INFORMATION SECURITY MANAGEMENT AT THE U.S. DEPARTMENT OF VETERANS AFFAIRS— CURRENT EFFECTIVENESS AND THE NEED FOR CULTURAL CHANGE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
COMMITTEE ON VETERANS' AFFAIRS
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
FEBRUARY 28, 2007
Printed for the use of the Committee on Veterans' Affairs
SERIAL No. 110-5
U.S. GOVERNMENT PRINTING OFFICE
For sale by the Superintendent of Documents, U.S. Government Printing Office
COMMITTEE ON VETERANS' AFFAIRS
CORRINE BROWN, Florida
STEVE BUYER, Indiana, Ranking
Malcom A. Shorter, Staff Director
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public hearing records of the Committee on Veterans' Affairs are also published in electronic form. The printed hearing record remains the official version. Because electronic submissions are used to prepare both printed and electronic versions of the hearing record, the process of converting between various electronic formats may introduce unintentional errors or omissions. Such occurrences are inherent in the current publication process and should diminish as the process is further refined.
CONTENTS
February 28, 2007
Information Security Management at the U.S. Department of Veterans Affairs—Current Effectiveness and the Need for Cultural Change
Chairman Harry E. Mitchell
Prepared Statement of Chairman Mitchell
Hon. Ginny Brown-Waite, Ranking Republican Member
Prepared Statement of Congresswoman Brown-Waite
Hon. Timothy J. Walz, a Representative in Congress from the State of Minnesota
Hon. Ciro D. Rodriguez, a Representative in Congress from the State of Texas
Hon. Cliff Stearns, a Representative in Congress from the State of Florida
Hon. Spencer Bachus, a Representative in Congress from the State of Alabama
Hon. Artur Davis, a Representative in Congress from the State of Alabama
SUBMISSION FOR THE RECORD
Hon. Zackary T. Space, a Representative in Congress from the State of Ohio
U.S. Department of Veterans Affairs:
Hon. Gordon H. Mansfield, Deputy Secretary
Prepared statement of Secretary Mansfield
Hon. Robert T. Howard, Assistant Secretary for Information Technology and Chief Information Officer
Prepared statement of Mr. Howard
James P. Bagian, M.D., P.E., Chief Patient Safety Officer and Director, National Center for Patient Safety, Veterans Health Administration
Prepared statement of Dr. Bagian
Maureen Regan, Counselor to the Inspector General, Office of the Inspector General
Prepared statement of Ms. Regan
Arnaldo Claudio, Director of Oversight and Compliance, Office of Information Technology
Leonard M. Pogach, M.D., Director, Research and Enhancement Award Program, VA New Jersey Health Care System, East Orange, NJ
Warren Blackburn, M.D., ACOS/R&D Coordinator, VA Medical Center, Birmingham, Alabama
Y.C. Parris, Facility Director, VA Medical Center, Birmingham, Alabama
INFORMATION SECURITY MANAGEMENT AT THE U.S. DEPARTMENT OF VETERANS AFFAIRS— CURRENT EFFECTIVENESS AND THE NEED FOR CULTURAL CHANGE
Wednesday, February 28, 2007
U. S. House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Veterans' Affairs,
The Subcommittee met, pursuant to notice, at 2:36 p.m., in Room 334, Cannon House Office Building, Hon. Harry E. Mitchell [Chairman of the Subcommittee] presiding.
Present: Representatives Mitchell, Walz, Rodriguez, Davis, Brown-Waite, Stearns.
Mr. MITCHELL. The Subcommittee on Oversight and Investigations hearing of February 28th, 2007, will begin.
Let me just say right off that Congressman Zach Space is absent because of a family emergency. Otherwise, he would be here.
I have accelerated our Subcommittee's review of the VA information security management for several reasons.
I thank all three panels of witnesses and our Subcommittee members for their cooperation despite the somewhat short notice we were able to provide. It is my belief that when the subject matter justifies some sort of review, such a review should be thorough, balanced, and timely.
This topic was on the Subcommittee agenda for later this year, but it is a recurring and nonpartisan topic for the Veterans' Affairs Committee. The events regarding a data loss at Birmingham and other circumstances have led me to advance this hearing on our Subcommittee docket.
In this hearing, I wish to determine the current status of information security management at the VA. Admittedly the Birmingham incident holds powerful sway over the landscape. If the Birmingham incident stood alone against the backdrop of a sound information security management program, perhaps we could address a one-time-only incident with more patience.
However, the record reflects a host of material weaknesses identified in consolidated financial statement audits and in the “Federal Information Security Management Act” (FISMA) audits over recent years.
The Inspector General's Office and the Government Accountability Office have both reviewed VA and found deficiencies in the information security management program over the last eight years. VA has been slow to correct these deficiencies.
For example, the VA IG made 16 recommendations with regard to information security management in 2004. All 16 remained open in 2006.
During our full Committee review of the May 3rd, 2006, data loss, we discovered a general attitude regarding information security at VA that our current Committee Chairman Bob Filner once referred to as a culture of indifference.
Today I wish to address this issue of culture and the need for cultural change with regard to information security at the VA.
Last year, the Committee reviewed cultural problems at several levels at VA. We looked at the very top levels of the VA leadership and were critical. We looked at the program leadership levels and were critical. We looked at the promulgation of information security policy in VA and were critical of the various methods employed by some program leaders and advisors to gut those policies to avoid accountability of the weakened information security practices. We were critical of the lack of checks and balances in the information security management system at VA.
Guidance was being followed, but did oversight occur? We were critical of delay by VA in providing congressional notice of the May 2006 incidents. We were critical of the slow escalation and notice of the magnitude of that problem.
VA mailed notices to millions of veterans addressing the data compromise and made a public commitment to become the "gold standard" in information protection within the Federal Government. Eight months after the initial data loss, VA reports another loss of significant magnitude associated with Birmingham VA Research Program.
That a weakness existed in this area surprised no one. That it happened at all serves to precipitate this type of congressional oversight hearing. While the actual loss of the external hard drive and the limited electronic protections on that missing equipment should be considered the 800 pound gorilla in this room, there were some silver linings with the Birmingham story as we now know.
For example, the loss was reported in VA and quickly relayed to the appropriate people. Mr. Howard notified congressional oversight staff and Secretary Nicholson called the Chairmen and Ranking Members of the VA Committees. The Office of Inspector General was quickly involved and opened an investigation.
In similar examples from May 2006, VA took days or weeks to accomplish those tasks. In the Birmingham incident of January 9th, 2007, VA took hours or days to accomplish the same tasks.
Staff was notified within one day and calls from the Secretary followed a few days afterward. The investigative trail was reasonably fresh for the IG to follow.
What of VA culture with regard to this issue? The IG made five recommendations to the Secretary in the review of issues related to the loss of VA information involving the identity of millions of veterans on July 11th, 2006. As of today, all five of those recommendations remain open. Why?
After the 2006 series of hearings, VA issued a series of tough-sounding declarations, but problems still remain and another major incident has happened.
After the Birmingham incident, the Secretary issued some tough guidance, but what impact will it have? Will history repeat itself? How deep are the cultural barriers?
I believe that it is important to review all aspects of this issue. We need to hear from VA leadership and in that regard, we are pleased that Deputy Secretary Mansfield has agreed to testify. He, Secretary Nicholson, and the Under Secretaries are key to setting policy. They represent the Department in this matter.
But we also need to look at the problem through the eyes of the remaining 200,000 plus people in the VA. Do leadership actions throughout the management hierarchy match policy guidelines everywhere in the VA? Do the rules say no, but the culture beckons, ah, go ahead, make an extra copy of that data and your own life will be easier? Take a shortcut. No one will follow-up.
If we change the culture of VA, we can begin to fix the problem. But people have different cultural perspectives. Those of the VA leaders on panel one may differ from those of the researchers in the field. Leadership's policy guidance may now be spot on, but the question is how the policy is received at the user end.
For that reason, this Subcommittee requires testimony across the spectrum of people who in any way handle sensitive information about our veterans. Let us approach this with open minds, consider other perspectives, and be able to put this problem to rest for a long time.
Before I recognize the Ranking Republican Member for her remarks, I ask unanimous consent that Congressman Artur Davis from Alabama and Congressman Spencer Bachus be invited to sit at the dais for the Subcommittee hearing today. Without objection. Thank you.
I now recognize Ms. Brown-Waite for her opening remarks.
[The statement of Harry E. Mitchell appears in the Appendix.]
Ms. BROWN-WAITE. I thank the Chairman very much for giving me this opportunity and also for the expedited manner in which this hearing was held.
As the Chairman has indicated, it is more about information security management at the Department of Veterans Affairs and in particular the current effectiveness of information security at the Department and the need for cultural change.
Since the data breach in May 2006, which was the second largest in the nation and actually the largest in the Federal Government, we have seen VA's centralization of its information management, including information security.
I appreciate the Secretary's desire to make the VA the “gold standard” for information technology and information security management in the Federal Government. From what we have seen, however, adherence to the “Federal Information Security Management Act” or FISMA has not been adequately addressed government-wide as Congress intended when writing the law.
This is why our Committee worked so hard last Congress to pass measures such as H.R. 5835 and the final version which was S. 3421 which eventually became Public Law 109-461.
We have tried to give the Department, and in particular the Secretary, all the tools that he needs to mandate change within the entire Department to make certain that such security breaches are few, if any.
I served on this Committee now, this is my fifth year, and recently have been selected as the Ranking Member of this Subcommittee. Over the years, however, I have seen a blatant lack of resolve within the underlying culture at the Department and particularly at the facility level to change the way senior management view IT security.
We know it is very difficult to embrace change, but this is what we need to address in this hearing. I was involved at one point in my life in installing a new financial management system for my employer, and I can just tell you that the employees were kicking and screaming because change does not come easily. They were used to their little silos and they really did not adapt very well to any kind of IT change.
I realize that this is a problem that is out there in the VA, but it is not one that, with very strong leadership, we cannot overcome. We have got to protect our veterans and provide them with the services that we need. We need to remove that cultural bias against change.
I appreciate the witnesses who have come to this hearing, particularly those who have traveled great distances to be here. And I look forward to hearing your testimony.
I thank the Chairman, and I yield back the balance of my time.
[The statement of Ginny Brown-Waite appears in the Appendix.]
Mr. MITCHELL. Thank you.
Mr. WALZ. Thank you, Mr. Chairman. Just briefly, thank you for holding this important hearing.
As a veteran who has received the letter earlier on lost data, this is obviously one that is personal to me and it is also one that everybody in this room cares deeply about.
Mr. Mansfield, thanks so much for coming here. And I know that everyone in this room and at the table care as deeply as anybody about our veterans and making sure everything is done right.
So I hope that in this hearing, and in the spirit of the Chairman's words, that we are here to find solutions, that we know that the intent of every member of the VA is always to provide the best quality care, the best quality protection to our veterans. So I thank you for being here.
The one thing I would say, I guess for me, I am a cultural studies teacher, so this idea of culture and the things that we talk about, all those learned and shared values, beliefs, and ideas, I think is critical. Whether it is a safety issue or whether in this case it is data security, I do believe culture plays a role in it.
And we are here today to figure out what we can do if it is a resource issue or what we can do. And I truly appreciate your willingness to come and all you do for veterans. And together we can get this thing worked out and get it going in the right direction. So thank you.
And I yield back my time, Mr. Chairman.
Mr. MITCHELL. Thank you.
Mr. RODRIGUEZ. Thank you very much.
And I was just going over the report from the Inspector General and it is pretty startling information there in terms of the fact that there is still a great deal at risk.
I know the Attorney General in Texas just ruled that all county clerks that release Social Security numbers would be committing a felony. And so somehow we need to come to grips with that. And if I have to, I will make some of those comments at that time, but I am hoping that we can direct it in the right direction.
And I hope that the approach that is taken is that if you need some help, if you need some assistance, to come forward in order for us to correct this as quickly as possible.
Mr. MITCHELL. Thank you.
Mr. BACHUS. Thank you, Mr. Chairman.
I would say this to the panel. Since at least 1997, there have been reports about inadequacies at the VA, about the protection of information, veterans' information.
And in 2001, there were multiple recommendations made, 17 security recommendations made in the "Federal Information Security Management Act" for veterans to do. Yet, in May of 2006, when you had the security loss, Ms. Brown-Waite mentioned that none of those had been implemented at that time.
Now, since that time, you have given testimony to Congress that you fixed most of those problems. But what we had in Birmingham, it is my understanding, was just a laptop computer with information on it that was carried off-site. And to me, that is one of the most elementary types of things to prevent, simply by having a rule that they do not do that.
Now, you have also since last May, you required all veterans' employees to go to security seminars, as I understand it. So I would just be curious in my questions following up on whether that was done or not and whether this employee was prohibited from taking it off-site.
I know the IG's report says that the information that is available to all the employees is hard to understand and uses words like appropriate and other words which really will not limit them, you know, do not use the information inappropriately without clearly defining what may be appropriate and inappropriate.
But there are other issues. I know it was 21 days before it was announced that this breach had occurred. Another problem that I had with this as a member of Congress, Congressman Davis and I represent the Birmingham area and a lot of this information was shared with us, but we were told we could not share any of the information with anyone else, that it was critical to the investigation. And on one occasion, after we were specifically told we could not share any of the information, that it was critical to the investigation, within an hour, the Veterans Administration issued a press release with a lot of that information on it. So we wonder about that.
But I came here to listen, but I did come, and I have made this point to you gentlemen since this breach, that encrypting of information is a pretty elementary step. And I wonder why, you know, is there a rule that this information should be encrypted. I mean, a lot of this information was not encrypted, which, by 2007, ought to be standard operating procedure on any sensitive information.
And so I look forward to hearing from you. But it does appear that since 1997, at least 2001, everybody has known what the problems were, that these were accidents waiting to happen, yet nothing. You know, if you did something as a practical matter, it did not work. So I would just be interested to know what you did.
Mr. MITCHELL. Thank you.
Mr. DAVIS. Thank you, Mr. Chairman. I am glad to see that freshmen can become Subcommittee Chairs so quickly and I congratulate you on that. I must be on the wrong Committee.
Thank you for giving leave to my friend from Alabama and myself to come here. We are not regular members of the Veterans' Affairs Committee, and I thank you for letting us participate because our City of Birmingham is affected.
I want us to get to the question section as soon as we can so I will be very limited in my comments. But I begin by saying this, Mr. Mansfield. I think all of us take it for granted that the leadership at the VA has good intentions, but good intentions are usually not enough to change a culture. Better laws help. Better regulations help.
And I received the correspondence that you sent to me in which I asked a number of questions about what the procedures are at the VA regarding encryption, what the procedures are at the VA regarding notification, and it is clear to me from looking at your answers that there are gaps there. And, frankly, that is where this institution comes into play.
Some of us have been advocates on this Committee for having stronger protections for civilians regarding potential losses of data, regarding data security issues in the private sector.
It seems self-evident to me that whatever the standard ought to be for individuals in the private sector, if anything, it ought to be stronger for our veterans. And I am disappointed. But if I understand the law and the regulations today, it is weaker. And understand some of us believe the consumer protections are not strong enough for civilians either.
Second point that I want to make, I have a very strong hunch, Mr. Mansfield, that the only reason we are in this room having this hearing, the only reason that the public knows about any of this is simply by pure luck. And I do not mean to second guess, but I will make this point to you.
Your office called my office on the late afternoon of February 2nd, 2007, and you told us that you wanted us to have information about a data breach in Birmingham and you told us that a news organization was about to run with the story, so you wanted to give us a heads up.
I have a strong hunch, Mr. Mansfield, that but for you all believing this information was about to come in the public domain that you never would have released it.
Second of all, after the Office of Inspector General met with me at my request, we lodged a very strong demand of the VA that the VA go forward and release the additional information about the amount of names that had been compromised, about the fact that physician information had been compromised.
Frankly, I have a hunch that but for that demand, the additional information would not have been released.
So I will end with this point. Changes need to be made, in my opinion, in the way that your organization reacts to this kind of a problem.
I am going to ask you during my question time during the hearing how many data breaches are suspected by the VA since the incident of May 2006. We know about that incident. I am going to ask you during my Q and A session how much has been suspected in the year since. Are there other instances where there has been a loss of data? Are there other instances where there is a suspected loss of data?
So I thank you for being here, and I look forward to answers to your questions.
Mr. Chairman, thank you again.
Mr. MITCHELL. Thank you.
Mr. STEARNS. Thank you, Mr. Chairman, and thank you for holding this critical and timely hearing.
When you look at the GAO report, it says from 1998 to 2005, there were over 150 recommendations to the VA on implementing effective controls and developing a robust information security program.
And then if you just look at the VA's own Office of the Inspector General, they publish reports. They made 16 recommendations from the fiscal year 2004 and they remained unaddressed.
So we have here critical areas that are being highlighted by the GAO as well as the Office of Inspector General clearly saying the VA is vulnerable to denial of service attacks, disruption of mission-critical systems, and unauthorized access to sensitive data.
So all this has been documented. The member before me talked about it is just by luck we have information about this. But I think we have known about this for some time, at least since January.
And so the question is with the GAO and the Office of Inspector General, why in the world are all these recommendations and all these suggestions not being implemented?
There has been a lot in the news recently regarding unauthorized access violations at the VA. Last March, there was an incident we had where 26 million veterans' information, personal information, personal, identifiable information was lost.
I congratulate the VA for finally getting the computer and getting the protection it needed, but, you know, it took a while to find it. And as I understand it, a lot of this information was not even encrypted.
And, however, now, in the recent breach that my colleagues have mentioned in Birmingham this January, the proper agencies were informed the very next day, an improvement that I would like to highlight, yet it is a mixed bag of praise and condemnation for we have yet another breach of information security.
This Birmingham hardware involved the personal medical records, Social Security numbers, personal information of veterans and many medical personnel in the VA system itself. And this information again was not even encrypted.
So it seems to me at this point, this information should be encrypted at the very least. There are clearly areas that the VA needs to improve. And I guess for the life of me, I do not understand. If you go back to 1998 and you have got 150 recommendations from the GAO, why are you folks not implementing them?
In Congress, we responded to the data breach of last March. We enacted the new law, the "Veterans Benefits, Health Care, and Information Technology Act of 2006." The primary purpose of this legislation was to strengthen IT practices at the VA. It also contained internal processing requirements regarding security management with a mandate, with a mandate for the VA to develop interim regulations for improving security within 180 days of the law's enactment.
So, Mr. Chairman, I think that the hearing is timely. I look forward to the witnesses, and I hope the strategy will be for improving security for our veterans in the very near future.
Mr. MITCHELL. Thank you.
We will now proceed to panel one. We are pleased to have Deputy Secretary Gordon Mansfield as the principal presenter for the panel.
This Committee has a long and professional working relationship with Mr. Mansfield in all his roles at VA, from his time serving as the Assistant Secretary for Congressional and Legislative Affairs to his present position as Deputy Secretary.
Mr. Mansfield is a highly decorated military combat veteran, having served two tours of duty in Vietnam. His military awards include the Distinguished Service Cross, the Bronze Star, two Purple Hearts, and the Combat Infantryman Badge.
Mr. Secretary, would you please introduce your team.
Mr. MANSFIELD. Thank you, Mr. Chairman. If I may, before I start, a point of personal privilege with your permission, I wanted to take a brief moment to comment on Len Sisteck's departure from the Committee.
May I have your permission, sir?
Mr. MITCHELL. Yes.
Mr. MANSFIELD. Len and I had a chance to talk the other day in my office, and he told me that he still had "the sense of service to one's country" that we have seen up to this date. And I am pleased that he will continue as a public servant.
Many may say it, but Len has lived the concept of leaving political and ideological differences aside in order to serve veterans. He also got out and saw the VA operations in the field in a real hands-on way.
I mentioned he was in my office, on the tenth floor. I also want to make the point that Len has also been with us in our operations center down in lower basements, the bowels of the VA, so he has been with us from top to bottom.
I for one am glad that he will still be here on the Hill watching out for the interests of the Department and for veterans, just in a different capacity. Fairness and loyalty to the constituency are his, and I appreciated his service on this Committee. And I want to extend to him the congratulations and best wishes of the entire Department.
Len, thank you very much.
Mr. MITCHELL. Thank you, Len, very much.
STATEMENTS OF HON. GORDON H. MANSFIELD, DEPUTY SECRETARY, U.S. DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY MICHAEL J. KUSSMAN, M.D., ACTING UNDER SECRETARY FOR HEALTH, VETERANS HEALTH ADMINISTRATION, U.S. DEPARTMENT OF VETERANS AFFAIRS; HON. ROBERT HOWARD, ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY AND CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF VETERANS AFFAIRS; AND JAMES BAGIAN, M.D., CHIEF PATIENT SAFETY OFFICER, DIRECTOR, NATIONAL CENTER FOR PATIENT SAFETY, VETERANS HEALTH ADMINISTRATION, U.S. DEPARTMENT OF VETERANS AFFAIRS
Mr. MANSFIELD. Mr. Chairman, if I may, I have a statement to submit for the record.
Mr. Chairman, I am here today with Mr. Howard, our Assistant Secretary for IT; the acting Under Secretary, Dr. Kussman; and Dr. Bagian.
I am here today to talk about the status of our IT security program and the reorganization of our Office of Information Technology.
We have done a lot of work and we have come a long way since last May's major incident occurred. And I have to admit that that was probably the wake-up call for the Department. But we still have an awfully long way to go.
We are well into the reorganization of the Office of Information and Technology to include an initial transfer of some 4,600 individual employees now under the control and direction of the CIO, Assistant Secretary Bob Howard.
That reorganization also includes ensuring that Mr. Howard has the full authority as delegated by the Secretary to deal with security issues throughout the Department. Mr. Howard also has the authority to oversee the total IT budget for the Department.
In the information security area, we have gone forward with preliminary revisions that have led us to issue a number of new directives to ensure that the workforce understands what their specific responsibilities are.
We have brought management pressure from the top to ensure that the required change in culture is instituted and that we are moving forward to achieve the goals set by the Secretary for the VA to be a gold standard for the Federal Government.
As I have stated, I think we have come a long way in both the reorganization and changes demanded by information security requirements to protect our veterans. I will be the first to acknowledge that we have not finished with either of these chores.
We are continuing the reorganization with more transfers of people taking place next month, with more budget, more program, and more people responsibilities under the control of the CIO.
The Security Operations Center or the SOC is now receiving daily reports of incidents, large and small, from across the Department which allow us to understand and educate the people that we are responsible for when they do the job wrong, and also it will allow management to get a better picture of the problem areas across the Department.
The Birmingham incident, while evidence of major lapses in judgment in operations, was handled in such a way that VA management was informed in a timely manner and the report moved quickly up the chain of command to the top.
We also started an investigation as did the Inspector General's Office in conjunction with the FBI. Notifications of the incident were made to the Hill in a timely manner. As well, updates on the information were provided as received.
I want to make a point here that as we get into these investigations and as the IG and the FBI move into it, we are requested to keep this information on hold as they start into their investigation and start looking for areas of approach, and we try to follow the FBI's request and the IG's request in that area.
We have been notifying this Committee and other Committees of jurisdiction on the Hill on a weekly basis of the reports that do come in to us that are reported up the chain of command.
Another area of concern is sanctions applied to those who fail to conform to the requirements. The Secretary has said there are still too many VA employees at every level to include senior positions who either still do not comprehend the seriousness of this issue or who consciously disregard it.
This laxity is unacceptable and no longer will be tolerated. In appropriate cases and where justified, there must be serious consequences for failure to properly secure veterans' data. We owe our veterans no less. And that is a quote from the Secretary in a meeting of senior executives held here in Washington, D.C., on February 21st, 2007.
We are involved in cultural change in a serious way. From the highest leadership on down, in meetings and communications and site visits, the Secretary and I have endeavored to communicate the need to protect data and how we can make that happen.
As the Secretary indicated, given the circumstances of each case, we need to go forward with further education and assistance with our employees to understand what the need is and what they have to do or get involved in considering whether sanctions should be considered and applied as required.
In closing, let me say that I sincerely wish that I could promise you that no other incident will occur. I cannot do that now, but I can promise you that we are working hard throughout the Department to get the message to our 235,000 plus employees to do everything we can to get this problem under control.
We have succeeded in many areas. We still have a large job to finish the effort. We are committed to doing that.
Mr. Chairman, I am prepared to answer questions, and I would ask Mr. Howard, as I understand the sequence, to go forward with his comments.
Mr. MITCHELL. Correct.
[The statement of Gordon Mansfield appears in the Appendix.]
Mr. HOWARD. Thank you, sir.
And thank you, Mr. Chairman and members of the Committee.
I would like to expand on Deputy Secretary Mansfield's comments regarding the changes underway in the area of information and technology.
There are two specific areas I would like to focus on. First is the extensive reorganization taking place and second is the over-arching program we have established to provide focus to all of our remediation efforts.
The IT realignment program to transition the VA's IT management system remains on track and is scheduled to be fully implemented by July 2008.
By April 1st, 2007, software development employees and programs will be permanently reassigned to the CIO. This action follows the consolidation of operations and maintenance under the CIO which was finalized beginning this fiscal year.
We are implementing a process-based organizational structure rooted in best practice processes that are aimed at correcting IT deficiencies that resulted in a loss of standardization, compatibility, interoperability, and fiscal discipline.
There are 38 such processes that are being introduced with the assistance of IBM from a best practices standpoint. We have also developed a different organizational framework to provide focus in key areas.
The Office of Information and Technology is now comprised of five major organizational elements. These will all report to the CIO. We have a chart of this organization with us today in the event you would like to discuss this structure in more detail.
Each of the five major organizational elements is led by a Deputy Chief Information Officer. One Deputy Chief Information Officer, in fact, in the first column, is charged with directing the information protection and privacy programs in VA. This official is also responsible for risk assessment, risk mitigation, evaluation and assessment as it relates to information protection.
The DCIO for information protection and risk management has drafted the interim final regulation on credit monitoring and credit protection as required by the “Veterans Benefits Healthcare and Information Technology Act of 2006.”
This regulation, which is now being reviewed throughout the Department, will address notification, data mining, fraud alerts, data breach analysis, credit monitoring, identity theft insurance, and credit protection services.
To achieve the gold standard as directed by the Secretary, we have implemented an over-arching program to assess information protection controls, to develop plans to strengthen the controls where necessary, to enforce the controls, and continuously monitor the information protection program.
This action plan we have developed includes development and issuance of policies and procedures, training and education, securing of devices, encryption of data, enhanced data security for VA's sensitive information, enhanced protections for shared data in interconnected systems, and incident management and monitoring.
A number of the specific requirements of the new law have already been introduced into our comprehensive action plan. I personally review progress on these actions on a weekly basis.
In closing, I believe we have made progress in improving IT operations in VA and we are working hard in partnership with the administrations and staff offices to improve our business practices to ensure the protection of sensitive information throughout the Department.
Mr. Chairman, that concludes my testimony. I would be pleased to answer any questions the Committee may have.
Mr. MITCHELL. Thank you.
[The statement of Robert Howard appears in the Appendix.]
Dr. BAGIAN. Thank you, Mr. Chairman, members of the Committee, for inviting me here today.
My comments will be confined more to cultural aspects, especially with respect to some of the observations of what we've done in the patient safety area, as I've talked to some of you in the past.
Let me just say at the outset, there has been some indication by some of the previous comments that people are wondering if people take the issue of IT security seriously. I can tell you unequivocally, they take it very seriously. There's nobody I see—and I am out in the field quite a bit—that is not fully aware that this is an important issue. There's no question about that. I'll come back to that, but, let me just assure you that's a fact.
The big issue is about culture and how we look at this. And I would say one of the big issues—and I'll talk about it from the frame of patient safety—because while our goal in patient safety is to prevent harm to the patient, and generally we think about that with regard to the medical care that we deliver, the fact is that if people suffer, for instance, the outcome of identity theft, for example, that harms them as well—as it harms our ability to provide care for them because that consumes fiscal resources and attention that could otherwise be focused to our primary mission, which in the VHA is delivering medical care. So we understand that.
In the safety area, patient safety area, when we started to do this some eight, nine years ago, the culture certainly wasn't geared towards patient safety, and we were starting this before anybody did it anywhere in medicine, quite frankly.
And we found that it was very important to be able to establish for them what our real goal was in terms that were understandable by them and how it met what they thought they needed to do. To create an expectation that was relevant to them, that they thought was real.
And then we had to go through an understanding when things did happen, it wasn't enough strictly just to have—and as Mr. Howard talked about, policies and training is important, but he talked about other things like encryption and other modalities. It's a multiplicity of these things.
It's not just telling people, "follow the rules," because if that is all it took to do anything, we'd write rules and go home. And we know it takes more than that. So, when problems occurred or we had close calls—as we have had IT close calls as well—it was to look and say what happened here, why did it happen, and what do we do to prevent it in the future?
And without understanding those underlying causes, it's really impossible to come up with sustainable solutions. So we really dwelled on that quite a bit, and I think you see some of that same thing in what's going on with the IT organization today.
The other thing is you have to take out the fear. One of the things that goes on with any organization, as was mentioned by Ms. Brown-Waite during her comments, is that change is hard for all organizations. And people have to feel that the change is in their interest, too, whatever that change is, and communicate to them what they believe it is. And I think we can do that, and we're trying to do it. But it doesn't happen overnight.
We then need to supply tools, and that's being done. You've heard about encryption. You've heard about other things that go in those areas. And then we have to do it in a way that changes their behavior, and when that behavior works and is not at cross purposes with their goal—and in VHA, the goal is delivering clinical care; that's the main goal—information security is embedded in that, but that's not the reason they come to work. A physician doesn't come to work to achieve IT security. It's a component thing they need to worry about, but their main goal is that they want to take care of the patient.
We have to understand how we make that real to them, that they understand that that's important not just because we say it is, because they believe it is. And I think that's trying to be done. So when that attitude changes, then you begin to change culture.
Now, one of the things that we found that was extremely important when we began was we thought everybody got it about patient safety. We did a cultural survey—the first one ever done—on attitude toward patient safety, and we found some very remarkable results which changed the way we ran the entire program and in fact, I would say we are singularly responsible for it being successful versus failing miserably.
We found that when we asked people, "Do you think patient safety is important?" Twenty-seven percent of all our people at the VHA system said "five" on a one-to-five scale. Patient safety is super important, most important it could be. Twenty-four percent said "one"—absolutely irrelevant. We were shocked. How could that be?
But when we stopped and talked to them more—we've had focus groups come in to understand why that was—the reason they said "one"—that is, unimportant—was because they said, "Well, I thought you meant was it important for me? It is not important for me, because I know I am safe. It is all those other people that aren't."
And the same thing can happen here if you don't understand what motivates them. It's not they do not want to do it. They think somebody else is doing it.
Until you really answer those questions to enable you to understand people's underlying assumptions, it's impossible to correct it effectively. So I think we need to look at that and look at the culture where it is and not just talk about it, but actually measure some of it to understand where the leverage points are. And I'm not sure we know all those things yet. But we're moving in that direction.
One of the things we worked with the IT system back in 2003 when the Blaster Worm—some of you may recall the Blaster Worm, a big problem—we went and worked with IT at that time. In fact, one of Mr. Howard's deputies—we talked last on the 21st, just last week, about how we worked with them with root cause analysis where we looked at these, what happened, why did it happen, what do we do about it—and he remarked that since that time we've never had a major denial of service attack, since we looked at this with a very systems-based approach. And they want to work with us more doing that, and we look forward to those kinds of things.
And we think this mode of collaboration across not just the IT world, but across all VA—DVA, NCA, VHA—working together to look at this and look at the real causes will get us there, and I think that's where the real hope lies, and it is not just having a knee jerk response to the bad events, which none of us want, but really take the time to understand why it isn't where we want it to be and fix it and really nail it.
[The statement of James Bagian appears in the Appendix.]
Mr. MITCHELL. Thank you all for your statements.
Clearly the VA is attempting a number of different avenues to address the problems associated with information security management at VA. We are aware of the poor track record the VA has in this area and note that implementing a program does not guarantee a successful outcome by itself.
Mr. Mansfield, I have a question. In 2006 and in earlier years, we saw information security policy guidance languish in various VA offices. The IG advises us in testimony that the VA still lacks a clear, concise policy in several key areas of information security. It has been seven months since their report was issued.
Why do they say that and how do the views of the Department differ with the views of the IG?
Mr. MANSFIELD. Mr. Chairman, let me start by saying that we have proceeded and gone forward in a large number of areas and issued a large number of directives that deal with some of the issues that the IG is talking about.
The Secretary has issued directives and I have issued directives. I think what the IG is saying is that we have not been able to finalize this thing across the entire organization.
And I would make the point that in some of these areas, we are still learning about exactly what is happening out there, and we need to be able to find out what the issues are and, as Dr. Bagian said, what happened, why did it happen, and what are we going to do to fix it.
I would make another point which is that we still have out there a largely decentralized system. It is nonstandardized. There are not any simple fixes that we can plug in. Like with the Blaster worm, you were able to put one fix in and put it across the system if you have a standardized system. But we do not have that, so there are not any simple fixes.
The other issue we have here is that for the most part, 190 some thousand of those 235,000 employees are in the veterans health arena and that is where we have the responsibility to deliver healthcare. And as I have testified before this Committee in many previous hearings, we have approached this from the start with the principle, "do no harm." Do no harm is a part of the way you have to approach this. We cannot afford to shut down a hospital system where patients are being taken care of.
Plus, we are a government agency. We deal with civil service rules. We deal with contracting rules, and we go forward with all those issues. So that is part of the explanation, sir.
Let me make the point, too, that I understand exactly where you are coming from and where the Committee is coming from, and it has been a long time. There are a number of issues out there. But as I said, we are working, and I think the centralization and reorganization of this office which the Secretary has directed will allow us to provide, in addition to what we had before, for education and information to be provided, that we use our VA Learning University as an additional effort to bring information and education to bear.
And the other part of it is the inspection part goes forward where we have just started inspections, some announced, some unannounced, to be able to go out and find out what is going on out there so we are not surprised.
Mr. MITCHELL. Just a quick follow-up. You mentioned your study and you are looking at why people do the things they do. When do you expect this study to be over? When do you expect to finally implement all of these recommendations? How long is it going to take?
Mr. MANSFIELD. Sir, I cannot give you a final date right now. I am sorry. I wish I could. I wish I could tell you that we have got this problem solved. We cannot do it.
As I indicated and as Secretary Howard indicated and as I believe Dr. Bagian indicated, it is a continuous ongoing effort where we are going to have to continue to work on all the different issues until we know that we have got every single part of this understood and we have got a fix prepared for it. We put the fix in and we make it work.
The final word I would say here is again that it is not a question of technology or machines or software. It is a question of people. And we are going to be dealing with people across this system, the 235,000 employees, the tens of thousands of contractors, all the people in the 105 medical schools that we deal with where you have residents and interns in the thousands coming in and going out of our system every year. So we are going to have to work on this continuously, sir.
Mr. MITCHELL. Thank you.
One last question before I call on the Ranking Member. Mr. Howard, how long will the VA be without a cyber security chief?
Mr. HOWARD. Sir, we actually had selected one, a female, very well-qualified. We had selected her. Several days before she was to show up, she decided to take another job. So I have now had to go back through and announce that position over again. I assure you we will move as fast as we can. But the process has to be done correctly.
Mr. MITCHELL. Thank you.
Ms. BROWN-WAITE. Thank you, Mr. Chairman.
You know, maybe reducing this to parenthood might be relevant because I only have two children that I gave birth to. One you could talk to and reason with and you would get results. The other one, it was like sometimes you had to like look her eyeball to eyeball and threaten sincerely in order to get her attention.
So I want to know what you are doing to really get the attention in this culture of where we did it before, so we are going to continue to do it, and I want to know also what is the VA's policy on using personal computers, i.e., you know, maybe a thumb drive and taking it home and working at home? And what happens to the employee who you might have to like take drastic steps to get their attention, i.e., dismiss them? Tell me what is going on because it is very frustrating to see the lack of progress here.
Mr. MANSFIELD. Let me start with the last question, and that is the area of sanctions. And I think to approach that we have to understand that, as Dr. Bagian mentioned, that that is a part of a total spectrum of changing the culture.
When you are talking about sanctions, I think you have to start with what are our responsibilities before you can get there, and that is I believe that you need to let the people know what you expect of them, why you expect that, give them a chance to ask questions if they have questions about what is expected, and then go forward from there.
The second part of that is I think that you cannot have one single decision. You have to take each case, each individual and each situation in and of itself and you have to measure what happened in that case, why it happened, and perhaps what the results are.
Ms. BROWN-WAITE. Sir, with all due respect, we are talking about thousands, hundreds of thousands of veterans whose information is just out there.
Mr. MANSFIELD. Well, I understand that. I would tell you, Ms. Brown-Waite, that the last time I was admitted to a VA facility, which was not too long ago, one of the forms they gave me said you can check off up here, is this information available for VA research.
So I understand that every veteran in this system is at risk, and I hope the point is coming across that we are attempting to do everything we can to make sure that that risk is mitigated, if not eliminated.
Ms. BROWN-WAITE. Do you have written policies that say one time and one time only, if it happens again, you are out, or is it no strikes and you are out? What is VA's policy at this point on taking a risk with individuals' information that may put it at risk outside of the premises of the VA offices and hospitals?
Mr. MANSFIELD. Well, let me caution that, as I mentioned before, we live within the civil service rules and we have to recognize those and go forward and ensure that we carry out all the responsibilities we have there and ensure that each and every employee's personal rights are protected or else whatever we do is going to be overturned by an oversight body.
And the other point again is that I think we have to take each case in itself and look at what are the issues involved here, how much harm was involved, and exactly how egregious or, as you mentioned, repetitive was the issue, and go forward from there. And we cannot just put it down simply as these three issues or these rules apply to each and every situation. We have to look at what the individual situation is and go from there.
Ms. BROWN-WAITE. Sir, I have more concern for the employees and the veterans' information that is out there. That worries me. Put something in writing that is distributed to the employees that at least they will know exactly what the ground rules are. You take the stuff off campus and you have violated a rule. You are put on probation. It does not happen again. Put it in writing some place.
Let me get to the specific Birmingham issue. I have a large number of seniors and I have the highest number of people on Social Security and Medicare. Should I be alerting citizens that their doctors' information on that patient may also have been compromised in the Birmingham breach or are you doing it? What are we doing to protect not just the veterans but people who are on Medicare and Medicaid?
Mr. MANSFIELD. We are following through with the requirements the previous legislation referred to. Part of what we have to do there is a risk analysis, and our initial attempt was to have the IG do it. The IG just last week informed me that they do not believe they have the capabilities to do it. They also have raised some legal issues.
I brought that issue of risk analysis to the President's Identity Task Force at their last meeting, and we are moving forward in an attempt to find some, as required by the law, independent body to do the analysis in order to make a determination of who to notify in that case.
I would make the point, too, that I have seen some reports that talk about 1.3 million physicians. That is not the correct number. What was it, 196, I think we are down to?
Mr. HOWARD. Sir, 565 that we think are—
Mr. MANSFIELD. Why don't you—
Mr. HOWARD. To just comment a bit more on the list of providers, in the case of Birmingham, there were 1.3 million on the list. A large number were deceased. I believe several hundred thousand. But in every case, we believe two elements of information were on the particular piece of data, name and date of birth. That concerns us obviously.
But the most critical was a population of about 565,000 where there also appeared a number not identified as such, but it happened to be Social Security number. And so in the case of the 1.3 million providers, that is where we have pursued an official risk analysis on that to get specific guidance on how to approach it