VA sets aside $20 million to handle latest data breach
Money to pay for credit monitoring will come out of cybersecurity budget, agency official says.
The Veterans Affairs Department has set aside more than $20 million to respond to its latest data breach, the agency's top technology officer said Thursday.
The department does not expect to spend the full $20 million, but designated that much because the breach potentially puts the identities of nearly a million physicians and VA patients at risk, said Bob Howard, the department's chief information officer. Howard spoke at The E-Gov Institute's Government Health IT Conference and Exhibition in Washington.
"We have no evidence that [information is at risk]. None whatsoever, but we don't take the chance," Howard said. "The attitude of the VA right now is if we think we've put anybody's information at risk, then we need to step up to the plate and try to remedy that."
The breach occurred in January, when a hard drive went missing from a Birmingham, Ala., VA medical research facility. The drive contained highly sensitive information on nearly all U.S. physicians and medical data for more than a half million VA patients. Any physician who billed Medicaid and Medicare through 2004 could be affected.
The hard drive has not been recovered. The VA estimates that about half of the 1.3 million doctors whose information was on the hard drive, and 254,000 veterans, are potentially at risk. This group was notified by mail at the end of May. The letters noted that VA is providing credit monitoring services through a General Services Administration blanket purchase agreement from the multiple award schedules program.
The credit monitoring funds will come out of the VA's fiscal 2007 cybersecurity budget, but Congress included an extra $15 million in the recently passed emergency supplemental bill for funding the wars in Iraq and Afghanistan (H.R. 2206), Howard said.
Because the January data breach occurred in a medical research facility, the technology office tried to get health care-related funds reprogrammed to cover the credit monitoring, Howard noted, but the effort was unsuccessful.
"We were very worried about using cyber money that was needed to fix other things so they listened to us and helped us out [through the supplemental]," Howard said. "I'm spending my life in the protection of information. The fact of the matter is that it is a very important aspect to us."
Investigators are still trying to locate the hard drive and the FBI has offered a $25,000 reward for information leading to its return.
In May 2006, the VA shocked Congress, the veterans community and the military by announcing that a laptop computer containing personal data on 26.5 million veterans and active-duty military personnel had been stolen. This prompted multiple hearings and legislation intended to better protect the government's sensitive information.
Howard said the department's health care information system, known as VistA, has weaknesses since it was built at a time when the VA did not worry as much about security.
Department officials are looking at ways of speeding up the modernization of VistA, which is scheduled to take until at least 2015, Howard said. The update is intended to make the medical records stored on the system available worldwide via the Internet but at the same time protect security.
"We're not satisfied with the timeline we've laid out for VistA," Howard said. "We want to accelerate it, and it may take additional money, but we're not sure. The biggest concern we have is money. You don't want to just throw money at the problem unless you know what you're doing."
Currently the system is "facility centric," revolving around the department's 1,400 locations. With patients moving out of the Defense Department's health system and in and out of private health care systems, VA has to be able to access the medical information through a single portal from anywhere, Howard said.
The modernization of VistA is "enormously complex," since the system was "built internally over time by the officials who work with the requirements," Howard said. The modernization will be approached incrementally, rather than with a "big bang approach," he said.
"We are not there by any sense of the imagination," he said. "That's a tall order, but that's the vision that we're focused on and hopefully we can figure out how to do that at some point."
Howard said the fact the department is now working with the Defense Department to build a joint electronic health system has improved the prospects of securing resources from Congress to hasten the VistA upgrade.
In addition, the centralization of IT authority around the CIO's office has improved the VA's ability to implement the upgrade, Howard said.
"We've got it all now. We've got the people. We've got the money. The IT appropriation. But we've also got the problems," Howard said. "Centralization has already begun to help us get things done faster, improve standardization, improve compatibility -- all of the things that will help us modernize our electronic health records."