VA systems called 'open door'
By Judi Hasson
Published on September 25, 2000
A private auditing firm hired by the Department of Veterans Affairs' inspector
general easily broke into computers at the agency "dozens of times" this
year, gaining total control of data and creating a phantom veteran to fraudulently
collect benefits.
Testifying before the House Veterans Affairs Committee's Oversight and
Investigations Subcommittee last week, lawmakers and VA officials expressed
frustration regarding the failure to protect the records of 7 million veterans
who count on the system for health and other benefits.
The security problems plaguing the system have been known for at least
five years, a period during which the VA has spent more than $5 billion
on information technology.
"We need a system that's more like a rock than a mushroom," said Rep.
Terry Everett (R-Ala.), subcommittee chairman.
Rep. Corrine Brown (D-Fla.), the ranking Democrat on the panel, said
the security problems at VA represent "an open door to the U.S. Treasury."
The security audit, performed by PricewaterhouseCoopers, found major
weaknesses in the firewalls at computers operated by the Veterans Benefits
Administration and the Veterans Health Administration.
Michael Slachta Jr., the VA's assistant inspector general for auditing,
said the agency's programs and financial data are "vulnerable to destruction,
manipulation and fraud."
Slachta said virtually any VA information is available for the picking,
and hackers could enter the system through a back door to access VA computer
systems.
"We were able to get to the individual veteran's record," Slachta said.
Hackers could obtain a veteran's Social Security number, which could be
used to open checking accounts and verify identity, and could access a veteran's
master identification record and cull information about a veteran's family.
Slachta said the VA did not even detect that its systems had been hacked.
PricewaterhouseCoopers did not try to break into VHA systems, but Slachta
said VHA records are no more secure than those at the VBA.
"VHA's program and financial data continue to be vulnerable to error
or fraud because of serious weaknesses in automated data processing general
controls throughout VHA," Slachta said.
K. Adair Martinez, the VBA's chief information officer, said the VA
has been able to detect and thwart some attacks. The VBA detected and blocked
two attacks on the system the week of Sept. 10.
In the past six months, she said, the VA has installed software to detect
hackers and fortify its firewalls. Whenever there is a problem, she said,
IT staffers are notified by beeper at home.
"No system is totally bulletproof," she said, "but we're putting patches
on all the time."
Veterans groups expressed indignation at the security breaches at the
VA.
"We're appalled that the medical records of veterans were subject to
being compromised," said Dick Mannemacher, spokesman for Disabled American
Veterans. "We feel medical records and information systems have to be tightened
to protect those persons who became sick and disabled in the nation's defense."
In its latest report on VA computer problems, the General Accounting
Office said the VA has failed to provide leadership to develop a seamless
computer system.
"Until the department develops and implements a coordinated system,
there is little assurance that the records are protected," said Joel Willemssen,
GAO's director of Civil Agencies Information Systems, who also testified
at the hearing.
Everett said VA's decentral——ized environment with a classic stove-pipe
architecture is partly to blame for the lax security. VA CIOs responsible
for benefits, health and national veteran cemeteries operate independently.
"It is a prime example of people protecting their turf," Everett said.
Nevertheless, the White House last month named Edward Meagher, an industry
IT expert, as the first assistant secretary for information and technology
to serve as the VA's CIO. Meagher awaits confirmation by Congress and is
working as a special assistant to the VA secretary.
|
