Department of Veterans Affairs: Review of Alleged Transmission of Sensitive VA Data Over Internet Connections.

摘要

We conducted this review to determine the merits of an allegation that VA was transmitting sensitive data, including Personally Identifiable Information (PII) and internal network routing information, over unencrypted telecommunications carrier networks. The VA Midwest Health Care Network, also known as the Veterans Integrated Service Network (VISN) 23 within the Veterans Health Administration, serves more than 400,000 veterans enrolled to receive medical care residing in Iowa, Minnesota, Nebraska, North Dakota, South Dakota and portions of Illinois, Kansas, Missouri, Wisconsin, and Wyoming. In May 2012, a complainant contacted the VA Office of Inspector General (OIG) Hotline, alleging that certain VA medical centers (VAMCs) were transmitting sensitive information, including PII and internal network routing information, over unencrypted telecommunications carrier networks. More specifically, the complainant indicated that unencrypted data were transmitted among various VAMC networks using the South Dakota Network, which functions as the local telecommunications carrier network.The complainant alleged that these security violations occurred at VAMCs located in Fort Meade, SD; Omaha, NE; and Sioux Falls, SD, which are in VISN 23. To determine the merits of this Hotline allegation, we visited the three VAMCs identified in the complaint letter. We interviewed VA's Office of Information and Technology (OIT) personnel to gain an understanding of existing data transmission practices and associated controls.