The Veterans Affairs Department this summer launched a cybersecurity initiative to verify whether a variety of security tools are being used on each of its computers.
When it comes to a veteran's electronic health records, that means VA will verify the security of the computer used by a VA physician entering a diagnosis, a pharmacist filling a prescription, or a billing clerk making note of a patient's co-pays.
"Ongoing attacks against VA systems, coupled with pressure to use Web 2.0 technology, compelled the VA to augment desktop visibility in order to provide adequate enterprise protection, and ultimately, safeguard the personal information of our nation's veterans," said Jerry Davis, deputy assistant secretary of information protection and risk management in VA's Office of Information and Technology.
The tool also applies to laptops and servers, and so far, VA has almost 30,000 laptops tracked by the tool, he said.
"The Visibility to Desktop Initiation is the ability to, at any given time, look at the status of all 333,000 machines in the network from a central location," Davis said. "This includes the hardware, software, patch level, level of security compliance, and membership of the administrative group. Full visibility will enable us to see what is out there on our networks, identify problems and risks, and provide the field with resources needed to tackle emerging issues."
Within the next 12 months, VA will expand the tool to all devices on its network — things like BlackBerrys and thumb drives. "That will put us on a par with the best-managed private-sector organizations," Davis said.
The tool will not remedy all security problems at VA, which experienced the largest data breach in government history in 2006 when a laptop containing personal information on 26.5 million veterans and military members was lost. As recently as August, VA found itself missing 10 laptops.
Reports of potential data breaches are up in 2010 compared with last year — from 6,403 to 6,535 — Davis said. But this is likely due to better reporting by the increased number of privacy security officers, he said. VA now reports security breaches on its website — www4.va.gov/about_va/va_notices.asp.
Recently, VA learned that some medical residents and employees had been using external web applications to store patient information, Davis said. But now these web applications require an account and a unique password for access.
External applications "open the door to a potential data breach," Davis said. "Non-VA websites are not under the administrative control of the department. Therefore it is unknown if these sites have security controls in place to protect personally identifiable information and patient health information."
However, "VA has to trust its users to properly use accessible external websites, and that includes following VA policy not to improperly generate, handle or store VA sensitive information," Davis said.
Among the companies helping VA secure its data is Systems Made Simple, a service-disabled, veteran-owned small business headquartered in Syracuse, N.Y., which has installed encryption software on thousands of VA computers since 2006.
"We implemented full disk encryption on all the disks," said Bob Sheahan, the company's senior vice president. "It automatically encrypts all that is stored on that disk so if someone gets a hold of a disk drive, they would not be able to read the data."
Systems Made Simple installed 30,000 such encryption programs in the first 60 days of its contract, eventually encrypting most of VA's laptops. Just this year it received another order to encrypt up to 100,000 more computers and devices, many of which VA has not yet purchased.
"When completed, that should mean close to total coverage for all of their devices," Sheahan said. "Of course, one of the hardest things at the VA is trying to understand what they have. There are 300,000 workers there and some of their doctors work part time — and these probably have their own computers."
Given VA's size, securing its electronic health data is especially challenging.
Threats to VA data security are probably not much different from threats to health records at other agencies and institutions, said Dr. Bart Harmon, chief medical officer at Harris Healthcare Solutions, a VA contractor based in Falls Church, Va.
"But there is a difference quantitatively because it is so large," Harmon said. "The large number of applications and personnel mean vulnerabilities that can come in electronically or result from someone walking off with something. There is an increasing rate of change in the sophistication of approaches that [hackers] are taking, so there is an obvious need to keep pace with new approaches to breaching the system."
Working to that end is Document Storage Systems Inc., a Juno Beach, Fla., software company that has installed administrative and electronic medical records tools at all VA medical facilities. One of those tools is a release-of-information software package. The software tracks all requests for the release of information by insurance companies, patients or physicians, as required by the 1996 Health Insurance Portability and Accountability Act (HIPAA). The software tracks a variety of data, including how many times certain information was requested, and whether the requested information is sensitive. It could signal an alert if an illicit attempt were made to access data.
"We've been doing this for the VA for about eight years, and it is constantly modified and upgraded," said Joe Byers, vice president of sales and marketing for Document Storage Systems Inc.
Document Storage Systems' approach is twofold: It secures the network that data resides on, and it also secures how data is stored on and retrieved from its database.
"It would be tough for a hacker to break through," Byers said.
For all that, one of the biggest obstacles to the adoption of electronic health records is security and privacy concerns, said Alisoun Moore, Northrop Grumman's director of state and local health and human services.
"Having secure communication is critical," Moore said. "And that includes all the back-end communication like billing agencies and reimbursement agencies."
To that end, Northrop Grumman is working on the Nationwide Health Information Network (NHIN) — an initiative led by the Health and Human Services Department to compile patient information from all sources, VA, other government agencies and private health-care providers. The company is developing a consent registry that would enable patients to control access to their records. The registry will authenticate that the patient giving his consent for the release of data is who he says he is, Moore said.
In addition, Northrop Grumman is working with VA and the Defense Department to establish a Virtual Lifetime Electronic Record of each member of the armed services, Moore said.
"The goal is to have the records of each serviceman, from the time he entered to the time he exited the service, right at their fingertips," Moore said. "Security and privacy is part of this agenda."
VA security concerns usually revolve around three areas, Moore said: the physical and electronic security of records; assurance of privacy; and exchange of data between agencies and with outside entities.
Software called CONNECT, which helps run NHIN, encrypts all data entered into the system and then checks to ensure that all security and privacy policies are enforced, said Tony Galluscio, senior program executive for health care interoperability at Harris Healthcare Solutions, which built CONNECT.
Five demographic data elements, such as age and sex, can be used to check whether the person in question is who he is believed to be. "If someone is in the emergency room and is unconscious, a doctor, using such checks, can query the NHIN to get health information not otherwise available," Galluscio said. And this information is encrypted.
To further ensure privacy and accuracy of electronic health data, VA in August awarded a four-year contract to adopt bar-code scanning technology that will ensure positive patient identification, according to John Leon, program manager of MicroTech's Bar Code Expansion Positive Patient program.
Provided by MicroTech of Vienna, Va., another service-disabled veteran-owned business, the bar codes prevent mislabeling of blood and laboratory specimens and will provide clinicians with the ability to view, monitor and record patient information in real time via a wireless device.
"The bar code will be worn on the wrist, making it a point-and-click solution," Leon said. "No one personally will be able to see the data on the bar code because it will all be encrypted. Once received, it goes into the server and the servers are also encrypted."
The bar-code devices — Bar Code Medication Administration devices (BCMA) — are among those VA devices that have yet to be fully encrypted, said VA's Davis. VA is studying ways to encrypt bar codes, though.
"We are continuing testing on BCMA laptops, and a number of sites already have encrypted their BCMA devices," he said.
"VA also is studying whether thin client computing [where a majority of sensitive data is stored on a protected server rather than a hard drive] can be a more appropriate business process solution than encryption."