The Department of Veterans Affairs (VA) has been routinely transmitting veterans' personal data -- including medical information and Social Security numbers -- over unencrypted network links, leaving the information vulnerable to interception and fraud, according to an internal watchdog that faults the agency for violating the government's own security requirements.
"Without controls to encrypt the sensitive VA data transmitted, veterans’ information may be vulnerable to interception and misuse by malicious users as it traverses unencrypted telecommunications carrier networks," the VA's Office of Inspector General reported.
The types of data that the VA Office of Information Technology (OIT) sent over unencrypted networks included the names of veterans and their dependents, Social Security numbers, dates of birth and protected health information, the IG said.
And top officials approved waivers to security rules to allow the unencrypted transmissions, the report found. The failure to protect the information violated the VA's own security regulations as well as parts of the American Recovery and Reinvestment Act of 2009, which required "the encryption of electronically transmitted health information," investigators said.
VA officials acknowledged the waivers, but disputed that the information faced much risk of being intercepted. Although it was not encrypted, it was still sent through private channels, they argued.
"The network links in question are not currently employing encryption but these transmissions are crossing only the private VA network and are not exposed to or traversing the Internet," said Roger Baker, the Assistant Secretary for Information and Technology.
Baker added that OIT conducted its own investigation and concluded that at no time was information vulnerable or sent over public networks.
The inspector general acknowledged the VA had been keeping the information separate from the public Internet at large, but said "the risk remains that sensitive VA data and router information can be compromised when it is transmitted across unencrypted telecommunications carrier networks outside of VA’s span of technical control."
Investigators discovered the problem after inspecting medical facilities in South Dakota and Nebraska, but they believe the issue could be widespread. Sending information unencrypted to community health centers and business partners "was a common practice" in that region, according to OIT officials the inspector general interviewed.
The unsecured information originated from the VA Midwest Health Care Network, which serves 400,000 veterans in Iowa, Minnesota, Nebraska, North Dakota, South Dakota and portions of Illinois, Kansas, Missouri, Wisconsin, and Wyoming, the report said.
Top VA officials, including the Assistant Secretary for Information and Technology and the Acting Under Secretary for Health, Veterans Health Administration, signed waivers allowing OIT to skip "implementing encryption controls in the near term," the report said. But investigators said those waivers can only be used in "exceptional circumstances" and said the department isn't following laws regarding the protection of information.
"VA and federal information security requirements clearly call for the encryption of sensitive VA data and emphasize the importance of safeguarding this information," the IG said.
Investigators also warned that the exposure is not limited to data theft. An attacker able to observe the unencrypted links could learn enough about the VA's network infrastructure, including the router information the IG flagged, to shut down its computer networks, the inspector general warned.
Furthermore, at a time when every agency is trying to tighten its belt under budget cuts, investigators said the VA could also face fines for violating federal information security policy.