[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]



                   HEARING ON SAFEGUARDING VETERANS'
                MEDICAL INFORMATION WITHIN THE VETERANS
                         HEALTH ADMINISTRATION

=======================================================================

                                HEARING

                               before the

                         SUBCOMMITTEE ON HEALTH

                                 of the

                     COMMITTEE ON VETERANS' AFFAIRS

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 21, 2006

                               __________

                           Serial No. 109-55

                               __________

       Printed for the use of the Committee on Veterans' Affairs
                    U.S. GOVERNMENT PRINTING OFFICE

28-451 PDF                  WASHINGTON : 2007
------------------------------------------------------------------
For sale by Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax:  (202) 512-2250. Mail:  Stop SSOP, 
Washington, DC 20402-0001




                     COMMITTEE ON VETERANS' AFFAIRS

                    STEVE BUYER, Indiana, Chairman 
MICHAEL BILIRAKIS, Florida           LANE EVANS, Illinois,
TERRY EVERETT, Alabama                 Ranking Member
CLIFF STEARNS, Florida               BOB FILNER, California
DAN BURTON, Indiana                  LUIS V. GUTIERREZ, Illinois
JERRY MORAN, Kansas                  CORRINE BROWN, Florida
RICHARD H. BAKER, Louisiana          VIC SNYDER, Arkansas
HENRY E. BROWN, Jr., South Carolina  MICHAEL H. MICHAUD, Maine
JEFF MILLER, Florida                 STEPHANIE HERSETH, South Dakota
JOHN BOOZMAN, Arkansas               TED STRICKLAND, Ohio
JEB BRADLEY, New Hampshire           DARLENE HOOLEY, Oregon
GINNY BROWN-WAITE, Florida           SILVESTRE REYES, Texas
MICHAEL R. TURNER, Ohio              SHELLEY BERKLEY, Nevada
JOHN CAMPBELL, California            TOM UDALL, New Mexico
                                     JOHN T. SALAZAR, Colorado
                   James M. Lariviere, Staff Director

                         SUBCOMMITTEE ON HEALTH

             HENRY E. BROWN, Jr., South Carolina, Chairman
CLIFF STEARNS, Florida               MICHAEL H. MICHAUD, Maine,
RICHARD H. BAKER, Louisiana            Ranking Member
JERRY MORAN, Kansas                  BOB FILNER, California
JEFF MILLER, Florida                 LUIS V. GUTIERREZ, Illinois
MICHAEL R. TURNER, Ohio              CORRINE BROWN, Florida
JOHN CAMPBELL, California            VIC SNYDER, Arkansas
                            C O N T E N T S

                              ----------                              

 June 21, 2006--Hearing on Safeguarding Veterans' Medical Information 
                within the Veterans Health Administration

                                                                   Page

                           OPENING STATEMENTS

Chairman Henry E. Brown..........................................     1
Prepared statement of Chairman Brown.............................    23
Hon. Michael H. Michaud, Ranking Democratic Member...............     2
Prepared statement of Congressman Michaud........................    30

                        STATEMENT FOR THE RECORD

Hon. Corrine Brown...............................................    19
Prepared statement of Congresswoman Brown........................    32

                               WITNESSES

Kussman, Brig. Gen. Michael J., M.D., M.S., MACPP (US Army Ret), 
  Principal Deputy Under Secretary for Health, Veterans Health 
  Administration, Department of Veterans Affairs.................     4
Prepared statement of Dr. Kussman................................    37
Seliger, Robert, Chief Executive Officer and Co-Founder, 
  Sentillion, Inc., and Chair, Steering Committee for Integration 
  and Interoperability, Healthcare Information and Management 
  Systems Society (HIMSS)........................................     6
Prepared statement of Mr. Seliger................................    46

                 POST-HEARING QUESTIONS FOR THE RECORD

Hon. Michael H. Michaud..........................................    54
Hon. Corrine Brown...............................................    61
HEARING ON SAFEGUARDING VETERANS' MEDICAL INFORMATION WITHIN THE VETERANS 
                         HEALTH ADMINISTRATION

                              ----------                              


                        WEDNESDAY, JUNE 21, 2006

                  House of Representatives,
                            Subcommittee on Health,
                            Committee on Veterans' Affairs,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10 a.m., in room 
334, Cannon House Office Building, Hon. Henry Brown (chairman 
of the subcommittee) presiding.
    Present: Representatives Brown of South Carolina, Michaud, 
Turner, Brown of Florida, and Snyder.
    Mr. Brown of South Carolina. Good morning. The Subcommittee 
will now come to order. We are holding this hearing today to 
address the vulnerability of VA's electronic medical records 
system and examine the access and control policies VA employs 
and the compliance mechanism VA uses to safeguard sensitive, 
personal veterans' health information from internal and 
external security threats.
    The value of VA's electronic medical records system was 
evident in VA's response to Hurricane Katrina. During Hurricane 
Katrina, VA doctors and nurses were able to treat without 
interruption patients transferred from VA facilities in New 
Orleans to VA hospitals in Houston. Because of the system's 
electronic medical records, all patients' records were backed 
up, securely transported to Houston, and were back on line and 
available almost immediately.
    At the same time, however, there are risks with holding 
such sensitive and personal information electronically, and the 
lack of a solid VA information security program greatly 
troubles me.
    The personal and sensitive data of our nation's veterans 
must be handled with the utmost care. The burglary of the home 
of a Department of Veterans Affairs employee that included a 
data file with personal information on millions of veterans is 
simply unacceptable.
    The Department of Veterans Affairs is working with the FBI 
to thoroughly investigate this matter, and this Committee will 
be closely monitoring this situation to help ensure that such 
an occurrence is not repeated.
    We must make sure that there are explicit and clear 
security and confidentiality policies to protect the health 
information of our nation's veterans. To that end, we are 
interested today in hearing from those at the Department that 
the most sensitive information, individually identifiable 
health information is currently being protected.
    Additionally, in light of the recent theft, I am interested 
in knowing what the VA anticipates doing to better protect this 
information in the future and what steps, if any, have already 
been taken.
    Through a series of hearings set up by the Chairman of our 
full Committee, Chairman Buyer, we have been able to closely 
examine data integrity and security issues from a number of 
different perspectives, but today we have the opportunity to 
specifically focus on health-related information.
    In addition to having assembled the cast before us from the 
VA, we have also taken the opportunity to speak with folks from 
the private sector. I for one welcome the opportunity to hear 
what is currently being considered state-of-the-art in the 
private sector and then benchmarking that standard against VA's 
current practices. Today we have this opportunity.
    I would like to personally thank all of our witnesses for 
being here today. And with that, I now yield to our Ranking 
Member, Mr. Michaud, for an opening statement.
    [The statement of Henry Brown appears on p. 23]
    Mr. Michaud. Thank you very much, Chairman Brown, and thank 
you for holding this very important oversight hearing. VA's 
electronic patient record system remains the technological 
force behind VA's state-of-the-art care. It can save lives as 
well as money.
    Last week, the VA Inspector General issued a report on VA's 
procedure for outsourcing medical record transcriptions. The 
report showed that the VA had weak controls over the veterans' 
medical records. In 2005, a subcontractor in India contacted 
the IG and threatened to expose thousands of patients' records 
over the internet if the subcontractor was not paid.
    This allegation and the IG audit showed the VA was 
incapable of controlling or detecting where a contractor had 
medical information transcribed or who had access to it. VA's 
procedure for acquiring medical transcription services from 
contractors failed to address basic security requirements.
    Of the VA facilities surveyed, 91 percent did not remove 
personal identifiers such as patients' names and Social 
Security numbers before transmitting the data to contractors 
for transcriptions.
    I agree with the IG that the VA needs to do this work with 
VA staff because this is not a practical way to ensure that 
contractors safeguard patients' protected health information.
    As the IG report says, and I quote, ``The inability to 
control confidential information in an era of global 
outsourcing leaves protected health information unprotected and 
patients subject to identity theft,'' end of quote.
    Given the clear risk with outsourcing, I cannot understand 
why this Administration and the Office of Management and Budget 
identified the jobs in medical information or records as ones 
that should be studied for outsourcing.
    I look forward to hearing from Dr. Kussman about the VA's 
effort to improve controls on medical transcriptions.
    Chairman Brown, I commend you for your leadership in 
holding this hearing so that we can better understand what the 
Veterans Health Administration has done and what they will do 
to preserve the security and privacy of veterans' medical 
records.
    Also, Mr. Chairman, I would like my full opening statement 
to be submitted for the record. Thank you.
    Mr. Brown of South Carolina. Okay. Without objection. Thank 
you, Mr. Michaud.
    [The statement of Michael Michaud appears on p. 30]
    Mr. Brown of South Carolina. Mr. Turner, do you have an 
opening statement?
    Mr. Turner. Mr. Chairman, I want to thank you for holding 
this hearing. I appreciate your continuing to give information 
to the Subcommittee members and the members of the full 
Committee on this important issue, and I would like permission 
to submit an opening statement for the record.
    Mr. Brown of South Carolina. Without objection.
    [No statement was submitted.]
    Mr. Brown of South Carolina. Dr. Snyder.
    Mr. Snyder. No thank you.
    Mr. Brown of South Carolina. Okay. On our first and only 
panel representing the Department of Veterans Affairs, we are 
honored to have Brigadier General Michael J. Kussman. Dr. 
Kussman was appointed Deputy Under Secretary of Health for the 
Veterans Health Administration on May 29, 2005.
    In this capacity, he leads the clinical policy and programs 
for the nation's largest integrated healthcare system. Among 
his many accomplishments, Dr. Kussman served as the Army 
Surgeon General's chief consultant in internal medicine and 
governor for the Army Region of the American College of 
Physicians in 1988.
    From March 1993 to August 2005, he commanded Martin Army 
Community Hospital at Ft. Benning, Georgia and later commanded 
the Walter Reed healthcare system in Washington, DC, where he 
was promoted to Brigadier General.
    Following his tour at Walter Reed, Dr. Kussman served as 
commander of the Europe Regional Medical Command and was 
responsible for healthcare throughout Europe, the Middle East, 
and Africa.
    Dr. Kussman is accompanied by Mr. Craig B. Luigart, VHA 
Chief Information Officer; Dr. Robert Kolodner, Chief Health 
Information Officer; Ms. Stephania Putt, VHA Privacy Officer; 
and Ms. Gail Belles, VHA Technical Security Advisor.
    Also I want to welcome Mr. Robert Seliger. He's the CEO and 
Co-Founder of Sentillion. Mr. Seliger has led the company in 
creating security solutions that improve information access and 
work flow for customers in the healthcare information 
technology industry. He is widely recognized as a visionary at 
the forefront of converging technical markets and clinical 
trends in healthcare.
    Prior to co-founding Sentillion, Mr. Seliger was a senior 
R&D manager and chief architect at an International Team 
responsible for development of Hewlett Packard's medical 
products group's largest portfolio of clinical information 
systems products.
    Presently he chairs the Healthcare Information and 
Management Systems Society Steering Committee for Integration 
and Interoperability. We are very pleased to have him at our 
hearing today.
    Dr. Kussman, before you begin, I gave you all those 
accolades. I want to chastise you just a bit for the lateness 
of your prepared remarks to the Committee. We certainly wish 
you would be a little bit more responsive and a little bit more 
timely getting the information to us so we will have a better 
opportunity to review testimony before it is actually 
presented.
    But with that, we will now start with you.

 STATEMENTS OF BRIG. GEN. MICHAEL J. KUSSMAN, M.D., PRINCIPAL 
       DEPUTY UNDER SECRETARY OF HEALTH, VETERANS HEALTH 
ADMINISTRATION, DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY 
 ROBERT KOLODNER, M.D., CHIEF HEALTH INFORMATICS OFFICER, VHA, 
    DEPARTMENT OF VETERANS AFFAIRS; STEPHANIA PUTT, PRIVACY 
  OFFICER, VHA, DEPARTMENT OF VETERANS AFFAIRS; GAIL BELLES, 
    TECHNICAL SECURITY ADVISOR, VHA, DEPARTMENT OF VETERANS 
  AFFAIRS; AND ROBERT SELIGER, CHIEF EXECUTIVE OFFICER AND CO-
   FOUNDER, SENTILLION, INC., CHAIR, STEERING COMMITTEE FOR 
 INTEGRATION AND INTEROPERABILITY, HEALTHCARE INFORMATION AND 
                   MANAGEMENT SYSTEMS SOCIETY

                STATEMENT OF MICHAEL J. KUSSMAN

    Dr. Kussman. Good morning, Mr. Chairman, and Ranking 
Member, other members of the Committee.
    First, let me say that I apologize for the lateness of the 
statement, and I have talked to Counsel and we clearly need to 
do better and we will.
    Mr. Brown of South Carolina. Well, I know you are under a 
lot of pressure from a lot of different groups to prepare 
remarks, but we do need to try to resolve this problem we have. 
But, anyway, we are grateful to have you here today.
    Dr. Kussman. Yes, sir. This is a partnership and we need to 
do better. So thank you for your comments.
    Thank you for allowing me to provide an overview of the 
data management and security procedures that the Veterans 
Health Administration employs to ensure the safety and 
integrity of veterans' electronic health records and to 
safeguard sensitive personal veteran information from internal 
and external security threats.
    Before I proceed with my review of our security and privacy 
procedures, I want to assure both you and our nation's veterans 
that the recent data breach did not include any of the Veterans 
Health Administration's electronic health records.
    VHA views data privacy and security as a fundamental 
operational pillar. We are committed not only to ensuring that 
our veterans receive the best healthcare but that we also fully 
protect the security and privacy of their paper and electronic 
health records.
    VHA is responsible for protecting data on all systems that 
facilitate the delivery of healthcare benefits to our nation's 
veterans. Similar protections are provided for the databases 
that contain the veteran health records exchanged between the 
Department of Defense and VA. We protect many important health 
databases and systems that enable us to provide quality care to 
our veterans.
    Our core electronic health records system is VISTA. This 
widely acclaimed system has saved the lives of thousands of 
veterans, but it was designed 20 years ago and, as such, it is 
principally hospital based and is deployed in more than 100 
locations. This distributed nature does not lend itself to 
simple security compliance.
    Today network and telecommunications standards and 
solutions exist to assist in mitigating these risks while 
creating greater efficiency and effectiveness, and a wide range 
of security and privacy procedures protect VISTA and other VHA 
systems.
    For years, VHA has required that all employees and 
contractors complete annual privacy and security training. VA 
policy is that anyone needing access to our data to perform 
their duties, whether a provider, a researcher, or veteran 
service officer, must be granted explicit approval for that 
access.
    This is just the beginning. VHA also develops its own 
policies and guidance focused on healthcare-specific issues and 
implements sophisticated technical controls to protect the 
veterans' health records.
    VHA carefully controls access to sensitive data. Only those 
who have a legitimate and demonstrated need are granted access 
to sensitive information. Even then, users' access is limited 
to the information needed to do their jobs.
    VHA also employs security measures to protect VA systems 
and data when VHA employees and contractors perform work 
outside of VA offices. All external connections into the VA 
network are protected by a virtual private network, VPN, which 
provides secure, remote access. VPN access requires management 
approval and approved users are required to sign and abide by a 
rules of behavior document that must be in place before access 
is granted.
    Across this nationwide network of systems, VHA applies many 
other security controls. These include intrusion detection 
systems that monitor and detect intruders, encryption of 
sensitive data exchanged with DoD, routine backups of data on 
our critical systems, and continuity of operations, processes, 
and procedures.
    VHA is committed to continuing to strengthen our security 
and privacy controls. To this end, VA is investigating the use 
of encryption solutions appropriate for our information systems 
and data protection needs that will be adopted for use across 
VHA.
    VHA is reengineering current applications that will broaden 
auditing capabilities. We are enhancing our current role-based 
access control capabilities to provide granularity with user-
defined roles. And VHA has taken the lead in developing role-
based access control enhancements that are being evaluated for 
national and international endorsement.
    To further strengthen security and privacy, VHA has 
identified a number of specific actions for strengthening data 
security procedures that are in the planning stages or have 
been identified as a result of the data security breach as 
follows:
    Provide and mandate centrally deployed security solutions; 
implement a department-wide encryption solution that encrypts 
data that is sent across VA networks; increase the use of 
secure web-based solutions for e-mail, scheduling, and other 
administrative needs; require that portable media and laptops 
have the capability to encrypt all sensitive data and that 
appropriate guidance, tools, and training are provided to the 
users to implement these solutions effectively; and update VA 
and VHA security policies to address changes in technology and 
current IT environments.
    To further emphasize the importance of security, VA is 
planning a department-wide Security Awareness Week for 
workforce members from June 26 to June 30 with daily briefings 
on proper security practices. VHA is taking the lead for 
coordinating the week.
    In addition, to help veterans, VA will set up information 
booths across the VA so that veterans can get information on 
identity theft and data protection.
    In closing, let me reiterate that we see data privacy and 
security as a fundamental operational pillar. We are committed 
to providing the best possible care to our nation's veterans, 
and we will do everything in our power to fully protect the 
security and privacy of their health records. For our veterans, 
for the men and women who have fought so bravely for our 
country, anything else is unacceptable.
    And I might close, if you would not mind, sir, with a 
personal comment. As a veteran and a retiree, I have received a 
letter from the Secretary as well. It was not a surprise to me 
obviously, but I did receive the letter. And I can assure you 
that myself and others of us who are in that same situation 
take this very, very seriously both on a personal and 
professional basis.
    Thank you.
    Mr. Brown of South Carolina. Thank you, Dr. Kussman, for 
your testimony.
    Dr. Kolodner, we will take your testimony next. I am sorry. 
Mr. Seliger. We will get to you later. Okay.
    [The statement of Michael Kussman appears on p. 37]

                  STATEMENT OF ROBERT SELIGER

    Mr. Seliger. Chairman Brown, Mr. Michaud, distinguished 
members of the Committee, thank you for the opportunity to 
testify before you today on a subject of critical importance 
for our Nation's veterans, but also to every citizen, how to 
safeguard sensitive personal health and related information 
from external and internal security threats.
    My name is Robert Seliger, and I am Co-Founder and CEO of 
Sentillion. Sentillion is the industry leading provider of 
identity and access management solutions to hospitals and 
healthcare systems. Every day Sentillion helps hundreds of 
institutions and hundreds of thousands of physicians, nurses, 
and other caregivers at those institutions employ effective 
security and privacy practices while also facilitating the 
care-delivery process.
    We are exceedingly proud to say that among these 
institutions are all 163 medical centers of the Departments of 
Veterans Affairs.
    To further introduce myself, I have 26 years of experience 
in the field of health information technology. I have served on 
numerous Standards Committees and have chaired a variety of 
healthcare industry initiatives.
    Recent activities include serving as Chair for the HIMSS 
Steering Committee for Integration and Interoperability and 
serving as an advisor on standards uptake for the Pan-Canadian 
Electronic Health Records Standard Steering Committee.
    Today I want to focus on one aspect of the complex 
challenge of safeguarding patient data in a clinical setting, 
and that is how can we safeguard patient data without also 
impeding the care-delivery process? Practicing safe and 
effective medicine will always take precedence over concerns 
for security and privacy.
    Our nation's nurses and physicians are among the smartest, 
most highly-trained people in the world. This fact coupled with 
their deep sense of mission will compel them to avoid, work 
around, and challenge policies that impede the care-delivery 
process. This is because the care-delivery process by its very 
nature requires immediate information access and the constant 
sharing of information with others.
    As a simple example, consider the seemingly trivial tasks 
of logging onto a computer in order to access patient data and 
then logging off the computer when done. These actions are 
almost never performed in the hospital. Instead computer 
accounts are shared in order to avoid logging in and no one 
logs off.
    The reason is that a caregiver in a busy hospital might 
need to log on and off 50 to 100 times a day. At a minute or 
two for each log on and log off, you can quickly see how this 
seemingly trivial best practice is avoided because it 
interferes with the pace of providing care.
    And so our nation's physicians and nurses practice good 
healthcare, but leave millions of personal computers across the 
country open to access, or even simple perusal, by any passerby: 
from other healthcare workers with no valid reason to view the 
information, to other patients, to people visiting patients, to 
anyone else who might be in the hospital.
    I would like to assert that the security and privacy 
challenge that the healthcare industry faces are not just 
attacks from outside but also transgressions from within. The 
question is, how do we as a nation change the situation without 
compromising the care-delivery process?
    Data that we have from a study we conducted shows that 
under circumstances in which log-on and log-off times were 
reduced to just a few seconds, nurses in one hospital who only 
logged off 50 percent of the time were now doing so 100 percent 
of the time. And physicians who were not logging off at all 
were now doing so 86 percent of the time.
    This change in behavior was not due to a new policy or the 
threat of punitive measures. Rather, we simply made it easier 
for caregivers to behave as good security and privacy citizens.
    The challenge we face is to make sure that the things we do 
to keep the bad guys out do not effectively prevent letting the 
good guys in. This is about making sure we engineer security 
and privacy solutions from a work-flow perspective and not 
attempt to force upon healthcare organizations mechanisms that 
make sense for other types of environments but which do not 
make sense for healthcare.
    Delivering effective healthcare is an intense and 
complicated process. It is also a truly mission-critical 
process. Our industry must find the right balance between 
applying security and privacy measures that are known to work 
and applying measures that could be detrimental to patient 
care.
    We can assert, for example, that every caregiver must have 
a password for each application that they use, but what, in 
fact, are we asking our caregivers to do if they need to 
remember ten different passwords and enter each one in dozens 
of times a day?
    To truly safeguard patient security and privacy requires a 
broad set of measures. These measures include not only good 
network security and the appropriate encryption of data but 
also involves tools and mechanisms that enable good people, 
well-meaning people to do their jobs without compromising 
patient health, patient security, or patient privacy.
    Mr. Chairman, this concludes my remarks. Thank you for the 
privilege of speaking before you today. I am happy to answer 
any questions the Committee may have.
    [The statement of Robert Seliger appears on p. 46]
    Mr. Brown of South Carolina. And I thank you very much for 
your testimony and also Dr. Kussman. Have you all met before?
    Mr. Seliger. I am sorry?
    Mr. Brown of South Carolina. Have you all met before?
    Mr. Seliger. No.
    Mr. Brown of South Carolina. Okay. Well, I think you both 
bring a great perspective to the process. And, in fact, I will 
ask you the first question if I might.
    Your testimony makes a number of sound points. I wonder if 
you could expand a bit on the relative importance of auditing 
electronic access to records. I mean, security protocol and 
audit capabilities are one thing, but actually doing the audit 
and understanding who is using the data is quite another.
    What security features should a healthcare system like the 
VA contain?
    Mr. Seliger. Well, the audit process begins with being able 
to establish the identity of the people using the system. In 
the example I just gave that people are not logging in, and I 
am using the same accounts as Dr. Kolodner or Dr. Kussman here, 
then an audit is irrelevant because you do not really know who 
is actually using the computer.
    So the best audit processes begin with establishing 
mechanisms that enable caregivers to want to, to easily sign on 
and sign off the computers, and do so in a secure manner, so 
each person is uniquely identified. Once we have that, we can 
then record the access and make appropriate conclusions about 
whether those accesses were appropriate or not.
    Mr. Brown of South Carolina. Dr. Kussman, do you all have a 
system similar to this or how do you control and audit the 
users?
    Dr. Kussman. Yes, sir. Thank you for the question.
    I believe we do have a process that identifies the people 
not only that have access to the system but makes sure that the 
people who have access need to have access.
    You know, we talk in the security realm about need to know. 
That is only part of it. The question is need to have. I mean, 
a lot of people like to have access to things that they do not 
necessarily need to have.
    From a clinical perspective, obviously, as was mentioned, 
our primary mission is to provide the state-of-the-art care to 
our veterans, and the electronic health record is a modality of 
delivery of care. For us, it is the same as a stethoscope or an 
EKG machine or CAT scan, and it has become part of our culture 
and used daily.
    I might ask Dr. Kolodner, who is an expert on this, to 
maybe illustrate further how that is done.
    Dr. Kolodner. Yes. Thank you very much.
    Each of our users has their own account and a two-level 
password, both of which are private, so the physician or nurse 
will log on and access the patient.
    We also have a third password for the electronic signature. 
If I am entering data, I have to add that additional password, 
which means that I cannot come in behind someone else and use 
the system since I would not know their electronic signature 
password.
    We reinforce the importance of protecting passwords to our 
providers on a regular basis, and we actually take action for 
those who violate the log-off, log-on procedures in our 
facilities.
    Dr. Kussman. Sir, I might add just one other thing is that 
in many ways, the electronic health record has improved the 
security dramatically and access to information or protection 
of information because many of us are old enough and dinosaurs 
before the electronic health record. And when we had hard copy, 
the records would sit around, if you will. They would be on a 
nurse's station or on a doctor's desk or in a records room. And 
in many ways, anybody could come up and pick up that record and 
read something about the patient. It was very difficult to have 
physical security on this.
    So what Dr. Kolodner has been mentioning is a quantum leap 
improvement, I think, in security in keeping that information 
private.
    Mr. Brown of South Carolina. Is it password protected on 
different segments so the record has different levels of 
authority and certain controls over parts of the record?
    Dr. Kolodner. Yes. We have a series of access controls in 
our current system. And based on the work that we have been 
doing, we have been developing a much more sophisticated system 
called role-based access that defines what parts of the record 
a particular individual should be allowed to read from or write 
to based on the role that they are serving or playing in the 
facility.
    We have taken that schema for the role-based access to the 
standards development organizations, working in conjunction 
with our Department of Defense and with Kaiser Permanente 
colleagues, and it has passed the ballot for an international 
standard.
    So we do already have a process in our current process for 
controlling that access, and we are devising and planning to 
implement in our next generation system an even more 
sophisticated system.
    Mr. Brown of South Carolina. Since the theft of those 
records, have you done anything different to put in place 
policies that would further identify in the audit if there has 
been a breach within your own areas and indicate who might be 
using this data? Are there other security measures you put in 
place since the event?
    Dr. Kussman. Yes, sir. As you know, that from a healthcare 
perspective, we always had a very sophisticated and controlled 
program known as the Health Information Portability and 
Accountability Act, the HIPAA, and that put in place a great 
deal of standards different than nonhealthcare data.
    And that has been inculcated into the culture of all 
healthcare delivery systems because everyone knows if you 
breach that, not only are you doing something wrong as far as 
an ethical, moral thing, but you can really be hurt financially 
and potentially go to jail for it.
    So there is a great deal of sensitivity about controlling 
healthcare information. So that was already the foundation. 
Because of this breach of information, and as we have said, 
thank goodness it was not involved with healthcare data, but it 
certainly has sensitized us immensely to that.
    And I might ask Ms. Putt, who is our privacy manager, and 
Gail, our security people, to comment on what are some of the 
newer things that we have looked at in respect to the breach.
    Ms. Belles. Actually, we have taken a number of steps to 
address issues. One thing that we have done is to issue a data 
access inventory to all of our VA personnel. We are identifying 
the access to sensitive data for every individual in our 
workforce, employees, contractors, students, residents, et 
cetera. That is a major undertaking for us. We are planning to 
get the results back from that access inventory at the end of 
June.
    The Security Awareness Week, we talked about. We are going 
out to the entire workforce to give briefings on the importance 
of security and privacy and the things that need to be done to 
protect patient data so that it is not compromised at any time.
    There have been policies that have been updated, rewritten 
to address remote access to our systems and data. We have 
actions to bring groups together to look at encryption 
methodologies for laptops and portable media so that we can 
address that area which we know is a vulnerability.
    So a number of good steps as a result of this.
    Mr. Brown of South Carolina. Let me just follow-up on that 
statement. The access inventory--you will not get a response 
until the end of June. How often would you get a report if 
somebody accessed a file that should not be there? If somebody 
accessed a file, they would have to have access to some 
password. But what does the access inventory do for you?
    Ms. Belles. What that does is provides us with a list of 
the entire workforce and the systems, the sensitive data that 
they have, and how they access it. So if they access it 
remotely or if they access it from an office or they access it 
in paper form, we can identify that and we can also look very 
closely at the appropriateness of those accesses.
    As far as individuals accessing medical records, we have 
audit trails that are logged on a continuous basis and are 
reviewed by the facility information security officers on a 
regular basis to ensure that with managers that the individuals 
accessing these records or accessing these options have the 
need to know.
    Mr. Brown of South Carolina. And how timely is that review?
    Ms. Belles. I am sorry?
    Mr. Brown of South Carolina. How timely is that review?
    Ms. Belles. It is a real-time recording of the audit.
    Mr. Brown of South Carolina. Right.
    Ms. Belles. I think it's probably a 30-day review by the 
ISOs.
    Dr. Kussman. Sir, if I might add to that. With our 
inventory review, we are going out and looking at not only who 
have laptops but who have access to that virtual network that I 
talked about, the VPN, because over a period of time, 
organizations, there may be more people who have access than we 
think we really knew need to have.
    Many people may be using it just for e-mail and they do not 
need the laptop for that. We have Blackberries and other ways 
of doing that. So we are doing a very close scrub on who has 
laptops and what are they doing with them, and then also 
educating people very closely on what their responsibility is 
if they have a laptop.
    I mean, you can have it and need VPN access both when you 
are going some place. You have a responsibility to protect that 
laptop in a hotel or a restaurant or even in your car. And on 
top of that, you should not carry as much as possible any 
information that if indeed the laptop was stolen for some--I 
mean, obviously we cannot prevent somebody from holding 
somebody up on the street and taking their laptop, but we 
certainly would not want any information on there or as little 
information on there that would be incriminating or sensitive 
in any way.
    Mr. Brown of South Carolina. That leads me to my next 
question, and this will be my last question. I notice that your 
written testimony referenced the Department's interest in 
starting to encrypt the data that is sent between VA sites. Is 
there some specific reason why that has never been seen as 
appropriate before?
    Dr. Kussman. Yes, sir. Let me just make a comment that our 
VPN network is already encrypted. And so there is a significant 
amount of encryption that goes forward. And if everybody stayed 
within the firewall, if you will, using the encryption, then 
indeed we have much less of a potential problem.
    The question is that in data that even flows within the 
system or somebody downloaded something to their hard drive, 
can that bypass the VPN encrypted nature? And so we are looking 
at that. But that really is not only a VHA responsibility, it's 
a VA-wide responsibility to look at encryption, and we would 
want to coordinate that with the VA CIO so we have one system 
of encryption.
    Would either one of you like to add to that?
    Ms. Belles. I will just add that several years ago, we 
transformed from what we had in place for our network was IDCU, 
which is a private network, and we have gone to a more open 
network.
    So at the time we had the IDCU, we did not require any 
encryption between the facilities. But now that we are in this 
environment where we have a more open network, we need to look 
at encryption between the facilities.
    Mr. Brown of South Carolina. Thank you very much for your 
testimony.
    And, Mr. Michaud.
    Mr. Michaud. Thank you, Mr. Chairman.
    Dr. Kussman, I just want to reiterate what Chairman Brown 
had mentioned in his opening as far as questioning. I, too, was 
concerned about the lateness of your testimony, and have not 
had a chance to go through it.
    And I know next week, we have a hearing on Tuesday and VA's 
testimony is supposed to be in tomorrow. So hopefully we will 
be able to, you know, have your testimony tomorrow for next 
week's hearing.
    Dr. Kussman, in your testimony, you state that VA contracts 
forbid the transfer of veterans' protected health information 
outside the jurisdiction of the United States. A couple of 
questions.
    How will you monitor compliance with that provision? Can 
you give us total and complete assurance that absolutely no VA 
contractor will use an overseas subcontractor to transcribe 
veterans' medical information?
    Dr. Kussman. Yes.
    Mr. Michaud. How will you monitor the provision?
    Dr. Kussman. Sir, that is written into the contract and the 
contractors have to abide by the same security issues that we 
have in-house that is part of the contract.
    The issue that you are describing, I am well aware of, that 
took place. We did not realize, quite frankly, that the 
contractor had subcontracted. When we found out, we stopped 
that and we have prohibited that from occurring again.
    Mr. Michaud. Okay. Thank you.
    And are you confident that the VA can control veterans' 
private and personal medical information while it is outsourced 
for medical transcriptions here in the United States?
    Dr. Kussman. Yes, sir. As you are well aware of, we are a 
large organization. We talked about the need to balance the 
delivery of healthcare with safety. They are not mutually 
exclusive. I mean, they are together.
    We with our contractors will leave no stone unturned, no 
process unlooked at to protect the privacy and security of all 
our veterans. And if indeed there is a mishap, we will have in 
place processes that will aggressively and quickly address 
those issues and be sure that we inform the veterans.
    As you know, we have a very elaborate safety program that 
we do. We have briefed you and others on similar types of 
issues related to safety. We have an open environment. There 
are no secrets. We try to make sure that both you and other 
supervising entities as well as the patients know what we are 
doing.
    So I believe we have in place and we will aggressively 
enforce all the security needs to protect our patients.
    Having said that, as you know, the gold standard in this 
country is the airline industry and FAA, as I mentioned to you 
earlier, and we all feel fairly secure when we get on an 
airplane. Unfortunately, even with everything, airplanes do not 
work the way that they are supposed to and there are accidents.
    We will put in and aggressively put in all the processes 
that would minimize and mitigate any situations that we can 
anticipate. But to tell you a hundred percent that it will 
never happen again, you know as well as I that that would be 
difficult to do.
    Mr. Michaud. Thank you.
    Also in your testimony, you state that the VA conducts an 
annual system-wide ongoing assessment and review strategy 
called SOARS.
    What did SOARS identify to be the most significant privacy 
and security threat to VA's medical health data system both 
internal and external?
    Ms. Putt. Mr. Congressman, I do not have that information 
at this time on the finding of the SOARS assessment 
specifically. I do have information on other assessments.
    Mr. Michaud. Would you be able to provide the Committee 
with the SOARS assessment?
    Ms. Putt. I think we can.
    Dr. Kussman. Yes, sir. The SOARS has been a very successful 
program for us. It has been a self-induced, self-initiated 
program that looks at a whole gamut of things much like a mini 
joint commission assessment would volunteer. And it was 
originally volunteers. The facilities were not required to do 
this. But it has been successful, everybody asks for it. So 
effectively it is a guaranteed program.
    One of the things that we have always looked at but will 
look at more closely is the issue of data security. I am not 
aware that that has been a major problem for us that has come 
up in the SOARS, but we will look back at that. And with your 
indulgence, we will report back to you for the record on that.
    Mr. Michaud. Thank you.
    VA researchers can have access to databases with Social 
Security numbers identifying veterans. I understand that 
researchers must go through an approval process to get access 
codes to this database.
    What does VA do after a researcher has access to ensure 
that such data is not downloaded, put on a laptop or extended 
hard drive or otherwise put at risk of being lost or stolen and 
how do you enforce this policy?
    Dr. Kussman. Yes, sir. Thank you for the question.
    We are aware of that situation. We monitor it very closely. 
As you alluded to, that anybody who does research has to apply 
for that. There are standards that have to be met. It is part 
and parcel of the approval in the Institutional Review Boards 
at the facilities that approve the human research and protect 
the patients, and it is not only protection for their clinical 
things, but it is also protection of their information and 
their rules and regulations on what the researcher can do and 
what they can transport.
    But I will ask Gail or Stephania to elaborate on that.
    Ms. Putt. Thank you.
    As stated, researchers/investigators do have to follow the 
privacy and security of protecting their research information 
as outlined in their research protocol that is approved by the 
Institutional Review Board.
    The data that they use and collect cannot be used for any 
other purpose without going back to the Institutional Review 
Board for approval. They must also follow policies regarding 
the protection of human subjects and their data for research to 
ensure that the information is not shared with affiliates or 
colleagues who are not VA employees or do not have legal 
authority to see the information, and they have to safeguard it 
in accordance with policies if it is placed on any laptops or 
other devices.
    Mr. Michaud. But the question was, what does the VA do 
after they do all the research? What does the VA do after the 
researcher has access to all this information? How do you know 
that they do not download it or make copies on another CD?
    Ms. Putt. VA researchers should follow policies that 
prohibit them keeping the data after the research study has 
concluded. Once the study has concluded and they have maybe 
published their results, they are supposed to destroy the data 
or return the data. They are not to keep it to use for future 
research projects.
    Mr. Michaud. On that same line of questioning, how does the 
VA enforce a policy for researchers from taking the stuff home?
    Ms. Putt. There is a Research Compliance Office that is 
responsible for reviewing researchers' activities in terms of 
their research protocols and what they are doing in terms of 
their studies, along the same lines with the protection and 
security of their information.
    I do not have any more information on the processes of the 
Research Compliance Office, but facilities do actually have 
Research Compliance Officers at some of the facilities who are 
responsible for reviewing the researchers' activities.
    Mr. Michaud. Not being a computer whiz, how confident are 
you that the researchers do not take this information home? Is 
there any way that you can find out? I mean, just how confident 
are you?
    Dr. Kussman. I guess I got the look to answer the question.
    Sir, through the Office of Research Oversight, they do 
random samples. They look at that. They look at a process under 
which people adhere to the processes. We set that up--it used 
to be called ORCA. It is now the ORO, the Office of Research 
Oversight--to really look at this.
    Part of the reason was to look at this issue because the 
researchers do research. And sometimes, just like anybody else, 
you could get a little lax about what you are doing. And so we 
needed to have a process under which we looked at that.
    Does every protocol need to be looked at? No. We believe 
that the process is valid. Because of this, we will relook at 
our thing to see if it needs further strengthening. But to some 
degree, we have to trust the people who signed the pieces of 
paper who say that they are following what we have told them to 
do.
    We believe that the process that we have in place works 
pretty well because I am not aware of a significant or any 
episodes where things have been lost or sensitive data has been 
compromised. It is not to say that it could not have happened.
    Mr. Michaud. My last question for you, Dr. Kussman, not 
knowing whether it can be done or not, can you prevent any 
information, any of the data that you have from being 
downloaded? Is the technology available to do that and, if so, 
are you doing that?
    Dr. Kussman. Whether it is research or otherwise?
    Mr. Michaud. That is correct.
    Dr. Kussman. Using the VPN network, and I might ask Dr. 
Kolodner to comment on it, my understanding--and I am a 
dinosaur when it comes to this stuff too. I can just use e-mail 
and that is about--or a little WordPerfect and that is it. But 
it is not easy to download using the VPN process, and it is 
encrypted.
    The issue of downloading, as we said, that at the place of 
work, people can download things into their computer. We are 
aggressively looking at an encryption process that would 
protect that as well. So whatever was downloaded and making the 
presumption that the person had need to have this information, 
it was not done for any other spurious reason, that it would be 
encrypted and very difficult to get access to if the computer 
was compromised in any way, shape, or form.
    So we are clearly getting better and learning as we move 
along.
    Rob, would you like to comment?
    Dr. Kolodner. The downloading that might occur would take 
place mostly inside the firewalls at the office, and there are 
some business reasons why one might need to do that.
    As part of this access review, we are examining who has 
access to bulk data, confirming if they need access, and, what 
constraints we have on that access.
    To reiterate, there are business reasons why sometimes 
someone needs to download such data. We just need to know about 
that and to know that the proper controls are in place, the 
proper agreements have been signed, and a periodic review is 
done.
    Mr. Michaud. So if there is a business reason why they have 
to download information, would they have to get approval first?
    Dr. Kolodner. Yes. They would have to have requested 
approval, had their supervisor present that request to their 
information security officer, and then been given approval 
based on that justification.
    Mr. Michaud. Great. Thank you.
    My last question which will go to Mr. Seliger, again not 
being familiar with technology, I have seen situations, and as 
you described in your testimony, when going through a hospital, 
you see someone's medical record up there on the screen, people 
can see it.
    And I can understand where it would be cumbersome to log 
off, log on quite frequently, which will take time, but I have 
also seen technology, particularly actually in Maine, with 
Bangor Mental Health, where when the employees punch in to go 
to work, they use their finger which identifies the employee.
    Is the technology available so if someone wants to access 
quickly a medical record that you can use your thumbprint to 
open up the system and then a certain time frame, it 
automatically goes off? Is that something that your 
organization has looked at and might be available?
    Mr. Seliger. The answer is yes. We have a number of 
hospitals and healthcare organizations in the private sector 
using technology exactly as you described. For the record, I 
would like to point out it is not your thumbprint but any of 
the other three fingers that one tends to use for technical 
reasons.
    But having said that, we have caregivers who are using 
interesting combinations of devices. So fingerprint, as you 
said, for authentication, but also devices that are called 
active proximity devices, not much bigger than my card holder 
here, and they detect your arrival or departure from a 
workstation. And the operative word here is departure. When you 
leave the vicinity of a computer, it locks it up. Okay?
    So having to remember--and this is the kind of technologies 
I was alluding to in my testimony, being able to accommodate 
the caregiver work flow. Imagine yourself in an emergency room 
coming and going, patients coming and going, computers all over 
the place. Even if it was fast, you still have to remember to 
do it.
    And by equipping caregivers with devices to make the log-on 
process fast and easy, to make the log-off process implicit by 
just leaving, we can achieve the kind of safeguards I alluded 
to and actually facilitate the care-delivery process. People 
are actually going to use the computers rather than paper as 
Dr. Kussman referred to, which is still the primary source of 
information data in most healthcare organizations in a general 
sense.
    Now, the VA itself has made a number of steps to be, I 
guess the better way of putting it, quite pioneering in a 
number of regards relative to information security in the 
caregiver workplace.
    And as recently as this summer, we are proud to be working 
with the VA at its Hines Facility on a project that has been 
code named Medical Sign-On which is about taking this process, 
these work flows with good security to a whole other level. We 
will pilot at Hines, work out the kinks, make sure it works 
properly, and then hopefully have a basis to roll this out to 
the other VA medical centers.
    Dr. Kussman. Sir, we also have instituted a program where 
the computers would automatically log off in five minutes is 
what we are doing. It drives me crazy in my office because I 
will have logged on, I will answer the phone, and then I have 
got to log back in and things. But it certainly works, I can 
assure you, because it logs off and then I have to log back in.
    That would be the same thing around the system, whether it 
is a nurse's station or anything else, that if a nurse walks 
away or a physician walks away, if they do not get back on and 
they are not sitting there within five minutes, it 
automatically logs off. It is an irritant to people, but it is 
a protection.
    Mr. Michaud. If I might, Mr. Chairman.
    Is the VA looking at the same technology that was just 
talked about as far as using your----
    Dr. Kussman. We are looking at that and I think it will be 
looked at as an agency issue with the CIO of whether we are 
going to embark on that technology or not. I do not have enough 
information. I do not think any of us know how much that would 
cost or whatever.
    Would you like to comment on that?
    Ms. Belles. We are working on a Medical Sign-On pilot with 
Sentillion at Hines as Mr. Seliger said. We are looking at all 
kinds of technologies that can improve that interface for 
clinicians and nurses so that we do not have a situation where 
people just get up and walk away because they are called out 
for an emergency or other things.
    You know, we have been in the position where the clinicians 
come to us and say you have got to make this process better for 
us. And Sentillion is partnering with us to find out the right 
methods to do that.
    Mr. Michaud. Thank you very much.
    Thank you, Mr. Chairman.
    Mr. Brown of South Carolina. Okay. Thank you, Mr. Michaud.
    Dr. Snyder, do you have a question?
    Mr. Snyder. I do. Thank you, Mr. Chairman.
    Dr. Kussman, it is good to see you again and your 
colleagues there.
    You got me curious, Dr. Kussman, with what I thought was a 
bit of a cryptic response when you were gently chastised for 
your tardy statement here, which I know you try to get them 
here, when you made some mention of lawyers or legal opinions 
or something.
    And I always remember the old Art Linkletter show, Kids Say 
The Darnedest Things, and his best question always was, is 
there anything your mother did not want you to talk about to 
tell us on the show today.
    And so now I am curious. Did your statement get overly 
scrubbed by OMB and you had to redo it or were there things 
that you had included in your original statement that caused 
you to make that reference to lawyers or legal folks?
    Dr. Kussman. I am sorry. I do not remember what I said.
    Mr. Snyder. But was there some delay in the process? The 
Congress has lots of problems with folks that want to do 
opening statements and tell us things, and the statements, 
anything written goes through OMB and gets scrubbed, and we do 
not get the information we want.
    And I was just curious if there were some things that you 
had intended to tell us that got removed in the process of your 
statement being approved for delivery to the Congress.
    Dr. Kussman. Not that I am aware of. So I am not even sure 
I can give you a thorough explanation of why, other than people 
being busy as the Chairman mentioned and lots of hearings. And 
all I can say is they apologize for the delay and we will do 
everything we can to prevent that from happening.
    Mr. Snyder. You had mentioned the days of written records 
which a lot of medical facilities still rely on. And I 
remember, and I do not know how long ago, it was 15 years ago 
or so when I was still practicing medicine. I had seen this 
young boy. I can still see him in the exam room. He was about 
eight. And his grandmother asked me about some behavioral 
things that he was doing.
    And sometimes medicine is like doing a crossword puzzle. 
You know, a week later, you think, oh, that is what that answer 
was. Well, I knew right away that the kid had Tourette's and I 
just did not--it did not come to my mind when I was talking to 
the grandmother.
    Well, we had an all-handwritten medical section. I could 
not remember anything. We could not figure out who the boy was. 
So I had one staff member who over several Saturdays, because 
we were slow, it was a slower day, went through every medical 
record, opened up and tried to find the chart.
    Now, if we had had a computerized system, we could put in 
an approximate age range. I think I even remember what the 
diagnosis was I actually saw him for. We could have pulled up 
those charts. We never did find the chart.
    I always felt bad about that because I can still see that 
little boy sitting there probably being chastised by his 
grandmother for some of his behavioral stuff. I suspect that he 
had Tourette's.
    So my point is, while we had those written records, there 
was a built-in protection which is it is a pain in the butt to 
go through those written records trying to find something 
compared to having access to a CD that holds, you know, 500,000 
Social Security numbers of veterans or something, which is the 
issue that we are dealing with.
    I want to pick up on what Mr. Michaud said, was asking 
about the research aspect of this and the ability of people to 
take information off.
    My first question is, why does the VA--and this is years 
and decades before you got there, Dr. Kussman--why does the VA 
have to use Social Security numbers? Why do your researchers 
have to use Social Security? Why do they even have to have 
that? Why do the researchers even have to have the name? Why 
can you not develop a program for the researchers that would 
delete name, birth date, Social Security number throughout the 
medical record, pretty much throughout the medical record?
    There might be a reference in a note that, well, he was 
born in the same year as his, you know, twin sister. But they 
do not have to have the name or Social Security number or birth 
date. All they need is an identifying, this is subject number 
one whose age is 23.
    Have you all considered that as part of your security, of 
getting away from using Social Security numbers and what 
information those researchers have to have?
    Dr. Kussman. Thank you for that question.
    As you probably know, it was not so long ago when we did 
not use Social Security numbers. The military had a military ID 
number that transposed to the VA when the person left----
    Mr. Snyder. Though we all still remember, right?
    Dr. Kussman. Yes, I remember. I had a military ID. I am old 
enough to have one of those, just like I would not say you are 
old, sir, but----
    Mr. Snyder. No. And I also got a letter by the way.
    Dr. Kussman. And I think it was 1970 or 1971, and somebody 
correct me, where the military decided to go to Social Security 
numbers, and we went along with that. I do not think anybody 
anticipated the second, third, fourth level effects of the 
Social Security number and it became so valuable.
    It was not so long ago that when you tried to cash a check 
in the military PX or something, you had to write your Social 
Security number on the check to get it. They have stopped doing 
that because people rose up in righteous indignation. But the 
Social Security number became the key to almost everything, and 
we kind of went along.
    I think there are a lot of people looking at this now to 
determine whether or not we ought to just get away from the 
Social Security number for one thing and go back to some other 
type of identification number, and that would have to be done 
in conjunction with a government-wide thing, I think, 
particularly with DoD for us.
    The other part of the question was do we need to have that 
information in research things or any sensitive information, 
and the answer is I do not think we need it in each case.
    And another thing that we are looking at is what 
information is needed for people to do their job, whether it is 
research or administrative things. Do they need to have dates 
of birth, Social Security numbers, and things like that?
    And I might ask Ms. Belles to add to that.
    Ms. Belles. I do not think I have much to add to that. As 
Dr. Kussman said, there are a lot of groups that are looking at 
the issue of SSNs as identifiers.
    I know that in our environment, we use the SSN for patient 
safety reasons, to ensure that we have got the right veteran 
when we are providing care. But outside of that, it is an 
issue. I know it has been an issue for a number of years, 
talked about across government agencies.
    And at this point, I do not think we have come to a 
resolution. But certainly with everything that is going on 
around us related to identity theft and the importance of 
protecting SSNs, we need to address it.
    Dr. Kussman. I think, Doctor, you hit the nail on the head. 
The good thing about the electronic health record and other 
electronic process is you do not have to carry big things. I 
mean, nobody is going to go out of the office with two tons of 
records to get anything or it limited what you did.
    So electrifying the records is a good thing. The bad thing 
is now we are confronted with the challenge of protecting that 
information because people in a small thumb thing can walk out 
with lots of records. So it is a balance and we are learning 
how to handle that.
    Mr. Snyder. I notice the clock. The only comment I would 
make is I think the reality is we are not going to be able to 
protect that information. We are all going to try and try and 
try.
    The reality is, I think we are going to have to get to the 
point where financial institutions will not accept some 
handwritten things scrawled out by the new person who moves 
into the house that I lived in ten years ago and some mass 
mailing got there ten years too late and they will accept that.
    I think we are going to have to go to--I mean, I would 
think banks would want to go where we have to walk in and have 
a picture made and three fingerprints just to get a card 
because there is no way we are going to protect this 
information.
    Thank you, Mr. Chairman.
    Mr. Brown of South Carolina. Thank you, Dr. Snyder.
    Ms. Brown, do you have a question?
    Ms. Brown of Florida. Yes, sir. Thank you, Mr. Chairman and 
Ranking Member, for hosting this hearing on this subject.
    And I got to tell you it is very disturbing to me, 26 and a 
half million veterans' information compromised. And I know 
someone close to me had this happen to them in this area and it 
took them 18 months to get it cleared up. They went to co-sign 
for someone and they said you need a co-signer.
    So my question to you--and I do not feel that this is an 
isolated incident. I mean, it may be an incident that we found 
out about it, members of Congress and the public. But I do not 
think it is just isolated. If this has happened, it has 
happened before.
    And what I want to know is, what have you done to ensure 
the safety of the data since the loss of this data and how can 
you assure us that this is just a one-time major incident?
    Dr. Kussman. As we mentioned earlier, ma'am, the----
    Ms. Brown of Florida. And that is okay. You can tell us 
over and over again because I am not convinced that you all get 
it.
    Dr. Kussman. The issue that came up was not data that was 
related to the Veterans Health Administration or health 
records. We have programs in place that we believe 
significantly protect our patients from loss of data both from 
a security and privacy perspective.
    We operate under the principles of the Health Information 
Portability and Accountability Act that puts very stringent 
requirements in and holds people accountable both from an 
ethical, moral perspective, but as well as a legal and 
financial perspective. So we believe we have in place situations 
that will protect our patients from loss of information and protection 
or privacy.
    Ms. Brown of Florida. So you are saying that none of the 
veterans' information in the healthcare system has been 
compromised in the past and you can assure us it is not going 
to be compromised in the future?
    Dr. Kussman. No. I think as I mentioned to Mr. Michaud 
earlier, it is a very large organization with lots of people. 
Just like the FAA and its gold standard in the airline industry 
of protecting patients and making flyers and making people 
assured, but even in spite of that, there are airplane 
accidents.
    Our process and our goal is to put in place processes that 
would minimize or mitigate as much as conceivable the loss of 
information. But could I promise you that there would never be 
or that there has never been a loss of information? No. That 
would be impossible to do.
    Ms. Brown of Florida. Yes. But with FAA, we put in certain 
safeguards. And so I guess I am asking you what additional 
safeguards have you all put in place since this incident 
occurred?
    Ms. Belles. We talked about this earlier as well. We have 
done a number of things as a result of the data breach. A 
couple of things that we have done is we have instituted a 
Security Awareness week to raise the awareness with our entire 
workforce about the importance of data security, data 
protections.
    We have got a technical group that is being convened to 
look at encryption. One of the areas that we recognize is a 
vulnerability as a result of this is that the data, we do not 
have guards at the door. We are not stopping people from 
walking out the door with this because we do not check these 
people as they walk out the door.
    But what we can do is put technical controls in place to 
protect that data. We can put encryption on laptops and we can 
require encryption of files so that if that data is on a 
laptop, that if anyone accesses it, if it is stolen, then the 
data is protected, that people cannot use it or cannot see it.
    Ms. Brown of Florida. A lot of people work from home. What 
kind of safeguards do you have there? I am not a technical 
person, but the amount of information that they can pull down, 
how does that work?
    Ms. Belles. We do have what is called a virtual private 
network in place, and everyone who is an approved telework 
status is able to dial into our networks via that VPN 
connection. That is an encrypted connection between the 
individual's laptop and the computer systems.
    We also allow on a very limited basis some of our 
contractors and business partners to access that VPN as well, 
and they are held to specific systems based on IP address so 
that they can only go to that system. The same with myself and 
everybody around the table. I have a VPN connection. I can only 
go to those systems that I would access if I were sitting at my 
desk at work.
    Ms. Brown of Florida. Do you have extra safeguards for 
those private contractors that you all contract with?
    Ms. Belles. We have business associate agreements that 
discuss the data use, the protection of that data. We have 
contracts in place that have the security language in them that 
requires background investigations at the same level as VA 
workforce members. We have requirements for them to take 
security and privacy training just like our workforce members.
    Ms. Brown of Florida. Thank you, Mr. Chairman.
    I guess the only other follow-up question I would have was 
what kind of penalties if someone breached the agreement.
    Mr. Brown of South Carolina. I assume that the person that 
was involved before, Dr. Kussman, lost his job. Is that kind of 
the penalty?
    Dr. Kussman. I have not been directly involved in that as 
you probably know. But, yeah, that is my understanding.
    But to answer the question that was asked, there is a whole 
human resource protocol for actions that are inconsistent with 
our policies and programs all the way from letters of 
admonition to firing and fines and things. So that process 
would be used in this instance if somebody violated our 
procedures and policies as well.
    Mr. Brown of South Carolina. Thank you, Ms. Brown.
    Mr. Michaud, you have a question?
    Mr. Michaud. Just two quick questions, Dr. Kussman. You had 
mentioned that we can have all the policies we want and it is 
not a hundred percent. There is one area where when you look at 
medical transcription when you contract that out, which 
actually you can help, is by going to, I believe it is called 
voice recorders versus contracting out. I think that will 
definitely be more secure.
    Are you seriously looking at doing that sort of thing 
versus contracting out? Yes or no?
    Dr. Kussman. Yes.
    Mr. Michaud. The second one is, the VA and when you look at 
Department of Defense for our active military, when they deal 
with medical records, are you working closely with the DoD 
particularly when you look at medical records?
    Dr. Kussman. Yes, sir. The transfer of information for the 
FHIE and the BHIE, the forward flow and the backward flow of 
information, the working together of the two agencies, as you 
know, is unprecedented with the partnering that is going on.
    All that information, and it is my understanding, and I 
will ask Dr. Kolodner to confirm, is that all that information 
is encrypted.
    Dr. Kolodner. The systems have not only met VA's standards 
and government standards, but also DoD standards for security, 
and all the data moving back and forth is encrypted as we move 
it between the Departments.
    Mr. Brown of South Carolina. Thank you very much, Mr. 
Michaud.
    I remind all members they have five legislative days to 
submit questions.
    And, panel, thank you very much for coming. I hope that we 
were able to gather some information from you that the VA might 
be able to use. I know you are working already with them, and 
look forward to a continued dialogue on this. Dr. Kussman, keep 
us abreast of what you come up with in order to prevent a 
breach similar to what we have just experienced.
    Dr. Kussman. Yes, sir. Thank you very much for inviting us.
    Mr. Brown of South Carolina. I also might remind members 
they have five legislative days to submit opening statements.
    And with that, the meeting stands adjourned.



                            A P P E N D I X 