropriate controls for (1) limiting, preventing, and detecting electronic access to sensitive computerized information; (2) restricting physical access to computer and network equipment to authorized individuals; (3) segregating incompatible duties among separate groups or individuals; (4) ensuring changes to computer software were authorized and timely; and (5) providing continuity of computerized systems and operations. Figure 1 details the information security control weaknesses we identified at VA from 1998 through 2005. --------------------------------------------------------------------------- \4\ Attachment 1 includes a list of our products related to information technology vulnerabilities at VA. --------------------------------------------------------------------------- Figure 1: Chronology of Information Security Weaknesses Identified by GA O [GRAPHIC] [TIFF OMITTED] 34307A.001 Notes: Hines is a suburb of Chicago. Full citations are provided in attachment 1. These weaknesses existed, in part, because VA had not implemented key components of a comprehensive information security program. Specifically, VA's information security efforts lacked: Clearly delineated security roles and responsibilities; Regular, periodic assessments of risk; Security policies and procedures that addressed all aspects of VA's interconnected environment; An ongoing security monitoring program to identify and investigate unauthorized, unusual, or suspicious access activity; and A process to measure, test, and report on the continued effectiveness of computer system, network, and process controls. We made a number of recommendations in 2002 that were aimed at improving VA's security management.\5\ Among the primary elements of these recommendations were that VA centralize its security management functions and perform other actions to establish an information security program, including actions related to risk assessments, security policies and procedures, security awareness, and monitoring and evaluating computer controls.\6\ --------------------------------------------------------------------------- \5\ GAO, Veterans Affairs: Sustained Management Attention Is Key to Achieving Information Technology Results, GAO-02-703 (Washington, D.C.: June 12, 2002). \6\ We based our recommendations on guidance and practices provided in GAO, Federal Information System Controls Audit Manual, GAO/AIMD- 12.19.6 (Washington, D.C.: January 1999); Information Security Management: Learning from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.: May 1998); Information Security Risk Assessment: Practices of Leading Organizations, GAO/AIMD-00-33 (Washington, D.C.: November 1999); and Chief Information Officer Council, Federal Information Technology Security Assessment Framework (Washington, D.C.: Nov. 28, 2000). The provisions of FISMA (passed in late 2002) and associated guidance were generally consistent with this earlier guidance. --------------------------------------------------------------------------- Since our report in 2002, VA's independent auditors and its IG have continued to report serious weaknesses with the Department's information security controls. In the auditors' report on internal controls prepared at the completion of VA's 2006 financial statement audit, information technology security controls were identified as a material weakness because of serious weaknesses related to access control, segregation of duties, change control, and service continuity.\7\ These areas of weakness are virtually identical to those that we had identified years earlier. --------------------------------------------------------------------------- \7\ The auditor's report is included in VA's FY 2006 Annual Performance and Accountability Report. --------------------------------------------------------------------------- The Department's FY 2006 Annual Performance and Accountability Report states that the IG continues to identify the same vulnerabilities and make the same recommendations year after year. The IG's September 2006 audit of VA's information security program noted that 16 previously reported recommendations remained unimplemented; it also identified a new weakness and made an additional recommendation. The IG has reported information technology security as a major management challenge for the Department each year for the past 6 years. VA's Efforts to Address Information Security Weaknesses Have Been Limited Despite having taken steps to address the weaknesses described in our earlier work, VA has not yet resolved these weaknesses on a Departmentwide basis or implemented a comprehensive information security program.\8\ For example: --------------------------------------------------------------------------- \8\ This result is also reflected in the Department's failing grade in the annual report card on computer security that was issued by the then House Committee on Government Reform: Computer Security Report Card (Washington, D.C.: Mar. 16, 2006). Central security management function: In October 2006, the Department moved to a centralized management model. The Department has also contracted for project support in helping to frame a security governance structure and provide tools to assist management with controls over information technology assets. This work is scheduled to be completed in March 2007. Periodic risk assessments: VA is implementing a commercial tool to identify the level of risk associated with system changes and also to conduct information security risk assessments. It also created a methodology that establishes minimum requirements for such risk assessments. However, it has not yet completed its risk assessment policy and guidance. While the policy and guidance were originally scheduled to be completed by the end of 2006, the completion date was extended to April 2007. Security policies and procedures: VA is in the process of developing policies and directives to strengthen security controls as part of its action plan. For example, VA planned to develop directives by the end of 2006 on access controls and media protection, standards for restricting use of portable and mobile devices, and policies regarding physical access to VA computer rooms. However, the completion date for development of these policies has been extended to April 2007. Security awareness: VA has taken steps to improve security awareness training. It holds an annual Department information security conference, and it has developed a Web portal for security training, policy, and procedures, as well as a security awareness course that VA employees are required to review annually. However, VA has not demonstrated that it has a process to ensure compliance. Monitoring and evaluating computer controls: VA has taken steps to improve the monitoring and evaluating of computer controls by developing policies and procedures. For example, VA planned to develop by the end of 2006 criteria for system security control testing at least every 3 years and planned to identify key system security controls for testing on a routine basis. However, the completion dates for development of these policies have been extended to April 2007. To fulfill our recommendations in these areas, VA must not only complete and document the policies, procedures, and plans that it is currently developing, but also implement them effectively. With regard to its IG's findings and recommendations, the Department has established an action plan to address the material weakness in information security (Data Security--Assessment and Strengthening of Controls), which is to correct deficiencies and eliminate vulnerabilities in this area. Despite these actions, the Department has not implemented the key elements of a comprehensive security management program, and its efforts have not been sufficient to effectively protect its information systems and information, including personal information, from unauthorized disclosure, misuse, or loss. GAO Has Ongoing Reviews of Information Technology and Security Issues at VA We have several ongoing engagements to perform work at VA to review the Department's efforts in improving its information security and information technology management. These engagements address: Data breach notification: We are conducting a study to determine the lessons that can be learned from the VA data breach with respect to notifying government officials and affected individuals about data breaches. For this evaluation, we are examining similar data breach cases at other Federal agencies, as well as analyzing Federal guidance on data breach notification procedures. Actions to strengthen information security controls: We are conducting a review to evaluate VA's efforts to implement prior GAO and IG information security-related recommendations and to assess actions VA has taken since the data breach of May 3, 2006, to strengthen information security and protect personal information. As part of this engagement, we are examining VA's timeline of planned efforts to strengthen controls. Controls over information technology equipment: We are conducting a followup audit \9\ at selected VA locations to determine the risk of theft, loss, or misappropriation of information technology equipment. To perform our audit, we are assessing the effectiveness of physical inventory controls and the property disposal process at four VA locations. --------------------------------------------------------------------------- \9\ This is a followup audit to work reported in GAO, VA Medical Centers: Internal Control Over Selected Operating Functions Needs Improvement, GAO-04-755 (Washington, D.C.: July 21, 2004). --------------------------------------------------------------------------- VA's information technology realignment initiative: We are conducting a review to determine whether VA's realignment plan for its Office of Information and Technology includes critical factors for successful implementation of a centralized management model. We are also looking at how the realignment will ensure that under the centralized management approach, the chief information officer is accountable for the entire information technology budget (including those funds that had been administered by the Veterans Health Administration and Veterans Benefits Administration). In performing this evaluation, we are analyzing governance and implementation plans, as well as budgetary and other relevant documentation. In summary, longstanding information security control weaknesses at VA have placed its information systems and information at increased risk of misuse and unauthorized disclosure. Although VA has taken steps to mitigate previously reported weaknesses, the Department has not yet resolved these weaknesses, implemented the recommendations of GAO and the IG, or implemented a comprehensive information security program, which it needs in order to effectively manage risks on an ongoing basis. Much work remains to be done. Only through strong leadership, sustained management commitment and effort, disciplined processes, and consistent oversight can VA address its persistent, longstanding control weaknesses. Mr. Chairman, this concludes my statement. I would be happy to answer any questions you or other Members of the Subcommittee may have. Contact and Acknowledgments If you have any questions concerning this statement, please contact Gregory C. Wilshusen, Director, Information Security Issues, at (202) 512-6244, [email protected]. Other individuals who made key contributions include Barbara Collier, Mary Hatcher, Valerie Hopkins, Leena Mathew, and Charles Vrabel. Attachment 1: Selected GAO Products Information Security: Leadership Needed to Address Weaknesses and Privacy at Veterans Affairs. GAO-06-897T. Washington, D.C.: June 20, 2006. Veterans Affairs: Leadership Needed to Address Security Weaknesses and Privacy Issues. GAO-06-866T. Washington, D.C.: June 14, 2006. Privacy: Preventing and Responding to Improper Disclosures of Personal Information. GAO-06-833T. Washington, D.C.: June 8, 2006. Information Security: Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements. GAO-05-552. Washington, D.C.: July 15, 2005. Veterans Affairs: Sustained Management Attention is Key to Achieving Information Technology Results. GAO-02-703. Washington, D.C.: June 12, 2002. Major Management Challenges and Program Risks: Department of Veterans Affairs. GAO-01-255. Washington, D.C.: January 2001. VA Information Systems: Computer Security Weaknesses Persist at the Veterans Health Administration. GAO/AIMD-00-232. Washington, D.C.: September 8, 2000. Information Systems: The Status of Computer Security at the Department of Veterans Affairs. GAO/AIMD-00-5. Washington, D.C.: October 4, 1999. VA Information Systems: The Austin Automation Center Has Made Progress in Improving Information System Controls. GAO/AIMD-99-161. Washington, D.C.: June 8, 1999. Information Systems: VA Computer Control Weaknesses Increase Risk of Fraud, Misuse, and Improper Disclosure. GAO/AIMD-98-175. Washington, D.C.: September 23, 1998. GAO Highlights Information Security: Veterans Affairs Needs to Address Long-Standing Weaknesses Why GAO Did This Study Security breaches at the Department of Veterans Affairs (VA) and other public and private organizations have highlighted the importance of well-designed and implemented information security programs. GAO was asked to testify on its past work on VA's information security program, as well as ongoing reviews that it is conducting at VA. In developing its testimony, GAO drew on over 15 of its previous reports and testimonies, as well as reports by the Department's Inspector General (IG). What GAO Recommends To ensure that security issues are adequately addressed, GAO has previously made over 150 recommendations to VA on implementing effective controls and developing a robust information security program. What GAO Found For many years, GAO has raised significant concerns about VA's information security--particularly its lack of a comprehensive information security program, which is vital to safeguarding government information. The figure below details information security weaknesses that GAO identified from 1998 to 2005. As shown, VA had not consistently implemented appropriate controls for (1) limiting, preventing, and detecting electronic access to sensitive computerized information; (2) restricting physical access to computer and network equipment to authorized individuals; (3) segregating incompatible duties among separate groups or individuals; (4) ensuring that changes to computer software were authorized and timely; or (5) providing continuity of computerized systems and operations. The Department's IG has also reported recurring weaknesses throughout VA in such areas as access controls, physical security, and segregation of incompatible duties. In response, the Department has taken actions to address these weaknesses, but these have not been sufficient to establish a comprehensive information security program. As a result, sensitive information has remained vulnerable to inadvertent or deliberate misuse, loss, or improper disclosure. Without an established and implemented security program, the Department will continue to have major challenges in protecting its systems and information from security breaches. GAO has several ongoing engagements to review the Department's efforts in improving its information security and information technology management. These engagements address: Data breach notification; Actions to strengthen information security controls; Controls over information technology equipment; and VA's information technology realignment effort. SUBMISSION FOR THE RECORD Prepared Statement of Hon. Zackary T. Space, a Representative in Congress from the State of Ohio Dear Members of the Subcommittee and Panelists, I would like to submit for the record my most sincere apologies for my absence this afternoon. An unexpected family emergency has called me away from my congressional duties. While I would like very much to be in attendance today to review the important information and security management procedures in place at the VA, I must be with my mother on the loss of her husband. I appreciate your understanding on this matter. Please know that I remain committed as ever to the important work of this Subcommittee and those that it serves. Sincerely, Zack Space.