The Department of Veterans Affairs plans to release the long-awaited request for proposals next week for the replacement of its patient scheduling system, the agency’s chief information officer confirmed today.
Stephen Warren, the VA’s CIO, told reporters the department is planning to release the RFP for a commercial scheduling system no later than Nov. 21. The new system will replace the current scheduling component within VA’s main electronic health record system known as the Veterans Health Information Systems and Technology Architecture, or VistA. VA plans to take 30 days to evaluate written proposals before selecting the best options. Finalists will then be required to develop full demonstration versions of their system for evaluation by VA schedulers, Warren said.
The announcement of the pending release of the RFP comes just days after the VA’s inspector general notified Warren that information security will remain a material weakness in the agency’s financial statement audit for at least another year. “I was disappointed, and I know the team was disappointed,” Warren said, adding that security officials have “redoubled” their efforts to ensure VA can show “constant improvement” to auditors when they return next year.
Meanwhile, Warren is scheduled to testify Nov. 18 before the House Committee on Veterans Affairs on VA’s continued cybersecurity problems. The committee is investigating longstanding cybersecurity gaps that may have allowed VA patient scheduling data to be manipulated as well as unanswered questions surrounding the department’s inability to respond to the committee’s repeated requests for information about its cybersecurity posture.
According to VA’s latest monthly information security report for October, released by Warren, the agency blocked more than 12 million intrusion attempts and blocked or contained more than 206 million pieces of malware. In at least 27 cases, malware was discovered on various medical devices, such as heart monitors. The department also reported at least 765 incidents involving the potential compromise of personally identifiable information belonging to veterans. Of those, 536 veterans were offered credit monitoring services by the VA, Warren said.
In addition to the monthly information security activity report, Warren’s office also released 18 pages of incident summaries that detail the locations and types of security incidents that occurred. Although the vast majority of cases involved unintentional mishandling of data or errors in mailing prescriptions, at least one involved inappropriate access to personal information by VA insiders.
That case, which occurred Oct. 1 at a VA facility in Dallas, involved at least a dozen employees in VA’s Human Resources Management Service who accessed electronic personnel folders and data from the Office of Personnel Management’s USA Staffing database containing employment information belonging to 90 individuals, some of whom were not VA employees. “Some access the records for better preparation, and some for curiosity,” the incident report states. “Also, the one person who looked at management eOPFs may have done it maliciously to share information with the Union,” the report states.
In another case, an employee from a community-based outpatient clinic in Hawaii discovered VistA reports containing personal health information, including full names and Social Security numbers, belonging to 55 veterans on the bottom of a magazine holder that had been set up at the Maui County fair from Oct. 2 through Oct. 5. A similar incident occurred Oct. 17 at a VA facility in Mountain Home, Tennessee, where a pharmacist is suspected to have discarded 109 pages of information containing the names and patient ID numbers of 106 veterans, as well as details about their medications. The documents were discovered by a housekeeper in a recycling bin located in the parking lot of the facility.
The events that led to the potential exposure of veterans’ personal information “follow the process, paper and people route,” Warren said. “The area where we continue to have to do more work and we continue to do more work is on the human side, in terms of individuals doing things they should not do or a process failure. A lot of time is spent training and educating the workforce.”