Pop chanteuse Joni Mitchell famously sang, "You don't know what you've got 'til it's gone," but at the Veterans Affairs Department (according to the Government Accountability Office and at least one hospital security expert), even after it's gone, many healthcare organizations still don't know what they've lost.
Late last month, the GAO released a report saying the VA has made "significant progress" toward tightening up controls over its inventory of information technology equipment.
It was the second report on IT inventory security at the VA by the congressional watchdog agency since a laptop computer with 26 million patient records on its hard drive was stolen two years ago from a VA employee, making the VA the poster child for data security breaches in the healthcare industry.
Of 12 security recommendations contained in a 2007 GAO report, released in the wake of that laptop theft, the VA has completed 10 and partially completed one other, according to the GAO. Additionally, the GAO said the VA has completed four of six so-called "property-related" recommendations from a 2004 report issued before the incident, and has partially completed a fifth.
On July 3, the VA assistant secretary for management ordered the early implementation of a handbook on logistics management procedures that, "if effectively implemented ... would address many of the control weaknesses we identified," the GAO said.
Still, even such progress did not deter GAO criticism of other security problems, reflected in the title of the 52-page document, "Continued Action Needed to Reduce IT Equipment Losses and Correct Control Weaknesses."
By its own admission, the VA's Information & Technology office found that following a 2007 IT equipment inventory and, subsequently, after "several months of searching and research of property records," as of May 15 this year "approximately 62,800 recorded IT equipment items could not be located, of which over 9,800 could have stored sensitive information," the GAO noted. Further, the GAO reported, "Because the VA does not know what, if any, sensitive information resided on the equipment, notifications to potentially affected individuals could not be made."
The latest GAO report was based on a sampling of IT equipment inventories at VA medical centers in Indianapolis, San Diego and Washington as well as the VA's headquarters, also in Washington. It found 123 missing pieces of IT equipment, including 53 computers that could have stored sensitive information.
Putting the VA's woes in perspective is Michael McMillan, a former Marine Corps intelligence officer who is now president and chief executive officer of Cynergistek, Austin, Texas, a security consulting firm that specializes in hospital IT. McMillan said that the VA has a lot of company when it comes to data security risks linked to poor IT asset security.
"In my mind it ranks way up there at the top," McMillan said. "For me to hack you, it takes a good deal of expertise. I run a high risk of getting caught, and then I have to know what to do with the system to exploit it. Hacking is not for the faint of heart. Hacking is really a big deal if you have the right person coming at you with the right resources, but those are few and far between.
"But the two ways people get hit are a disgruntled employee or someone who does something stupid. If you look at the number of breaches that are reported, I think what you'll find is it's extremely high that it is somebody that's lost an asset. I think the No. 1 and No. 2 contributors to data breaches are insider threats and loss of equipment."
McMillan said that the problem of asset loss gets compounded by a lack of other controls.
"Organizations are their own worst enemy in some ways when it comes to asset accountability," McMillan said. "In most organizations, there are several factors that contribute to the loss of equipment."
One of them is a misalignment of financial incentives. Most organizations, he said, have a percentage of lost assets that they write off every year, but most also have a write-off threshold, a dollar amount above which lost equipment is accounted for and below which it isn't.
"If that write-off threshold is items less than $1,000 or $2,000 (the value of a used laptop, for instance), it just isn't accountable," he said. "A lot of organizations have woken up to the fact that it's not the hardware that we care about, it's what's on the hardware that matters."
At the VA, the GAO reported in its 2004 and 2007 audits that during inventories some medical centers did not account for IT equipment valued under $5,000.
Also, employees often are not held financially responsible for lost equipment.
"One of the things I've always advocated, if they lose it, they dock their pay," McMillan said. "If more organizations did that, you'd have less people asking for devices because they wouldn't want to be responsible for it, but if they did get one, they'd be more responsible."
Even the best security efforts of an IT department can't protect equipment the department doesn't know exists, McMillan said, a problem that multiplies the bigger an organization gets.
"The larger the organization, the more decentralized the purchasing process becomes," McMillan said. "Sometimes a department will go out and buy a system and never tell IT about it, and the only time IT ever finds out about it is when they have a problem."
Other organizations choose to ignore the problem or refuse to allocate resources to security issues until there is a crisis.
"I got a call this week from a hospital asking me, and this is three years into HIPAA, 'Do I really need to do a risk assessment?' " McMillan said, referring to the compliance deadline for the security provision of the Health Insurance Portability and Accountability Act of 1996. "There are people still taking risks and betting on the chance that they won't get caught, they won't get an audit, that something bad won't happen to them in the event of a breach.
"They won't spend $89 to encrypt a laptop. Laptops and mobile devices can be encrypted, so there is no reason why they are not. With respect to mobile media, such as thumb drives, there are solutions that control the downloading of data," McMillan said.
"You can put rules around the data that doesn't allow the data to move over certain pathways. The technology is out there, but people take risks and have not universally accepted the fact that they need to take appropriate protection measures."
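Two threads of this story come together in how an asset register is reconciled: the write-off threshold that lets a sub-$1,000 laptop drop out of accountability, and the fact that the VA could not notify anyone because it did not know what was on the missing equipment or whether it was encrypted. The following is an added example, not code from the GAO report or from Cynergistek, showing a reconciliation that tracks unlocated devices by whether they carry storage rather than by book value, and then sorts each loss into "notify", "cannot determine" or "no notification needed". The register, the located-tag set, the device classes and the decision rules are all constructed assumptions for illustration.

```python
"""Asset-register reconciliation for data-bearing IT equipment.

Added example (not from the GAO report or Cynergistek). Reconciles a
property register against a physical inventory count, flags every
unlocated device that carries storage regardless of its book value,
and decides whether each loss can trigger breach notification.
All records below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class DataClass(Enum):
    NONE = "none"            # device has no storage (monitor, dock)
    UNKNOWN = "unknown"      # storage present, contents never classified
    SENSITIVE = "sensitive"  # known to hold patient or personal data


@dataclass(frozen=True)
class Asset:
    tag: str
    kind: str
    book_value: float
    data_class: DataClass
    encrypted: bool  # full-disk encryption verified at last check-in


# Device kinds that carry persistent storage (assumed classification).
DATA_BEARING = {"laptop", "desktop", "thumb_drive", "external_hdd", "server"}

# Constructed sample register and physical count.
REGISTER = [
    Asset("VA-0001", "laptop", 850.0, DataClass.SENSITIVE, True),
    Asset("VA-0002", "laptop", 900.0, DataClass.UNKNOWN, False),
    Asset("VA-0003", "monitor", 300.0, DataClass.NONE, False),
    Asset("VA-0004", "thumb_drive", 25.0, DataClass.SENSITIVE, False),
    Asset("VA-0005", "server", 12000.0, DataClass.SENSITIVE, True),
    Asset("VA-0006", "desktop", 1200.0, DataClass.UNKNOWN, True),
    Asset("VA-0007", "monitor", 250.0, DataClass.NONE, False),
]
LOCATED = {"VA-0001", "VA-0003", "VA-0005"}  # tags found during the count

WRITE_OFF_THRESHOLD = 1000.0  # dollar cut-off in a value-based policy


def missing_by_value(register, located, threshold=WRITE_OFF_THRESHOLD):
    """Value-based policy: only unlocated items at or above the threshold
    are chased. The $25 thumb drive holding sensitive data disappears."""
    return [a for a in register
            if a.tag not in located and a.book_value >= threshold]


def missing_data_bearing(register, located):
    """Data-based policy: any unlocated device with storage is chased,
    whatever it cost."""
    return [a for a in register
            if a.tag not in located and a.kind in DATA_BEARING]


def notification_decision(asset):
    """Classify one unlocated asset for breach-notification purposes.

    Verified full-disk encryption is treated as removing the need to
    notify (assumed policy; it only holds if the key was not lost with
    the device). An unencrypted device whose contents were never
    classified is the case the GAO describes: notification cannot be
    made because nobody knows what was on it.
    """
    if asset.kind not in DATA_BEARING:
        return "no_notification"
    if asset.encrypted:
        return "no_notification_encrypted"
    if asset.data_class is DataClass.SENSITIVE:
        return "notify"
    return "cannot_determine"


def reconcile(register, located):
    """Map every unlocated data-bearing asset to its decision."""
    return {a.tag: notification_decision(a)
            for a in missing_data_bearing(register, located)}


def summary(register, located):
    """Headline counts in the shape the GAO reported them: items missing,
    of which could have stored sensitive data, of which contents unknown."""
    missing = [a for a in register if a.tag not in located]
    bearing = [a for a in missing if a.kind in DATA_BEARING]
    unknown = [a for a in bearing
               if a.data_class is DataClass.UNKNOWN and not a.encrypted]
    return {"missing": len(missing),
            "could_have_stored_sensitive": len(bearing),
            "contents_unknown": len(unknown)}


if __name__ == "__main__":
    print("value-based policy chases:",
          [a.tag for a in missing_by_value(REGISTER, LOCATED)])
    print("data-based policy chases:",
          [a.tag for a in missing_data_bearing(REGISTER, LOCATED)])
    print(reconcile(REGISTER, LOCATED))
    print(summary(REGISTER, LOCATED))
```

On the sample data the value-based policy chases only the $1,200 desktop, which happens to be encrypted, while the data-based policy also surfaces the unencrypted laptop of unknown contents and the $25 thumb drive known to hold sensitive data. The encryption flag is what turns a "cannot determine" into a closed case, which is the practical argument behind the $89 McMillan mentions.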