EXCLUSIVE: VA downplays risk assessment report
A 2013 internal security risk assessment of the Department of Veterans Affairs’ main electronic health record system that warned a data breach was “practically unavoidable” did not take into account various security mitigation actions the department had already taken to address a very specific vulnerability, according to VA officials.
The heavily redacted assessment of the Veterans Health Information Systems and Technology Architecture, or VistA, first reported last week by CNBC and obtained by FedScoop, warned it was “practically unavoidable that a data breach to financial, medical and personal veteran and employee protected information may occur within the next 12 to 18 months.”
But a VA official familiar with the risk assessment, speaking on background, told FedScoop the draft report was proposed last year by staff to address “a very specific but narrow risk, and its contentions were not intended to apply to all VA IT systems.”
The official said the report “did not take into account all of the defense-in-depth, mitigating security factors VA already has in place on its systems and network.” In addition, the report was reviewed by senior VA leadership, who “initiated actions to either validate existing mitigation controls or to put in place additional protections,” the official said.
Publicly, a VA spokesperson said the agency “has in place a strong, multilayered defense to combat evolving cybersecurity threats … [and] is committed to protecting veteran information, continuing its efforts to strengthen information security and putting in place the technology and processes to ensure veteran data at VA are secure.”
VA’s public response, however, has not settled the issue as far as some members of the House Committee on Veterans Affairs are concerned. Late Friday, Rep. Jackie Walorski, R-Ind., issued a statement pressing VA for answers on what portions of the risk assessment are no longer valid and what the agency has done to fix the vulnerabilities contained in the report.
“It’s incumbent upon VA to clarify what specific portions of this report were inaccurate and what changes have been made since the report has been finalized,” Walorski said. “Is a data breach to veterans’ financial, medical and personal information ‘practically unavoidable’ as the report states? If not, how likely is it? VA owes it to America’s veterans and American taxpayers to answer these questions in short order.”