b"<html>\n<title> - HEARING ON SAFEGUARDING VETERANS' MEDICAL INFORMATION WITH THE VETERANS HEALTH ADMINISTRATION</title>\n<body><pre>[House Hearing, 109 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n                   HEARING ON SAFEGUARDING VETERANS'\n                MEDICAL INFORMATION WITHIN THE VETERANS\n                         HEALTH ADMINISTRATION\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                         SUBCOMMITTEE ON HEALTH\n\n                                 of the\n\n                     COMMITTEE ON VETERANS' AFFAIRS\n\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED NINTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             JUNE 21, 2006\n\n                               __________\n\n                           Serial No. 109-55\n\n                               __________\n\n       Printed for the use of the Committee on Veterans' Affairs\n\n\n\n\n\n\n\n\n\n\n\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n\n28-451 PDF                  WASHINGTON : 2007\n------------------------------------------------------------------\nFor sale by Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800;\nDC area (202) 512-1800 Fax:  (202) 512-2250. Mail:  Stop SSOP, \nWashington, DC 20402-0001\n\n\n\n\n                     COMMITTEE ON VETERANS' AFFAIRS\n\n                    STEVE BUYER, Indiana, Chairman \nMICHAEL BILIRAKIS, Florida           LANE EVANS, Illinois,\nTERRY EVERETT, Alabama                 Ranking Member\nCLIFF STEARNS, Florida               BOB FILNER, California\nDAN BURTON, Indiana                  LUIS V. GUTIERREZ, Illinois\nJERRY MORAN, Kansas                  CORRINE BROWN, Florida\nRICHARD H. 
BAKER, Louisiana          VIC SNYDER, Arkansas\nHENRY E. BROWN, Jr., South Carolina  MICHAEL H. MICHAUD, Maine\nJEFF MILLER, Florida                 STEPHANIE HERSETH, South Dakota\nJOHN BOOZMAN, Arkansas               TED STRICKLAND, Ohio\nJEB BRADLEY, New Hampshire           DARLENE HOOLEY, Oregon\nGINNY BROWN-WAITE, Florida           SILVESTRE REYES, Texas\nMICHAEL R. TURNER, Ohio              SHELLEY BERKLEY, Nevada\nJOHN CAMPBELL, California            TOM UDALL, New Mexico\n                                     JOHN T. SALAZAR, Colorado\n                   James M. Lariviere, Staff Director\n\n                         SUBCOMMITTEE ON HEALTH\n\n             HENRY E. BROWN, Jr., South Carolina, Chairman\nCLIFF STEARNS, Florida               MICHAEL H. MICHAUD, Maine,\nRICHARD H. BAKER, Louisiana            Ranking Member\nJERRY MORAN, Kansas                  BOB FILNER, California\nJEFF MILLER, Florida                 LUIS V. GUTIERREZ, Illinois\nMICHAEL R. TURNER, Ohio              CORRINE BROWN, Florida\nJOHN CAMPBELL, California            VIC SNYDER, Arkansas\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n June 21, 2006--Hearing on Safeguarding Veterans' Medical Information \n                with the Veterans Health Administration\n\n                                                                   Page\n\n                           OPENING STATEMENTS\n\nChairman Henry E. Brown..........................................     1\nPrepared statement of Chairman Brown.............................    23\nHon. Michael H. Michaud, Ranking Democratic Member...............     2\nPrepared statement of Congressman Michaud........................    30\n\n                        STATEMENT FOR THE RECORD\n\nHon. Corrine Brown...............................................    19\nPrepared statement of Congresswoman Brown........................    
32\n\n                               WITNESSES\n\nKussman, Brig. Gen. Michael J., M.D., M.S., MACPP (US Army Ret), \n  Principal Deputy Under Secretary for Health, Veterans Health \n  Administration, Department of Veterans Affairs.................     4\nPrepared statement of Dr. Kussman................................    37\nSeliger, Robert, Chief Executive Officer and Co-Founder, \n  Sentillion, Inc., and Chair, Steering Committee for Integration \n  and Interoperability, Healthcare Information and Management \n  Systems Society (HIMSS)........................................     6\nPrepared statement of Mr. Seliger................................    46\n\n                 POST-HEARING QUESTIONS FOR THE RECORD\n\nHon. Michael H. Michaud..........................................    54\nHon. Corrine Brown...............................................    61\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n \nHEARING ON SAFEGUARDING VETERANS' MEDICAL INFORMATION WITH THE VETERANS \n                         HEALTH ADMINISTRATION\n\n                              ----------                              \n\n\n                        WEDNESDAY, JUNE 21, 2006\n\n                  House of Representatives,\n                            Subcommittee on Health,\n                            Committee on Veterans' Affairs,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 10 a.m., in room \n334, Cannon House Office Building, Hon. Henry Brown (chairman \nof the subcommittee) presiding.\n    Present: Representatives Brown of South Carolina, Michaud, \nTurner, Brown of Florida, and Snyder.\n    Mr. Brown of South Carolina. Good morning. The Subcommittee \nwill now come to order. 
We are holding this hearing today to \naddress the vulnerability of VA's electronic medical records \nsystem and examine the access and control policies VA employs \nand the compliance mechanism VA uses to safeguard sensitive, \npersonal veterans' health information from internal and \nexternal security threats.\n    The value of VA's electronic medical records system was \nevident in VA's response to Hurricane Katrina. During Hurricane \nKatrina, VA doctors and nurses were able to treat without \ninterruption patients transferred from VA facilities in New \nOrleans to VA hospitals in Houston. Because of the system's \nelectronic medical records, all patients' records were backed \nup, securely transported to Houston, and were back on line and \navailable almost immediately.\n    At the same time, however, there are risks with holding \nsuch sensitive and personal information electronically, and the \nlack of a solid VA information security program greatly \ntroubles me.\n    The personal and sensitive data of our nation's veterans \nmust be handled with the utmost care. The burglary of the home \nof a Department of Veterans Affairs employee that included a \ndata file with personal information on millions of veterans is \nsimply unacceptable.\n    The Department of Veterans Affairs is working with the FBI \nto thoroughly investigate this matter, and this Committee will \nbe closely monitoring this situation to help ensure that such \nan occurrence is not repeated.\n    We must make sure that there are explicit and clear \nsecurity and confidentiality policies to protect the health \ninformation of our nation's veterans. 
To that end, we are \ninterested today in hearing from those at the Department that \nthe most sensitive information, individually identifiable \nhealth information is currently being protected.\n    Additionally, in light of the recent theft, I am interested \nin knowing what the VA anticipates doing to better protect this \ninformation in the future and what steps, if any, have already \nbeen taken.\n    Through a series of hearings set up by the Chairman of our \nfull Committee, Chairman Buyer, we have been able to closely \nexamine data integrity and security issues from a number of \ndifferent perspectives, but today we have the opportunity to \nspecifically focus on health-related information.\n    In addition to having assembled the cast before us from the \nVA, we have also taken the opportunity to speak with folks from \nthe private sector. I for one welcome the opportunity to hear \nwhat is currently being considered state-of-the-art in the \nprivate sector and then benchmarking that standard against VA's \ncurrent practices. Today we have this opportunity.\n    I would like to personally thank all of our witnesses for \nbeing here today. And with that, I now yield to our Ranking \nMember, Mr. Michaud, for an opening statement.\n    [The statement of Henry Brown appears on p. 23]\n    Mr. Michaud. Thank you very much, Chairman Brown, and thank \nyou for holding this very important oversight hearing. VA's \nelectronic patient record system remains the technological \nforce behind VA's state-of-the-art care. It can save lives as \nwell as money.\n    Last week, the VA Inspector General issued a report on VA's \nprocedure for outsourcing medical record transcriptions. The \nreport showed that the VA had weak controls over the veterans' \nmedical records. 
In 2005, a subcontractor in India contacted \nthe IG and threatened to expose thousands of patients' records \nover the internet if the subcontractor was not paid.\n    This allegation and the IG audit showed the VA was \nincapable of controlling or detecting where a contractor had \nmedical information transcribed or who had access to it. VA's \nprocedure for acquiring medical transcription services from \ncontractors failed to address basic security requirements.\n    Of the VA facilities surveyed, 91 percent did not remove \npersonal identifiers such as patients' names and Social \nSecurity numbers before transmitting the data to contractors \nfor transcriptions.\n    I agree with the IG that the VA needs to do this work with \nVA staff because this is not a practical way to ensure that \ncontractors safeguard patients' protected health information.\n    As the IG report says, and I quote, ``The inability to \ncontrol confidential information in an era of global \noutsourcing leaves protected health information unprotected and \npatients subject to identity theft,'' end of quote.\n    Given the clear risk with outsourcing, I cannot understand \nwhy this Administration and the Office of Management and Budget \nidentified the jobs in medical information or records as ones \nthat should be studied for outsourcing.\n    I look forward to hearing from Dr. Kussman about the VA's \neffort to improve controls on medical transcriptions.\n    Chairman Brown, I commend you for your leadership in \nholding this hearing so that we can better understand what the \nVeterans Health Administration has done and what they will do \nto preserve the security and privacy of veterans' medical \nrecords.\n    Also, Mr. Chairman, I would like my full opening statement \nto be submitted for the record. Thank you.\n    Mr. Brown of South Carolina. Okay. Without objection. Thank \nyou, Mr. Michaud.\n    [The statement of Michael Michaud appears on p. 30]\n    Mr. Brown of South Carolina. 
Mr. Turner, do you have an \nopening statement?\n    Mr. Turner. Mr. Chairman, I want to thank you for holding \nthis hearing. I appreciate your continuing to give information \nto the Subcommittee members and the members of the full \nCommittee on this important issue, and I would like permission \nto submit an opening statement for the record.\n    Mr. Brown of South Carolina. Without objection.\n    [No statement was submitted.]\n    Mr. Brown of South Carolina. Dr. Snyder.\n    Mr. Snyder. No thank you.\n    Mr. Brown of South Carolina. Okay. On our first and only \npanel representing the Department of Veterans Affairs, we are \nhonored to have Brigadier General Michael J. Kussman. Dr. \nKussman was appointed Deputy Under Secretary of Health for the \nVeterans Health Administration on May 29, 2005.\n    In this capacity, he leads the clinical policy and programs \nfor the nation's largest integrated healthcare system. Among \nhis many accomplishments, Dr. Kussman served as the Army \nSurgeon Generals chief consultant in internal medicine and \ngovernor for the Army Region of the American College of \nPhysicians in 1988.\n    From March 1993 to August 2005, he commanded Martin Army \nCommunity Hospital at Ft. Benning, Georgia and later commanded \nthe Walter Reed healthcare system in Washington, DC, where he \nwas promoted to Brigadier General.\n    Following his tour at Walter Reed, Dr. Kussman served as \ncommander of the Europe Regional Medical Command and was \nresponsible for healthcare throughout Europe, the Middle East, \nand Africa.\n    Dr. Kussman is accompanied by Mr. Craig B. Luigart, VHA \nChief Information Officer; Dr. Robert Kolodner, Chief Health \nInformation Officer; Ms. Stephania Putt, VHA Privacy Officer; \nand Ms. Gail Belles, VHA Technical Security Advisor.\n    Also I want to welcome Mr. Robert Seliger. He's the CEO and \nCo-Founder of Sentillion. Mr. 
Seliger has led the company in \ncreating security solutions that improve information access and \nwork flow for customers in the healthcare information \ntechnology industry. He is widely recognized as a visionary at \nthe forefront of converging technical markets and clinical \ntrends in healthcare.\n    Prior to co-founding Sentillion, Mr. Seliger was a senior \nR&D manager and chief architect at an International Team \nresponsible for development of Hewlett Packard's medical \nproducts group's largest portfolio of clinical information \nsystems products.\n    Presently he chairs the Healthcare Information and \nManagement Systems Society Steering Committee for Integration \nand Interoperability. We are very pleased to have him at our \nhearing today.\n    Dr. Kussman, before you begin, I gave you all those \naccolades. I want to chastise you just a bit for the lateness \nof your prepared remarks to the Committee. We certainly wish \nyou would be a little bit more responsive and a little bit more \ntimely getting the information to us so we will have a better \nopportunity to review testimony before it is actually \npresented.\n    But with that, we will now start with you.\n\n STATEMENTS OF BRIG. GEN. MICHAEL J. KUSSMAN, M.D., PRINCIPAL \n       DEPUTY UNDER SECRETARY OF HEALTH, VETERANS HEALTH \nADMINISTRATION, DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY \n ROBERT KOLODNER, M.D., CHIEF HEALTH INFORMATICS OFFICER, VHA, \n    DEPARTMENT OF VETERANS AFFAIRS; STEPHANIA PUTT, PRIVACY \n  OFFICER, VHA, DEPARTMENT OF VETERANS AFFAIRS; GAIL BELLES, \n    TECHNICAL SECURITY ADVISOR, VHA, DEPARTMENT OF VETERANS \n  AFFAIRS; AND ROBERT SELIGER, CHIEF EXECUTIVE OFFICER AND CO-\n   FOUNDER, SENTILLION, INC., CHAIR, STEERING COMMITTEE FOR \n INTEGRATION AND INTEROPERABILITY, HEALTHCARE INFORMATION AND \n                   MANAGEMENT SYSTEMS SOCIETY\n\n                STATEMENT OF MICHAEL J. KUSSMAN\n\n    Dr. Kussman. Good morning, Mr. 
Chairman, and Ranking \nMember, other members of the Committee.\n    First, let me say that I apologize for the lateness of the \nstatement, and I have talked to Counsel and we clearly need to \ndo better and we will.\n    Mr. Brown of South Carolina. Well, I know you are under a \nlot of pressure from a lot of different groups to prepare \nremarks, but we do need to try to resolve this problem we have. \nBut, anyway, we are grateful to have you here today.\n    Dr. Kussman. Yes, sir. This is a partnership and we need to \ndo better. So thank you for your comments.\n    Thank you for allowing me to provide an overview of the \ndata management and security procedures that the Veterans \nHealth Administration employs to ensure the safety and \nintegrity of veterans' electronic health records and to \nsafeguard sensitive personal veteran information from internal \nand external security threats.\n    Before I proceed with my review of our security and privacy \nprocedures, I want to assure both you and our nation's veterans \nthat the recent data breach did not include any of the Veterans \nHealth Administration's electronic health records.\n    VHA views data privacy and security as a fundamental \noperational pillar. We are committed not only to ensuring that \nour veterans receive the best healthcare but that we also fully \nprotect the security and privacy of their paper and electronic \nhealth records.\n    VHA is responsible for protecting data on all systems that \nfacilitate the delivery of healthcare benefits to our nation's \nveterans. Similar protections are provided for the databases \nthat contain the veteran health records exchanged between the \nDepartment of Defense and VA. We protect many important health \ndatabases and systems that enable us to provide quality care to \nour veterans.\n    Our core electronic health records system is VISTA. 
This \nwidely acclaimed system has saved the lives of thousands of \nveterans, but it was designed 20 years ago and, as such, it is \nprincipally hospital based and is deployed in more than 100 \nlocations. This distributed nature does not lend itself to \nsimple security compliance.\n    Today network and telecommunications standards and \nsolutions exist to assist in mitigating these risks while \ncreating greater efficiency and effectiveness, and a wide range \nof security and privacy procedures protect VISTA and other VHA \nsystems.\n    For years, VHA has required that all employees and \ncontractors complete annual privacy and security training. VA \npolicy is that anyone needing access to our data to perform \ntheir duties, whether a provider, a researcher, or veteran \nservice officer, must be granted explicit approval for that \naccess.\n    This is just the beginning. VHA also develops its own \npolicies and guidance focused on healthcare-specific issues and \nimplements sophisticated technical controls to protect the \nveterans' health records.\n    VHA carefully controls access to sensitive data. Only those \nwho have a legitimate and demonstrated need are granted access \nto sensitive information. Even then, users' access is limited \nto the information needed to do their jobs.\n    VHA also employs security measures to protect VA systems \nand data when VHA employees and contractors perform work \noutside of VA offices. All external connections into the VA \nnetwork are protected by a virtual private network, VPN, which \nprovides secure, remote access. VPN access requires management \napproval and approved users are required to sign and abide by a \nrules of behavior document that must be in place before access \nis granted.\n    Across this nationwide network of systems, VHA applies many \nother security controls. 
These include intrusion detection \nsystems that monitor and detect intruders, encryption of \nsensitive data exchanged with DoD, routine backups of data on \nour critical systems, and continuity of operations, processes, \nand procedures.\n    VHA is committed to continuing to strengthen our security \nand privacy controls. To this end, VA is investigating the use \nof encryption solutions appropriate for our information systems \nand data protection needs that will be adopted for use across \nVHA.\n    VHA is reengineering current applications that will broaden \nauditing capabilities. We are enhancing our current role-based \naccess control capabilities to provide granularity with user-\ndefined roles. And VHA has taken the lead in developing role-\nbased access control enhancements that are being evaluated for \nnational and international endorsement.\n    To further strengthen security and privacy, VHA has \nidentified a number of specific actions for strengthening data \nsecurity procedures that are in the planning stages or have \nbeen identified as a result of the data security breach as \nfollows:\n    Provide and mandate centrally deployed security solutions; \nimplement a department-wide encryption solution that encrypts \ndata that is sent across VA networks; increase the use of \nsecure web-based solutions for e-mail, scheduling, and other \nadministrative needs; require that portable media and laptops \nhave the capability to encrypt all sensitive data and that \nappropriate guidance tools training are provided to the users \nto implement these solutions effectively; and update VA and VHA \nsecurity policies to address changes in technology's current IT \nenvironments.\n    To further emphasize the importance of security, VA is \nplanning a department-wide Security Awareness Week for \nworkforce members from June 26 to 30 June with daily briefings \non proper security practices. 
VHA is taking the lead for \ncoordinating the week.\n    In addition, to help veterans, VA will set up information \nbooths across the VA so that veterans can get information on \nidentity theft and data protection.\n    In closing, let me reiterate that we see data privacy and \nsecurity as a fundamental operational pillar. We are committed \nto providing the best possible care to our nation's veterans, \nand we will do everything in our power to fully protect the \nsecurity and privacy of their health records. For our veterans, \nfor the men and women who have fought so bravely for our \ncountry, anything else is unacceptable.\n    And I might close, if you would not mind, sir, with a \npersonal comment. As a veteran and a retiree, I have received a \nletter from the Secretary as well. It was not a surprise to me \nobviously, but I did receive the letter. And I can assure you \nthat myself and others of us who are in that same situation \ntake this very, very seriously both on a personal and \nprofessional basis.\n    Thank you.\n    Mr. Brown of South Carolina. Thank you, Dr. Kussman, for \nyour testimony.\n    Dr. Kolodner, we will take your testimony next. I am sorry. \nMr. Seliger. We will get to you later. Okay.\n    [The statement of Michael Kussman appears on p. 37]\n\n                  STATEMENT OF ROBERT SELIGER\n\n    Mr. Seliger. Chairman Brown, Mr. Michaud, distinguished \nmembers of the Committee, thank you for the opportunity to \ntestify before you today on a subject of critical importance \nfor our Nation's veterans, but also to every citizen, how to \nsafeguard sensitive personal health and related information \nfrom external and internal security threats.\n    My name is Robert Seliger, and I am Co-Founder and CEO of \nSentillion. Sentillion is the industry leading provider of \nidentity and access management solutions to hospitals and \nhealthcare systems. 
Every day Sentillion helps hundreds of \ninstitutions and hundreds of thousands of physicians, nurses, \nand other caregivers at those institutions employ effective \nsecurity and privacy practices while also facilitating the \ncare-delivery process.\n    We are exceedingly proud to say that among these \ninstitutions are all 163 medical centers of the Departments of \nVeterans Affairs.\n    To further introduce myself, I have 26 years of experience \nin the field of health information technology. I have served on \nnumerous Standards Committees and have chaired a variety of \nhealthcare industry initiatives.\n    Recent activities include serving as Chair for the HIMSS \nSteering Committee for Integration and Interoperability and \nserving as an advisor on standards uptake for the Pan-Canadian \nElectronic Health Records Standard Steering Committee.\n    Today I want to focus on one aspect of the complex \nchallenge of safeguarding patient data in a clinical setting, \nand that is how can we safeguard patient data without also \nimpeding the care-delivery process? Practicing safe and \neffective medicine will always take precedence over concerns \nfor security and privacy.\n    Our nation's nurses and physicians are among the smartest, \nmost highly-trained people in the world. This fact coupled with \ntheir deep sense of mission will compel them to avoid, work \naround, and challenge policies that impede the care-delivery \nprocess. This is because the care-delivery process by its very \nnature requires immediate information access and the constant \nsharing of information with others.\n    As a simple example, consider the seemingly trivial tasks \nof logging onto a computer in order to access patient data and \nthen logging off the computer when done. These actions are \nalmost never performed in the hospital. 
Instead computer \naccounts are shared in order to avoid logging in and no one \nlogs off.\n    The reason is that a caregiver in a busy hospital might \nneed to log on and off 50 to 100 times a day. At a minute or \ntwo for each log on and log off, you can quickly see how this \nseemingly trivial best practice is avoided because it \ninterferes with the pace of providing care.\n    And so our nation's physicians and nurses practice good \nhealthcare, but leave millions of personal computers across the \ncountry open to access or even simple perusal by any passerby \nfrom other healthcare workers with no valid reason to view the \ninformation to other patients to people visiting patients to \nanyone else who might be in the hospital.\n    I would like to assert that the security and privacy \nchallenge that the healthcare industry faces are not just \nattacks from outside but also transgressions from within. The \nquestion is, how do we as a nation change the situation without \ncompromising the care-delivery process?\n    Data that we have from a study we conducted shows that \nunder circumstances in which log-on and log-off times were \nreduced to just a few seconds, nurses in one hospital who only \nlogged off 50 percent ofthe time were now doing so 100 percent \nof the time. And physicians who were not logging off at all were now \ndoing so 86 percent of the time.\n    This change in behavior was not due to a new policy or the \nthreat of punitive measures. Rather, we simply made it easier \nfor caregivers to behave as good security and privacy citizens.\n    The challenge we face is to make sure that the things we do \nto keep the bad guys out do not effectively prevent letting the \ngood guys in. 
This is about making sure we engineer security \nand privacy solutions from a work-flow perspective and not \nattempt to force upon healthcare organizations mechanisms that \nmake sense for other types of environments but which do not \nmake sense for healthcare.\n    Delivering effective healthcare is an intense and \ncomplicated process. It is also a truly mission-critical \nprocess. Our industry must find the right balance between \napplying security and privacy measures that are known to work \nand applying measures that could be detrimental to patient \ncare.\n    We can assert, for example, that every caregiver must have \na password for each application that they use, but what, in \nfact, are we asking our caregivers to do if they need to \nremember ten different passwords and enter each one in dozens \nof times a day?\n    To truly safeguard patient security and privacy requires a \nbroad set of measures. These measures include not only good \nnetwork security and the appropriate encryption of data but \nalso involves tools and mechanisms that enable good people, \nwell-meaning people to do their jobs without compromising \npatient health, patient security, or patient privacy.\n    Mr. Chairman, this concludes my remarks. Thank you for the \nprivilege of speaking before you today. I am happy to answer \nany questions the Committee may have.\n    [The statement of Robert Seliger appears on p. 46]\n    Mr. Brown of South Carolina. And I thank you very much for \nyour testimony and also Dr. Kussman. Have you all met before?\n    Mr. Seliger. I am sorry?\n    Mr. Brown of South Carolina. Have you all met before?\n    Mr. Seliger. No.\n    Mr. Brown of South Carolina. Okay. Well, I think you both \nbring a great perspective to the process. And, in fact, I will \nask you the first question if I might.\n    Your testimony makes a number of sound points. I wonder if \nyou could expand a bit on the relative importance of auditing \nelectronic access to records. 
I mean, security protocol and \naudit capabilities are one thing, but actually doing the audit \nand understanding who is using the data is quite another.\n    What security features should a healthcare system like the \nVA contain?\n    Mr. Seliger. Well, the audit process begins with being able \nto establish the identity of the people using the system. In \nthe example I just gave that people are not logging in, and I \nam using the same accounts as Dr. Kolodner or Dr. Kussman here, \nthen an audit is irrelevant because you do not really know who \nis actually using the computer.\n    So the best audit processes begin with establishing \nmechanisms that enable caregivers to want to, to easily sign on \nand sign off the computers, and do so in a secure manner, so \neach person is uniquely identified. Once we have that, we can \nthen record the access and make appropriate conclusions about \nwhether those accesses were appropriate or not.\n    Mr. Brown of South Carolina. Dr. Kussman, do you all have a \nsystem similar to this or how do you control and audit the \nusers?\n    Dr. Kussman. Yes, sir. Thank you for the question.\n    I believe we do have a process that identifies the people \nnot only that have access to the system but makes sure that the \npeople who have access need to have access.\n    You know, we talk in the security realm about need to know. \nThat is only part of it. The question is need to have. I mean, \na lot of people like to have access to things that they do not \nnecessarily need to have.\n    From a clinical perspective, obviously, as was mentioned, \nour primary mission is to provide the state-of-the-art care to \nour veterans, and the electronic health record is a modality of \ndelivery of care. For us, it is the same as a stethoscope or an \nEKG machine or CAT scan, and it has become part of our culture \nand used daily.\n    I might ask Dr. Kolodner, who is an expert on this, to \nmaybe illustrate further how that is done.\n    Dr. 
Kolodner. Yes. Thank you very much.\n    Each of our users has their own account and a two-level \npassword, both of which are private, so the physician or nurse \nwill log on and access the patient.\n    We also have a third password for the electronic signature. \nIf I am entering data, I have to add that additional password, \nwhich means that I cannot come in behind someone else and use \nthe system since I would not know their electronic signature \npassword.\n    We reinforce the importance of protecting passwords to our \nproviders on a regular basis, and we actually take action for \nthose who violate the log-off, log-on procedures in our \nfacilities.\n    Dr. Kussman. Sir, I might add just one other thing is that \nin many ways, the electronic health record has improved the \nsecurity dramatically and access to information or protection \nof information because many of us are old enough and dinosaurs \nbefore the electronic health record. And when we had hard copy, \nthe records would sit around, if you will. They would be on a \nnurse's station or on a doctor's desk or in a records room. And \nin many ways, anybody could come up and pick up that record and \nread something about the patient. It was very difficult to have \nphysical security on this.\n    So what Dr. Kolodner has been mentioning is a quantum leap \nimprovement, I think, in security in keeping that information \nprivate.\n    Mr. Brown of South Carolina. Is it password protected on \ndifferent segments so the record has different levels of \nauthority and certain controls over parts of the record?\n    Dr. Kolodner. Yes. We have a series of access controls in \nour current system. 
And based on the work that we have been \ndoing, we have been developing a much more sophisticated system \ncalled role-based access that defines what parts of the record \na particular individual should be allowed to read from or write \nto based on the role that they are serving or playing in the \nfacility.\n    We have taken that schema for the role-based access to the \nstandards development organizations, working in conjunction \nwith our Departmentof Defense and with Kaiser Permanente \ncolleagues, and it has passed the ballot for an international standard.\n    So we do already have a process in our current process for \ncontrolling that access, and we are devising and planning to \nimplement in our next generation system an even more \nsophisticated system.\n    Mr. Brown of South Carolina. Since the theft of those \nrecords, have you done anything different to put in place \npolicies that would further identify in the audit if there has \nbeen a breach within your own areas and indicate who might be \nusing this data? Are there other security measures you put in \nplace since the event?\n    Dr. Kussman. Yes, sir. As you know, that from a healthcare \nperspective, we always had a very sophisticated and controlled \nprogram known as the Health Information Portability and \nAccountability Act, the HIPAA, and that put in place a great \ndeal of standards different than nonhealthcare data.\n    And that has been inculcated into the culture of all \nhealthcare delivery systems because everyone knows if you \nbreach that, not only are you doing something wrong as far as \nan ethical, moral thing, but you can really be hurt financially \nand potentially go to jail for it.\n    So there is a great deal of sensitivity about controlling \nhealthcare information. So that was already the foundation. 
Because of this breach of information, and as we have said,
thank goodness it was not involved with healthcare data, but it
certainly has sensitized us immensely to that.
    And I might ask Ms. Putt, who is our privacy manager, and
Gail, our security people, to comment on what are some of the
newer things that we have looked at in respect to the breach.
    Ms. Belles. Actually, we have taken a number of steps to
address issues. One thing that we have done is to issue a data
access inventory to all of our VA personnel. We are identifying
the access to sensitive data for every individual in our
workforce, employees, contractors, students, residents, et
cetera. That is a major undertaking for us. We are planning to
get the results back from that access inventory at the end of
June.
    The Security Awareness Week, we talked about. We are going
out to the entire workforce to give briefings on the importance
of security and privacy and the things that need to be done to
protect patient data so that it is not compromised at any time.
    There have been policies that have been updated, rewritten
to address remote access to our systems and data. We have
actions to bring groups together to look at encryption
methodologies for laptops and portable media so that we can
address that area which we know is a vulnerability.
    So a number of good steps as a result of this.
    Mr. Brown of South Carolina. Let me just follow up on that
statement. The access inventory--you will not get a response
until the end of June. How often would you get a report if
somebody accessed a file that should not be there? If somebody
accessed a file, they would have to have access to some
password. But what does the access inventory do for you?
    Ms. Belles. What that does is provides us with a list of
the entire workforce and the systems, the sensitive data that
they have, and how they access it.
So if they access it
remotely or if they access it from an office or they access it
in paper form, we can identify that and we can also look very
closely at the appropriateness of those accesses.
    As far as individuals accessing medical records, we have
audit trails that are logged on a continuous basis and are
reviewed by the facility information security officers on a
regular basis to ensure that with managers that the individuals
accessing these records or accessing these options have the
need to know.
    Mr. Brown of South Carolina. And how timely is that review?
    Ms. Belles. I am sorry?
    Mr. Brown of South Carolina. How timely is that review?
    Ms. Belles. It is a real-time recording of the audit.
    Mr. Brown of South Carolina. Right.
    Ms. Belles. I think it's probably a 30-day review by the
ISOs.
    Dr. Kussman. Sir, if I might add to that. With our
inventory review, we are going out and looking at not only who
have laptops but who have access to that virtual network that I
talked about, the VPN, because over a period of time,
organizations, there may be more people who have access than we
think we really knew need to have.
    Many people may be using it just for e-mail and they do not
need the laptop for that. We have Blackberries and other ways
of doing that. So we are doing a very close scrub on who has
laptops and what are they doing with them, and then also
educating people very closely on what their responsibility is
if they have a laptop.
    I mean, you can have it and need VPN access both when you
are going some place. You have a responsibility to protect that
laptop in a hotel or a restaurant or even in your car.
And on
top of that, you should not carry as much as possible any
information that if indeed the laptop was stolen for some--I
mean, obviously we cannot prevent somebody from holding
somebody up on the street and taking their laptop, but we
certainly would not want any information on there or as little
information on there that would be incriminating or sensitive
in any way.
    Mr. Brown of South Carolina. That leads me to my next
question, and this will be my last question. I notice that your
written testimony referenced the Department's interest in
starting to encrypt the data that is sent between VA sites. Is
there some specific reason why that has never been seen as
appropriate before?
    Dr. Kussman. Yes, sir. Let me just make a comment that our
VPN network is already encrypted. And so there is a significant
amount of encryption that goes forward. And if everybody stayed
within the firewall, if you will, using the encryption, then
indeed we have much less of a potential problem.
    The question is that in data that even flows within the
system or somebody downloaded something to their hard drive,
can that bypass the VPN encrypted nature? And so we are looking
at that. But that really is not only a VHA responsibility, it's
a VA-wide responsibility to look at encryption, and we would
want to coordinate that with the VA CIO so we have one system
of encryption.
    Would either one of you like to add to that?
    Ms. Belles. I will just add that several years ago, we
transformed from what we had in place for our network was IDCU,
which is a private network, and we have gone to a more open
network.
    So at the time we had the IDCU, we did not require any
encryption between the facilities. But now that we are in this
environment where we have a more open network, we need to look
at encryption between the facilities.
    Mr. Brown of South Carolina.
Thank you very much for your
testimony.
    And, Mr. Michaud.
    Mr. Michaud. Thank you, Mr. Chairman.
    Dr. Kussman, I just want to reiterate what Chairman Brown
had mentioned in his opening as far as questioning. I, too, was
concerned about the lateness of your testimony, and have not
had a chance to go through it.
    And I know next week, we have a hearing on Tuesday and VA's
testimony is supposed to be in tomorrow. So hopefully we will
be able to, you know, have your testimony tomorrow for next
week's hearing.
    Dr. Kussman, in your testimony, you state that VA contracts
forbid the transfer of veterans' protected health information
outside the jurisdiction of the United States. A couple of
questions.
    How will you monitor compliance with that provision? Can
you give us total and complete assurance that absolutely no VA
contractor will use an overseas subcontractor to transcribe
veterans' medical information?
    Dr. Kussman. Yes.
    Mr. Michaud. How will you monitor the provision?
    Dr. Kussman. Sir, that is written into the contract and the
contractors have to abide by the same security issues that we
have in-house that is part of the contract.
    The issue that you are describing, I am well aware of, that
took place. We did not realize, quite frankly, that the
contractor had subcontracted. When we found out, we stopped
that and we have prohibited that from occurring again.
    Mr. Michaud. Okay. Thank you.
    And are you confident that the VA can control veterans'
private and personal medical information while it is outsourced
for medical transcriptions here in the United States?
    Dr. Kussman. Yes, sir. As you are well aware of, we are a
large organization. We talked about the need to balance the
delivery of healthcare with safety. They are not mutually
exclusive.
I mean, they are together.
    We with our contractors will leave no stone unturned, no
process unlooked at to protect the privacy and security of all
our veterans. And if indeed there is a mishap, we will have in
place processes that will aggressively and quickly address
those issues and be sure that we inform the veterans.
    As you know, we have a very elaborate safety program that
we do. We have briefed you and others on similar types of
issues related to safety. We have an open environment. There
are no secrets. We try to make sure that both you and other
supervising entities as well as the patients know what we are
doing.
    So I believe we have in place and we will aggressively
enforce all the security needs to protect our patients.
    Having said that, as you know, the gold standard in this
country is the airline industry and FAA, as I mentioned to you
earlier, and we all feel fairly secure when we get on an
airplane. Unfortunately, even with everything, airplanes do not
work the way that they are supposed to and there are accidents.
    We will put in and aggressively put in all the processes
that would minimize and mitigate any situations that we can
anticipate. But to tell you a hundred percent that it will
never happen again, you know as well as I that that would be
difficult to do.
    Mr. Michaud. Thank you.
    Also in your testimony, you state that the VA conducts an
annual system-wide ongoing assessment and review strategy
called SOARS.
    What did SOARS identify to be the most significant privacy
and security threat to VA's medical health data system both
internal and external?
    Ms. Putt. Mr. Congressman, I do not have that information
at this time on the finding of the SOARS assessment
specifically. I do have information on other assessments.
    Mr. Michaud. Would you be able to provide the Committee
with the SOARS assessment?
    Ms. Putt. I think we can.
    Dr. Kussman.
Yes, sir. The SOARS has been a very successful
program for us. It has been a self-induced, self-initiated
program that looks at a whole gamut of things much like a mini
joint commission assessment would volunteer. And it was
originally volunteers. The facilities were not required to do
this. But it has been successful, everybody asks for it. So
effectively it is a guaranteed program.
    One of the things that we have always looked at but will
look at more closely is the issue of data security. I am not
aware that that has been a major problem for us that has come
up in the SOARS, but we will look back at that. And with your
indulgence, we will report back to you for the record on that.
    Mr. Michaud. Thank you.
    VA researchers can have access to databases with Social
Security numbers identifying veterans. I understand that
researchers must go through an approval process to get access
codes to this database.
    What does VA do after a researcher has access to ensure
that such data is not downloaded, put on a laptop or extended
hard drive or otherwise put at risk of being lost or stolen and
how do you enforce this policy?
    Dr. Kussman. Yes, sir. Thank you for the question.
    We are aware of that situation. We monitor it very closely.
As you alluded to, that anybody who does research has to apply
for that. There are standards that have to be met. It is part
and parcel of the approval in the Institutional Review Boards
at the facilities that approve the human research and protect
the patients, and it is not only protection for their clinical
things, but it is also protection of their information and
their rules and regulations on what the researcher can do and
what they can transport.
    But I will ask Gail or Stephania to elaborate on that.
    Ms. Putt.
Thank you.
    As stated, researchers/investigators do have to follow the
privacy and security of protecting their research information
as outlined in their research protocol that is approved by the
Institutional Review Board.
    The data that they use and collect cannot be used for any
other purpose without going back to the Institutional Review
Board for approval. They must also follow policies regarding
the protection of human subjects and their data for research to
ensure that the information is not shared with affiliates or
colleagues who are not VA employees or do not have legal
authority to see the information, and they have to safeguard it
in accordance with policies if it is placed on any laptops or
other devices.
    Mr. Michaud. But the question was, what does the VA do
after they do all the research? What does the VA do after the
researcher has access to all this information? How do you know
that they do not download it or make copies on another CD?
    Ms. Putt. VA researchers should follow policies that
prohibit them keeping the data after the research study has
concluded. Once the study has concluded and they have maybe
published their results, they are supposed to destroy the data
or return the data. They are not to keep it to use for future
research projects.
    Mr. Michaud. On that same line of questioning, how does the
VA enforce a policy for researchers from taking the stuff home?
    Ms. Putt.
There is a Research Compliance Office that is
responsible for reviewing researchers' activities in terms of
their research protocols and what they are doing in terms of
their studies, along the same lines with the protection and
security of their information.
    I do not have any more information on the processes of the
Research Compliance Office, but facilities do actually have
Research Compliance Officers at some of the facilities who are
responsible for reviewing the researchers' activities.
    Mr. Michaud. Not being a computer whiz, how confident are
you that the researchers do not take this information home? Is
there any way that you can find out? I mean, just how confident
are you?
    Dr. Kussman. I guess I got the look to answer the question.
    Sir, through the Office of Research Oversight, they do
random samples. They look at that. They look at a process under
which people adhere to the processes. We set that up--it used
to be called ORCA. It is now the ORO, the Office of Research
Oversight--to really look at this.
    Part of the reason was to look at this issue because the
researchers do research. And sometimes, just like anybody else,
you could get a little lax about what you are doing. And so we
needed to have a process under which we looked at that.
    Does every protocol need to be looked at? No. We believe
that the process is valid. Because of this, we will relook at
our thing to see if it needs further strengthening. But to some
degree, we have to trust the people who signed the pieces of
paper who say that they are following what we have told them to
do.
    We believe that the process that we have in place works
pretty well because I am not aware of a significant or any
episodes where things have been lost or sensitive data has been
compromised. It is not to say that it could not have happened.
    Mr. Michaud. My last question for you, Dr.
Kussman, not
knowing whether it can be done or not, can you prevent any
information, any of the data that you have from being
downloaded? Is the technology available to do that and, if so,
are you doing that?
    Dr. Kussman. Whether it is research or otherwise?
    Mr. Michaud. That is correct.
    Dr. Kussman. Using the VPN network, and I might ask Dr.
Kolodner to comment on it, my understanding--and I am a
dinosaur when it comes to this stuff too. I can just use e-mail
and that is about--or a little WordPerfect and that is it. But
it is not easy to download using the VPN process, and it is
encrypted.
    The issue of downloading, as we said, that at the place of
work, people can download things into their computer. We are
aggressively looking at an encryption process that would
protect that as well. So whatever was downloaded and making the
presumption that the person had need to have this information,
it was not done for any other spurious reason, that it would be
encrypted and very difficult to get access to if the computer
was compromised in any way, shape, or form.
    So we are clearly getting better and learning as we move
along.
    Rob, would you like to comment?
    Dr. Kolodner. The downloading that might occur would take
place mostly inside the firewalls at the office, and there are
some business reasons why one might need to do that.
    As part of this access review, we are examining who has
access to bulk data, confirming if they need access, and what
constraints we have on that access.
    To reiterate, there are business reasons why sometimes
someone needs to download such data. We just need to know about
that and to know that the proper controls are in place, the
proper agreements have been signed, and a periodic review is
done.
    Mr. Michaud. So if there is a business reason why they have
to download information, would they have to get approval first?
    Dr. Kolodner. Yes.
They would have to have requested
approval, had their supervisor present that request to their
information security officer, and then been given approval
based on that justification.
    Mr. Michaud. Great. Thank you.
    My last question which will go to Mr. Seliger, again not
being familiar with technology, I have seen situations, and as
you described in your testimony, when going through a hospital,
you see someone's medical record up there on the screen, people
can see it.
    And I can understand where it would be cumbersome to log
off, log on quite frequently, which will take time, but I have
also seen technology, particularly actually in Maine, with
Bangor Mental Health, where when the employees punch in to go
to work, they use their finger which identifies the employee.
    Is the technology available so if someone wants to access
quickly a medical record that you can use your thumbprint to
open up the system and then a certain time frame, it
automatically goes off? Is that something that your
organization has looked at and might be available?
    Mr. Seliger. The answer is yes. We have a number of
hospitals and healthcare organizations in the private sector
using technology exactly as you described. For the record, I
would like to point out it is not your thumbprint but any of
the other three fingers that one tends to use for technical
reasons.
    But having said that, we have caregivers who are using
interesting combinations of devices. So fingerprint, as you
said, for authentication, but also devices that are called
active proximity devices, not much bigger than my card holder
here, and they detect your arrival or departure from a
workstation. And the operative word here is departure. When you
leave the vicinity of a computer, it locks it up.
Okay?
    So having to remember--and this is the kind of technologies
I was alluding to in my testimony, being able to accommodate
the caregiver work flow. Imagine yourself in an emergency room
coming and going, patients coming and going, computers all over
the place. Even if it was fast, you still have to remember to
do it.
    And by equipping caregivers with devices to make the log-on
process fast and easy, to make the log-off process implicit by
just leaving, we can achieve the kind of safeguards I alluded
to and actually facilitate the care-delivery process. People are
actually going to use the computers rather than paper as Dr. Kussman
referred to, which is still the primary source of information data in
most healthcare organizations in a general sense.
    Now, the VA itself has made a number of steps to be, I
guess the better way of putting it, quite pioneering in a
number of regards relative to information security in the
caregiver workplace.
    And as recently as this summer, we are proud to be working
with the VA at its Hines Facility on a project that has been
code named Medical Sign-On which is about taking this process,
these work flows with good security to a whole other level. We
will pilot at Hines, work out the kinks, make sure it works
properly, and then hopefully have a basis to roll this out to
the other VA medical centers.
    Dr. Kussman. Sir, we also have instituted a program where
the computers would automatically log off in five minutes is
what we are doing. It drives me crazy in my office because I
will have logged on, I will answer the phone, and then I have
got to log back in and things.
But it certainly works, I can
assure you, because it logs off and then I have to log back in.
    That would be the same thing around the system, whether it
is a nurse's station or anything else, that if a nurse walks
away or a physician walks away, if they do not get back on and
they are not sitting there within five minutes, it
automatically logs off. It is an irritant to people, but it is
a protection.
    Mr. Michaud. If I might, Mr. Chairman.
    Is the VA looking at the same technology that was just
talked about as far as using your----
    Dr. Kussman. We are looking at that and I think it will be
looked at as an agency issue with the CIO of whether we are
going to embark on that technology or not. I do not have enough
information. I do not think any of us know how much that would
cost or whatever.
    Would you like to comment on that?
    Ms. Belles. We are working on a Medical Sign-On pilot with
Sentillion at Hines as Mr. Seliger said. We are looking at all
kinds of technologies that can improve that interface for
clinicians and nurses so that we do not have a situation where
people just get up and walk away because they are called out
for an emergency or other things.
    You know, we have been in the position where the clinicians
come to us and say you have got to make this process better for
us. And Sentillion is partnering with us to find out the right
methods to do that.
    Mr. Michaud. Thank you very much.
    Thank you, Mr. Chairman.
    Mr. Brown of South Carolina. Okay. Thank you, Mr. Michaud.
    Dr. Snyder, do you have a question?
    Mr. Snyder. I do. Thank you, Mr. Chairman.
    Dr. Kussman, it is good to see you again and your
colleagues there.
    You got me curious, Dr.
Kussman, with what I thought was a
bit of a cryptic response when you were gently chastised for
your tardy statement here, which I know you try to get them
here, when you made some mention of lawyers or legal opinions
or something.
    And I always remember the old Art Linkletter show, Kids Say
The Darnedest Things, and his best question always was, is
there anything your mother did not want you to talk about to
tell us on the show today.
    And so now I am curious. Did your statement get overly
scrubbed by OMB and you had to redo it or were there things
that you had included in your original statement that caused
you to make that reference to lawyers or legal folks?
    Dr. Kussman. I am sorry. I do not remember what I said.
    Mr. Snyder. But was there some delay in the process? The
Congress has lots of problems with folks that want to do
opening statements and tell us things, and the statements,
anything written goes through OMB and gets scrubbed, and we do
not get the information we want.
    And I was just curious if there were some things that you
had intended to tell us that got removed in the process of your
statement being approved for delivery to the Congress.
    Dr. Kussman. Not that I am aware of. So I am not even sure
I can give you a thorough explanation of why, other than people
being busy as the Chairman mentioned and lots of hearings. And
all I can say is they apologize for the delay and we will do
everything we can to prevent that from happening.
    Mr. Snyder. You had mentioned the days of written records
which a lot of medical facilities still rely on. And I
remember, and I do not know how long ago, it was 15 years ago
or so when I was still practicing medicine. I had seen this
young boy. I can still see him in the exam room. He was about
eight. And his grandmother asked me about some behavioral
things that he was doing.
    And sometimes medicine is like doing a crossword puzzle.
You know, a week later, you think, oh, that is what that answer
was. Well, I knew right away that the kid had Tourette's and I
just did not--it did not come to my mind when I was talking to
the grandmother.
    Well, we had an all-handwritten medical section. I could
not remember anything. We could not figure out who the boy was.
So I had one staff member who over several Saturdays, because
we were slow, it was a slower day, went through every medical
record, opened up and tried to find the chart.
    Now, if we had had a computerized system, we could put in
an approximate age range. I think I even remember what the
diagnosis was I actually saw him for. We could have pulled up
those charts. We never did find the chart.
    I always felt bad about that because I can still see that
little boy sitting there probably being chastised by his
grandmother for some of his behavioral stuff. I suspect that he
had Tourette's.
    So my point is, while we had those written records, there
was a built-in protection which is it is a pain in the butt to
go through those written records trying to find something
compared to having access to a CD that holds, you know, 500,000
Social Security numbers of veterans or something, which is the
issue that we are dealing with.
    I want to pick up on what Mr. Michaud said, was asking
about the research aspect of this and the ability of people to
take information off.
    My first question is, why does the VA--and this is years
and decades before you got there, Dr. Kussman--why does the VA
have to use Social Security numbers? Why do your researchers
have to use Social Security? Why do they even have to have
that? Why do the researchers even have to have the name?
Why
can you not develop a program for the researchers that would
delete name, birth date, Social Security number throughout the
medical record, pretty much throughout the medical record?
    There might be a reference in a note that, well, he was
born in the same year as his, you know, twin sister. But they
do not have to have the name or Social Security number or birth
date. All they need is an identifying, this is subject number
one whose age is 23.
    Have you all considered that as part of your security, of
getting away from using Social Security numbers and what
information those researchers have to have?
    Dr. Kussman. Thank you for that question.
    As you probably know, it was not so long ago when we did
not use Social Security numbers. The military had a military ID
number that transposed to the VA when the person left----
    Mr. Snyder. Though we all still remember, right?
    Dr. Kussman. Yes, I remember. I had a military ID. I am old
enough to have one of those, just like I would not say you are
old, sir, but----
    Mr. Snyder. No. And I also got a letter by the way.
    Dr. Kussman. And I think it was 1970 or 1971, and somebody
correct me, where the military decided to go to Social Security
numbers, and we went along with that. I do not think anybody
anticipated the second, third, fourth level effects of the
Social Security number and it became so valuable.
    It was not so long ago that when you tried to cash a check
in the military PX or something, you had to write your Social
Security number on the check to get it. They have stopped doing
that because people rose up in righteous indignation.
But the
Social Security number became the key to almost everything, and
we kind of went along.
    I think there are a lot of people looking at this now to
determine whether or not we ought to just get away from the
Social Security number for one thing and go back to some other
type of identification number, and that would have to be done
in conjunction with a government-wide thing, I think,
particularly with DoD for us.
    The other part of the question was do we need to have that
information in research things or any sensitive information,
and the answer is I do not think we need it in each case.
    And another thing that we are looking at is what
information is needed for people to do their job, whether it is
research or administrative things. Do they need to have dates
of birth, Social Security numbers, and things like that?
    And I might ask Ms. Belles to add to that.
    Ms. Belles. I do not think I have much to add to that. As
Dr. Kussman said, there are a lot of groups that are looking at
the issue of SSNs as identifiers.
    I know that in our environment, we use the SSN for patient
safety reasons, to ensure that we have got the right veteran
when we are providing care. But outside of that, it is an
issue. I know it has been an issue for a number of years,
talked about across government agencies.
    And at this point, I do not think we have come to a
resolution. But certainly with everything that is going on
around us related to identity theft and the importance of
protecting SSNs, we need to address it.
    Dr. Kussman. I think, Doctor, you hit the nail on the head.
The good thing about the electronic health record and other
electronic process is you do not have to carry big things. I
mean, nobody is going to go out of the office with two tons of
records to get anything or it limited what you did.
    So electrifying the records is a good thing.
The bad thing
is now we are confronted with the challenge of protecting that
information because people in a small thumb thing can walk out
with lots of records. So it is a balance and we are learning
how to handle that.
    Mr. Snyder. I notice the clock. The only comment I would
make is I think the reality is we are not going to be able to
protect that information. We are all going to try and try and
try.
    The reality is, I think we are going to have to get to the
point where financial institutions will not accept some
handwritten things scrawled out by the new person who moves
into the house that I lived in ten years ago and some mass
mailing got there ten years too late and they will accept that.
    I think we are going to have to go to--I mean, I would
think banks would want to go where we have to walk in and have
a picture made and three fingerprints just to get a card
because there is no way we are going to protect this
information.
    Thank you, Mr. Chairman.
    Mr. Brown of South Carolina. Thank you, Dr. Snyder.
    Ms. Brown, do you have a question?
    Ms. Brown of Florida. Yes, sir. Thank you, Mr. Chairman and
Ranking Member, for hosting this hearing on this subject.
    And I got to tell you it is very disturbing to me, 26 and a
half million veterans' information compromised. And I know
someone close to me had this happen to them in this area and it
took them 18 months to get it cleared up. They went to co-sign
for someone and they said you need a co-signer.
    So my question to you--and I do not feel that this is an
isolated incident. I mean, it may be an incident that we found
out about it, members of Congress and the public. But I do not
think it is just isolated.
If this has happened, it has
happened before.
    And what I want to know is, what have you done to ensure
the safety of the data since the loss of this data and how can
you assure us that this is just a one-time major incident?
    Dr. Kussman. As we mentioned earlier, ma'am, the----
    Ms. Brown of Florida. And that is okay. You can tell us
over and over again because I am not convinced that you all get
it.
    Dr. Kussman. The issue that came up was not data that was
related to the Veterans Health Administration or health
records. We have programs in place that we believe
significantly protect our patients from loss of data both from
a security and privacy perspective.
    We operate under the principles of the Health Information
Portability and Accountability Act that puts very stringent
requirements in and holds people accountable both from an
ethical, moral perspective, but as well as a legal and
financial perspective. So we believe we have in place situations
that will protect our patients from loss of information and protection
or privacy.
    Ms. Brown of Florida. So you are saying that none of the
veterans', in the healthcare system, information have been
compromised in the past and you can assure us it is not going
to be compromised in the future?
    Dr. Kussman. No. I think as I mentioned to Mr. Michaud
earlier, it is a very large organization with lots of people.
Just like the FAA and its gold standard in the airline industry
of protecting patients and making flyers and making people
assured, but even in spite of that, there are airplane
accidents.
    Our process and our goal is to put in place processes that
would minimize or mitigate as much as conceivable the loss of
information. But could I promise you that there would never be
or that there has never been a loss of information? No. That
would be impossible to do.
    Ms. Brown of Florida. Yes.
But with FAA, we put in certain \nsafeguards. And so I guess I am asking you what additional \nsafeguards have you all put in place since this incident \noccurred?\n    Ms. Belles. We talked about this earlier as well. We have \ndone a number of things as a result of the data breach. A \ncouple of things that we have done is we have instituted a \nSecurity Awareness week to raise the awareness with our entire \nworkforce about the importance of data security, data \nprotections.\n    We have got a technical group that is being convened to \nlook at encryption. One of the areas that we recognize is a \nvulnerability as a result of this is that the data, we do not \nhave guards at the door. We are not stopping people from \nwalking out the door with this because we do not check these \npeople as they walk out the door.\n    But what we can do is put technical controls in place to \nprotect that data. We can put encryption on laptops and we can \nrequire encryption of files so that if that data is on a \nlaptop, that if anyone accesses it, if it is stolen, then the \ndata is protected, that people cannot use it or cannot see it.\n    Ms. Brown of Florida. A lot of people work from home. What \nkind of safeguards do you have there? I am not a technical \nperson, but the amount of information that they can pull down, \nhow does that work?\n    Ms. Belles. We do have what is called a virtual private \nnetwork in place, and everyone who is in an approved telework \nstatus is able to dial into our networks via that VPN \nconnection. That is an encrypted connection between the \nindividual's laptop and the computer systems.\n    We also allow on a very limited basis some of our \ncontractors and business partners to access that VPN as well, \nand they are held to specific systems based on IP address so \nthat they can only go to that system. The same with myself and \neverybody around the table. I have a VPN connection. 
I can only \ngo to those systems that I would access if I were sitting at my \ndesk at work.\n    Ms. Brown of Florida. Do you have extra safeguards for \nthose private contractors that you all contract with?\n    Ms. Belles. We have business associate agreements that \ndiscuss the data use, the protection of that data. We have \ncontracts in place that have the security language in them that \nrequires background investigations at the same level as VA \nworkforce members. We have requirements for them to take \nsecurity and privacy training just like our workforce members.\n    Ms. Brown of Florida. Thank you, Mr. Chairman.\n    I guess the only other follow-up question I would have was \nwhat kind of penalties if someone breached the agreement.\n    Mr. Brown of South Carolina. I assume that the person that \nwas involved before, Dr. Kussman, lost his job. Is that kind of \nthe penalty?\n    Dr. Kussman. I have not been directly involved in that as \nyou probably know. But, yeah, that is my understanding.\n    But to answer the question that was asked, there is a whole \nhuman resource protocol for actions that are inconsistent with \nour policies and programs all the way from letters of \nadmonition to firing and fines and things. So that process \nwould be used in this instance if somebody violated our \nprocedures and policies as well.\n    Mr. Brown of South Carolina. Thank you, Ms. Brown.\n    Mr. Michaud, you have a question?\n    Mr. Michaud. Just two quick questions, Dr. Kussman. You had \nmentioned that we can have all the policies we want and it is \nnot a hundred percent. There is one area where when you look at \nmedical transcription when you contract that out, which \nactually you can help, is by going to, I believe it is called \nvoice recorders versus contracting out. I think that will \ndefinitely be more secure.\n    Are you seriously looking at doing that sort of thing \nversus contracting out? Yes or no?\n    Dr. Kussman. Yes.\n    Mr. 
Michaud. The second one is, the VA and when you look at \nDepartment of Defense for our active military, when they deal \nwith medical records, are you working closely with the DoD \nparticularly when you look at medical records?\n    Dr. Kussman. Yes, sir. The transfer of information for the \nFHIE and the BHIE, the forward flow and the backward flow of \ninformation, the working together of the two agencies, as you \nknow, is unprecedented with the partnering that is going on.\n    All that information, and it is my understanding, and I \nwill ask Dr. Kolodner to confirm, is that all that information \nis encrypted.\n    Dr. Kolodner. The systems have not only met VA's standards \nand government standards, but also DoD standards for security, \nand all the data moving back and forth is encrypted as we move \nit between the Departments.\n    Mr. Brown of South Carolina. Thank you very much, Mr. \nMichaud.\n    I remind all members they have five legislative days to \nsubmit questions.\n    And, panel, thank you very much for coming. I hope that we \nwere able to gather some information from you that the VA might \nbe able to use. I know you are working already with them, and \nlook forward to a continued dialogue on this. Dr. Kussman, keep \nus abreast of what you come up with in order to prevent a \nbreach similar to what we have just experienced.\n    Dr. Kussman. Yes, sir. Thank you very much for inviting us.\n    Mr. Brown of South Carolina. I also might remind members \nthey have five legislative days to submit opening statements.\n    And with that, the meeting stands adjourned.\n\n\n\n                            A P P E N D I X \n\n\n\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n</pre></body></html>\n"