VA looks beyond multi-factor authentication to secure extended telework

For the VA, multifactor authentication has been around for years. But the pandemic is now pushing the agency to fully embrace it and think beyond.
VA, Department of Veterans Affairs, EHRs
The Department of Veterans Affairs. (Tajha Chappellet-Lanier)

The pandemic has pushed the Department of Veterans Affairs to think beyond multifactor authentication to keep bad actors out of VA systems as it anticipates extended work-from-home policies.

One of the federal government’s largest agencies, the VA has fully embraced multi-factor authentication across the board and is now exploring additional ways to authenticate users and improve security, VA CISO Paul Cunningham said Thursday during CyberTalks, presented by CyberScoop.

“Anything to [bring] the risk posture down … is going to be a good thing,” Cunningham said, as the VA handles sensitive medical information and other data on benefits services and more from veterans.

In specific, the VA has been looking at “bump and go” options for user authentication, referring to physical tokens that can be used as an added layer of security, the VA CISO said.


Cunningham’s comments come after the VA recently suffered a breach in a financial system that comprised information on at least 46,000 veterans. The breach was due to unauthorized access to an application for financial assistance that veterans are entitled to, the department said when it announced the hack. The VA said malicious actors used “social engineering techniques” and exploited “authentication protocols” to gain access to the system.

Multi-factor authentication has existed in the VA and government for many years. But the pandemic has forced the department to broaden its security controls to properly credential people logging in from home, Cunningham said.

Similarly, the VA faced the challenge of developing proper security protocols for medical staff to ensure those critical systems are secure but also that staff don’t get locked out of the systems during procedures.

“If you are a radiologist, you can’t stop in the middle,” Cunningham said. That impacts the configuration of some of the auto-logout features or token-based systems the department is considering.

Transactions involving pharmaceutical requests and medical visits are another top security priority, Cunningham said. “To the greatest extent possible, we want to use multi-factor authentication,” he said of those types of transactions.


Cunningham spoke alongside Ross Foard, senior engineer at the Cybersecurity and Infrastructure Security Agency, during the CyberTalks event. He said that collaboration with agencies such as CISA has dramatically increased during the pandemic as risks to the department’s IT enterprise have surged.

Sharing best practices, technical advice and new tech for authenticating users has been beneficial to the VA, Cunningham said. “We see them as partners.”

Latest Podcasts