At least eight Veterans Affairs Department facilities in recent months were found to be violating the department's prohibition against using online tools like Google Docs to share private health information among facilities.
The latest incident, involving personal information of 878 patients, was detailed in VA's November data breach report to Congress (http://www.va.gov/ABOUT_VA/docs/monthly_rfc_nov2010.pdf).
Chicago Health Care System Orthopedics Department employees had been using Yahoo Calendar to share patients' information. The full names, dates of surgery, types of surgery and last four digits of their Social Security numbers had been stored in the calendar since July 2007. VA's policy is that no patient information be stored on systems outside its firewalls.
A review of the reported incident also found that four residents had been using the same user name and password for the past three years.
Access to the site was blocked a day after the incident was reported Nov. 23, and patients' information has since been deleted from the site. Notification letters were sent to the 878 patients.
"This is an issue we're going to continue to deal with going forward," said Roger Baker, VA's chief information officer.
The challenge is tracking usage of the tools, which most often becomes known when someone reports activities they believe are privacy violations.
"The government, by itself, cannot keep up with Yahoo, Google, Apple and others that are creating great applications for medical usage," Baker said. VA is "spending a lot of time trying to figure out how to go from saying no to saying yes for these kinds of apps."
VA is looking at ways to bring the tools inside its firewall and increase access control or embrace the tools as is. The tools would have to meet a high Federal Information Security Management Act certification level to store VA's information, Baker said.
"I love the tools," he said. "I just wish I could better control what's stored on them."
In the past year, the department has taken steps to improve security and privacy.
There are fewer unencrypted laptops; desktops are also being encrypted; and the "visibility to the desktop" initiative will give VA greater oversight of all devices on its network.