[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]



 
                 INFORMATION SECURITY MANAGEMENT AT THE


                 U.S. DEPARTMENT OF VETERANS AFFAIRS--


                     CURRENT EFFECTIVENESS AND THE


                        NEED FOR CULTURAL CHANGE

=======================================================================

                                HEARING

                               before the

                     SUBCOMMITTEE ON OVERSIGHT AND
                             INVESTIGATIONS

                                 of the

                     COMMITTEE ON VETERANS' AFFAIRS
                     U.S. HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                           FEBRUARY 28, 2007

                               __________

                            Serial No. 110-5

                               __________

       Printed for the use of the Committee on Veterans' Affairs




                     U.S. GOVERNMENT PRINTING OFFICE

34-307 PDF                 WASHINGTON DC:  2007
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office  Internet: bookstore.gpo.gov Phone: toll free (866)512-1800
DC area (202)512-1800  Fax: (202) 512-2250 Mail Stop SSOP, 
Washington, DC 20402-0001


                     COMMITTEE ON VETERANS' AFFAIRS

                    BOB FILNER, California, Chairman

CORRINE BROWN, Florida               STEVE BUYER, Indiana, Ranking
VIC SNYDER, Arkansas                 CLIFF STEARNS, Florida
MICHAEL H. MICHAUD, Maine            DAN BURTON, Indiana
STEPHANIE HERSETH, South Dakota      JERRY MORAN, Kansas
HARRY E. MITCHELL, Arizona           RICHARD H. BAKER, Louisiana
JOHN J. HALL, New York               HENRY E. BROWN, JR., South Carolina
PHIL HARE, Illinois                  JEFF MILLER, Florida
MICHAEL F. DOYLE, Pennsylvania       JOHN BOOZMAN, Arkansas
SHELLEY BERKLEY, Nevada              GINNY BROWN-WAITE, Florida
JOHN T. SALAZAR, Colorado            MICHAEL R. TURNER, Ohio
CIRO D. RODRIGUEZ, Texas             BRIAN P. BILBRAY, California
JOE DONNELLY, Indiana                DOUG LAMBORN, Colorado
JERRY McNERNEY, California           GUS M. BILIRAKIS, Florida
ZACHARY T. SPACE, Ohio
TIMOTHY J. WALZ, Minnesota

                   Malcom A. Shorter, Staff Director

                                 ______

              Subcommittee on Oversight and Investigations

                  HARRY E. MITCHELL, Arizona, Chairman

ZACHARY T. SPACE, Ohio               GINNY BROWN-WAITE, Florida
TIMOTHY J. WALZ, Minnesota           CLIFF STEARNS, Florida
CIRO D. RODRIGUEZ, Texas             BRIAN P. BILBRAY, California

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Veterans' Affairs are also 
published in electronic form. The printed hearing record remains the 
official version. Because electronic submissions are used to prepare 
both printed and electronic versions of the hearing record, the process 
of converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.


                            C O N T E N T S

                               __________

                           February 28, 2007

                                                                   Page
Information Security Management at the U.S. Department of 
  Veterans Affairs--Current Effectiveness and the Need for 
  Cultural Change................................................     1

                           OPENING STATEMENTS

Chairman, Harry E. Mitchell......................................     1
    Prepared statement of Chairman Harry E. Mitchell.............    54
Hon. Ginny Brown-Waite, Ranking Republican Member................     3
    Prepared statement of Congresswoman Brown-Waite..............    55
Hon. Timothy J. Walz.............................................     4
Hon. Ciro D. Rodriguez...........................................     5
Hon. Cliff Stearns...............................................     7
Hon. Spencer Bachus..............................................     5
Hon. Artur Davis.................................................     6

                               WITNESSES

U.S. Department of Veterans Affairs:
    Hon. Gordon H. Mansfield, Deputy Secretary...................     9
        Prepared statement of Secretary Mansfield................    56
    Hon. Robert T. Howard, Assistant Secretary for Information 
      Technology and Chief Information Officer...................    11
        Prepared statement of Mr. Howard.........................    58
    James P. Bagian, M.D., P.E., Chief Patient Safety Officer and 
      Director, National Center for Patient Safety, Veterans 
      Health Administration......................................    12
        Prepared statement of Dr. Bagian.........................    58
    Maureen Regan, Counselor to the Inspector General, Office of 
      the Inspector General......................................    34
        Prepared statement of Ms. Regan..........................    60
    Arnaldo Claudio, Director of Oversight and Compliance, Office 
      of Information Technology..................................    36
    Leonard M. Pogach, M.D., Director, Research and Enhancement 
      Award Program, VA New Jersey Health Care System, East 
      Orange, NJ.................................................    46
    Warren Blackburn, M.D., ACOS/R&D Coordinator, VA Medical 
      Center, Birmingham, Alabama................................    47
    Y.C. Parris, Facility Director, VA Medical Center, Birmingham,
       Alabama...................................................    48
U.S. Government Accountability Office, Gregory C. Wilshusen, 
  Director, Information Security Issues..........................    32
        Prepared statement of Mr. Wilshusen......................    63

                       SUBMISSION FOR THE RECORD

Hon. Zachary T. Space, a Representative in Congress from the 
  State of Ohio..................................................    69


                    INFORMATION SECURITY MANAGEMENT



                   AT THE U.S. DEPARTMENT OF VETERANS



                   AFFAIRS--CURRENT EFFECTIVENESS AND



                      THE NEED FOR CULTURAL CHANGE

                              ----------                              


                      WEDNESDAY, FEBRUARY 28, 2007

             U.S. House of Representatives,
                    Committee on Veterans' Affairs,
              Subcommittee on Oversight and Investigations,
                                                    Washington, DC.

    The Subcommittee met, pursuant to notice, at 2:36 p.m., in 
Room 334, Cannon House Office Building, Hon. Harry E. Mitchell 
[Chairman of the Subcommittee] presiding.
    Present: Representatives Mitchell, Walz, Rodriguez, Davis, 
Brown-Waite, Stearns.

             OPENING STATEMENT OF CHAIRMAN MITCHELL

    Mr. Mitchell. The Subcommittee on Oversight and 
Investigations hearing of February 28, 2007, will begin.
    Let me just say right off that Congressman Zach Space is 
absent because of a family emergency. Otherwise, he would be 
here.
    I have accelerated our Subcommittee's review of the VA 
information security management for several reasons.
    I thank all three panels of witnesses and our Subcommittee 
Members for their cooperation despite the somewhat short notice 
we were able to provide. It is my belief that when the subject 
matter justifies some sort of review that such a review should 
be thorough, balanced, and timely.
    This topic was on the Subcommittee agenda for later this 
year, but it is a recurring and nonpartisan topic for the 
Veterans' Affairs Committee. The events regarding a data loss 
at Birmingham and other circumstances have led me to advance 
this hearing on our Subcommittee docket.
    In this hearing, I wish to determine the current status of 
information security management at the VA. Admittedly the 
Birmingham incident holds powerful sway over the landscape. If 
the Birmingham incident stood alone against the backdrop of a 
sound information security management program, perhaps we could 
address a one-time-only incident with more patience.
    However, the record reflects a host of material weaknesses 
identified in consolidated financial statements, audits and the 
``Federal Information Security Management Act,'' FISMA, their 
audits over the recent years.
    The Inspector General's Office and the Government 
Accountability Office have both reviewed VA and found 
deficiencies in the information security management program 
over the last 8 years. VA has been slow to correct these 
deficiencies.
    For example, the VA IG made 16 recommendations with regard 
to information security management in 2004. All 16 remained 
open in 2006.
    During our full Committee review of the May 3, 2006, data 
loss, we discovered a general attitude regarding information 
security at VA that our current Committee Chairman Bob Filner 
once referred to as a culture of indifference.
    Today I wish to address this issue of culture and the need 
for cultural change with regard to information security at the 
VA.
    Last year, the Committee reviewed cultural problems at 
several levels at VA. We looked at the very top levels of the 
VA leadership and were critical. We looked at the program 
leadership levels and were critical. We looked at the 
promulgation of information security policy in VA and were 
critical of the various methods employed by some program 
leaders and advisors to gut those policies to avoid 
accountability of the weakened information security practices. 
We were critical of the lack of checks and balances in the 
information security management system at VA.
    Guidance was being followed, but did oversight occur? We 
were critical of delay by VA in providing congressional notice 
of the May 2006 incidents. We were critical of the slow 
escalation and notice of the magnitude of that problem.
    VA mailed notices to millions of veterans addressing the 
data compromise and made a public commitment to become the 
``gold standard'' in information protection within the Federal 
Government. Eight months after the initial data loss, VA 
reports another loss of significant magnitude associated with 
Birmingham VA Research Program.
    That a weakness existed in this area surprised no one. That 
it happened at all serves to precipitate this type of 
congressional oversight hearing. While the actual loss of the 
external hard drive and the limited electronic protections on 
that missing equipment should be considered the 800-pound 
gorilla in this room, there were some silver linings with the 
Birmingham story as we now know.
    For example, the loss was reported in VA and quickly 
relayed to the appropriate people. Mr. Howard notified 
congressional oversight staff and Secretary Nicholson called 
the Chairmen and Ranking Members of the VA Committees. The 
Office of Inspector General was quickly involved and opened an 
investigation.
    In similar examples from May 2006, VA took days or weeks to 
accomplish those tasks. In the Birmingham incident of January 
9, 2007, VA took hours or days to accomplish the same task.
    Staff was notified within 1 day and calls from the 
Secretary followed a few days afterward. The investigative 
trail was reasonably fresh for the IG to follow.
    What of VA culture with regard to this issue? The IG made 
five recommendations to the Secretary in the review of issues 
related to the loss of VA information involving the identity of 
millions of veterans on July 11, 2006. As of today, all five of 
those recommendations remain open. Why?
    After the 2006 series of hearings, VA issued a series of 
tough-sounding declarations, but problems still remain and 
another major incident has happened.
    After the Birmingham incident, the Secretary issued some 
tough guidance, but what impact will it have? Will history 
repeat itself? How deep are the cultural barriers?
    I believe that it is important to review all aspects of 
this issue. We need to hear from VA leadership and in that 
regard, we are pleased that Deputy Secretary Mansfield has 
agreed to testify. He, Secretary Nicholson, the Under 
Secretaries are key to setting policy. They represent the 
Department in this matter.
    But we also need to look at the problem through the eyes of 
the remaining 200,000 plus people in the VA. Do leadership 
actions throughout the management hierarchy match policy 
guidelines everywhere in the VA? Do the rules say no, but the 
culture beckons, ah, go ahead, make an extra copy of that data 
and your own life will be easier? Take a shortcut. No one will 
follow up.
    If we change the culture of VA, we can begin to fix the 
problem. But people have different cultural perspectives. Those 
of the VA leaders on panel one may differ from those of the 
researchers in the field. Leadership's policy guidance may now 
be spot on, but the question is how the policy is received at 
the user end.
    For that reason, this Subcommittee requires testimony 
across the spectrum of people who in any way handle sensitive 
information about our veterans. Let us approach this with open 
minds, consider other perspectives, and be able to put this 
problem to rest for a long time.
    Before I recognize the Ranking Republican Member for her 
remarks, I ask unanimous consent that Congressman Artur Davis 
from Alabama and Congressman Spencer Bachus be invited to sit 
at the dais for the Subcommittee hearing today. Without 
objection. Thank you.
    I now recognize Ms. Brown-Waite for her opening remarks.
    [The statement of Harry E. Mitchell appears on pg. 54.]

          OPENING STATEMENT OF HON. GINNY BROWN-WAITE

    Ms. Brown-Waite. I thank the Chairman very much for giving 
me this opportunity and also for the expedited manner in which 
this hearing was held.
    As the Chairman has indicated, it is more about information 
security management at the Department of Veterans Affairs and 
in particular the current effectiveness of information security 
at the Department and the need for cultural change.
    Since the data breach in May 2006, which was the second 
largest in the nation and actually the largest in the Federal 
Government, we have seen VA's centralization of the VA's 
information management, including information security.
    I appreciate the Secretary's desire to make the VA the 
``gold standard'' for information technology and information 
security management in the Federal Government. From what we 
have seen, however, adherence to the ``Federal Information 
Security Management Act'' or FISMA has not been adequately 
addressed government-wide as Congress intended when writing the 
law.
    This is why our Committee worked so hard last Congress to 
pass measures such as H.R. 5835 and the final version which was 
S. 3421 which eventually became Public Law 109-461.
    We have tried to give the Department, and in particular the 
Secretary, all the tools that he needs to mandate change within 
the entire Department to make certain that such security 
breaches are few, if any.
    I served on this Committee now, this is my fifth year, and 
recently have been selected as the Ranking Member of this 
Subcommittee. Over the years, however, I have seen a blatant 
lack of resolve within the underlying culture at the Department 
and particularly at the facility level to change the way senior 
management view IT security.
    We know it is very difficult to embrace change, but this is 
what we need to address in this hearing. I was involved at one 
point in my life in installing a new financial management 
system for my employer, and I can just tell you that the 
employees were kicking and screaming because change does not 
come easily. They were used to their little silos and they 
really did not adapt very well to any kind of IT change.
    I realize that this is a problem that is out there in the 
VA, but it is not one that with very strong leadership we 
cannot overcome. We have got to protect our veterans and 
provide them with the services that we need. We need to remove 
that cultural bias against change.
    I appreciate the witnesses who have come to this hearing, 
particularly those who have traveled great distances to be 
here. And I look forward to hearing your testimony.
    I thank the Chairman, and I yield back the balance of my 
time.
    [The statement of Ginny Brown-Waite appears on pg. 55.]
    Mr. Mitchell. Thank you.
    Mr. Walz.

           OPENING STATEMENT OF HON. TIMOTHY J. WALZ

    Mr. Walz. Thank you, Mr. Chairman. Just briefly, thank you 
for holding this important hearing.
    As a veteran who has received the letter earlier on lost 
data, this is obviously one that is personal to me and it is 
also one that everybody in this room cares deeply about.
    Mr. Mansfield, thanks so much for coming here. And I know 
that everyone in this room and at the table care as deeply as 
anybody about our veterans and making sure everything is done 
right.
    So I hope that in this hearing, and in the spirit of the 
Chairman's words, that we are here to find solutions, that we 
know that the intent of every member of the VA is always to 
provide the best quality care, the best quality protection to 
our veterans. So I thank you for being here.
    The one thing I would say, I guess for me, I am a cultural 
studies teacher, so this idea of culture and the things that we 
talk about, all those learned and shared values, beliefs, and 
ideas, I think is critical. Whether it is a safety issue or 
whether in this case it is data security, that I do believe 
culture plays a role in it.
    And we are here today to figure out what we can do if it is 
a resource issue or what we can do. And I truly appreciate your 
willingness to come and all you do for veterans. And together 
we can get this thing worked out and get it going in the right 
direction. So thank you.
    And I yield back my time, Mr. Chairman.
    Mr. Mitchell. Thank you.
    Congressman Rodriguez.

          OPENING STATEMENT OF HON. CIRO D. RODRIGUEZ

    Mr. Rodriguez. Thank you very much.
    And I was just going over the report from the Inspector 
General and it is pretty startling information there in terms 
of the fact that there is still a great deal at risk.
    I know the Attorney General in Texas just ruled that all 
county clerks that release Social Security numbers would be 
committing a felony. And so somehow we need to come to grips 
with that. And if I have to, I will make some of those comments 
at that time, but I am hoping that we can direct it in the 
right direction.
    And I hope that the approach that is taken is that if you 
need some help, if you need some assistance, to come forward in 
order for us to correct this as quickly as possible.
    Thank you.
    Mr. Mitchell. Thank you.
    Mr. Bachus.

            OPENING STATEMENT OF HON. SPENCER BACHUS

    Mr. Bachus. Thank you, Mr. Chairman.
    I would say this to the panel. Since at least 1997, there 
have been reports about inadequacies at the VA, about the 
protection of information, veterans' information.
    And in 2001, there were multiple recommendations made, 17 
security recommendations made in the ``Federal Information 
Security Management Act'' for veterans to do. Yet, in May of 
2006, when you had the security loss, Ms. Brown-Waite mentioned 
that none of those had been implemented at that time.
    Now, since that time, you have given testimony to Congress 
that you fixed most of those problems. But what we had in 
Birmingham, it is my understanding, was just a laptop computer 
with information on it that was carried offsite. And to me, 
that is one of the most elementary types of things to prevent, 
simply by having a rule that they do not do that.
    Now, you have also since last May, you required all 
veterans' employees to go to security seminars, as I understand 
it. So I would just be curious in my questions following up on 
whether that was done or not and whether this employee was 
prohibited from taking it offsite.
    I know the IG's report says that the information that is 
available to all the employees is hard to understand and uses 
words like appropriate and other words which really will not 
limit them, you know, do not use the information 
inappropriately without clearly defining what may be 
appropriate and inappropriate.
    But there are other issues. I know it was 21 days before it 
was announced that this breach had occurred. Another problem 
that I had with this as a Member of Congress, Congressman Davis 
and I represent the Birmingham area and a lot of this 
information was shared with us, but we were told we could not 
share any of the information with anyone else, that it was 
critical to the investigation. And on one occasion, after we were 
specifically told we could not share any of the information, it 
was critical to the investigation, within an hour, the Veterans 
Administration issued a press release with a lot of that 
information on it. So we wonder about that.
    But I came here to listen, but I did come, and I have made 
this point to you gentlemen since this breach, that encrypting 
of information is a pretty elementary step. And I wonder why, 
you know, is there a rule that this information should be 
encrypted. I mean, a lot of this information was not encrypted 
which ought to, by 2007, ought to be standard operating 
procedure on any sensitive information.
    And so I look forward to hearing from you. But it does 
appear that since 1997, at least 2001, everybody has known what 
problems were, that these were accidents waiting to happen, yet 
nothing. You know, if you did something as a practical matter, 
it did not work. So I would just be interested to know what you 
did.
    Mr. Mitchell. Thank you.
    Mr. Davis.

             OPENING STATEMENT OF HON. ARTUR DAVIS

    Mr. Davis. Thank you, Mr. Chairman. I am glad to see that 
freshmen can become Subcommittee Chairs so quickly and I 
congratulate you on that. I must be on the wrong Committee.
    Thank you for giving leave to my friend from Alabama and 
myself to come here. We are not regular Members of the 
Veterans' Affairs Committee, and I thank you for letting us 
participate because our City of Birmingham is affected.
    I want us to get to the question section as soon as we can 
so I will be very limited in my comments. But I begin by saying 
this, Mr. Mansfield. I think all of us take it for granted that 
the leadership at the VA has good intentions, but good 
intentions are usually not enough to change a culture. Better 
laws help. Better regulations help.
    And I received the correspondence that you sent to me in 
which I asked a number of questions about what the procedures 
are at the VA regarding encryption, what the procedures are at 
the VA regarding notification, and it is clear to me from 
looking at your answers that there are gaps there. And, 
frankly, that is where this institution comes into play.
    Some of us have been advocates on this Committee for having 
stronger protections for civilians regarding potential losses 
of data, regarding data security issues in the private sector.
    It seems self-evident to me that whatever the standard 
ought to be for individuals in the private sector, if anything, 
it ought to be stronger for our veterans. And I am 
disappointed. But if I understand the law and the regulations 
today, it is weaker. And understand some of us believe the 
consumer protections are not strong enough for civilians 
either.
    Second point that I want to make, I have a very strong 
hunch, Mr. Mansfield, that the only reason we are in this room 
having this hearing, the only reason that the public knows 
about any of this is simply by pure luck. And I do not mean to 
second guess, but I will make this point to you.
    Your office called my office on the late afternoon of 
February 2nd, 2007, and you told us that you wanted us to have 
information about a data breach in Birmingham and you told us 
that a news organization was about to run with the story, so 
you wanted to give us a heads up.
    I have a strong hunch, Mr. Mansfield, that but for you all 
believing this information was about to come in the public 
domain that you never would have released it.
    Second of all, after the Office of Inspector General met 
with me at my request, we lodged a very strong demand of the VA 
that the VA go forward and release the additional information 
about the amount of names that had been compromised, about the 
fact that physician information had been compromised.
    Frankly, I have a hunch that but for that demand, the 
additional information would not have been released.
    So I will end with this point. Changes need to be made, in 
my opinion, in the way that your organization reacts to this 
kind of a problem.
    I am going to ask you during my question time during the 
hearing how many data breaches are suspected by the VA since 
the incident of May 2006. We know about that incident. I am 
going to ask you during my Q and A session how much has been 
suspected in the year since. Are there other instances where 
there has been a loss of data? Are there other instances where 
there is a suspected loss of data?
    So I thank you for being here, and I look forward to 
answers to your questions.
    Mr. Chairman, thank you again.
    Mr. Mitchell. Thank you.
    Mr. Stearns.

            OPENING STATEMENT OF HON. CLIFF STEARNS

    Mr. Stearns. Thank you, Mr. Chairman, and thank you for 
holding this critical and timely hearing.
    When you look at the GAO report, it says from 1998 to 2005, 
there were over 150 recommendations to the VA on implementing 
effective controls and developing a robust information security 
program.
    And then if you just look at the VA's own Office of the 
Inspector General, they publish reports. They made 16 
recommendations from the fiscal year 2004 and they remained 
unaddressed.
    So we have here critical areas that are being highlighted 
by the GAO as well as the Office of Inspector General clearly 
saying the VA is vulnerable to denial of service attacks, 
disruption of mission-critical systems, and unauthorized access 
to sensitive data.
    So all this has been documented. The Member before me 
talked about it is just by luck we have information about this. 
But I think we have known about this for some time, at least 
since January.
    And so the question is with the GAO and the Office of 
Inspector General, why in the world are all these 
recommendations and all these suggestions not being 
implemented?
    There has been a lot in the news recently regarding 
unauthorized access violations at the VA. Last March, there was 
an incident we had where 26 million veterans' information, 
personal information, personal, identifiable information was 
lost.
    I congratulate the VA for finally getting the computer and 
getting the protection it needed, but, you know, it took a 
while to find it. And as I understand it, a lot of this 
information was not even encrypted.
    And, however, now, in the recent breach that my colleagues 
have mentioned in Birmingham this January, the proper agencies 
were informed the very next day, an improvement that I would 
like to highlight, yet it is a mixed bag of praise and 
condemnation for we have yet another breach of information 
security.
    This Birmingham hardware involved the personal medical 
records, Social Security numbers, personal information of 
veterans and many medical personnel in the VA system itself. 
And this information again was not even encrypted.
    So it seems to me at this point, this information should be 
encrypted at the very least. There are clearly areas that the 
VA needs to improve. And I guess for the life of me, I do not 
understand. If you go back to 1998 and you have got 150 
recommendations from the GAO, why are you folks not 
implementing them?
    In Congress, we responded to the data breach of last March. 
We enacted the new law, the ``Veterans Benefit Healthcare and 
Information Technology Act'' of 2006. The primary purpose of 
this legislation was to strengthen IT practices at the VA. It 
also contained internal processing requirements regarding 
security management with a mandate, with a mandate for the VA 
to develop interim regulations for improving security within 
180 days of the law's enactment.
    So, Mr. Chairman, I think that the hearing is timely. I 
look forward to the witnesses, and I hope the strategy will be 
for improving security for our veterans in the very near 
future.
    Mr. Mitchell. Thank you.
    We will now proceed to panel one. We are pleased to have 
Deputy Secretary Gordon Mansfield as the principal presenter 
for the panel.
    This Committee has a long and professional working 
relationship with Mr. Mansfield in all his roles at VA, from 
his time serving as the Assistant Secretary for Congressional 
and Legislative Affairs to his present position as Deputy 
Secretary.
    Mr. Mansfield is a highly decorated military combat 
veteran, having served two tours of duty in Vietnam. His 
military awards include the Distinguished Service Cross, the 
Bronze Star, two Purple Hearts, and the Combat Infantry's 
Badge.
    Mr. Secretary, would you please introduce your team.
    Mr. Mansfield. Thank you, Mr. Chairman. If I may, before I 
start, a point of personal privilege. With your permission, I 
wanted to take a brief moment to comment on Len Sisteck's 
departure from the Committee.
    May I have your permission, sir?
    Mr. Mitchell. Yes.
    Mr. Mansfield. Len and I had a chance to talk the other day 
in my office, and he told me that he still had ``the sense of 
service to one's country'' that we have seen up to this date. 
And I am pleased that he will continue as a public servant.
    Many may say it, but Len has lived the concept of leaving 
political and ideological differences aside in order to serve 
veterans. He also got out and saw the VA operations in the 
field in a real hands-on way.
    I mentioned he was in my office, on the tenth floor. I also 
want to make the point that Len has also been with us in our 
operations center down in lower basements, the bowels of the 
VA, so he has been with us from top to bottom.
    I, for one, am glad that he will still be here on the Hill 
watching out for the interests of the Department and for 
veterans, just in a different capacity. Fairness and loyalty to 
the constituency are his, and I appreciated his service on this 
Committee. And I want to extend to him the congratulations and 
best wishes of the entire Department.
    Len, thank you very much.
    Mr. Mitchell. Thank you, Len, very much.

STATEMENTS OF HON. GORDON H. MANSFIELD, DEPUTY SECRETARY, U.S. 
   DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY MICHAEL J. 
   KUSSMAN, M.D., ACTING UNDER SECRETARY FOR HEALTH, VETERANS 
   HEALTH ADMINISTRATION, U.S. DEPARTMENT OF VETERANS AFFAIRS; 
   HON. ROBERT HOWARD, ASSISTANT SECRETARY FOR INFORMATION AND 
  TECHNOLOGY AND CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF 
VETERANS AFFAIRS; AND JAMES BAGIAN, M.D., CHIEF PATIENT SAFETY 
OFFICER, DIRECTOR, NATIONAL CENTER FOR PATIENT SAFETY, VETERANS 
   HEALTH ADMINISTRATION, U.S. DEPARTMENT OF VETERANS AFFAIRS

               STATEMENT OF HON. GORDON MANSFIELD

    Mr. Mansfield. Mr. Chairman, if I may, I have a statement 
to submit for the record.
    Mr. Chairman, I am here today with Mr. Howard, our 
Assistant Secretary for IT; the acting Under Secretary, Dr. 
Kussman; and Dr. Bagian.
    I am here today to talk about the status of our IT security 
program and the reorganization of our Office of Information 
Technology.
    We have done a lot of work and we have come a long way 
since last May's major incident occurred. And I have to admit 
that that was probably the wake-up call for the Department. But 
we still have an awfully long way to go.
    We are well into the reorganization of the Office of 
Information and Technology to include an initial transfer of 
some 4,600 individual employees now under the control and 
direction of the CIO, Assistant Secretary Bob Howard.
    That reorganization also includes ensuring that Mr. Howard 
has the full authority as delegated by the Secretary to deal 
with security issues throughout the Department. Mr. Howard also 
has the authority to oversee the total IT budget for the 
Department.
    In the information security area, we have gone forward with 
preliminary revisions that have led us to issue a number of new 
directives to ensure that the workforce understands what their 
specific responsibilities are.
    We have brought management pressure from the top to ensure 
that the required change in culture is instituted and that we 
are moving forward to achieve the goals set by the Secretary 
for the VA to be a gold standard for the Federal Government.
    As I have stated, I think we have come a long way in both 
the reorganization and changes demanded by information security 
requirements to protect our veterans. I will be the first to 
acknowledge that we have not finished with either of these 
chores.
    We are continuing the reorganization with more transfers of 
people taking place next month, with more budget, more program, 
and more people responsibilities under the control of the CIO.
    The Security Operations Center or the SOC is now receiving 
daily reports of incidents, large and small, from across the 
Department which allow us to understand and educate the people 
that we are responsible for when they do the job wrong, and 
also it will allow management to get a better picture of the 
problem areas across the Department.
    The Birmingham incident, while evidence of major lapses in 
judgment in operations, was handled in such a way that VA 
management was informed in a timely manner and the report moved 
quickly up the chain of command to the top.
    We also started an investigation as did the Inspector 
General's Office in conjunction with the FBI. Notifications of 
the incident were made to the Hill in a timely manner. As well, 
updates on the information were provided as received.
    I want to make a point here that as we get into these 
investigations and as the IG and the FBI move into it, we are 
requested that we keep this information on hold as they start 
into their investigation and start looking for areas of 
approach, and we try to follow the FBI's request and the IG's 
request in that area.
    We have been notifying this Committee and other Committees 
of jurisdiction on the Hill on a weekly basis of the reports 
that do come in to us that are reported up the chain of 
command.
    Another area of concern is sanctions applied to those who 
fail to conform to the requirements. The Secretary has said 
there are still too many VA employees at every level to include 
senior positions who either still do not comprehend the 
seriousness of this issue or who consciously disregard it.
    This laxity is unacceptable and no longer will be 
tolerated. In appropriate cases and where justified, there must 
be serious consequences for failure to properly secure 
veterans' data. We owe our veterans no less. And that is a 
quote from the Secretary in a meeting of senior executives held 
here in Washington, D.C., on February 21, 2007.
    We are involved in cultural change in a serious way. From 
the highest leadership on down, in meetings and communications 
and site visits, the Secretary and I have endeavored to 
communicate the need to protect data and how we can make that 
happen.
    As the Secretary indicated, given the circumstances of each 
case, we need to go forward with further education and 
assistance with our employees to understand what the need is 
and what they have to do or get involved in considering whether 
sanctions should be considered and applied as required.
    In closing, let me say that I sincerely wish that I could 
promise you that no other incident will occur. I cannot do that 
now, but I can promise you that we are working hard throughout 
the Department to get the message to our 235,000 plus employees 
to do everything we can to get this problem under control.
    We have succeeded in many areas. We still have a large job 
to finish the effort. We are committed to doing that.
    Mr. Chairman, I am prepared to answer questions, and I 
would ask Mr. Howard, as I understand the sequence, to go 
forward with his comments.
    Mr. Mitchell. Correct.
    [The statement of Gordon Mansfield appears on pg. 56.]

                STATEMENT OF HON. ROBERT HOWARD

    Mr. Howard. Thank you, sir.
    And thank you, Mr. Chairman and Members of the Committee.
    I would like to expand on Deputy Secretary Mansfield's 
comments regarding the changes underway in the area of 
information and technology.
    There are two specific areas I would like to focus on. 
First is the extensive reorganization taking place and second 
is the over-arching program we have established to provide 
focus to all of our remediation efforts.
    The IT realignment program to transition the VA's IT 
management system remains on track and is scheduled to be fully 
implemented by July 2008.
    By April 1, 2007, software development employees and 
programs will be permanently reassigned to the CIO. This action 
follows the consolidation of operations and maintenance under 
the CIO which was finalized beginning this fiscal year.
    We are implementing a process-based organizational 
structure rooted in best practice processes that are aimed at 
correcting IT deficiencies that resulted in a loss of 
standardization, compatibility, interoperability, and fiscal 
discipline.
    There are 38 such processes that are being introduced with 
the assistance of IBM from a best practices standpoint. We have 
also developed a different organizational framework to provide 
focus in key areas.
    The Office of Information and Technology is now comprised 
of five major organizational elements. These will all report to 
the CIO. We have a chart of this organization with us today in 
the event you would like to discuss this structure in more 
detail.
    Each of the five major organizational elements is led by a 
Deputy Chief Information Officer. One Deputy Chief Information 
Officer, in fact, in the first column, is charged with 
directing the information protection and privacy programs in 
VA. This official is also responsible for risk assessment, risk 
mitigation, evaluation and assessment as it relates to 
information protection.
    The DCIO for information protection and risk management has 
drafted the interim final regulation on credit monitoring and 
credit protection as required by the ``Veterans Benefits 
Healthcare and Information Technology Act of 2006.''
    This regulation, which is now being reviewed throughout the 
Department, will address notification, data mining, fraud 
alerts, data breach analysis, credit monitoring, identity theft 
insurance, and credit protection services.
    To achieve the gold standard as directed by the Secretary, 
we have implemented an over-arching program to assess 
information protection controls, to develop plans to strengthen 
the controls where necessary, to enforce the controls, and 
continuously monitor the information protection program.
    This action plan we have developed includes development and 
issuance of policies and procedures, training and education, 
securing of devices, encryption of data, enhanced data security 
for VA's sensitive information, enhanced protections for shared 
data in interconnected systems, and incident management and 
monitoring.
    A number of the specific requirements of the new law have 
already been introduced into our comprehensive action plan. I 
personally review progress on these actions on a weekly basis.
    In closing, I believe we have made progress in improving IT 
operations in VA and we are working hard in partnership with 
the administrations and staff offices to improve our business 
practices to ensure the protection of sensitive information 
throughout the Department.
    Mr. Chairman, that concludes my testimony. I would be 
pleased to answer any questions the Committee may have.
    Mr. Mitchell. Thank you.
    Dr. Bagian.
    [The statement of Robert Howard appears on pg. 58.]

                 STATEMENT OF DR. JAMES BAGIAN

    Dr. Bagian. Thank you, Mr. Chairman, members of the 
Committee, for inviting me here today.
    My comments will be confined more to cultural aspects, 
especially with respect to some of the observations of what 
we've done in the patient safety area, as I've talked to some 
of you in the past.
    Let me just say at the outset, there has been some 
indication by some of the previous comments that people are 
wondering if people take the issue of IT security seriously. I 
can tell you unequivocally, they take it very seriously. 
There's nobody I see--and I am out in the field quite a bit--
that is not fully aware that this is an important issue. 
There's no question about that. I'll come back to that, but, 
let me just assure you that's a fact.
    The big issue is about culture and how we look at this. And 
I would say one of the big issues--and I'll talk about it from 
the frame of patient safety--because while our goal in patient 
safety is to prevent harm to the patient, and generally we 
think about that with regard to the medical care that we 
deliver, the fact is that if people suffer, for instance, the 
outcome of identity theft, for example, that harms them as 
well--as it harms our ability to provide care for them because 
that consumes fiscal resources and attention that could 
otherwise be focused to our primary mission, which in the VHA 
is delivering medical care. So we understand that.
    In the safety area, patient safety area, when we started to 
do this some 8, 9 years ago, the culture certainly wasn't 
geared toward patient safety, and we were starting this before 
anybody did it anywhere in medicine, quite frankly.
    And we found that it was very important to be able to 
establish for them what our real goal was in terms that were 
understandable by them and how it met what they thought they 
needed to do. To create an expectation was relevant to them 
that they thought was real.
    And then we had to go through an understanding when things 
did happen, it wasn't enough strictly just to have--and as Mr. 
Howard talked about, policies and training is important, but he 
talked about other things like encryption and other modalities. 
It's a multiplicity of these things.
    It's not just telling people, ``follow the rules,'' because 
if that is all it took to do anything, we'd write rules and go 
home. And we know it takes more than that. So, when problems 
occurred or we had close calls--as we have had IT close calls 
as well--it was to look and say what happened here, why did it 
happen, and what do we do to prevent it in the future?
    And without understanding those underlying causes, it's 
really impossible to come up with sustainable solutions. So we 
really dwelled on that quite a bit, and I think you see some of 
that same thing in what's going on with the IT organization 
today.
    The other thing is you have to take out the fear. One of 
the things that goes on with any organization, as was mentioned 
by Ms. Brown-Waite during her comments, is that change is hard 
for all organizations. And people have to feel that the change 
is in their interest, too, whatever that change is, and 
communicate to them what they believe it is. And I think we can 
do that, and we're trying to do it. But it doesn't happen 
overnight.
    We then need to supply tools, and that's being done. You've 
heard about encryption. You've heard about other things that go 
in those areas. And then we have to do it in a way that changes 
their behavior, and when that behavior works and is not at 
cross purposes with their goal--and in VHA, the goal is 
delivering clinical care; that's the main goal--information 
security is embedded in that, but that's not the reason they 
come to work. A physician doesn't come to work to achieve IT 
security. It's a component thing they need to worry about, but 
their main goal is that they want to take care of the patient.
    We have to understand how we make that real to them, that 
they understand that that's important not just because we say 
it is, because they believe it is. And I think that's trying to 
be done. So when that attitude changes, then you begin to 
change culture.
    Now, one of the things that we found that was extremely 
important when we began was we thought everybody got it about 
patient safety. We did a cultural survey--the first one ever 
done--on attitude toward patient safety, and we found some very 
remarkable results which changed the way we ran the entire 
program and in fact, I would say we are singularly responsible 
for it being successful versus failing miserably.
    We found that when we asked people, ``Do you think patient 
safety is important?'' Twenty-seven percent of all our people 
at the VHA system said ``five'' on a one-to-five scale. Patient 
safety is super important, most important it could be. Twenty-
four percent said ``one''--absolutely irrelevant. We were 
shocked. How could that be?
    But when we stopped and talked to them more--we've had 
focus groups come in to understand why that was--the reason 
they said ``one,''--that is, unimportant, was because they 
said, ``Well, I thought you meant was it important for me? It 
is not important for me, because I know I am safe. It is all 
those other people that aren't.''
    And the same thing can happen here if you don't understand 
what motivates them. It's not they do not want to do it. They 
think somebody else is doing it.
    Until you really answer those questions to enable you to 
understand people's underlying assumptions, it's impossible to 
correct it effectively. So I think we need to look at that and 
look at the culture where it is and not just talk about it, but 
actually measure some of it to understand where the leverage 
points are. And I'm not sure we know all those things yet. But 
we're moving in that direction.
    One of the things we worked with the IT system back in 2003 
when the Blaster Worm--some of you may recall the Blaster Worm, 
a big problem--we went and worked with IT at that time. In 
fact, one of Mr. Howard's deputies--we talked last on the 21st, 
just last week, about how we worked with them with root cause 
analysis where we looked at these, what happened, why did it 
happen, what do we do about it--and he remarked that since that 
time we've never had a major denial of service attack, since we 
looked at this with a very systems-based approach. And they 
want to work with us more doing that, and we look forward to 
those kinds of things.
    And we think this mode of collaboration across not just the 
IT world, but across all VA--DVA, NCA, VHA--working together to 
look at this and look at the real causes will get us there, and 
I think that's where the real hope lies, and it is not just 
having a knee jerk response to the bad events, which none of us 
want, but really take the time to understand why it isn't where 
we want it to be and fix it and really nail it.
    [The statement of James Bagian appears on pg. 58.]
    Mr. Mitchell. Thank you all for your statements.
    Clearly the VA is attempting a number of different avenues 
to address the problems associated with information security 
management at VA. We are aware of the poor track record the VA 
has in this area and note that implementing a program does not 
guarantee a successful outcome by itself.
    Mr. Mansfield, I have a question. In 2006 and in earlier 
years, we saw information security policy guidance languish in 
various VA offices. The IG advises us in testimony that the VA 
still lacks a clear, concise policy in several key areas of 
information security. It has been 7 months since their report 
was issued.
    Why do they say that and how do the views of the Department 
differ with the views of the IG?
    Mr. Mansfield. Mr. Chairman, let me start by saying that we 
have proceeded and gone forward in a large number of areas and 
issued a large number of directives that deal with some of the 
issues that the IG is talking about.
    The Secretary has issued directives and I have issued 
directives. I think what the IG is saying is that we have not 
been able to finalize this thing across the entire 
organization.
    And I would make the point that in some of these areas, we 
are still learning about exactly what is happening out there, 
and we need to be able to find out what the issues are and, as 
Dr. Bagian said, what happened, why did it happen, and what are 
we going to do to fix it.
    I would make another point which is that we still have out 
there a largely decentralized system. It is nonstandardized. 
There are not any simple fixes that we can plug in. Like with 
the Blaster worm, you were able to put one fix in and put it 
across the system if you have a standardized system. But we do 
not have that, so there are not any simple fixes.
    The other issue we have here is that for the most part, 190 
some thousand of those 235,000 employees are in the veterans 
health arena and that is where we have the responsibility to 
deliver healthcare. And as I have testified before this 
Committee in many previous hearings, we have approached this 
from the start with the principle, ``do no harm.'' Do no harm 
is a part of the way you have to approach this. We cannot 
afford to shut down a hospital system where patients are being 
taken care of.
    Plus, we are a government agency. We deal with civil 
service rules. We deal with contracting rules, and we go 
forward with all those issues. So that is part of the 
explanation, sir.
    Let me make the point, too, that I understand exactly where 
you are coming from and where the Committee is coming from, and 
it has been a long time. There are a number of issues out 
there. But as I said, we are working, and I think the 
centralization and reorganization of this office which the 
Secretary has directed will allow us to provide, in addition to 
what we had before, for education and information to be 
provided, that we use our VA Learning University as an 
additional effort to bring information and education to bear.
    And the other part of it is the inspection part goes 
forward where we have just started inspections, some announced, 
some unannounced, to be able to go out and find out what is 
going on out there so we are not surprised.
    Mr. Mitchell. Just a quick followup. You mentioned your 
study and you are looking at why people do the things they do. 
When do you expect this study to be over? When do you expect to 
finally implement all of these recommendations? How long is it 
going to take?
    Mr. Mansfield. Sir, I cannot give you a final date right 
now. I am sorry. I wish I could. I wish I could tell you that 
we have got this problem solved. We cannot do it.
    As I indicated and as Secretary Howard indicated and as I 
believe Dr. Bagian indicated, it is a continuous ongoing effort 
where we are going to have to continue to work on all the 
different issues until we know that we have got every single 
part of this understood and we have got a fix prepared for it. 
We put the fix in and we make it work.
    The final word I would say here is again that it is not a 
question of technology or machines or software. It is a 
question of people. And we are going to be dealing with people 
across this system, the 235,000 employees, the tens of 
thousands of contractors, all the people in the 105 medical 
schools that we deal with where you have residents and interns 
in the thousands coming in and going out of our system every 
year. So we are going to have to work on this continuously, 
sir.
    Mr. Mitchell. Thank you.
    One last question before I call on the Ranking Member. Mr. 
Howard, how long will the VA be without a cyber security chief?
    Mr. Howard. Sir, we actually had selected one, a female, 
very well-qualified. We had selected her. Several days before 
she was to show up, she decided to take another job. So I have 
now had to go back through and announce that position over 
again. I assure you we will move as fast as we can. But the 
process has to be done correctly.
    Mr. Mitchell. Thank you.
    Ms. Brown-Waite.
    Ms. Brown-Waite. Thank you, Mr. Chairman.
    You know, maybe reducing this to parenthood might be 
relevant because I only have two children that I gave birth to. 
One you could talk to and reason with and you would get 
results. The other one, it was like sometimes you had to like 
look her eyeball to eyeball and threaten sincerely in order to 
get her attention.
    So I want to know what you are doing to really get the 
attention in this culture of where we did it before, so we are 
going to continue to do it, and I want to know also what is the 
VA's policy on using personal computers, i.e., you know, maybe 
a thumb drive and taking it home and working at home? And what 
happens to the employee who you might have to like take drastic 
steps to get their attention, i.e., dismiss them? Tell me what 
is going on because it is very frustrating to see the lack of 
progress here.
    Mr. Mansfield.
    Mr. Mansfield. Let me start with the last question, and 
that is the area of sanctions. And I think to approach that we 
have to understand that, as Dr. Bagian mentioned, that that is 
a part of a total spectrum of changing the culture.
    When you are talking about sanctions, I think you have to 
start with what are our responsibilities before you can get 
there, and that is I believe that you need to let the people 
know what you expect of them, why you expect that, give them a 
chance to ask questions if they have questions about what is 
expected, and then go forward from there.
    The second part of that is I think that you cannot have one 
single decision. You have to take each case, each individual 
and each situation in and of itself and you have to measure 
what happened in that case, why it happened, and perhaps what 
the results are.
    Ms. Brown-Waite. Sir, with all due respect, we are talking 
about thousands, hundreds of thousands of veterans whose 
information is just out there.
    Mr. Mansfield. Well, I understand that. I would tell you, 
Ms. Brown-Waite, that the last time I was admitted to a VA 
facility, which was not too long ago, one of the forms they 
gave me said you can check off up here, is this information 
available for VA research.
    So I understand that every veteran in this system is at 
risk, and I hope the point is coming across that we are 
attempting to do everything we can to make sure that that risk 
is mitigated, if not eliminated.
    Ms. Brown-Waite. Do you have written policies that say one 
time and one time only, if it happens again, you are out, or is 
it no strikes and you are out? What is VA's policy at this 
point on taking a risk with individuals' information that may 
put it at risk outside of the premises of the VA offices and 
hospitals?
    Mr. Mansfield. Well, let me caution that, as I mentioned 
before, we live within the civil service rules and we have to 
recognize those and go forward and ensure that we carry out all 
the responsibilities we have there and ensure that each and 
every employee's personal rights are protected or else whatever 
we do is going to be overturned by an oversight body.
    And the other point again is that I think we have to take 
each case in itself and look at what are the issues involved 
here, how much harm was involved, and exactly how egregious or, 
as you mentioned, repetitive was the issue, and go forward from 
there. And we cannot just put it down simply as these three 
issues or these rules apply to each and every situation. We 
have to look at what the individual situation is and go from 
there.
    Ms. Brown-Waite. Sir, I have more concern for the employees 
and the veterans' information that is out there. That worries 
me. Put something in writing that is distributed to the 
employees that at least they will know exactly what the ground 
rules are. You take the stuff off campus and you have violated 
a rule. You are put on probation. It does not happen again. Put 
it in writing some place.
    Let me get to the specific Birmingham issue. I have a large 
number of seniors and I have the highest number of people on 
Social Security and Medicare. Should I be alerting citizens 
that their doctors' information on that patient may also have 
been compromised in the Birmingham breach or are you doing it? 
What are we doing to protect not just the veterans but people 
who are on Medicare and Medicaid?
    Mr. Mansfield. We are following through with the 
requirements the previous legislation referred to. Part of what 
we have to do there is a risk analysis, and our initial attempt 
was to have the IG do it. The IG just last week informed me 
that they do not believe they have the capabilities to do it. 
They also have raised some legal issues.
    I brought that issue of risk analysis to the President's 
Identity Task Force at their last meeting, and we are moving 
forward in an attempt to find some, as required by the law, 
independent body to do the analysis in order to make a 
determination of who to notify in that case.
    I would make the point, too, that I have seen some reports 
that talk about 1.3 million physicians. That is not the correct 
number. What was it, 196, I think we are down to?
    Mr. Howard. Sir, 565 that we think are----
    Mr. Mansfield. Why don't you----
    Mr. Howard. To just comment a bit more on the list of 
providers, in the case of Birmingham, there were 1.3 million on 
the list. A large number were deceased. I believe several 
hundred thousand. But in every case, we believe two elements of 
information were on the particular piece of data, name and date 
of birth. That concerns us obviously.
    But the most critical was a population of about 565,000 
where there also appeared a number not identified as such, but 
it happened to be a Social Security number. And so in the case 
of the 1.3 million providers, that is where we have pursued an 
official risk analysis on that to get specific guidance on how 
to approach it as the Deputy mentioned.
    Mr. Mansfield. Let me just clarify that the providers are 
not all medical doctors.
    Mr. Howard. They are not all medical doctors. Some are 
nurses. There is a variety of providers on the list.
    Ms. Brown-Waite. But, sir, it is very easy--and I would ask 
the Chairman's indulgence----
    Mr. Mitchell. Yes.
    Ms. Brown-Waite [continuing]. It is so easy, once you have 
a provider number, to engage in Medicare and Medicaid fraud. It 
is out there. And, you know, I do not know how long your risk 
analysis is going to take. You know, the frustration that I 
have is that we have people's identities and medical 
information and Social Security numbers. Now we have 
physicians' information also at risk.
    And the ability of somebody to go in and set up a post 
office box and do Medicare or Medicaid fraud, that is a 
dangerous situation.
    Mr. Mansfield. I fully agree with you and understand it. I 
would make the point that it has taken us a number of days to 
do the analysis that the OIT Office has done to find out who 
has been on those records and how many names there actually are 
and who they are and what information is attached to that in an 
effort to go forward and find out what we have to do to answer 
the questions you raise which are so important.
    Ms. Brown-Waite. One last question. I promise this will be 
the last. Do you have a breakdown by State of the providers and 
have they been even notified of this, because I will tell you, 
nothing will send a more chilling effect to a physician or 
another healthcare provider if they think somebody may be out 
there billing in their name because once CMS gets on their 
case, you cannot get them off?
    Mr. Mansfield. We do not now have the addresses. The file 
that we obtained from CMS was scrubbed down to a certain 
degree, they thought including removing of Social Security 
numbers, and that means that we are going to have to go back 
because when we get the full identity of the individuals to CMS 
and get them to provide us the addresses as we go forward in 
notifications.
    Ms. Brown-Waite. Thank you, Mr. Chairman. I am sorry.
    Mr. Mitchell. That is fine.
    Mr. Stearns, I understand you have to leave immediately.
    Mr. Stearns. Well, not immediately. Can I follow up on my 
colleague's--what I had is something that follows right after 
my colleague.
    My colleague from Florida mentioned this Unique Provider 
Number (UPN). Tell me what that means. She touched on it, but 
from your perspective, what does that mean for a person, a lay 
person? Tell me the significance if a doctor had their unique 
provider number.
    Mr. Mansfield. Sir, Mr. Howard has been working with these 
files, and I will let him explain what the UPN is.
    Mr. Howard. Sir, it is an identifier, you know, for the 
physician. Quite frankly, though, it is the presence of that 
Social Security number that is probably even more critical.
    Mr. Stearns. If you had the UPN number plus the Social 
Security number, does it give you authenticity and credibility, 
or if you just had the UPN number without it, you would not 
have it?
    Mr. Howard. Sir, I do not believe the UPN number alone 
would provide you what you need to set up a fraudulent 
situation on Medicare. But I might ask----
    Mr. Stearns. Are you absolutely sure that if I sent HEAD 
some fake stationery and I used a UPN number, could I not start 
billing for Medicare based upon that without a Social Security 
number? Yes or no? If you do not know, just say you do not.
    Mr. Howard. I am not sure, sir. The information I have, 
that is not enough, but I am not a physician.
    Mr. Stearns. Because in addition to the loss of personal 
identifiable information which means we have hurt the identity 
of veterans as well as physicians and physician providers, you 
have another avenue here of fraud dealing with the Medicare 
program which we did not have. When we had 26 million veterans, 
we were worried about loss of personal information. But now 
having compounded on this, what I hear from my colleague and 
this UPN is that the possibility could be you take this 
information and forget trying to steal a person's personal 
information. Just go to the source and start billing Medicare 
for thousands and thousands of dollars. And do it from 50 
states before you get caught, you could collect a lot of money. 
Am I exaggerating or is that a possibility?
    Mr. Howard. Sir, the UPN number, to my knowledge anyway, is 
publicly available. That is why I say you would need more 
information to actually set up a successful----
    Mr. Stearns. So I could find out the UPN number for my 
physician? It is accessible. Okay.
    Mr. Mansfield. Web site, right?
    Mr. Howard. It is on a Web site.
    Mr. Stearns. It is on a Web site. So that is not critical 
information. Okay.
    Mr. Howard. No, sir.
    Mr. Stearns. Okay. The gentle lady, I will yield to her if 
you have any additional--go ahead. I am just going to yield a 
minute to her.
    Ms. Brown-Waite. What I said to my colleague is the 
provider number, the Medicare provider number is something that 
they would need to set up a storefront and start billing, 
because we had exactly that problem in Florida.
    Mr. Stearns. Right. And that was part of the loss of 1.3 
million, right, what she is talking about.
    The other thing I cannot understand, this occurred on 
January 22nd. Why have you not given Members of Congress or at 
least put a profile of this information by State? I mean, at 
what point are you going to decide to notify these people?
    In California, there is a law that once you lose this 
information, you have got to notify the people immediately. How 
long are you going to take and why have you not come up with a 
plan and a date when you are going to do this? Are you just 
going to wait until you get it back, which might be 6 months? 
It seems to me there is a time where people should be notified 
that you have compromised their personal identifiable 
information.
    Mr. Mansfield. Let me make the point, sir, that since we 
became aware of this, we have been in communications with CMS 
and talking to them and their legal people and others in an 
effort to determine what we need to do to go forward.
    I would also make the point that it has been a question of 
attempting to find out what the information was because it does 
not show up as a Social Security number. It is in a box over 
here that has a name on it and it took our people a lot of work 
to----
    Mr. Stearns. So you have to go in each individual box for a 
name to find it?
    Mr. Mansfield. You have to go through that to find out, you 
know, if that number matches a Social Security number, we 
believe. And we have had to go back and do the forensic 
information to get that. That has taken some time.
    And I would make the point that we frankly concentrated on 
the veterans in an effort to get them identified and to get the 
notifications to them. We are continuing to go through the 
process of pulling all these large files together to get those 
names of the veterans and to notify them.
    Mr. Stearns. In any corporation, they have a security 
protocol which says that only certain individuals get access to 
this information. I cannot understand why your agency has not 
developed a protocol so that this veteran would not get access 
to that.
    And the second question I have and I will complete is CMS, 
are they not derelict for giving you access to this information 
without it being encrypted? Shouldn't CMS at the very least 
encrypt all this information before so that this person that 
you put on the protocol would have a password and either an 
iris or a fingerprint before he or she could get this 
information?
    So my two questions are, is there not some culpability on 
CMS for not encrypting and, two, why do you not have some kind 
of protocol with that massive information?
    Mr. Mansfield. Sir, part of the problem is that this list 
was available for our medical researchers under a memorandum of 
understanding that we had with CMS. And actually my 
understanding is that they gave us the wrong list that was put 
into the custody of a person that we had responsible for 
receiving that and responsible for making the decision to 
release it to the proper people who have authority and 
permission to be released to.
    In the process of looking at the list that we got, we found 
out that there was more information, including Social Security 
numbers, that were on there and identified as such and we got 
those removed from it. But we did not realize that this other 
number potentially could be a Social Security number also. So 
that is part of the problem.
    Mr. Stearns. Thank you, Mr. Chairman.
    Mr. Mitchell. Thank you.
    Mr. Walz.
    Mr. Walz. Thank you, Mr. Chairman.
    Once again, Mr. Mansfield and the panel, I do not intend to 
bore you with my personal history. But having been one of those 
veterans who lost their data in the first breach and having 
received the letter, I give it to you more as a person at the 
time who was not in Congress but who was a veteran and got the 
letter and got notification on the news that this happened and 
watched this unfold.
    And it was very damaging because the first thing it did it 
made me lose some faith in the credibility of the VA. That was 
really critical to me because I want to believe and, as I said 
in the beginning in my opening statements, your intentions are 
unquestionable. You are there to serve our veterans. You have 
done that.
    But when I am listening to my colleagues and I listen to 
what is coming out on this, outcomes matter more than 
intentions. There is no doubt about that. And as a veteran, I 
know my first instinct was just get this right, whatever it 
takes to get this right.
    And I hear you say, you talked about, well, you have got 
civil service issues and contracting issues and things like 
that. Dr. Bagian was talking about, and I am sure you did, your 
organizational analysis and you went through, you know, gap 
analysis or whatever you did.
    If you were given free rein--this may be more 
hypothetical, but maybe it gets to where we need to get with 
this--what are these constraints that are stopping you from 
getting this fixed? When I hear you say you have these civil 
service contracting issues and so forth, what would you change 
if you were unrestrained by those? What would fix it?
    Mr. Mansfield. Sir, I have to make the point that, you 
know, I come down here as a representative of the 
Administration, and there are some other constraints that apply 
also.
    Let me go as far as I can and push up against the fence. 
One of the constraints we have with this reorganization to make 
sure that we shrink down the amount of responsibility so the 
people in those boxes can actually get their hands around it 
and do it instead of having too much to do, which I think we 
had previously, is to change the law that is set up at the 
Department of Veterans Affairs as a cabinet agency, because 
IBM, a respected contractor that came in to help us figure out 
what this reorganization could be, said that some of those 
positions should be Deputy Assistant Secretaries in order to 
get the people that we want to get that maybe took another job 
because they had a better offer.
    And the law that established this Department established a 
number of Assistant Secretaries and then put a ratio of Deputy 
Assistant Secretaries. The IBM recommendation is that we have a 
significantly larger amount of Deputy Assistant Secretaries.
    So I would ask you to amend the law. That is an issue that 
we have to deal with, and I am trying to answer your question 
and again play by the rules.
    Mr. Walz. I appreciate your candidness.
    Mr. Mansfield. The other issue is that we have a limited 
number of SES positions. And when the 4,600 people were 
transferred in here from the field to put together an 
organization, how many SES positions were transferred in?
    Mr. Howard. None with those transfers.
    Mr. Mansfield. None. So that is an issue that we are 
dealing with, and that means that in my responsibility to 
allocate those positions across the Department, I have to pluck 
them from somewhere else, which I have done, but there are more 
requests for that on the table too. And we have to go through 
things like that. So that means we are going back to OPM and 
trying to get that number raised up.
    And then the other part is as the Assistant Secretary 
indicated, with this person that was hopefully going to be in 
the job out of the picture, then we have to go back and what, 
do we have to post it again?
    Mr. Howard. Uh-huh.
    Mr. Mansfield. So we have to go through a long, lengthy 
process that just is there. I am making the point. We live by 
those rules, and those rules were put in place and that is the 
law and those are the regulations. We live by them and we try 
and, you know, push as far as we can on those, but there are 
restrictions involved here.
    Mr. Walz. Well, I appreciate your candor, and I will finish 
up on my last bit of time here.
    Are you optimistic inside the parameters you have to 
operate it that we can get security on this data? Can we get 
this done or are we simply chasing after our tails on this 
because of the parameters that are put on you and we are never 
going to get there?
    Mr. Mansfield. We will get it done, sir. We will get it 
done. The problem we have is time and people. We can work with 
the people. We can do a better job of educating them. We can 
make sure they understand what they need to do. We can follow 
Ms. Brown-Waite's suggestion and make sure they understand if 
they do a wrong, then there are sanctions available.
    But we have got 235,000 individuals out there and we have 
got tens of thousands of contractors and every June, we have 
got how many thousand residents and interns coming in the door?
    Mr. Howard. Tens of thousands.
    Mr. Mansfield. Tens of thousands there, so we have got to 
go through that. I wish I could tell you we could line everyone 
up and zap them and it would take place.
    Mr. Walz. Thanks, Mr. Mansfield.
    Thank you, Mr. Chairman.
    Mr. Mitchell. Thank you.
    Mr. Rodriguez.
    Mr. Rodriguez. Mr. Chairman, if I could follow-up on the 
same, if it is okay.
    What I am getting and what I am seeing is a bureaucratic 
nightmare, and I can just assume in terms of what you are 
having to go through. So I am thinking you almost need an 
external group coming in, you know, in terms of cyber security 
to go in there and take care of it for you.
    You say no, but, my God, you almost need someone, a task 
force to deal with it and come and tell you where the gaps are 
and what you need to do that is external from you to be able to 
tell them how to protect that.
    And I am just going to share with you, you know, I was 
engaged in one of the few exercises prior to 2000 on that 
glitch referred to as dark screen out of San Antonio. And as a 
result of that, there is a whole group, you know, and I think 
Senator Hutchinson and them came up with--because we did not 
have enough people in cyber security--they came up with a 
Master's Degree there. And there is a group there that has been 
going around the country helping both the private sector and 
the public sector on cyber security. And, you know, you almost 
need somebody in all honesty because you have got to pull this 
off as quickly as possible, and they can tell you where the 
gaps are. They can tell you what you need to do. They could 
even tell you that they can break into it now or not.
    And so, I hate to do something like that but I think that 
that would be something that is probably almost needed where 
you need an external task force to come in there and take care 
of it. And I think that would really be helpful not only to 
you, but to all the veterans that you are serving, because I 
know that you are sincere about wanting to do that.
    But I also sense your frustration and the fact that in some 
areas, you are having some--you know, look at that chart. My 
God, you have got a mess. And so you need an external group to 
come in there and tell you gaps that you are probably not aware 
of that you already have and how to correct it.
    Mr. Mansfield. Well, sir, I would agree with you and make 
the point that in the process of getting to here, we did that. 
As a part of the reorganization, we brought in IBM and we 
brought in subsidiary contractors under that, and they came up 
with many of the recommendations from an outside view looking 
at our system, taking a chance to go around and look at it and 
help us understand what we needed to do. And part of that chart 
that you see there is as a result of that. Also some of the 
processes and policies that we need to put in place were 
recommended by them.
    Mr. Rodriguez. Mr. Chairman, I apologize. I would presume 
that if this continues, I would ask if maybe there is some way 
that as a Committee, we can force an external group to go in 
there as a task force to look at the whole--and people that are 
trained in cyber security to protect the agencies and to 
protect the Department of Energy.
    There are groups out there, because we get hit, you know, 
through cyber space. And those same people that hit us are real 
good at also being able to protect us, but also learn where the 
gaps are at. And at some point in time when the agency 
continues to have difficulty that we take that into 
consideration.
    Mr. Stearns. Will the gentleman yield?
    Mr. Rodriguez. Yes, sir.
    Mr. Stearns. I think your suggestion is excellent. And the 
GAO has made recommendations since 1998, 150 recommendations, 
and they have not been implemented. Even their Inspector 
General of the Veterans, there are 16 recommendations from 2004 
that have not been implemented. So I think your idea is 
absolutely on target that we need to have an outside group.
    And there are outside agencies, like accounting firms, that 
went in and checked Enron. You could have these outside 
security firms go in there and give you the information you 
want. And right now they have thousands of computers they have 
not even inventoried or encrypted. So I think your suggestion 
is right on target.
    Mr. Rodriguez. Thank you.
    Mr. Mitchell. Just one comment that I think will help 
everyone. Looking at this chart, I can see why things are not 
really moving, because no one up here can read it. I do not 
think anybody can.
    And I would suggest next time that you bring a picture 
chart and also provide all the Members with a chart because I 
have no idea what that says. I can see, I think, it is yellow 
and blue and white boxes, but that is it. So I would suggest 
that next time you make a presentation like that that you 
provide us all with----
    Mr. Howard. Mr. Chairman, we have----
    Mr. Mitchell. That would be nice.
    Mr. Mansfield. Secretary Howard mentioned in his comments 
that if you want to discuss it that we would go forward and do 
that. I apologize for----
    Mr. Mitchell. You keep referring to it, so I assume you 
wanted us to be able to see it.
    Mr. Mansfield. Yes, sir.
    Mr. Mitchell. Mr. Rodriguez.
    Mr. Rodriguez. Yeah. One last comment. And I sense you are 
sincere in terms of wanting to do the right thing. But I also 
pick up in terms of the fact that I am sure there is some 
frustration on your part in terms of trying to accomplish what 
you need to get done. And so with that, I will stop.
    Mr. Mitchell. Thank you.
    Mr. Davis.
    Mr. Davis. Thank you, Chairman, for letting me participate 
again.
    Mr. Mansfield, let me use March 2006 as the trigger for 
this question. That was, as I understand it, the time in which 
there was a fairly significant data security breach at the VA. 
Have I got the timeframe right, March 2006?
    Mr. Mansfield. Sir, it was May of 2006.
    Mr. Davis. May 2006. Since May 2006, how many data breaches 
are believed to have occurred at VA facilities?
    Mr. Mansfield. Sir, I can tell you that from the SOC report 
that we get, and I do not have a number with me, I will provide 
that to you as a followup to this hearing, but we know that 
there have been hundreds of them in the sense of actual 
violations of either the law or the regulations.
    Mr. Davis. And you mean hundreds just in that timeframe 
since May of 2006?
    Mr. Mansfield. Yes, sir. Since we put this new SOC 
reporting system into place following the May incident.
    Mr. Davis. What would you estimate the largest amount of 
information that has been compromised in any of those hundreds 
of breaches?
    Mr. Mansfield. How many were in the----
    Mr. Howard. It was Birmingham.
    Mr. Mansfield. I think the Birmingham incident where we are 
talking about----
    Mr. Howard. It is number two.
    Mr. Mansfield [continuing]. Is the second one, 
approximately a half a million veterans and approximately the 
same number of providers.
    Mr. Davis. Well, give me a general estimate in what you 
describe as the hundreds of breaches that have happened since 
May of 2006. Give me an estimate of the amount of information 
that you think has been compromised collectively.
    Mr. Mansfield. Again, sir, let me go back for the record. 
Some of these reports involve two veterans' information or----
    Mr. Davis. That is what I am asking you. I understand that.
    Mr. Mansfield. Yeah. I mean, I do not have that in front of 
me. Well, I can get it and have it provided for you.
    Mr. Davis. I am certainly not empowered to make requests on 
behalf of the Committee, but I suspect the Committee would be 
interested in having that information, and leads to my next 
question.
    Mr. Mitchell. Absolutely.
    Mr. Davis. Other than the Birmingham breach, how many of 
these breaches have resulted in a public notification?
    Mr. Mansfield. The UNISYS?
    Mr. Howard. Sir, let us get back to you on that. There have 
been a number of them. But to give you a precise answer, we 
need to go back and check.
    Mr. Davis. Mr. Mansfield?
    Mr. Mansfield. I would just make the point that in some 
cases, there have been lower numbers here. The veterans have 
been notified that or possibly also employees that might have 
been identified, but not necessarily the public. So we have to 
go back again and sift through all that and then followup. Many 
of these decisions can be made at the facility level.
    Mr. Davis. Is it safe to say that the Birmingham incident 
is the only instance in which a press release has gone out from 
the VA notifying the public of a breach since May 2006?
    Mr. Mansfield. No, sir.
    Mr. Davis. How many other times has a press release gone 
out notifying the public?
    Mr. Mansfield. I will have to go back and check. I do know 
on the UNISYS, there were a number of press releases. That was 
the one where one of our contractors--I am not sure how many----
    Mr. Davis. That leads to my next set of questions. I do not 
get a sense that there is a hard and fast policy regarding when 
you notify, when your agency notifies and when you do not. Can 
you give me a short, quick sense of what is the trigger, when 
do you all engage in public notification?
    Mr. Mansfield. It is a combination of events. I think at----
    Mr. Davis. Is there a statute you can point me to or 
regulation that you can point me to by number?
    Mr. Mansfield. I am going to have to go to my general 
counsel, sir. I cannot point to a statute.
    Mr. Davis. Let me ask the general counsel. I am seeing if 
there is a particular place that contains the relevant policy.
    Mr. Mansfield. Well, I think again, it becomes a question 
of what is the size of the event, what is the information given 
out. In some cases, it may be that there is incorrect 
information given out in the press and there may be an attempt 
to try and correct that.
    Let me also make the point that in any serious breach where 
the IG moves in and accepts the responsibility to go forward 
with a recommendation, they generally request us not to make 
any public notification.
    Mr. Davis. Let me ask you about that, Mr. Mansfield. And to 
me, that is one of the major problems here. I understand that 
there was a request from the IG, wait, let us do a more 
thorough investigation. I understand that at some level, but 
here is the problem. Every moment of delay is a moment in which 
information can be compromised. Every moment of delay is a 
moment in which information can be misused or misbilled. And it 
would seem to me that the balance would err in favor of 
notification, and that does not appear to be where the balance 
was in this case. Am I wrong?
    Mr. Mansfield. I will not say that you are wrong, sir. I 
will say that----
    Mr. Davis. Why shouldn't the benefit of the doubt be given 
to the veteran?
    Mr. Mansfield. Part of it is, sir, in those early 
instances--for example, in this case, we did not have the 
information available to go notify the veterans or know how 
many veterans there were actually involved or know who they 
were and where they were and how we can get in touch with them.
    Mr. Davis. Once you got that information, did notification 
occur?
    Mr. Mansfield. Yes, sir.
    Mr. Davis. Well, I am not sure if that is accurate, but let 
me move on if the Chair would indulge me to have just a few 
more seconds here.
    You made a reference in your opening statement to the 
Birmingham facility, and I looked for your written statement 
and I did not find a reference characterizing the conduct or 
the performance of the Birmingham facility.
    So let me ask you. Would you grade for me the Birmingham 
facility with respect to its handling of this matter? Would you 
give them an assessment or grade?
    Mr. Mansfield. Well, obviously with the problem that we 
have here, there is some concern about what happened. I am 
still waiting for the IG to hand me an investigative report.
    Mr. Davis. What is the nature of the concern? I understand 
there is an individual who is compromised, and I do not want to 
get into the details of that if there is an ongoing 
investigation. But beyond that individual, would you assess the 
performance of the VA in Birmingham?
    Mr. Mansfield. No, sir. I am not going to do that now.
    Mr. Davis. And the reason?
    Mr. Mansfield. I would be happy to go off line and away 
from the domain here and have a conversation.
    Mr. Davis. Is that not a matter relevant to the public? 
What is your position, sir?
    Mr. Mansfield. I am trying to follow the directions and 
orders that I have and perform the job that I am supposed to 
perform for my boss, who is the Secretary of the Department of 
Veterans Affairs, and allow him the ability to make what 
decisions he has to make in the proper forum.
    Mr. Davis. Mr. Chairman, I am sensing the fact that my time 
is out. If I can just wrap up with one observation.
    I am concerned by that answer, Mr. Mansfield, because this 
is the people's business. This is the ultimate public domain, a 
congressional hearing, and if it is the assessment of senior 
management at the VA that the Birmingham facility is not 
meeting its obligations with respect to data security or some 
other aspect of this matter, I would like my constituents in 
Birmingham to know that and I think that that is not a 
privileged matter. It is not a matter of national security. It 
is something they are entitled to know.
    Mr. Mansfield. When that decision is made, sir, I will make 
sure that I let you know and that we let the people know. And I 
would state for the record that notification of veterans 
started on 5 February of 2007.
    Mr. Mitchell. Thank you.
    Before I call on Mr. Bachus, I was just made aware that 
Public Law 109-461 enacted in December of 2006 permits the 
Secretary of the Veterans Administration to determine when to 
announce and make public any information of this kind.
    Mr. Bachus.
    Mr. Bachus. Thank you.
    Mr. Mansfield or Secretary Mansfield, my father was a 
veteran who was treated at the VA facility. He is now deceased, 
but my mother received notification that his records were among 
those lost.
    And I will tell you if he were here today, the first thing 
he would say is thank you for the medical care he received at 
the VA hospital. It was first rate. He had Alzheimer's, and he 
had the veterans facility there, partners with the UAB Medical 
Center, and he received medical care that was second to none.
    Mr. Mansfield. Thank you for those comments, sir.
    Mr. Bachus. Wonderful staff there. Y.C. Parris, I see is on 
the third panel. It is a wonderful staff. So I do think, to put 
this in perspective, this is one employee. Did he violate a VA 
written rule? I mean, is there----
    Mr. Mansfield. The individual that reported the incident 
and----
    Mr. Bachus. Yes.
    Mr. Mansfield. Yes.
    Mr. Bachus. What has been reported is he downloaded the 
entire system on a hard drive and then took the hard drive off 
premises; is that correct?
    Mr. Mansfield. Yes. And the rules state that you can do 
that, but to do it, you need your supervisor's permission and 
they have to be encrypted.
    And the original report we received through the SOC, we 
were told that the numbers were less than eventually turned out 
to be true. I think he reported somewhere around 48,000 to 
56,000 and reported that the information had been encrypted.
    But when the forensic people from the FBI with the IG went 
in and did the forensic examination, that is when we started to 
find out that we had these mega numbers involved in the--
potentially had these--we still do not know what they are, but 
potentially had these mega numbers involved.
    Mr. Bachus. You know, I think maybe a problem may be what 
is the policy on either downloading information on a hard drive 
or thumb devices and then walking out of the VA with those 
devices. To me, there ought to be a pretty firm rule that you 
do not do that or that all information is encrypted.
    Mr. Mansfield. That is the current status in Directive 6504 
which has been published as a followup to the May incident. 
There is a requirement, as I stated, to get permission and then 
have it encrypted.
    Mr. Bachus. You know, this Committee, I am not on the 
Committee, but they receive a weekly update on any security 
breaches, and one of those breaches that they received was an 
instance where a staff member was checking software on various 
machines at a VA facility and found that many of the 
workstations were logged on. There was no one at the desk and 
they had not logged out. And you could take that computer and 
go into the entire NT system. Is that a violation of the rules?
    Mr. Mansfield. Yes, that is, sir. When that station is not 
being used, it has to be shut down.
    Mr. Bachus. There are no locks in place?
    Mr. Mansfield. There are time-outs where, you know, after a 
certain period of time, and I do not know exactly on those 
machines you are referring to, but that the machine will shut 
itself down. That is a new thing we have----
    Mr. Bachus. Yeah. The person involved here was actually a 
computer programmer, was it not?
    Mr. Mansfield. I am not sure which one you are referring 
to.
    Mr. Bachus. In Birmingham.
    Mr. Mansfield. Oh, I am sorry. Yeah. In that incident, yes.
    Mr. Bachus. I am sorry. I did confuse you.
    Mr. Mansfield. Yes, you are right, that was the person that 
we are talking about. It was a status 2210 computer.
    Mr. Bachus. So he certainly knew the risk involved.
    Mr. Mansfield. He reported the issue because he knew that, 
you know, there was a problem. There are other issues that 
apply to it too that----
    Mr. Bachus. Was it not in the report that it was lost off 
premises though?
    Mr. Mansfield. Actually, I just know that it was reported 
lost.
    Mr. Bachus. I will say this. The day that the VA in 
Birmingham discovered it, they notified the IG, which was the 
next, you know----
    Mr. Mansfield. They notified the SOC, which is us, and we 
notified the IG.
    Mr. Bachus. I am sorry. The SOC. So their notification to 
you was immediate?
    Mr. Mansfield. Well, yes.
    Mr. Bachus. One last question, if I could. The thing that 
probably disturbs me that I heard today that, you know, of 
course, you shared it with us February 9th, which you asked us 
not to make it public, you know, obviously has come out in this 
hearing.
    Is the 1.3 million medical health providers, and it is not 
all doctors--I know some are dead, but most are alive and, you 
know, therapist, anyone that bills the VA basically is what we 
are talking about here, is that right, or does research for the 
VA or medical care, 1.3 million healthcare providers?
    Mr. Mansfield. Excuse me. Could you restate that? Is the 
question, are any of those private providers people that would 
bill the VA?
    Mr. Bachus. Yeah.
    Mr. Mansfield. Potentially could.
    Mr. Bachus. No. I mean, is it----
    Mr. Mansfield. I mean, I do not know, but potentially they 
could be.
    Mr. Bachus. Okay. Well, now, the physicians, I will just 
say that, you know, was it their names were on there, their 
date of birth, their credentials also, right?
    Mr. Mansfield. Their specialties, yes, sir.
    Mr. Bachus. Their specialties. The schools they studied at 
were on there?
    Mr. Mansfield. I am sorry, sir?
    Mr. Bachus. The schools they studied at would have been on 
there because that is the HHS form, is that correct?
    Mr. Mansfield. Sir, we will double check for you, sir. I 
believe that you are right.
    Mr. Bachus. Yeah. Yeah, the form that you have identified 
as being the HHS form has the school they studied at, their 
provider numbers, their billings, license. And somebody 
mentioned a medical license number. That is a tremendous amount 
of information.
    Mr. Mansfield. I think that may be the M link number which 
again is potentially another number.
    Mr. Bachus. Okay. All right.
    Mr. Howard. The school they graduated from is also on 
there, sir.
    Mr. Bachus. What?
    Mr. Howard. The school they graduated from----
    Mr. Bachus. Where they graduated medical school.
    Mr. Howard. We have a picture we can actually show you.
    Mr. Bachus. And I actually have pulled up what is on that 
HHS--it is HHS information. But you mentioned a medical 
license. Is that different? What is the medical license? Is 
their medical license number included there?
    Mr. Howard. Are you referring to the M link?
    Mr. Bachus. No. I do not know. Someone in this hearing 
mentioned the word medical license.
    Mr. Howard. State license, yes.
    Mr. Bachus. Oh, okay. Their State medical license. Okay. 
All right.
    Mr. Stearns. Is it medical license number?
    Mr. Bachus. Yeah, their number, their license or State 
license. Okay. Now, the provider numbers, their billing 
licenses is all on there?
    Mr. Mansfield. No.
    Mr. Howard. I do not see it.
    Mr. Bachus. Okay. All right. You know, all that information 
surely puts them at very high risk for Medicare billing fraud. 
I mean, someone else could bill for their services. But what I 
am hearing today is that they have not been notified?
    Mr. Mansfield. Sir, not yet, sir. We are still trying to 
identify. Much of this information is available to the general 
public on other Web sites, too, also. So we are trying to 
figure out what additional risk do we have to deal with here 
based on what information is provided on this document.
    Mr. Bachus. But now, I guess you could not go publicly. 
Could you go in and get all that including their Social 
Security numbers and their billing license, their provider 
numbers?
    Mr. Mansfield. Go ahead.
    Mr. Bachus. I would hope that is not public.
    Mr. Mansfield. I would ask General Howard to answer that 
question, sir.
    Mr. Howard. Sir, in the case of physicians, the name and 
date of birth, in fact, the date of birth of physicians can be 
found on Web sites. For the other providers, that may not be 
the case. So in the case of physicians, there are at least two 
items of information that we would consider sensitive that are 
available, you know, the name and the date of birth.
    Mr. Bachus. And I guess it begs the question. I will end 
with this. As a result of that, you have got all this 
disclosure out there. And I do not know whether it has fallen 
into anyone else's hands or not, but it seems like at least one 
question you might be asking is do you change these numbers in 
the national system. But I know you are in touch with CMS, but 
have there been any reports of any fraudulent billings?
    Mr. Mansfield. No, sir, not to our knowledge.
    Mr. Bachus. Thank you.
    Mr. Mitchell. Thank you.
    There are two people who said they wanted a followup 
question real quickly.
    Mr. Stearns, did you want to have a followup very quickly 
and then Mr. Davis, and then we are going to take a 5-minute 
break?
    Mr. Stearns. My colleague, Mr. Bachus, had mentioned that 
he is concerned about fraud. And, Mr. Chairman, the only thing 
I think, you cannot get all that information in one fell swoop 
like that.
    And it seems to me that you have got to make an assessment 
here for CMS and the veterans of the degree of fraud that could 
be instigated because you have all this information. You would 
set up a dummy office as well as stationery and you could say I 
am billing for John Miller, a followup, because you obviously 
can send with all this information and how would Medicare not 
know if you put together a bill and sent it forward? Why would 
Medicare not pay it with all that information available?
    So I think there is a danger of loss of personal 
identifiable information for veterans, but also you have a 
possibility of fraud on CMS. And that is just an area that I 
think somehow you have got to get a handle on. And I am not 
sure except one of my colleagues suggested having an expert 
outside auditing firm come in and help you assess the risk as 
well as to try and implement some procedures.
    Thank you, Mr. Chairman.
    Mr. Mansfield. That is, as I mentioned, sir, a requirement 
of the statute and does require independent analysis. We have a 
responsibility within 180 days of passage of the law to write 
the regulation that would make that work since we do not have 
that regulation written yet. We are in the process, as I 
indicated, in discussions with CMS, CMS lawyers, and how do we 
go forward in attempting to do that.
    And I would make the point that, as mentioned earlier, that 
we do have to be--we have had discussions, many discussions 
about this, and we do have to be aware and we do have to take 
it very seriously. But part of the problem is, you know, we 
have been working on the effort to identify whose identities 
actually are in there and, you know, as mentioned, which ones 
are alive and then exactly how many are physicians versus other 
providers. And then we have to do a process to get the 
addresses if we go forward. So we are working on these issues 
internally.
    Mr. Stearns. One other thing I would caution you about is I 
understand you have not done a full audit of all your computers 
and you have not instigated an encryption procedure.
    So, you know, the staff showed me you have had other 
incidents of loss or breach of information and it is going to 
continue to happen unless you get a handle on this which means 
you have got to complete your audit on these computers, you 
have got to put encryption protocol that I mentioned, or you 
are going to have this on your watch again and again.
    Mr. Mansfield. As I mentioned earlier, we are aware of 
that, sir. And as I mentioned earlier that with a decentralized 
system that we have and the fact that we are not standardized, 
we do need to move toward standardization, that there are not 
any simple fixes that allow us to just punch in the answer and 
go forward.
    We have to make sure in each of the many very different 
systems that we have across the VA, across all these hospitals 
and healthcare systems, that it is going to work and not shut 
down a system. And it is a lot more involved than I understood 
it was when we started this. And we are going forward as fast 
as we can to make sure that we get it done. But, again, the 
lead word is still do no harm and make sure that we get the 
veterans that are coming in for treatment treated and taken 
care of.
    Mr. Mitchell. Thank you.
    Mr. Davis has one question, then Ms. Brown-Waite has one 
question. We want to get to the second panel.
    Please ask the one question.
    Mr. Davis. Thank you, Mr. Chairman.
    Mr. Mansfield, with respect to the hundreds of breaches 
that you say have occurred since just May of 2006, has a single 
VA employee been fired or disciplined as a result of any of 
those breaches?
    Mr. Mansfield. The answer I am told is yes, but let me, if 
I may, sir, go back and make a point. All these reports are not 
IT breaches. Some of them are paper records. Our Veterans 
Benefit Program is based on paper files of millions of 
veterans. Some of them are based on paper records in other 
incidents. So they are not all IT.
    Mr. Davis. Thank you.
    Mr. Mitchell. Ms. Brown-Waite.
    Ms. Brown-Waite. A quick question about the cyber security 
person that you were going to hire. If you had, you know, 
narrowed it down to the top three or the top five and the one 
person declined, is there a reason why you cannot go back and 
look at the second person? Do you have to rebid this?
    Mr. Howard. Yes. That is what the process is.
    Ms. Brown-Waite. Thank you.
    Thank you, Mr. Chairman.
    Mr. Mitchell. Thank you.
    We are going to take a 5-minute recess and then have the 
second panel come up. Thank you.
    Mr. Mansfield. Thank you, Mr. Chairman and Members.
    [Recess.]
    Mr. Mitchell. All right. We will continue this Subcommittee 
hearing. I want to welcome panel number two. I welcome panel 
two to the witness table.
    And these individuals provide our Subcommittee with a major 
service not only in their ability to provide independent 
assessments of VA program performances, the GAO and VA IG are 
able to place the performance of VA's information security 
management program in a historical context. This allows us to 
better understand if cultural resistance has developed in the 
program and how to cope with this resistance.
    I have asked Mr. Claudio in his newly-created role in the 
Office of IT Oversight and Compliance to sit in on panel two 
and to answer our questions. That his position was recently 
created by the Secretary to provide a feedback mechanism with 
regard to the information security program is laudable. We are 
interested in his grass-roots viewpoint. And we will begin with 
Mr. Wilshusen.

     STATEMENTS OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION 
         TECHNOLOGY SECURITY ISSUES, U.S. GOVERNMENT 
    ACCOUNTABILITY OFFICE; MAUREEN REGAN, COUNSELOR TO THE 
   INSPECTOR GENERAL, OFFICE OF THE INSPECTOR GENERAL, U.S. 
    DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY KENNETH 
SARDEGNA, DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDIT, OFFICE 
OF THE INSPECTOR GENERAL, U.S. DEPARTMENT OF VETERANS AFFAIRS; 
  AND ARNALDO CLAUDIO, DIRECTOR OF OVERSIGHT AND COMPLIANCE, 
 OFFICE OF INFORMATION TECHNOLOGY, U.S. DEPARTMENT OF VETERANS 
                            AFFAIRS

                  STATEMENT OF GREG WILSHUSEN

    Mr. Wilshusen. Thank you very much, Chairman Mitchell, 
Ranking Member Brown-Waite, and Members of the Subcommittee. 
Thank you for inviting me today to participate in the hearing 
on information security management at the Department of 
Veterans Affairs.
    Recent well-publicized security breaches at the Department 
have highlighted the importance of effective information 
security controls in protecting sensitive and personal 
information not only at VA but throughout government.
    As we have reported on many occasions, poor information 
security is a widespread problem that can have devastating 
consequences, such as disruption of critical operations and 
unauthorized disclosure of highly sensitive information.
    Today I will discuss the recurring security weaknesses that 
have been reported at VA and the actions taken by the 
Department in response. I will also discuss our ongoing work at 
the Department.
    Since 1998, GAO and the Inspector General have reported on 
wide-ranging deficiencies in the Department's information 
security controls, including a lack of effective control to 
prevent individuals from gaining unauthorized access to 
computer systems and sensitive data and to detect them if they 
do.
    In addition, the Department had not consistently provided 
adequate physical security for its computer facilities, 
assigned duties in a manner that segregated incompatible 
functions, controlled changes to its operating systems, or 
updated and tested its contingency and disaster recovery plans.
    These deficiencies existed in part because VA had not 
implemented key components of a comprehensive integrated 
information security program, including the lack of centralized 
management and approach for addressing security challenges.
    VA has taken important steps to improve security, including 
realigning its security functions and personnel under the 
Department's CIO Office. It has also developed a data security 
corrective action plan that is to guide and track the 
Department's efforts in implementing its information security 
program and controls.
    However, many of these efforts have not yet been 
implemented. For example, key policies such as those for 
assessing risk and implementing enterprise patch management have 
not yet been developed.
    In addition, the Department has not established a track 
record of proactively mitigating known weaknesses across all of 
its systems. As a result, sensitive information remains 
vulnerable to inadvertent or deliberate misuse, loss, or 
improper disclosure as the breaches demonstrate, nor has the 
Department consistently satisfied the provisions of the 
``Federal Information Security Management Act'' (FISMA).
    OMB requires agencies to annually report on their progress 
implementing FISMA by October 1. Although it sent a draft 
report to OMB, the Department has not yet submitted its 
official annual report for 2006. It is the only one of the 24 
``CFO Act'' agencies that has not yet done so.
    At the request of this Subcommittee and other congressional 
requesters, GAO is presently reviewing the Department's lessons 
learned on notifying officials and affected individuals on data 
breaches, actions to strengthen information security, inventory 
and accountability controls over IT equipment, and efforts in 
implementing the VA's IT realignment initiative. These reviews 
are ongoing and will be completed later this year.
    In summary, longstanding control weaknesses at VA have 
placed its information systems and information at increased 
risk of misuse and unauthorized disclosure. Although VA has 
made progress in mitigating previously reported weaknesses, it 
has not taken all the steps needed to address these serious 
issues. Only through strong leadership, sustained management 
commitment, and vigilant oversight can VA implement a 
comprehensive information security program that can effectively 
manage risk on an ongoing basis.
    Mr. Chairman, this concludes my statement. I would be happy 
to answer questions.
    Mr. Mitchell. Thank you.
    Ms. Regan.
    [The statement of Gregory Wilshusen appears on pg. 63.]

                   STATEMENT OF MAUREEN REGAN

    Ms. Regan. Thank you.
    I would like to have our full statement submitted for the 
record.
    And before beginning, on behalf of the OIG I would like to 
second the Deputy Secretary's comments regarding Mr. Sistek's 
retirement or move from the Committee. We have really enjoyed 
working with him over the years, and we will miss him.
    Mr. Chairman, Members of the Subcommittee, thank you for 
the opportunity to address OIG oversight efforts of the VA's 
information security program, its effectiveness, and the need 
for cultural change within VA.
    To answer questions regarding these issues, I am joined by 
Ken Sardegna, our Deputy Assistant Inspector General for 
Auditing.
    Issues related to information security are twofold. The 
first is the protection of sensitive information maintained on 
VA automated systems from unauthorized access. The second is 
whether individuals who are authorized access to sensitive 
information adequately protect it from loss, theft, or 
inappropriate disclosure.
    Today I will highlight that there have been longstanding 
problems in VA with respect to protecting sensitive information 
that have not been fully addressed. Our FISMA audits have 
identified information security vulnerabilities every year 
since fiscal year 2001.
    VA's efforts to address these vulnerabilities in a timely 
manner have been hampered by the magnitude of the problems and 
aging IT infrastructure and the lack of standardized IT systems 
throughout VA.
    To address these vulnerabilities, we have recommended that 
VA pursue a more centralized approach to IT management, apply 
appropriate resources, and establish a clear chain of command 
to enforce internal controls and hold individuals accountable 
for not protecting information.
    In our ongoing 2006 FISMA audit, we determined that all 17 
recommendations cited in prior FISMA reports remained 
unimplemented. In addition to the 17 unimplemented 
recommendations, we anticipate identifying several new high-
risk areas associated with certification and accreditation of 
VA systems, remote access, and access to sensitive information 
by non-VA employees. Until all matters are fully addressed, VA 
systems and VA data remain at risk.
    The May 2006 theft of an employee's personal hard drive 
containing protected information on at least 26 million 
veterans and active military highlighted how vulnerable VA is 
to compromising information on veterans.
    In reviewing how this incident occurred, we found a 
patchwork of policies that were fragmented and difficult to 
locate. None of the policies prohibited removal of protected 
information from the work site or storing protected information 
on personally owned computers. These policies also did not 
provide safeguards for electronic data stored on portable 
media, such as laptops.
    We also found information provided to VA employees and 
contractors needed to be better safeguarded. Background 
investigations were not always required or done. Procedures for 
reporting potential data losses needed to be improved. We made 
five recommendations to VA to correct these problems. To date, 
all five recommendations remain open.
    As a result of this incident and subsequent actions taken 
by the Subcommittee, there is greater awareness in VA regarding 
the issue of information security. However, VA still lacks 
effective internal controls and accountability.
    Since July 2006, the VA Security Operations Center has 
received reports of approximately 3,600 incidents. The 
incidents included unauthorized access, missing, stolen, or 
lost laptop computers, improper disposal, and numerous 
incidents involving unencrypted e-mail messages containing 
sensitive information.
    Of the 3,600 incidents, 250 were referred to the Office of 
Inspector General. Of these, we opened 46 investigations. One 
of the most significant is our current investigation of the 
data loss at Birmingham, Alabama.
    Information security remains a major challenge for VA. For 
example, VA has not yet determined how many employees and 
contractors use non-VA computers to access VA systems. VA does 
not know what VA data is being stored on these computers, 
external hard drives, and other portable devices.
    VA also has no means to monitor whether access to data is 
limited to the information needed to conduct business. And much 
of VA's databases and e-mail remains unencrypted.
    VA will not be able to safeguard data unless three 
important actions are taken: Hold individuals accountable for 
compliance with policies and procedures; provide employees with 
VA-owned computers and encryption software; continue to enhance 
employee awareness of the need for a cultural change.
    Equally important, VA must find a way to implement these 
actions without impacting VA's ability to fulfill its mission.
    Thank you again for this opportunity to update you on the 
status of our ongoing work. We will be happy to answer any 
questions you may have.
    Mr. Mitchell. Thank you very much.
    [The statement of Maureen Regan appears on pg. 60.]
    Mr. Mitchell. I have a question for Mr. Claudio. You 
essentially are able to provide a fresh new perspective with 
regard to field-level activities in information security 
management at the VA. We welcome your perspective.
    Do you believe that policy guidance to the field is 
comprehensive and unambiguous with regard to information 
security management and do you believe that the policy guidance 
is rigorously enforced by field-level managers?

                  STATEMENT OF ARNALDO CLAUDIO

    Mr. Claudio. First of all, sir, thank you very much. And 
before I start, I want to say that I am honored and privileged 
to be here today and to you, Mr. Chairman and Members of the 
Subcommittee, I appreciate the opportunity to come in here and 
speak truthfully of what I have seen out in the field to you.
    Actually, I am very pleased to hear that Mr. Rodriguez and 
Mrs. Brown-Waite have basically talked about accountability and 
have talked about putting the point into who is the person to 
be looked at when we are talking about breaches of data, so 
forth and so on.
    My office was created and actually executed on the 22nd of 
January. It is an office that is called the Oversight and 
Compliance. And I do not know. It was not discussed that much 
over here, but I am the person with my organization to go out 
there and do assessments on policies, assessments on validation 
of laws, assessments and safeguard and maintaining in the areas 
of cyber security, the areas of record management, and privacy.
    Within the last 30 days, and by 15 March, we will have 
completed 16 assessments.
    To answer specifically your question, I think the IG 
basically brought up some very important points in terms of 
lack of accountability, enhancement of awareness in part. I 
have gone out and I have reviewed 6504. I have looked at every 
policy there is. And if you are a person that belongs to VA and 
you have an understanding of what you are reading in pure 
English, it is very easy to follow instructions because they 
are very clear. There are memos to the memos to the memo. There 
is policy to the policy to the policy and it is all written 
there.
    What there is a lack of, and I think it was brought in, is 
looking at a person and holding that person accountable for his 
or her action of what has occurred. And that is really lacking 
out there. So to be pointed on this is the personal 
accountability is lacking, number one. So the policy is there.
    What it is, and we talked about change of mindset, is 
change of environment. I have sat in groups where there are 20 
to 30 doctors and these doctors, we talked about and discussed 
how to safeguard the I, which is the information. Still, some 
of them, even with their high level of understanding of other 
things, will probably fight the fact that the information is 
probably not as important as their research.
    So what we are looking at is a change of mentality here, 
which is going to take effect as we go through, and I think the 
wake-up call obviously on the 6 May and then on the Birmingham 
piece will definitely change attitudes.
    Mr. Mitchell. Thank you.
    I have one other question.
    Mr. Claudio. Yes, sir.
    Mr. Mitchell. Do you believe all incidents are reported and 
do you believe that there is unauthorized reproduction of 
databases and what is the threat associated with a hypothetical 
action like this?
    Mr. Claudio. Sir, I have been a cop for over 30 years.
    Mr. Mitchell. You have been what?
    Mr. Claudio. A cop, a policeman. My last job, I was the 
Chief of Staff for the Joint Force Headquarters, National 
Capital Region, also the senior Military Police in the Military 
District of Washington. And prior to that, I was in Iraq. I was 
the senior Military Police as an advisor to General Casey.
    I will tell you that you have to make some determinations 
of what you are going to report. There are cases that are 
insignificant. Your data breaches where they are insignificant, 
of one or two persons, that can be handled right there and then 
and remediation can be taken care of.
    So to tell you that every incident is reported, I do not 
think so. I think with the change of mindset that is occurring 
right now, you will see the volume of SOC reports actually 
increasing, doubling, and even tripling because a lot of people 
are putting conscience into what is going on. So in that term, 
you are going to see an increase of SOC reports coming into the 
fact. So that is the first part.
    Can you repeat the second part of the question, sir?
    Mr. Mitchell. Yes, sir. Do you believe that there was 
unauthorized reproduction of the databases and what would be 
the threat associated with this type of action?
    Mr. Claudio. Sir, there is not so much a reproduction. 
There is a possibility, based on the assessment that I have 
done, that data is being passed on through unencrypted 
computers. And because that is done right now, it definitely 
creates a tremendous risk for the veterans. Yes, sir.
    Mr. Mitchell. Thank you.
    Ms. Brown-Waite.
    Ms. Brown-Waite. I thank the Chairman.
    I have a question for Mr. Wilshusen. I am not picking on 
the VA, but they happen to be our Committee's jurisdiction. If 
you could tell me of the 150 some recommendations that have 
been made, what would you say are the top five? And if you--I 
will let you answer that.
    Mr. Wilshusen. Okay. First I would like to clarify a couple 
of things regarding the 150 recommendations. We made these 
recommendations back in 1998 to 2002. Many of our reviews and 
our recommendations are very specific, detailed configuration 
items on computer systems that identify specific computer 
control vulnerabilities.
    VA has to a large extent corrected many of them. However, 
what they have not done is that they have not taken the next 
step and proactively looked at the vulnerabilities that we 
identified on those systems because typically they would just 
correct the action on a particular system or device that we 
identified the vulnerability. They did not take the next step 
to look for and identify other devices or systems that are 
similar that could have the same vulnerabilities. And we would 
find those vulnerabilities on similar devices at other 
locations. So I would just like to clarify that.
    But I would say the key recommendation that they still need 
to address is implementing a robust, centralized information 
security program. They are starting to make progress in terms 
of centralizing some of the information security functions and 
personnel within the CIO's office, but they have not yet 
implemented all of the key activities associated with a 
comprehensive information security program in terms of being 
able to adequately assess their risk of the impact that could 
result from an unauthorized security breach to developing the 
policies and procedures that effectively mitigate those risks, 
including those configuration, management, and requirements for 
specific systems and operating platforms.
    They also need to assure that their staffs and their 
security personnel are adequately trained in security 
requirements as well as security awareness so they know what 
the threats are and their responsibilities are for implementing 
the policies and procedures for testing and assessing the 
effectiveness of controls on their systems and protecting the 
information on a regular and ongoing basis.
    And once they have done those tests, they need to develop 
remedial action plans to correct and mitigate known weaknesses 
not just on those devices where they have been identified but 
across the entire Department.
    Ms. Brown-Waite. Are other organizations as resistant to 
change and do other agencies have as much of a problem with 
breach of sensitive personal information as the VA does?
    Mr. Wilshusen. Well, I will say that certainly the security 
breaches at VA have been remarkable and, in fact, stunning in 
their scope and magnitude. However, they are by no means unique 
in the Federal Government. Other Federal agencies have suffered 
and have been exposed to security breaches and data breaches as 
well.
    In fact, one of the reviews that we have ongoing right now 
is to look at some of the lessons learned regarding similar 
data breaches at other Federal agencies, particularly as they 
relate to notification to government officials and affected 
individuals when such breaches occur. But certainly VA is not 
unique in the sense that other agencies also have security and 
data breaches.
    With regard to how robust their security controls are and 
program as compared to other agencies, I would say that they 
probably are near the bottom of the 24 ``CFO Act'' agencies. 
And this is based upon a couple of facts.
    One is on the FISMA report analysis, our analysis of their 
reports have consistently shown that in terms of at least 
meeting the performance measures that they are required to 
report under by OMB is that they generally have not fared as 
well as other agencies.
    In addition, the IG and its contractors have consistently 
reported that they have a material weakness in their 
information system controls as part of the financial statement 
audit and in the agency's performance and accountability 
report, which is another indication that their controls are 
lacking.
    Mr. Mitchell. Thank you.
    Mr. Bachus.
    Mr. Bachus. Thank you.
    I will direct this question, I guess, to Ms. Regan. The VA 
has failed its annual ``Federal Information Security Act'' 
review for 6 years in a row, is that right?
    Ms. Regan. I would have Mr. Sardegna answer that question. 
He is much more familiar with the audits.
    Mr. Sardegna. I believe we have been doing this since 2001. 
And, yes, as far as I understand, the VA has never been in 
compliance with the ``Federal Information Security Management 
Act.''
    Mr. Bachus. What happens when you fail that? Are there 
remedial measures or----
    Mr. Sardegna. Our past reports have identified 17 different 
issue areas that we have been reporting for a number of years 
now. Our reports go to the Office of Management and Budget, and 
as required we provide OIG information to be included in a 
joint report with the Department that we send forward.
    We also do a separate independent assessment which we 
provide to what now would be the Assistant Secretary for 
Information and Technology at the CIO and the different 
Administration heads of the agency.
    Mr. Bachus. Okay. But, you know, I think everybody, both 
panels agreed that the VA is not doing, you know, what they 
should do at the headquarters level at least.
    And, Ms. Regan, you mentioned three things they ought to 
do, is that right?
    Ms. Regan. Yes.
    Mr. Bachus. One was encrypting data?
    Ms. Regan. Yes.
    Mr. Bachus. Is the technology there to have encrypted the 
data on the hard drive in Birmingham?
    Ms. Regan. You can encrypt the data that you store on the 
hard drive. There is software that allows you to encrypt the 
data when you transfer it or work with it on the hard drive. It 
encrypts the hard drive in itself. The data that you put on 
there is encrypted through the software.
    Mr. Bachus. Is that made available to the employees in the 
VA who are downloading this information?
    Ms. Regan. It has not been made available yet to my 
knowledge. That is one of the issues with our second point. VA 
needs to provide VA-owned computers so that you can control 
what security measures are on the computer and buy this 
encryption software.
    Mr. Bachus. Now, that seems pretty simple really, does it 
not? I mean, the technology is there. It is not provided. And 
if it were, it would in this case and many others have resulted 
in the information that was lost not being subject to misuse or 
criminal intent.
    Mr. Sardegna. Well, if I may, Congressman, there are some 
complicating factors with the Department's IT infrastructure. 
As the Deputy Secretary has testified, there are multiple 
platforms. There are many really aging information systems and 
technologies that VA is trying to bring up to date by adding 
these new technologies for encryption.
    Ms. Regan. I also believe one of the main issues with 
respect to this is the cost. We have----
    Mr. Bachus. Is what?
    Ms. Regan. The cost.
    Mr. Bachus. Cost.
    Ms. Regan. I mean, there is a price tag to providing the VA 
computers, particularly with the emphasis on telework. If you 
want people to work at home or you have people working at home, 
VA would have to buy them VA laptops and have the software 
installed on them.
    Mr. Bachus. Of course, every time they work at home or 
every time they have a hard drive, there is a case where 
somebody could steal that hard drive or they could lose it. I 
mean, that is going to happen every time, right?
    Ms. Regan. Whatever it is, whether it is a laptop or even a 
desktop at home or whether it is a hard drive or other portable 
media device, they can get lost. They can get stolen. It is 
happening all over the country. I think it gives some sense of 
security when the hardware or the data was either encrypted or 
password protected which makes it difficult for somebody to 
access that data.
    Mr. Bachus. Yeah. And that had not been done to date, 
right?
    Ms. Regan. That has not been done. Some VA entities have 
implemented encryption for e-mails but most of VA has not.
    Mr. Bachus. Okay. Let me just close by saying Congressman 
Mitchell asked, you know, in how many cases is it not reported. 
And, Mr. Claudio, you said you were a law enforcement officer.
    Mr. Claudio. Yes, sir, I was.
    Mr. Bachus. I used to be Assistant State's Attorney 
General. I can tell you this employee, I do not know him, I do 
not know anything other than what I read in the newspaper, he 
reported it. That leads me to believe that is inconsistent with 
selling it or an intentional act. I mean, and I would say that 
probably by reporting it, he probably is in the minority of my 
experience with human beings. In most cases, they do not report 
it.
    Mr. Claudio. Actually, sir, we have seen a change in 
conduct on that. Like I said before, the SOC report is growing 
by the minute. There is a conscience out there and a great 
effort made by the leadership to pass on the message how 
serious this whole thing is.
    And, again, just by going around and assessing what is 
going on, I think there is being some very heart-to-heart talk 
from the leadership. As I go around, I meet first with the 
hospital director and I spend 15 to 20 minutes trying to assess 
where he or she is in terms of policies, in terms of 
regulations.
    But you can see a definite shift. We are not there yet. It 
is going to take some time. I think the reorganization is going 
to pay its fruit. We just got to give some time for that to 
happen.
    Mr. Bachus. Now, in this case, you had a director of the 
hospital who immediately notified headquarters----
    Mr. Claudio. Yes, sir.
    Mr. Bachus [continuing]. Knowing about the publicity, the 
consequences. He did his job. I worry about probably for every 
one of those directors one that says look for it some more, are 
you sure, you know, or an employee who does not come and report 
it.
    Mr. Claudio. Yeah.
    Mr. Bachus. And I think the answer to that is encryption 
and policies on, you know, certain information should not be 
shared with people. You know, I think that probably too many 
employees have too much information that they do not need to do 
their job, number one.
    Number two, I think this idea of taking stuff home and 
working on it on your computer ought to have some severe 
limitations because, you know, things happen on the way to and 
from work or at home.
    And, number three, encryption technology, a big cost, but, 
you know, we are going to be here having hearings once a month 
if you do not have it.
    Mr. Claudio. Sir, I could not agree with you more. I think 
the ultimate thing is that all data from the veterans is 
collected, distributed within the confinements of that facility 
period. And then there is enough space inside that server that 
can handle that so you do not have to go to an external drive, 
that you do not have to go and plug in a USB port and so forth.
    Mr. Bachus. Or put it on a thumb device or put it on a hard 
drive and take it home.
    Mr. Claudio. Correct, sir.
    Mr. Mitchell. Thank you.
    I have just a couple very quick questions for Mr. 
Wilshusen. First, do you believe that the VA is on the road to 
achieving the gold standard in information security management?
    Mr. Wilshusen. If they are, they are at the early stages of 
that. Certainly since the May 3rd data theft, there appears to 
have been a change in attitude, at least at the very top.
    Secretary Nicholson has testified as well as, of course, 
now Mr. Mansfield, that it is important that the agency set the 
tone at the top in terms of what will be tolerated, what will 
not. And it seems at present at least that they are making that 
effort.
    However, attendant with that is the requirement that you 
adequately and unambiguously communicate what the expectations 
are for the employees throughout the entire organization at all 
levels on what their security requirements are and have that 
tied then to their performance standards, their position 
descriptions, communicate that through various forms of 
directives, handbooks as the VA is attempting to do.
    And then once you have communicated what those expectations 
are and provided training to the staff is to make sure then 
that there are accountability measures in place that reward 
those that do perform and address those that do not.
    Mr. Mitchell. Earlier, Mr. Claudio said there were memos on 
memos. There was every written rule in the world. I mean, that 
is not the problem. So I do not know how these employees could 
not know what is expected of them unless their supervisors are 
not doing their job.
    Mr. Wilshusen. Well, that is exactly right. You need to 
have the enforcement and accountability mechanisms in place, be 
that through performance mechanisms, through their ratings, and 
where it affects them in either the paycheck or have other 
administrative actions.
    The other thing that you have to do because people are only 
one part of the overall equation related to information 
security effectiveness in an organization, you also have 
process and technologies. Often people will be your weak link 
in many cases, but you need to have controls and other 
disciplines through the technology, make sure you have 
appropriate technology controls to include things like 
encryption, to include strong access controls on your systems.
    You also need to have appropriate processes and part of 
that is making sure that those individuals only have access to 
the information that they need to perform their job and that 
they control that information and do not allow it on laptops or 
removable media when it is not needed to perform their job.
    And if it is, to make sure you have the appropriate 
technical controls to help protect that information when it is 
at risk because the information can be at risk at multiple 
places, both at rest when it is on the hard drive, when it is 
on a server, or when it is being transmitted across a network 
or over the Internet.
    So there needs to be appropriate controls and policies in 
place. And by policies, I mean technical security control 
policies in place to protect that information.
    Mr. Mitchell. And a couple other quick questions. How does 
the VA compare with other agencies with regard to information 
security management programs?
    Mr. Wilshusen. Well, I would say that, you know, based upon 
the reporting mechanisms afforded by FISMA, the ``Federal 
Information Security Management Act,'' and based upon the 
results of audits and reviews of information system controls 
performed during financial statement audits that VA is probably 
near the bottom.
    Just to illustrate, VA has had, I guess, a material 
weakness in their performance and accountability report and 
information system controls since 1997 each year.
    In addition, for 4 of the last 5 years, the House Committee 
on Government Reform has been issuing computer security report 
cards based upon an analysis of the annual FISMA reports. And 
VA has received a failing grade for 4 of the last 5 years.
    And as I mentioned earlier, VA has not yet submitted its 
official draft or its official copy of its annual report this 
year.
    Mr. Mitchell. Can you tell us of the successful agencies 
best practice?
    Mr. Wilshusen. In terms of agencies which have done that?
    Mr. Mitchell. Right.
    Mr. Wilshusen. Well, by those same standards and criteria 
that I just laid out, some would include perhaps like Social 
Security Administration. They have not had a material weakness 
or reportable condition on their financial statement audits. 
They have consistently scored higher on the review of the FISMA 
reports.
    A couple other ones would include, I think, National 
Science Foundation. But I would also caution that though they 
have done well on the FISMA reports and also as part of the 
financial statement audits, because those reports and audits 
are somewhat limited in scope does not necessarily mean that 
they have full and highly secure systems.
    Mr. Mitchell. Ms. Brown-Waite.
    Ms. Brown-Waite. Thank you.
    Earlier during the previous panel, my colleagues, Mr. Davis 
and Mr. Stearns, had suggested an outside audit and 
investigation group come into the VA.
    And I do not know who can answer this. If they are ignoring 
the IG and the GAO, why would an outside group perform any 
magic and results that are not exactly being accomplished here 
with your report and the followups?
    Mr. Wilshusen. Well, one, first of all, I think it is 
always appropriate to have independent reviews of an 
information security program or the information security 
controls in place at an agency are all on particular systems. 
Indeed, that is what GAO and the IG have done on many reviews 
in the past.
    The basic problem is they have not implemented an 
appropriate information security program. And it will take 
probably a sea change for them in order to do that. You know, 
certainly an independent review from an outside source could 
provide other skills perhaps, but at the same time, I think the 
reviews that the IG and we have performed highlighted 
significant vulnerabilities and gaps in security controls.
    Ms. Brown-Waite. If I may ask a followup question. Would it 
be better for Congress to say--I know this is a terrible word 
to use--to earmark, to make sure that money is set aside 
specifically for the kind of security, data security that we 
need with no ifs, ands, or buts about it, take money from their 
existing budget and say, ``you will do this?''
    Ms. Regan. I was going to say I think it would depend on 
what you are going to ask them to do with the money. If it is 
going to be this money will be set aside for encryption and 
laptops, that is one thing. I think what needs to be done first 
is to have the resources put to those needs. So I think you 
would have to identify what aspects and how much money to begin 
with.
    One other issue, if I could follow up on the contractor 
issue, I think as we noted in our report last summer, the July 
report, VA still has serious problems with contractors and 
access to our data. If you remember, the UNISYS computer got 
stolen that had VA data on it.
    I think, though, the Department is making headway to do 
this. I would be concerned that the scope of any contract would 
have to be defined, and I am not sure how long it would take to 
define the requirements. VA does not have a good history with 
IT contracts. And I think it would have to be defined, but I am 
not sure it would be done in the very near future. I think you 
may be looking down the road for a while, unless it was a 
narrow scope contract on one issue.
    Ms. Brown-Waite. I think Mr. Claudio----
    Mr. Claudio. Yes, ma'am. I think it is a matter of 
capability. If you look in the past, the question is, did we 
have the capability to do such an assessment. We did not. 
Thirty days ago, that organization was put together. It is the 
organization of Oversight and Compliance.
    Basically it is an organization that covers the entire 
United States, including Alaska, Hawaii, Puerto Rico, Guam, and 
the Philippines. It will do about 16 to 20 assessments per 
month once the full capable organization. So we probably will 
have to ask that that capability to get function and go ahead 
to see how productive that is.
    We have met with the IG, the organization. We have 
discussed this point. And if you look at, there is about 266 
medical centers. There is about 63 regional centers. It is 
about 300 plus. All those regional centers and medical centers 
will be assessed about in a year and a half. So the assessment 
capability is now there and we just got to give it some time to 
see where we get from here to there.
    Mr. Mitchell. Thank you.
    Mr. Bachus.
    Mr. Bachus. Yeah. I would like to just ask two followup 
questions. My first one is about the Birmingham breach, but it 
is not directed at Birmingham because I would bet you this 
information went out to a bunch of other sites too.
    But why would anyone in the VA, in VA research or VA in 
general, need access to the entire CMS database on everyone 
that ever billed CMS for healthcare, including all that 
information, or if they were, you know, why could that not have 
been encrypted or why could it not have been under some very 
tight supervision?
    Ms. Regan. That issue is actually being addressed in our 
administrative investigation. We are looking at this point as 
to why that individual had that data. We are also looking at 
why the individual was given all the fields that are in that 
data set and whether they were necessary. We are also looking 
at whether or not CMS should have given that database to the VA 
to start with, there are key factors of the database that VA 
was never given or that were not given to the facility. But why 
that information on that many physicians? Was it necessary at 
various levels? It did not go to this individual initially. It 
went to somebody else who he works with. But we are looking at 
all of those various issues regarding that database.
    Mr. Bachus. Okay. Thank you.
    Has the VA inventoried or restricted employee access to 
sensitive veterans' personal information on a need-to-know 
basis?
    Ms. Regan. The VA has not inventoried it as far as I know. 
But I do know that when you access a database, you need to 
explain and get it approved to have access to the database and 
usually what part of the database and for how long, and whether 
you are just going to review it, if you are going to copy it, 
there are various questions that are asked.
    It gets down to the individual level. Is the individual 
ISO, information security officer, or the CIO who has 
responsibility at a facility asking the right questions? Is it 
for a limited time period? Do you need all the fields in the 
database? All those issues should be addressed. So it gets down 
to an individual level, but there are measures in VA to do 
that. It is whether or not people comply with it.
    Mr. Bachus. All right. Thank you.
    Mr. Mitchell. Thank you.
    One quick followup. Mr. Wilshusen, you mentioned some 
paperwork that the Veterans' Administration has not completed 
for information security. Could you repeat what that is again?
    Mr. Wilshusen. Yes. The ``Federal Information Security 
Management Act'' requires agencies to report annually on their 
progress in implementing the provisions of the Act. They are 
required to report in accordance with OMB's instructions on 
reporting for this. OMB has set up a number of performance 
measures and a reporting format for that and requires the 
agencies to report by October 1. It is called the Annual FISMA 
Report.
    As of today, VA has not submitted its official copy of that 
report. Now, it has submitted a draft of that report to OMB, 
but has not yet submitted the official copy. And accordingly, 
because it is a draft, both GAO and Congress are also supposed 
to receive copies of these reports and we have not received 
them yet.
    Mr. Mitchell. Have you heard anything from the VA about why 
they have not done it?
    Mr. Wilshusen. I do not know precisely the reason why. As 
far as I know, perhaps--well, my colleagues might know why.
    Mr. Mitchell. Does anybody know? I understand. Assistant 
Secretary Howard, would you address that question?
    Mr. Howard. Sir?
    Mr. Mitchell. Why the paperwork has not been submitted.
    Mr. Howard. If it is the same report I am thinking about, 
it is in the Secretary's Office with signatures.
    Mr. Mitchell. And this is February, right, and it was due 
in October? I mean, this is March really.
    Mr. Howard. Yes.
    Mr. Mitchell. Thank you.
    Mr. Bachus. Could I ask one followup question?
    Mr. Mitchell. Yes.
    Mr. Bachus. I do not know if it was this panel or the last 
panel said that in the aftermath of that May 3, 2006, the 
massive breach there, that the VA issued a directive that you 
could not download sensitive personal information about 
veterans, maybe physician providers too--I do not know--onto--
it had to be a VA computer--I do not know exactly--or VA-owned 
equipment, I think.
    But that has been now waived, is that right?
    Ms. Regan. There was a subsequent memorandum that waived 
that provision for the three Administrations, which would be 
National Cemetery Administration, Veterans Health 
Administration, and Veterans Benefit Administration.
    Mr. Bachus. So which is about all of VA basically, right?
    Ms. Regan. Pretty much. It would not only just be the 
databases. It would just impact the people using those 
databases within those Administrations. People in OIG offices 
may have access to those databases for oversight purposes. It 
would not affect us. We have our own policy that only VA-owned 
computers can be used, not personal computers.
    Mr. Bachus. Was that just as a practical matter? Once they 
did that, they prohibited that, that the system just could not 
work?
    Ms. Regan. I do not have any knowledge as to why it was 
done. We have never seen the justification.
    Mr. Bachus. I mean, why it was waived.
    Ms. Regan. Why it was waived. The reason they put the 
policy in place----
    Mr. Bachus. The prohibition.
    Ms. Regan. Right.
    Mr. Bachus. I can understand the prohibition. I do not 
understand why it was waived unless maybe as a practical 
matter, they could not pay benefits, they could not treat 
because, you know, maybe it interfered with their--but it would 
be interesting to know.
    Does any of the panel know why a temporary waiver was 
issued? Thank you.
    Mr. Mitchell. Any other questions?
    Thank you very much. I appreciate it.
    Ms. Regan. Thank you.
    Mr. Mitchell. And at this time, we are going to have the 
third panel, and this should go--they do not have opening 
statements. And I would like to, while they are getting ready, 
read a statement.
    The Minority Members had requested these witnesses for this 
panel so that we could gain better insight into information 
security management and research-related programs at VA.
    Ms. Regan, could you just hang around a little longer 
because I think I would like you to sit in on this if you 
would.
    This was an act of choice and I fully concur with the 
request. I do regret that we could not provide VA with more 
time to coordinate the appearance of one REAP Director, Dr. 
Pogach. I appreciate you responding in short notice.
    I would also like Ms. Regan, Counsel to the VA Inspector 
General, to sit in with panel three to advise us if in her 
opinion the questions or answers get too close to the nexus of 
the IG's ongoing investigation so as to jeopardize that 
investigation.
    I also welcome from the Birmingham VA MC, Mr. Parris and 
Dr. Blackburn.

 TESTIMONY OF LEONARD M. POGACH, M.D., DIRECTOR, RESEARCH AND 
 ENHANCEMENT AWARD PROGRAM, VA NEW JERSEY HEALTH CARE SYSTEM, 
   EAST ORANGE, NEW JERSEY; WARREN BLACKBURN, M.D., ACOS/R&D 
 COORDINATOR, VA MEDICAL CENTER, BIRMINGHAM, ALABAMA; AND Y.C. 
   PARRIS, FACILITY DIRECTOR, VA MEDICAL CENTER, BIRMINGHAM, 
                            ALABAMA

    And we are just going to open this up to questions.
    And, Dr. Pogach, did I pronounce your name right?
    Dr. Pogach. Yes, sir.
    Mr. Mitchell. Okay. Well, thank you for being here today. I 
appreciate it. And could you please explain what the REAP or 
REAP Program is and why researchers in that program require the 
use of large databases?
    Dr. Pogach. It is a Research and Enhancement Award Program. 
These are competitive center awards, mid-level center awards 
which are awarded by the VA Health Services Research and 
Development Program. I am not sure how long the program has 
been in existence. We were awarded, our center in New Jersey, 
in September 2003.
    The purpose of the center is each of them has a theme. We 
are interested in healthcare knowledge management which 
includes chronic illnesses and quality management. The REAPs 
are awarded to those facilities that have demonstrated certain 
research capacity and capability.
    And one of our specific interests, not the only one, is the 
use of large databases to basically look at the quality of care 
provided to veterans as well as their course over time in terms 
of looking at whether or not the quality of care provided 
results in improved outcomes, such as decreased morbidity, 
decreased mortality, for what I do especially with diabetes.
    The reason why large data sets are required is these types 
of outcomes, which are observational, often are not able to be 
attained through clinical research. For example, clinical 
randomized trials, especially when you are looking at the 
variation in outcomes among a wide variety of facilities across 
a national system.
    And this sort of data and analyses and publications 
certainly can result in not only publishable research, but the 
goal would be to provide information within the VA on where 
there is variation in care, variation in outcomes that might 
allow managers to be able to track where to look for 
interventions.
    And second of all, what we would really like to do with our 
quality improvement program, which most of you probably are 
aware of, the VA is a leader, is to actually determine if we 
can go beyond provision of--we did process. We lowered a value 
to something to really see if veterans are living longer and 
living healthier.
    Mr. Mitchell. One other question. Do you share any 
researchers with other non-VA organizations and, if you do, how 
would you assure with reasonable certainty that information 
security practices are being followed?
    Dr. Pogach. We do not share the data that we get for all 
large database analyses with other organizations.
    Mr. Mitchell. But do you share the researchers?
    Dr. Pogach. Do we share the researchers?
    Mr. Mitchell. Yeah.
    Dr. Pogach. We have WOCs who are shared with other 
universities, yes, but when they work with us they are working 
on-site and on VA grounds. The salaries may be shared.
    Mr. Mitchell. And you are fairly certain that the 
information security practices are being followed?
    Dr. Pogach. Yes. The security practices now that we have 
are very clear as to what we do. In part, we are also a 
relatively young REAP in terms of how we have been funded, and 
we did not have strong preexisting relationships with our 
organization.
    So we developed our program to be in-house. I understand 
that is not the case routinely across the entire VA system, but 
our capacities and our data systems are within our VA.
    Mr. Mitchell. Thank you.
    Ms. Brown-Waite.
    Ms. Brown-Waite. I thank the Chairman.
    Dr. Weeks, could you tell us why the REAP research was 
suspended at your facility?
    Dr. Blackburn. I think you mean me, Dr. Blackburn.
    Ms. Brown-Waite. Oh, okay.
    Dr. Blackburn. Yes. The Office of Research Oversight after 
finding out that the external hard drive had gone missing 
suspended the REAP research activities.
    Ms. Brown-Waite. I mean, will they resume?
    Dr. Blackburn. That is certainly our expectation and hope. 
To my understanding, the ORO's investigation is ongoing and has 
not been completed.
    Ms. Brown-Waite. And, Dr. Blackburn, as long as I have you 
there, do you know why this happened on your watch?
    Dr. Blackburn. The investigator or the programmer had an 
external hard drive within VA space. From what I have been told 
by him, it was stolen.
    Ms. Brown-Waite. Well, why was it not encrypted? I think 
that is part of the problem.
    Dr. Blackburn. Well, I think as panel two----
    Ms. Brown-Waite. That is the problem.
    Dr. Blackburn [continuing]. Already VA has not provided at 
this point encryption software for external hard drives. We 
have gone ahead in Birmingham and taken additional actions that 
we have now banned external hard drives, and our VISN is in the 
process of banning all but a few thumb drives.
    Ms. Brown-Waite. And the repercussions if you violate the 
ban?
    Dr. Blackburn. I am sorry. I did not hear that question.
    Ms. Brown-Waite. The repercussions if the ban is violated.
    Dr. Blackburn. Well, I think the thing is we are 
responsible and we are aware of who buys hard drives. So we 
know where they are and we have gone ahead and collected them. 
The thumb drives are going to be, to my understanding, 
inoperable based upon a computer patch except the ones that 
are----
    Ms. Brown-Waite. I want to make sure I understand what you 
are saying. Someone cannot go out and buy one at Office Depot 
and download onto it?
    Dr. Blackburn. That is my understanding of the plan of the 
IT folks within our VISN, correct.
    Ms. Brown-Waite. That is your understanding of the plan. Is 
that what the plan does?
    Dr. Blackburn. Is that what what?
    Ms. Brown-Waite. Is that what it actually does is it 
prohibits downloading on a thumb drive?
    Dr. Blackburn. Unless it is an encrypted thumb drive, that 
is correct.
    Ms. Brown-Waite. And for all three panel members and Ms. 
Regan, if you can contribute, I certainly would welcome that. 
The question is, you know, what did you individually do to 
implement the VA directives 6500 and 6504 on cyber security 
directly after last year's May 3rd incident?
    Mr. Parris. We strictly enforced that directive. We made 
sure that any external device was within that work space. The 
one area actually that was involved with this actually went 
above and beyond.
    They actually met with our staff on just a security, if you 
will, education program and they made their own policy that 
when the person who was using a drive was not in the vicinity 
of that drive, which is totally legal for it to be by the 
policy, that they actually lock that up in an additional locked 
area. So they went even beyond the policy within that 
particular area.
    Ms. Brown-Waite. Whenever I check into a hotel or motel 
when I am traveling and there is that big sign up there that 
says no swimming after ten o'clock, I always say to the owners 
what is the penalty if I go swimming after ten o'clock.
    So I want to know what you all do to actually implement and 
enforce this, because I am getting the impression that we have 
so many written policies out there, policy upon policy and 
directive upon directive that maybe that is part of the 
problem, that the employees may be totally confused when they 
have a directive de jure.
    But what is being done to implement and enforce the 
prohibitions where they do not swim after ten o'clock?
    Mr. Parris. We have gone through extensive education with 
our staff. We have gone as far as having an information 
security fair for a better term. We invited people up to a full 
day so that they could get trained on what we meant by 
information security.
    We have on our Web site all the policies. We have a 
question form for those policies for the ones who may not 
understand some of the questions.
    I do not know if I am answering your question with the look 
on your face, but, you know, I am trying to get to the gist of 
the question.
    Dr. Blackburn. Well, let me go ahead and add that we have 
required, as Mr. Parris indicated, training for every one of 
our employees who have access and it is real simple. If they 
did not go through the training, their access was cut off.
    Ms. Brown-Waite. So was this after the latest incident that 
happened at----
    Dr. Blackburn. No, ma'am.
    Ms. Brown-Waite [continuing]. Birmingham?
    Dr. Blackburn. No.
    Ms. Brown-Waite. So it was before?
    Dr. Blackburn. That is correct.
    Mr. Bachus. Let me start by saying that I know Y.C. Parris. 
He is a great Director and operates a very good ship. So I ask 
these questions. I do not need to apologize to ask them, but I 
have an obligation to ask it.
    And what I kind of heard earlier was that you all complied 
with all the procedures and the directives from VA, is that 
correct?
    Mr. Parris. Yes, sir.
    Mr. Bachus. But now, am I confused or were the directives, 
did they not include that you all encrypt this information and 
that that was not done?
    Mr. Parris. No, sir. That is part of maybe what the 
Congresswoman was getting at, that there was a little bit of 
ambiguity. And if you look at the policy, it says within the 
external hard drive, which we do not have the software 
available to encrypt the external hard drive at this time, that 
if that hard drive is within that secured work space, that 
office space, whatever it is that is VA property, then that is 
okay.
    Mr. Bachus. It does not have to be encrypted?
    Mr. Parris. No, sir.
    Mr. Bachus. But I guess they say either keep it in a secure 
location or encrypt it?
    Mr. Parris. Yes, sir.
    Mr. Bachus. But then you do not have the software nor did 
they supply the software to encrypt it?
    Mr. Parris. That is correct, sir.
    Mr. Bachus. Which is almost a directive without the ability 
to comply, is it not?
    Mr. Parris. It makes it very difficult, yes, sir.
    Mr. Bachus. I mean, I guess you could go out at your own 
expense, and I do not know. But, you know, it would seem that 
if they would supply you with information, require you to 
encrypt it, they would provide the software and the means to do 
that as part of the system. That would have been an easy way to 
avoid what happened in February, I would think.
    Mr. Parris. Yeah. The horse and the cart.
    Mr. Bachus. What?
    Mr. Parris. The horse and the cart. And Bill Gates just had 
an article in the paper recently that illustrated that where he 
said that when you see how fast technology has moved, that our 
security system is like a stone castle with a moat around it 
and a drawbridge, but the technology is a jet plane with 
missiles on it.
    Mr. Bachus. Now, the IG reported that, you know, it would 
be good to encrypt this information. And I am hearing in this 
hearing that software is available to encrypt the information, 
but the VA up here, I will tell you, they are going to want to 
shift part of the blame and said you all should have encrypted 
it. We sent a directive to you to encrypt it, but you were not 
given the software. But you were also told that it could be 
within a secure area. And you are telling me it was within the 
work space.
    Mr. Parris. Yes, sir.
    Mr. Bachus. And the employee, when he discovered that it 
had been taken or that it was no longer there, he reported it 
promptly?
    Mr. Parris. Reported to my office, yes, sir.
    Mr. Bachus. And you reported it promptly to D.C.?
    Mr. Parris. Reported it to my network director, which is my 
protocol, who was in Atlanta, and he reported to D.C. the same 
timeframe.
    Mr. Bachus. Now, they have suspended your research and that 
of also six other centers which as they inquired, they 
discovered that they had not encrypted information, including, 
I guess, the White River Junction facility, is that right?
    Dr. Pogach. Actually, from New Jersey, but they suspended 
all the REAP programs.
    Mr. Bachus. I cannot hear.
    Dr. Pogach. I am sorry. We are from New Jersey. I am not 
from White River. Dr. Weeks could not make it today. But all 
the REAP programs----
    Mr. Bachus. Are you from East Orange or where?
    Dr. Pogach. Yes, New Jersey.
    Mr. Bachus. Okay.
    Dr. Pogach. So all the REAP programs were suspended not 
specifically for any one issue but to allow for reassessment of 
all data security at those sites.
    Mr. Bachus. But was one reason it was suspended because the 
information was not encrypted?
    Dr. Pogach. I do not know the reasons why, if that could 
have been one reason or not. We were just basically told that 
all research is suspended so that we could basically make sure 
all policies----
    Mr. Parris. No, sir. I think it was due diligence on the 
part of the organization.
    Mr. Bachus. I am not arguing with their decision to shut 
down the programs and assess whether that information should be 
out there in the first place and, if it is, it ought to be 
encrypted because people are going into places and steal 
things.
    Dr. Pogach. Right.
    Mr. Bachus. Thank you.
    Mr. Mitchell. Mr. Walz.
    Mr. Walz. Thank you, Mr. Chairman, and thank you, 
gentlemen, for joining us.
    I am sorry I missed your earlier testimony, Mr. Parris, 
when you--your initial statements on this. I was here earlier 
for Deputy Secretary Mansfield, and I am looking at some of the 
things he said.
    We had a long discussion in that first panel on the idea of 
what role culture plays, culture in an institution, as you are 
well aware of. And I am listening to my colleague, Mr. Bachus, 
talk about it. And I have no doubt. I am a veteran and I 
understand and I have the greatest respect for the VA and the 
work that you do. Absolutely critical.
    And as I stated in that first panel, the intentions, I am 
always operating from the assumption that the best intentions 
are always what is there.
    When looking at these data losses, I am just trying to get 
my mind around it as a veteran, as one of those people who got 
one of those letters, what can we do to prevent it, what can we 
do to stop it.
    And when I am looking at this and I think about my job, my 
former job as a high school teacher in public schools, data 
privacy is the air that we breathe. And we have got a lot of 
people in public schools, namely our students, who are pretty 
darn good with computers. And, yet, it is just stress to us.
    And there are password changes every 21 days. There is log-
out timeouts and log-out restrictions. If your computer is 
shown as being idle and logged in, you get notified and you get 
called in and written letters on those types of things because 
they are really critical. There are student data that could get 
into health issues, too, that are on there.
    So my question is, and Deputy Secretary Mansfield was very 
candid and very open about some of the restrictions that were 
put on him, I understand your job, Mr. Parris, is to provide 
the highest quality healthcare you can to your patients. That 
is your number one priority.
    This data privacy issue is part of that and might be seen 
as a peripheral or distraction. We understand how important it 
is. I am still trying to figure out, in your mind or in your 
assessment, is this a resource issue or is this a cultural 
issue inside the VA on the importance of safeguarding this 
data?
    And I am asking you in the broad range because, as I said, 
I am operating from the assumption you want absolutely the best 
care for our patients and you want their data secured. I want 
the same thing. How do we get to that?
    Mr. Parris. Yes, sir. I agree with you about your last 
statement about wanting to secure the data and make sure we 
take care of our patients. I do not want to throw a wrench into 
this, but I think it is neither totally culture nor resources. 
Both of those, you always deal with and they are always going 
to be there.
    But I think it is the growing pains. I am probably the only 
person in the room who has been around since Crew DHCP. That is 
where we had four contractors and we were testing computers and 
the only thing we had on there was a patient history. And we 
have grown to the most sophisticated medical record in the 
world right now in the VA system.
    And the growth of that, within the growth of the patients 
and the growth of the system we have, and then we have three 
major entities. Besides VHA, we have VBA, which is a huge 
entity, and then we have National Cemetery. And the things they 
do are different.
    And so I think it is growing pains as much as anything, is 
how do you stay up with the change in technology, the new 
software that is coming out. I do not know how many times I 
have sat at a table like this and talked about if we only had a 
patch on that software, we could get the patient what they need 
quicker. Can anybody write a patch for that?
    So you see the complexity of the system that we have. And I 
think that to have the people in the know to help keep up with 
the security part of that, as I talked about the castle and the 
airplane, that is really kind of the gap that we have, and how 
do we make those come together. How do we have a security 
system that runs parallel with the technology that we are 
installing on a daily basis?
    Mr. Walz. I appreciate that. There was a suggestion 
earlier, and I am just getting your feeling on this because we 
all want to solve this, whatever it is going to take, and I 
just see a massive need that the public wants this, because one 
of the things, as you well know, the biggest thing for me as a 
veteran is the loss of trust, which is critical to us. 
Of all the good work you do, you hate to see that happen.
    And it was suggested by Mr. Rodriguez that we just need to 
maybe provide a crack team of people that provide the best 
security or whatever it is from wherever they come from and 
drop them in here and get this thing done.
    Now, do you believe that is the solution or is this part of 
the growing pains, that that would not do it? They would not 
understand your organizational needs the way you understand 
them?
    Mr. Parris. With all due respect to that suggestion, sir, I 
do not think that would solve the problem. I think that would 
be another expenditure that probably could be spent on a 
solution to the problem internally.
    Mr. Walz. Thank you so much.
    Ms. Brown-Waite. If the gentleman would yield. I asked that 
question before because my fear is you bring an outside group 
in, they are going to ignore those recommendations as they have 
ignored the IG as well as the GAO. And I would rather see the 
money spent on some kind of a solution soon here.
    Mr. Walz. Software.
    Ms. Brown-Waite. Right. Software would be great. But, you 
know, also setting what the consequences are of not 
securing that data. And it is not just in the VA. I think every 
agency is probably guilty of it.
    Mr. Mitchell. Thank you.
    I think that will be all. Just before we adjourn, I would 
just like to know and I think this Subcommittee would like to 
know when the Secretary signs the FISMA report. I would like to 
know that. So if somebody here could let us know when it is 
actually signed, I would appreciate that.
    And if there is nothing else, this meeting is adjourned.
    [Whereupon, at 5:30 p.m., the Subcommittee was adjourned.]



                            A P P E N D I X

                              ----------                              

              Prepared Statement of Hon. Harry E. Mitchell
         Chairman, Subcommittee on Oversight and Investigations
    I have accelerated our Subcommittee's review of VA information 
security management for several reasons. I thank all three panels of 
witnesses and our Subcommittee Members for their cooperation despite 
the somewhat short notice we were able to provide. It is my belief that 
when the subject matter justifies some sort of review, that such a 
review should be thorough, balanced and timely.
    This topic was on the Subcommittee agenda for later in this year. 
While it is a recurring and non-partisan topic for our Veterans Affairs 
Committee, the events regarding the data loss at Birmingham and other 
circumstances have led me to advance this hearing on our Subcommittee 
docket.
    In this hearing I wish to determine the current status of 
information security management at VA. Admittedly, the Birmingham 
incident holds powerful sway over the landscape. If the Birmingham 
incident stood alone against a backdrop of a sound information security 
management program perhaps we could address a one-time-only incident 
with more patience.
    However, the record reflects a host of material weaknesses 
identified in Consolidated Financial Statement Audits and Federal 
Information Security Management Act [FISMA] audits over recent years. 
The Inspector General's Office and the Government Accountability Office 
have both reviewed VA and found deficiencies in the information 
security management program over the last 8 years. VA is slow to 
correct these deficiencies. For example, the VA IG made 16 
recommendations with regard to information security management in 
2004--all 16 remained open in 2006.
    During our full Committee review of the May 3rd, 2006 data loss, we 
discovered a general attitude regarding information security at VA that 
our current full Committee Chairman Bob Filner once referred to as a 
``culture of indifference.'' Today, I wish to address this issue of 
``culture'' and the need for cultural change with regard to information 
security at VA.
    Last year, the Committee reviewed cultural problems at several 
levels at VA.
    We looked at the very top levels of VA leadership and were 
critical.
    We looked at the program leadership level and were critical.
    We looked at the promulgation of information security policy in VA 
and were critical of the various methods employed by some program 
leaders and advisors to gut those policies, to avoid accountability and 
to weaken information security practices.
    We were critical of the lack of checks and balances in the 
information security management system at VA--was guidance being 
followed, did oversight occur?
    We were critical of the delay by VA in providing congressional 
notice of the May 2006 incident. We were critical of the slow 
escalation in notice of the magnitude of that problem.
    VA mailed notices to millions of veterans addressing the data 
compromise and made a public commitment to become the ``gold standard'' 
in information protection within the Federal Government. Eight months 
after the initial data loss, VA reports another loss of significant 
magnitude associated with a Birmingham VA research program.
    That a weakness existed in this area surprised no one. That it 
happened at all serves to precipitate this type of congressional 
oversight hearing. While the actual loss of the external hard drive and 
the limited electronic protections on that missing equipment should be 
considered the 800 pound gorilla in this room, there were some silver 
linings with the Birmingham story as we now know it.
    For example, the loss was reported in VA and quickly relayed to the 
appropriate people. Mr. Howard notified congressional oversight staff 
and Secretary Nicholson called the Chairmen and Ranking Members of the 
VA Committees. The Office of the Inspector General was quickly involved 
and opened an investigation.
    In similar examples from May 2006, VA took days or weeks to 
accomplish those tasks--in the Birmingham incident of January 2007, VA 
took hours or days to accomplish the same tasks. Staff was notified 
within 1 day, and calls from the Secretary followed a few days 
afterward. The investigative trail was reasonably fresh for the IG to 
follow.
    What of VA culture with regard to this issue? The IG made five 
recommendations to the Secretary in their ``Review of Issues Related to 
the Loss of VA Information Involving the Identity of Millions of 
Veterans'' on July 11, 2006. As of today, all five of those 
recommendations remain open. Why?
    After the 2006 series of hearings, VA issued a series of tough 
sounding declarations, but problems still remained and another major 
incident has happened. After the Birmingham incident, the Secretary 
issued some tough guidance, but what impact will it have? Will history 
repeat itself? How deep are the cultural barriers?
    I believe that it is important to review all aspects of this issue. 
We need to hear from VA leadership and in that regard we are pleased 
that Deputy Secretary Mansfield has agreed to testify. He, Secretary 
Nicholson, the Under Secretaries are key to setting policy--they 
represent the Department in this matter.
    But we also need to look at this problem through the eyes of the 
remaining 200,000 plus people in the VA. Do leadership actions 
throughout the management hierarchy match policy guidelines everywhere 
in VA?
    Do the rules say ``no'' but the culture beckons, ``Aw, go ahead--
make an extra copy of the data and your life will be easier.'' ``Take a 
short-cut, no one will follow up.'' If we change the culture at VA we 
can begin to fix the problem.
    But people have different cultural perspectives; those of the VA 
leaders on panel one may differ from those of the researchers in the 
field. Leadership's policy guidance may now be spot on, but the 
question is how that policy is received at the user-end. For that 
reason, this Subcommittee requires testimony across the spectrum of 
people who in any way handle sensitive information about our veterans. 
Let us approach this with open minds, consider other perspectives, and 
be able to put this problem to rest for a long time.
    Before I recognize the Ranking Republican Member for her remarks, I 
would ask our Members' consent for a guest and permit Congressman Artur 
Davis from Alabama to sit at the dais and be allowed to ask questions 
after all Subcommittee Members have had that opportunity. Without 
objection?
    I now recognize Ms. Brown-Waite for opening remarks.

                                 
   Prepared Statement of Hon. Ginny Brown-Waite, Ranking Republican 
          Member, Subcommittee on Oversight and Investigations
    Thank you, Mr. Chairman.
    Our hearing today, as the Chairman indicated, is to learn more 
about the Information Security Management at the Department of Veterans 
Affairs, in particular, the current effectiveness of information 
security at the Department, and the need for cultural change.
    Since the data breach of May 2006, the second largest in the nation 
and the largest in the Federal Government, we have seen the VA's 
centralization of the VA's information management, including 
information security. I appreciate the Secretary's desire to make the 
VA the ``Gold Standard'' for information technology and information 
security management in the Federal Government. From what we have seen, 
adherence to the Federal Information Security Management Act (FISMA) 
has not been adequately addressed governmentwide, as Congress intended 
when writing the law. This is why our Committee worked so hard last 
Congress to pass measures such as H.R. 5835, and the final version of 
S. 3421, which became Public Law 109-461. We have tried to give the 
Department, and in particular, the Secretary, the tools he needs to 
mandate change within the entire Department to make certain that such 
security breaches are few, if any.
    I have served on this Committee for 4 years, and recently been 
selected as the Ranking Republican Member of this Subcommittee. Over 
the years, I have seen the lack of resolve within the underlying 
culture at the Department, particularly at the facility level, to 
change the way senior management view IT security. It is sometimes 
difficult to embrace change, and this is what we need to address in 
this hearing. In order to protect our veterans, and provide them with 
the services they need, we need to remove that cultural predilection 
against change.
    I appreciate the witnesses who have come to this hearing, 
particularly those who have traveled a distance to be here, and I look 
forward to hearing your testimony.
    Thank you, Mr. Chairman, and I yield back my time.

                                 
            Prepared Statement of Hon. Gordon H. Mansfield,
         Deputy Secretary, U.S. Department of Veterans Affairs
    Thank you, Mr. Chairman. I am here before this Committee on behalf 
of the Secretary and the Department to discuss with you the changes 
underway in the Department of Veterans Affairs Information Protection 
program. The Department has committed itself to becoming the ``gold 
standard'' in Information Protection within the Federal Government. We 
have made significant progress in a very short period of time to reach 
this goal. Nonetheless, we realize that there is much more to do, and 
we have positioned our Information Protection program to undertake the 
challenges before us . . . and to succeed.
    Early on, the Secretary recognized the need to reorganize our IT 
assets to give the Department's Chief Information Officer, and 
Assistant Secretary for Information and Technology, full control over 
our IT budget, people, and programs.
    This Committee was heavily invested in that decision. It held 
numerous hearings to assist the Department in addressing the many 
issues involved in centralizing our IT function.
    We created the Office of Information Technology and transferred 
over 4,500 employees to this new organization. These VA employees are 
under the supervision and direction of VA's CIO, Bob Howard. We are 
currently completing the final phase of our reorganization by bringing 
the full complement of IT programs, dollars, and people under Assistant 
Secretary Howard's control.
    This reorganization is a Departmental priority. All leadership 
elements--from Central Office to field locations from Maine to Manila--
have been briefed and instructed. Command emphasis is firmly on 
information security. And it is squarely focused on revamping our IT 
infrastructure--from practices and procedures . . . to our Department's 
data security culture.
    We are also committed to creating a dedicated IT career field that 
will help us to develop, recruit, and retain the bedrock of 
professional IT careerists we need today if we are to meet the 
challenges of tomorrow. I personally have spoken to departmental 
leaders on this critical issue.
    To improve the delivery of IT services as we transition to a 
centralized IT program, we brought in outside consultants, including 
IBM, to assist in professionalizing our systems. IBM recommended that 
we change the way we manage and direct IT. We have done that. We have 
reduced the scope of work and narrowed the span of control of our IT 
senior leaders. By telescoping their management focus, we expect more 
efficient execution of their responsibilities and, in turn, better 
results and outcomes.
    Significant issues remain in the area of Information Protection. We 
are addressing them head-on. We have begun to revamp our entire 
program, consistent with IBM recommendations. Over the past six months, 
I have spoken with many VA employees, at all levels, to underscore the 
Department's unqualified position on the IT reorganization. I have 
stressed the importance of moving out smartly to take charge of the 
difficult issues at hand. And I believe the vast majority of VA 
employees are now more aware . . . more sensitive about data management 
and security in both the administration . . . and in the delivery of 
services to veterans and their families.
    Previously, the head of our Office of Cyber and Information 
Security was assigned such a wide span of control that it was difficult 
to excel in all areas of responsibility. As a result, support of our 
Administrations and staff offices suffered.
    We have since created a more comprehensive approach by establishing 
an Office of Information Protection and Risk Management. Its management 
oversees several key areas. Cyber Security focuses on FISMA reporting 
and policy development. Risk Management and Incident Response addresses 
risk assessment, incident resolution and credit monitoring. Records 
Management and Privacy focuses on policy development and oversight of 
privacy and records. Data protection analysis and lessons learned are 
also an integral part of this new management focus.
    Our field-based Information Security Officers have been 
operationally realigned to report to the Office of Field Operations and 
Security.
    And finally, we consolidated several IT compliance programs within 
the Office of Oversight and Compliance, which reports directly to the 
Assistant Secretary for Information and Technology. This office will 
conduct rigorous assessments nationwide. Both announced and 
unannounced, these reviews rigorously evaluate facility compliance with 
legislative directives as well as policies, procedures, and practices 
relating to information protection, data management and control, data, 
records management, privacy, and IT security programs.
    This office will be the first responder to facilities where serious 
IT security incidents occur and that require the immediate review of 
records management, privacy, and cyber security business practices. I 
am confident that this office will provide the further assurance 
necessary to bolster our records management, privacy, and data security 
measures.
    On June 28, 2006, the Secretary delegated to the Assistant 
Secretary for Information and Technology the responsibility for 
Departmental Information Security. Since the May 2006 data security 
breach, VA has issued eight IT directives on specific IT security 
safeguard requirements. We have developed a comprehensive strategy to 
incident resolution that includes procedures for notifying veterans of 
incidents where personal information has been compromised. We have 
drafted a regulation to implement the Veterans Benefits, Health Care, 
and Information Technology Act of 2006. And our Oversight and 
Compliance Office, established this month, has already completed 
several facility assessments.
    We have launched a number of technology initiatives, both completed 
and underway, to protect sensitive information. We have encrypted over 
15,000 VA laptops. We are minimizing the use of thumb drives and mobile 
devices. Where authorized, we are requiring them to be encrypted. Very 
importantly, we are in the process of testing technology that will 
check for proper encryption, codewords, and security credentials 
necessary to be permitted entry into VA's information network.
    The gravity of information security is undeniable. Data security 
incidents such as we have seen tarnish VA's reputation and the peace of 
mind of those we serve.
    We are aggressively instituting a VA-wide change in culture and 
mindset across the length and breadth of our facilities, urban and 
remote.
    VA has already committed time and resources to educate our 
workforce about the importance of data security.
    Through formal training, printed communications, and other media, 
the focus is on good stewardship of data privacy. Our employees are now 
more aware about data management and security in the administration 
. . . and in the delivery of services to veterans and their families.
    Our culture is changing. Change always takes great effort. It is 
disorienting and it is disruptive. But formerly acceptable business 
practices, as we have come to realize, are simply no longer acceptable. 
We are communicating this cultural reorientation across our Department, 
at all locations and at all levels. No one person, office, or 
Administration is exempt.
    On February 21st, the Secretary convened an offsite meeting 
attended by all VA's senior leadership. He reviewed the recently issued 
information security directives and procedures as well as the 
information protection incidents and vulnerabilities. The Secretary 
reiterated, in no uncertain terms, his order that all supervisors fully 
execute their responsibilities in the area of information protection. 
In late March there will be a data security `Update' seminar for our 
senior leaders. In April, VA's annual Information Security Conference 
will address the theme of ``Strengthening [IT] Capabilities to Achieve 
the Gold Standard.'' And in June, we will conduct Awareness Week and 
the systemic Security and Privacy Training ongoing across the 
Department.
    We are working hard to achieve our goal--full protection of VA's 
sensitive data and information. We have made substantial progress in a 
relatively short timeframe . . . and we expect nothing less than 
continuous improvement. We have implemented corrective policies and 
procedures. Deployed the necessary technologies. Trained our workforce. 
And we will not relent in our efforts to ensure that every veteran's 
personal data is safe and secure.
    While we have made great progress, we have clearly not fully 
achieved our objective. In our defense, I want to say that when data 
was lost, we did not stand still. We notified affected veterans by 
letter. We began investigations to determine root causes. We took 
preventive measures to improve security. And we communicated these 
incidents to the Congress. I don't believe there is any other Federal 
Department as forthcoming and public about this issue.
    I can assure you we will continue work to improve our processes. We 
know all too well that lapses in information security . . . such as the 
one that occurred last year, and recently in Birmingham, weaken the 
confidence of our veterans, their families, and the American public in 
our ability to perform the mission that has been entrusted to us.
    Mr. Chairman, that concludes my testimony. I will answer any 
questions that the Committee may have.

                                 
              Prepared Statement of Hon. Robert T. Howard,
          Assistant Secretary for Information and Technology,
                  U.S. Department of Veterans Affairs
    Thank you, Mr. Chairman. I would like to expand on Deputy Secretary 
Mansfield's comments regarding the changes underway in the area of 
Information Technology. There are two specific areas I will focus on. 
First is the extensive reorganization taking place and second is the 
overarching program we have established to provide focus to all our 
remediation efforts.
    The IT Realignment Program to transition the VA's IT Management 
System remains on track and is scheduled to be fully implemented by 
July 2008.
    By April 1, 2007, software development employees and programs will 
be permanently reassigned to the CIO. This action follows the 
consolidation of operations and maintenance under the CIO, which was 
finalized beginning this FY. We are implementing a process based 
organizational structure, rooted in best practice processes that are 
aimed at correcting IT deficiencies that resulted in a loss of 
standardization, compatibility, interoperability and fiscal discipline. 
There are a total of four processes that are being introduced with the 
assistance of IBM, from a ``best practices'' standpoint. We have also 
developed a different organizational framework to provide focus in key 
areas. The Office of Information and Technology is now comprised of 
five major organizational elements, built around these core process 
areas. These will report to the CIO.
    Each of the five major organizational elements is led by a Deputy 
CIO. One Deputy CIO is charged with directing the information 
protection and privacy protection programs in VA. This official is also 
responsible for risk assessment, risk mitigation, evaluation and 
assessment as it relates to information protection. The DCIO for 
Information Protection and Risk Management has already drafted 
regulations as required by the Veterans Benefits, Healthcare and 
Information Technology Act of 2006. The regulations will address, at 
minimum, notification, data mining, fraud alerts, data breach analysis, 
credit monitoring, identity theft insurance and credit protection 
services.
    To reach the ``Gold Standard,'' as directed by the Secretary, we 
have implemented a new program to assess our information protection 
controls, develop plans to strengthen the controls where necessary, 
enforce the controls, and continuously monitor the information 
protection program. The action plan we have developed includes 
Development and Issuance of Policies and Procedures, Training and 
Education, Securing of Devices, Encryption of Data, Enhanced Data 
Security for VA's Sensitive Information, Enhanced Protection for Shared 
Data in Interconnected Systems, and Incident Management and Monitoring. 
A number of the specific requirements of the new law have already been 
introduced into our comprehensive plan. Regarding this plan I 
personally review progress on a weekly basis.
    In closing, I believe we have made progress in improving IT 
operations in VA and we are working hard in partnership with the 
administrations and staff offices to improve our business practices to 
ensure the protection of veterans' sensitive information. Mr. Chairman, 
that concludes my testimony. I would be pleased to answer any questions 
that the Committee may have.

                                 
           Prepared Statement of James P. Bagian, M.D., P.E.,
  Chief Patient Safety Officer, Director, National Center for Patient 
  Safety, Veterans Health Administration, U.S. Department of Veterans 
                                Affairs
    Mr. Chairman and Members of the Committee, I am pleased to be here 
today to discuss the issues of IT security, patient safety, culture and 
their relationships.
    At the National Center for Patient Safety our mission is to prevent 
our patients from being unintentionally harmed while under our care. This 
mission is quite large in scope and while most of our activities are 
concerned with direct clinical care they also address things that are a 
bit more removed such as safety during transport in vans, automatic 
doors and their potential to cause injury, and parking lot barrier 
design to name but a few. Similarly, the information system (IT) is 
also of great interest to us as our electronic health record (CPRS) is 
the tool that in large part is responsible for our ability to deliver 
the safe and high-quality care for which the VA has received many kudos 
and is a model for the country and world. While IT security is not 
intimately related to the direct clinical/physical safety of the 
patient we still view it as a relevant endeavor under the overall 
umbrella of preventing unintended harm to our patients, because issues 
such as identity theft can result in harm to our patients. In addition 
to direct harm, such as that which might be caused by someone 
successfully pretending to be a veteran getting care at VA facilities, 
a larger and more wide-ranging harm can come from the energies expended 
responding to IT security issues. This redirection of resources can 
detract from our ability to render the medical care that is our basic 
mission.
    The efforts of the National Center for Patient Safety have been 
based on creating an environment where problems can be identified in a 
timely manner, prioritized as to the appropriate action required, and 
analyzed to elicit the real underlying root causes and contributing 
factors. These steps result in the formulation of well-founded actions 
to mitigate risks. We often express this as three simple questions to 
be determined: What happened? Why did it happen? and What should be 
done to prevent it from happening in the future? We also have 
championed and implemented a system that promotes the extensive 
consideration of close calls, which are events where no significant 
harm befalls the patient. Studying close calls provides an opportunity 
to learn that is different from the traditional approach where learning 
begins only after a patient has suffered harm. The culture of the 
Veterans Health Administration has changed from one that was reactive 
to one that acts proactively to prevent undesirable outcomes. This did 
not happen overnight or by fiat. It happened through identifying 
problems that those at all levels of the organization perceived as real 
and worth tackling, and then removing the barriers that stood in the 
way of adopting more effective and risk-based strategies and techniques 
to prevent harm to patients. Through the implementation of a program 
that embraced these concepts and actively and aggressively solicited 
collaboration from all levels of the organization, as well as from 
stakeholders external to the organization such as Congressional 
committees, Veterans Service Organizations, and our unions, we have 
been able to make significant progress.
    There is general agreement that the VA IT security efforts to date 
have not achieved the level of success as quickly as desired. There is 
little doubt that the VA has committed much effort to enhance the 
security of its IT systems and that the Secretary and senior management 
are dedicated and serious in their efforts to improve things. The real 
question at hand is why problems are still occurring. There are a 
myriad of factors, but I would like to point out several factors that 
may be worthy of consideration based on my experience and perspective.
    Let me first state that there are no magic bullets here but there 
are some practices that have been applied in the area of patient safety 
as well as other areas that merit consideration. The use of root cause 
analysis (RCA) as developed by the VA National Center for Patient 
Safety (NCPS) has been a valuable tool that has identified the root 
causes and contributing factors behind many problems. These techniques 
include methodologies that go beyond the typical but ineffective 
initial questions such as ``whose fault is this'' to the three more 
meaningful and productive questions that I mentioned earlier: (1) What 
happened? (2) Why did it happen? and (3) What do we do to prevent it in 
the future? In fact, several years ago NCPS suggested to Secretary 
Principi that we be allowed to lead a multidisciplinary RCA team in 
response to the Blaster Worm problem that the IT world experienced. 
Secretary Principi agreed and chartered this team, and the result was 
extremely successful. In fact, on the 21st of February 2007 in a 
meeting between Mr. Howard and some of his top managers, including Mr. 
Shyshka, who worked with us on the Blaster Worm response, Mr. Shyshka 
brought up the fact that the group should currently consider employing 
the use of the RCA process on a widespread basis. The rationale he gave 
for this suggestion was the sustained success in preventing the 
recurrence of problems like those previously caused by the Blaster 
Worm. We agree with this suggestion and believe that the adoption of 
the RCA process might result in actions that are more effective than 
what we have experienced to date with regard to IT security. One 
important aspect of the RCA process is that it focuses on preventing 
future problems through understanding and mitigating the true 
underlying systems-based causative factors.
    Some have indicated that what is needed is a culture change. While 
this may be true, culture changes do not happen by fiat or written 
directives. They happen through the creation of a shared vision of a 
goal that is deemed worthy, identification of the barriers to success 
through discussion at all levels of the organization and removal of 
these barriers, creation of tools and provision of the appropriate 
resources to accomplish the goals, and constant and unfettered 
communication both up and down the chain of command that encourages the 
candid identification of problems and appropriate responses to those 
problems. At the meeting with Mr. Howard mentioned above, the issue of 
communication and collaboration before the implementation of directives 
was discussed in an effort by all parties to maximize the chances of 
success. If this leads to a more proactive, collaborative, systems-
based process that balances the security risks versus the clinical 
risks, I think that meaningful progress can be made.
    A suggestion would be to do a cultural/attitudinal survey of top 
and middle management that includes some frontline staff. A reason to 
survey senior leaders is that it is difficult to proceed, in this case 
toward improving culture and attitudes about IT security, if you don't 
know where you are starting from and why you are there.
    In order to enhance the likelihood of success I believe that this 
Committee together with senior VA leadership needs to clearly 
communicate the types of approaches to be adopted. VA management and 
staff need to understand the various ramifications of the actions to be 
implemented, including schedules to be met and the expectations as to 
tradeoffs to be made to reduce risk. This kind of understanding was 
pivotal to the planning and implementation of the Patient Safety 
Program at the VA and without it the Patient Safety Program would have 
failed. There should be public acknowledgement that some IT security 
risk will always exist and that perfection is not possible. If such 
changes do not occur I am concerned that the security issues will not 
be resolved, and that clinical care will also suffer. This would result 
in our veterans losing in two ways.

                                 
                  Prepared Statement of Maureen Regan,
                  Counselor to the Inspector General,
  Office of the Inspector General, U.S. Department of Veterans Affairs
INTRODUCTION
    Mr. Chairman and Members of the Subcommittee, I am pleased to be 
here today to address the Office of Inspector General's (OIG's) 
oversight efforts of the Department of Veterans Affairs (VA) 
Information Security Program, its effectiveness, and the need for 
cultural change in VA to further improve and strengthen information 
security. Today, I will present our observations and identify the 
information security challenges VA must continue to address in order to 
ensure information security in VA. With me today is the Deputy 
Assistant Inspector General for Auditing, who will help answer 
questions about our audit work related to information security.
    To improve the Department's information security posture, VA's 
senior management needs to effectively secure the Department's 
information assets. This includes the entire set of information 
technology (IT) systems and technological infrastructure, as well as 
all sensitive information and data under VA's control. It is critical 
that effective controls and monitoring mechanisms be in place to ensure 
compliance with applicable Federal standards and all VA policy 
requirements. Protecting VA information and data is, and must remain, a 
primary focus of the Department. Our observations indicate that VA 
needs a culture change throughout the Department to gain reasonable 
assurance of VA-wide compliance with Federal and Department information 
security regulations, policies, procedures, and guidance.
OIG HAS REPORTED CONTINUING WEAKNESSES IN INFORMATION SECURITY
    Our audits and evaluations on information security and IT systems 
have shown the need for continued improvements in addressing security 
weaknesses and support the need to change VA's culture. We reported VA 
information security controls as a material weakness in our annual 
Consolidated Financial Statements (CFS) audits since the fiscal year 
(FY) 1997 audit. Our annual Federal Information Security Management Act 
(FISMA) audits have identified continuing information security 
vulnerabilities every year since FY 2001. We have also reported IT 
security as a major management challenge for the Department from FY 
2000 to the present. As a result of these vulnerabilities, we 
recommended that VA pursue a more centralized approach, apply 
appropriate resources, and establish a clear chain of command and 
accountability structure to implement and enforce internal controls.
    During the period 2000-2005, we reported that persistent repeat 
findings and weaknesses existed for physical, personnel, and electronic 
security and concluded that VA had not taken sufficient actions to 
correct the information weaknesses in our previous FISMA reports. Also, 
our work has continued to identify that corrective actions are not 
implemented at all VA facilities.
    We observed that management of data centers and several program 
offices have taken actions to remediate elements of information 
security control weaknesses reported in our prior reports. However, 
VA's program and financial data continue to be at risk due to 
significant weaknesses related to the lack of effective implementation 
and enforcement of agencywide security controls. These weaknesses place 
sensitive information, including financial data and veterans' medical 
and benefit information, at risk of unauthorized access, improper 
disclosure, alteration, theft, or destruction, possibly occurring 
without detection.
    Prior to the May 2006 data loss, VA's information security program 
showed significant security vulnerabilities. VA's CIO reported he did 
not have sole authority to implement all aspects of the VA-wide IT 
security program within VA's Administrations. IT infrastructure was 
decentralized because VA believed that decentralized operations 
provided better management of VA facilities. Finally, VA lacked 
adequate agencywide security control policies and procedures to provide 
effective guidance and organization standards.
    VA has not fully implemented any of the recommendations on 
information security from our previous FISMA reports. In our ongoing 
2006 FISMA audit, we determined that all 17 recommendations cited in 
prior FISMA reports remained unimplemented. In addition, we anticipate 
identifying several new high-risk areas associated with certification 
and accreditation of VA systems, remote access, and access to sensitive 
information by non-VA employees. Until all matters are fully addressed 
by the Department, VA systems and VA data remain at risk.
    In some areas, however, the Department has made progress. Since the 
May 2006 data breach, VA has initiated positive steps focused on 
policies, awareness, and training. For example, all VA employees were 
mandated to complete information security awareness training. In 
addition, in 2006, VA took initial steps toward implementing a more 
centralized Departmentwide IT security program under the direction of 
the Department's CIO. However, establishing and implementing an 
effective centralized Departmentwide IT security program will require 
more time and effort.
VA DOES NOT ADEQUATELY PROTECT SENSITIVE INFORMATION FROM DISCLOSURE
    The May 2006 theft of an employee's personal hard drive containing 
personal information on at least 26.8 million veterans, active 
military, and dependents, has been characterized as the largest data 
breach ever in the government. The employee, who was authorized access 
to the data, copied large amounts of protected information onto 
portable devices and took it home without authorization. The data was 
not encrypted or password-protected.
    The incident was a wake-up call for VA because it identified the 
lack of effective policy and internal controls to protect sensitive 
information from theft, loss, or misuse by VA and contract employees. 
Our review found a patchwork of policies that were difficult to locate 
and fragmented. None of the policies prohibited the removal of 
protected information from the worksite or storing protected 
information on a personally owned computer, nor did they provide 
safeguards for electronic data stored on portable media, such as laptop 
computers.
    The potential loss of protected information not stored on a VA 
automated system highlighted a gap between VA policies implementing 
information laws and those implementing information security laws. We 
found that policies implementing information laws focused on 
identifying what information is to be protected and the conditions for 
disclosure; whereas, policies implementing information security laws 
focused on protecting VA automated systems from unauthorized intrusions 
and viruses. As a result, VA did not have policies in place at the time 
of the incident to safeguard protected information not stored on a VA 
automated system.
    We found that policies implemented by the Secretary since the 
incident were a positive step in the right direction; however, we 
determined that more needed to be done to ensure protected information 
is adequately safeguarded. We determined that VA needed to enhance its 
policies for identifying and reporting incidents involving information 
violations and information security violations to ensure that incidents 
are promptly and thoroughly investigated; the magnitude of the 
potential loss is properly evaluated; and that VA management, 
appropriate law enforcement entities, and individuals and entities 
potentially affected by the incident are notified in a timely manner.
    To address these deficiencies, we recommended that the Secretary 
take the following actions in our report, Review of Issues Related to 
the Loss of VA Information Involving the Identity of Millions of 
Veterans (Report Number 06-02238-63, July 11, 2006).

      • Establish one clear, concise VA policy on safeguarding 
protected information when stored or not stored in VA automated 
systems, ensure that the policy is readily accessible to employees, and 
that employees are held accountable for non-compliance.
      • Modify the mandatory Cyber Security and Privacy Awareness 
training to identify and provide a link to all applicable laws and VA 
policy.
      • Ensure that all position descriptions are evaluated and 
have proper sensitivity level designations, that there is consistency 
nationwide for positions that are similar in nature or have similar 
access to VA protected information and automated systems, and that all 
required background checks are completed in a timely manner.
      • Establish VA-wide policy for contracts for services that 
require access to protected information and/or VA automated systems, 
that ensures contractor personnel are held to the same standards as VA 
employees, and that information accessed, stored, or processed on non-
VA automated systems is safeguarded.
      • Establish VA policy and procedures that provide clear, 
consistent criteria for reporting, investigating, and tracking 
incidents of loss, theft, or potential disclosure of protected 
information or unauthorized access to automated systems, including 
specific timeframes and responsibilities for reporting within the VA 
chain-of-command and, where appropriate, to OIG and other law 
enforcement entities, as well as appropriate notification to 
individuals whose protected information may be compromised.

    The Secretary concurred with the findings and recommendations in 
our report and agreed to implement the recommendations. On February 9, 
2007, the Assistant Secretary for Information and Technology and his 
staff provided us with a briefing on the status of the recommendations 
in the report. Although an implementation process was discussed using 
an electronic database with a matrix that showed what issues needed to 
be addressed, we were not provided an implementation plan or any 
supporting documentation, such as draft policies, to show progress made 
in implementing the recommendations. To date, all 5 recommendations 
remain open, although VA has developed a new Privacy Awareness training 
module. It was circulated to all VA Privacy Officers, including the 
OIG's Privacy Officer, for review and comment. We reviewed the module 
and confirmed that it provides a link to applicable laws and VA policy. 
When implemented, the module will meet the intent of one of our 
recommendations.
    Shortly after the May 2006 incident, VA issued policies to address 
information security. On June 7, 2006, the Secretary issued VA 
Directive 6504, Restrictions on Transmission, Transportation and Use 
of, and Access to, VA Data Outside VA Facilities, and it is available 
to all employees on VA's directives Web site. VA Directive 6504 
contains policy for 23 different items. As stated in our report, we 
found that the Directive was difficult to understand; too technical for 
the average employee to understand; used terms, such as ``appropriate'' 
that were too vague to ensure compliance; and made reference to other 
applicable policies, guidelines, and laws without identifying them.
    Notwithstanding these concerns, we considered VA Directive 6504 to 
be a step in the right direction. The Directive prohibits the use of 
non-VA owned equipment to access the VA Intranet remotely or to process 
VA protected information except as provided in the Directive. In 
addition to requiring the use of encryption software on computers used 
outside VA facilities, a key provision in the Directive is that only 
VA-owned equipment, including laptops and handheld computers, may be 
used when accessing VA systems remotely. However, these requirements 
have not been implemented throughout VA. On October 5, 2006, VA issued 
a Memorandum, IT Directive 06-5, approving a temporary waiver for all 
three VA Administrations. Although the VA personnel were required to 
use approved encryption software when using non-VA hardware, VA does 
not provide the software. In addition, neither VA Directive 6504 nor IT 
Directive 06-5 contains provisions stating how VA will ensure 
compliance.
    There is a greater awareness in VA regarding the issue. However, VA 
still lacks effective internal controls and accountability, which leaves 
sensitive information at risk.
VA CONTINUES TO REPORT ONGOING DATA INCIDENTS
    VA's Security Operations Center (SOC) is responsible for managing, 
protecting, and monitoring the cyber security posture of the agency. In 
July 2006, VA began sending us information on incidents from the SOC, 
providing information on a variety of incidents such as unauthorized 
access; missing, stolen, or lost laptop computers; improper disposal; 
and numerous incidents involving unencrypted e-mail messages containing 
sensitive information.
    To date, these reports have covered about 3,600 incidents and the 
SOC has referred over 250 incidents to us, which resulted in us opening 
46 cases to investigate. SOC reports do not always include indications 
of the magnitude of the data breach, that is, the number of individuals 
with personally identifiable information related to the incident. We 
have no way to determine the number and magnitude of incidents that 
occurred and were not reported to the SOC, nor can we verify the 
accuracy of the reported number of individuals affected by data 
incidents listed in SOC reports.
    Since the May 2006 incident, the OIG has remained committed to 
investigating significant data loss cases that show that VA or contract 
employees are not taking the steps necessary to protect sensitive 
information. For example, the incident involving the theft of a 
computer owned and maintained by Unisys, containing sensitive VA 
information, shows that information provided to contractors is also at 
risk. In our ongoing investigation of the data loss at Birmingham, 
Alabama, we continue to find that VA sensitive information was not 
protected.
CONTINUING CHALLENGES
    Information security weaknesses persist at VA despite the findings 
and recommendations made in our reports. Most VA data remains 
unencrypted, including data transmitted by electronic mail over the 
Internet. Although the Department has begun action, it still does not 
know how many VA employees and contractors use non-VA computers to 
remotely access VA systems. In addition, VA has not determined how many 
external hard drives or other portable devices are in use throughout 
VA. Finally, VA does not know what VA data is stored on these 
computers, external hard drives, or other portable devices. VA also has 
no means to monitor whether access to data by employees and contractors 
is limited to the information needed to conduct business.
    Policies and procedures issued to safeguard protected information 
will not be effective unless there is compliance by all employees and 
contract personnel who have access to the information. Local management 
needs to conduct adequate oversight to ensure compliance and hold 
employees and contractors accountable for noncompliance. VA must ensure 
that managers and supervisors are held accountable for implementing the 
policies and procedures. In addition, VA must invest in the resources 
needed to provide employees with the hardware and software needed to 
conduct business and, at the same time, protect sensitive information.
    Implementing the controls needed to ensure that sensitive 
information is protected will require that VA employees change the 
manner in which they currently conduct business. VA must find a way to 
implement these controls without impacting VA's ability to meet its 
mission.
    In closing, I would like the Subcommittee to know that oversight 
and reviews of the effectiveness of VA's information security will 
remain a priority for the OIG until these issues are addressed. We 
remain committed to assessing the adequacy of information security 
controls and we will remain dedicated to protecting our Nation's 
veterans along with their personal and sensitive information. Mr. 
Chairman and Members of the Subcommittee, thank you again for this 
opportunity to update you on the status of our ongoing work. We are 
happy to answer any questions.

                                 
         Prepared Statement of Gregory C. Wilshusen, Director,
   Information Security Issues, U.S. Government Accountability Office
    Mr. Chairman and Members of the Subcommittee:
    Thank you for inviting me to participate in today's hearing on 
information security management at the Department of Veterans Affairs 
(VA). For many years, GAO has identified information security as a 
governmentwide high-risk issue \1\ and emphasized its criticality for 
protecting the government's information assets. GAO has issued over 15 
reports and testimonies and made over 150 recommendations from 1998 to 
2005 related to VA's information security program.
---------------------------------------------------------------------------
    \1\ GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: 
January 2007); Information Security: Weaknesses Persist at Federal 
Agencies Despite Progress Made in Implementing Related Statutory 
Requirements, GAO-05-552 (Washington, D.C.: July 15, 2005).
---------------------------------------------------------------------------
    Today I will address VA's information security management, 
including weaknesses that GAO and others have reported, as well as 
actions that the Department has taken to resolve these deficiencies. I 
will also discuss ongoing audit work that GAO is conducting at VA.
    To describe VA's information security management, we reviewed our 
previous work in this area, as well as reports by the Department and 
its Office of Inspector General (IG). To provide additional context, we 
have included, as an attachment, a list of key GAO publications related 
to VA security issues. All GAO work conducted for this testimony is in 
accordance with generally accepted government auditing standards.
Results in Brief
    Significant concerns have been raised over the years about VA's 
information security--particularly its lack of a robust information 
security program, which is vital to avoiding the compromise of 
government information. We have previously reported on wide-ranging 
deficiencies in VA's information security controls.\2\ For example, VA 
had not consistently implemented appropriate controls for (1) limiting, 
preventing, and detecting electronic access to sensitive computerized 
information; (2) restricting physical access to computer and network 
equipment to authorized individuals; (3) segregating incompatible 
duties among separate groups or individuals; (4) ensuring changes to 
computer software were authorized and timely; and (5) providing 
continuity of computerized systems and operations. The Department's IG 
has recently identified similar weaknesses. These longstanding 
deficiencies existed, in part, because VA had not implemented key 
components of a comprehensive, integrated information security program. 
Although the Department has taken steps to implement components of its 
security program, its efforts have not been sufficient to effectively 
protect its information and information systems. As a result, sensitive 
information remains vulnerable to inadvertent or deliberate misuse, 
loss, or improper disclosure.
---------------------------------------------------------------------------
    \2\ See attachment 1.
---------------------------------------------------------------------------
    We have several ongoing engagements to perform work at VA to review 
the Department's efforts in improving its information security and 
information technology management. Our ongoing work is examining data 
breach notification, actions to strengthen information security 
controls, controls over information technology equipment, and 
implementation of an information technology realignment initiative.
Background
    Information security is a critical consideration for any 
organization that depends on information systems and networks to carry 
out its mission or business. The security of these systems and data is 
essential to prevent data tampering, disruptions in critical 
operations, fraud, and the inappropriate disclosure of sensitive 
information. Recognizing the importance of securing Federal systems and 
data, Congress passed the Federal Information Security Management Act 
(FISMA) in 2002, which set forth a comprehensive framework for ensuring 
the effectiveness of information security controls over information 
resources that support Federal operations and assets.\3\
---------------------------------------------------------------------------
    \3\ FISMA, Title III, E-Government Act of 2002, Pub. L. 107-347 
(Dec. 17, 2002).
---------------------------------------------------------------------------
    Under FISMA, agencies are required to provide sufficient safeguards 
to cost-effectively protect their information and information systems 
from unauthorized access, use, disclosure, disruption, modification, or 
destruction, including controls necessary to preserve authorized 
restrictions on access and disclosure. The Act requires each agency to 
develop, document, and implement an agencywide information security 
program that is to include assessing risk; developing and implementing 
policies, procedures, and security plans; providing security awareness 
and training; testing and evaluating the effectiveness of controls; 
planning, implementing, evaluating, and documenting remedial action to 
address information security deficiencies; detecting, reporting, and 
responding to security incidents; and ensuring continuity of 
operations.
    In providing health care and other benefits to veterans and their 
dependents, VA relies on a vast array of computer systems and 
telecommunications networks to support its operations and store 
sensitive information, including personal information on veterans. 
Effectively securing these computer systems and networks is critical to 
the Department's ability to safeguard its assets and sensitive 
information.
VA's Information Security Weaknesses Are Long Standing
    VA has faced longstanding challenges in achieving effective 
information security across the Department. Our previous reports and 
testimonies \4\ have identified wide-ranging, often recurring 
deficiencies in the Department's information security controls. For 
example, VA had not consistently implemented appropriate controls for 
(1) limiting, preventing, and detecting electronic access to sensitive 
computerized information; (2) restricting physical access to computer 
and network equipment to authorized individuals; (3) segregating 
incompatible duties among separate groups or individuals; (4) ensuring 
changes to computer software were authorized and timely; and (5) 
providing continuity of computerized systems and operations. Figure 1 
details the information security control weaknesses we identified at VA 
from 1998 through 2005.
---------------------------------------------------------------------------
    \4\ Attachment 1 includes a list of our products related to 
information technology vulnerabilities at VA.
---------------------------------------------------------------------------
Figure 1: Chronology of Information Security Weaknesses Identified by GAO
[GRAPHIC] [TIFF OMITTED] 34307A.001


    Notes: Hines is a suburb of Chicago.
    Full citations are provided in attachment 1.

    These weaknesses existed, in part, because VA had not implemented 
key components of a comprehensive information security program. 
Specifically, VA's information security efforts lacked:

      • Clearly delineated security roles and responsibilities;
      • Regular, periodic assessments of risk;
      • Security policies and procedures that addressed all 
aspects of VA's interconnected environment;
      • An ongoing security monitoring program to identify and 
investigate unauthorized, unusual, or suspicious access activity; and
      • A process to measure, test, and report on the continued 
effectiveness of computer system, network, and process controls.

    We made a number of recommendations in 2002 that were aimed at 
improving VA's security management.\5\ Among the primary elements of 
these recommendations were that VA centralize its security management 
functions and perform other actions to establish an information 
security program, including actions related to risk assessments, 
security policies and procedures, security awareness, and monitoring 
and evaluating computer controls.\6\
---------------------------------------------------------------------------
    \5\ GAO, Veterans Affairs: Sustained Management Attention Is Key to 
Achieving Information Technology Results, GAO-02-703 (Washington, D.C.: 
June 12, 2002).
    \6\ We based our recommendations on guidance and practices provided 
in GAO, Federal Information System Controls Audit Manual, GAO/AIMD-
12.19.6 (Washington, D.C.: January 1999); Information Security 
Management: Learning from Leading Organizations, GAO/AIMD-98-68 
(Washington, D.C.: May 1998); Information Security Risk Assessment: 
Practices of Leading Organizations, GAO/AIMD-00-33 (Washington, D.C.: 
November 1999); and Chief Information Officer Council, Federal 
Information Technology Security Assessment Framework (Washington, D.C.: 
Nov. 28, 2000). The provisions of FISMA (passed in late 2002) and 
associated guidance were generally consistent with this earlier 
guidance.
---------------------------------------------------------------------------
    Since our report in 2002, VA's independent auditors and its IG have 
continued to report serious weaknesses with the Department's 
information security controls. In the auditors' report on internal 
controls prepared at the completion of VA's 2006 financial statement 
audit, information technology security controls were identified as a 
material weakness because of serious weaknesses related to access 
control, segregation of duties, change control, and service 
continuity.\7\ These areas of weakness are virtually identical to those 
that we had identified years earlier.
---------------------------------------------------------------------------
    \7\ The auditor's report is included in VA's FY 2006 Annual 
Performance and Accountability Report.
---------------------------------------------------------------------------
    The Department's FY 2006 Annual Performance and Accountability 
Report states that the IG continues to identify the same 
vulnerabilities and make the same recommendations year after year. The 
IG's September 2006 audit of VA's information security program noted 
that 16 previously reported recommendations remained unimplemented; it 
also identified a new weakness and made an additional recommendation. 
The IG has reported information technology security as a major 
management challenge for the Department each year for the past 6 years.
VA's Efforts to Address Information Security Weaknesses Have Been 
        Limited
    Despite having taken steps to address the weaknesses described in 
our earlier work, VA has not yet resolved these weaknesses on a 
Departmentwide basis or implemented a comprehensive information 
security program.\8\ For example:
---------------------------------------------------------------------------
    \8\ This result is also reflected in the Department's failing grade 
in the annual report card on computer security that was issued by the 
then House Committee on Government Reform: Computer Security Report 
Card (Washington, D.C.: Mar. 16, 2006).
---------------------------------------------------------------------------

      • Central security management function: In October 2006, 
the Department moved to a centralized management model. The Department 
has also contracted for project support in helping to frame a security 
governance structure and provide tools to assist management with 
controls over information technology assets. This work is scheduled to 
be completed in March 2007.
      • Periodic risk assessments: VA is implementing a 
commercial tool to identify the level of risk associated with system 
changes and also to conduct information security risk assessments. It 
also created a methodology that establishes minimum requirements for 
such risk assessments. However, it has not yet completed its risk 
assessment policy and guidance. While the policy and guidance were 
originally scheduled to be completed by the end of 2006, the completion 
date was extended to April 2007.
      • Security policies and procedures: VA is in the process of 
developing policies and directives to strengthen security controls as 
part of its action plan. For example, VA planned to develop directives 
by the end of 2006 on access controls and media protection, standards 
for restricting use of portable and mobile devices, and policies 
regarding physical access to VA computer rooms. However, the completion 
date for development of these policies has been extended to April 2007.
      • Security awareness: VA has taken steps to improve 
security awareness training. It holds an annual Department information 
security conference, and it has developed a Web portal for security 
training, policy, and procedures, as well as a security awareness 
course that VA employees are required to review annually. However, VA 
has not demonstrated that it has a process to ensure compliance.
      • Monitoring and evaluating computer controls: VA has taken 
steps to improve the monitoring and evaluating of computer controls by 
developing policies and procedures. For example, VA planned to develop 
by the end of 2006 criteria for system security control testing at 
least every 3 years and planned to identify key system security 
controls for testing on a routine basis. However, the completion dates 
for development of these policies have been extended to April 2007.

    To fulfill our recommendations in these areas, VA must not only 
complete and document the policies, procedures, and plans that it is 
currently developing, but also implement them effectively. With regard 
to its IG's findings and recommendations, the Department has 
established an action plan to address the material weakness in 
information security (Data Security--Assessment and Strengthening of 
Controls), which is to correct deficiencies and eliminate 
vulnerabilities in this area. Despite these actions, the Department has 
not implemented the key elements of a comprehensive security management 
program, and its efforts have not been sufficient to effectively 
protect its information systems and information, including personal 
information, from unauthorized disclosure, misuse, or loss.
GAO Has Ongoing Reviews of Information Technology and Security Issues at VA
    We have several ongoing engagements to perform work at VA to review 
the Department's efforts in improving its information security and 
information technology management. These engagements address:

      Data breach notification: We are conducting a study to 
determine the lessons that can be learned from the VA data breach with 
respect to notifying government officials and affected individuals 
about data breaches. For this evaluation, we are examining similar data 
breach cases at other Federal agencies, as well as analyzing Federal 
guidance on data breach notification procedures.
      Actions to strengthen information security controls: We 
are conducting a review to evaluate VA's efforts to implement prior GAO 
and IG information security-related recommendations and to assess 
actions VA has taken since the data breach of May 3, 2006, to 
strengthen information security and protect personal information. As 
part of this engagement, we are examining VA's timeline of planned 
efforts to strengthen controls.
      Controls over information technology equipment: We are 
conducting a followup audit \9\ at selected VA locations to determine 
the risk of theft, loss, or misappropriation of information technology 
equipment. To perform our audit, we are assessing the effectiveness of 
physical inventory controls and the property disposal process at four 
VA locations.
---------------------------------------------------------------------------
    \9\ This is a followup audit to work reported in GAO, VA Medical 
Centers: Internal Control Over Selected Operating Functions Needs 
Improvement, GAO-04-755 (Washington, D.C.: July 21, 2004).
---------------------------------------------------------------------------
      VA's information technology realignment initiative: We 
are conducting a review to determine whether VA's realignment plan for 
its Office of Information and Technology includes critical factors for 
successful implementation of a centralized management model. We are 
also looking at how the realignment will ensure that under the 
centralized management approach, the chief information officer is 
accountable for the entire information technology budget (including 
those funds that had been administered by the Veterans Health 
Administration and Veterans Benefits Administration). In performing 
this evaluation, we are analyzing governance and implementation plans, 
as well as budgetary and other relevant documentation.

    In summary, longstanding information security control weaknesses at 
VA have placed its information systems and information at increased 
risk of misuse and unauthorized disclosure. Although VA has taken steps 
to mitigate previously reported weaknesses, the Department has not yet 
resolved these weaknesses, implemented the recommendations of GAO and 
the IG, or implemented a comprehensive information security program, 
which it needs in order to effectively manage risks on an ongoing 
basis. Much work remains to be done. Only through strong leadership, 
sustained management commitment and effort, disciplined processes, and 
consistent oversight can VA address its persistent, longstanding 
control weaknesses.
    Mr. Chairman, this concludes my statement. I would be happy to 
answer any questions you or other Members of the Subcommittee may have.
Contact and Acknowledgments
    If you have any questions concerning this statement, please contact 
Gregory C. Wilshusen, Director, Information Security Issues, at (202) 
512-6244, [email protected]. Other individuals who made key 
contributions include Barbara Collier, Mary Hatcher, Valerie Hopkins, 
Leena Mathew, and Charles Vrabel.
                  Attachment 1: Selected GAO Products
    Information Security: Leadership Needed to Address Weaknesses and 
Privacy at Veterans Affairs. GAO-06-897T. Washington, D.C.: June 20, 
2006.
    Veterans Affairs: Leadership Needed to Address Security Weaknesses 
and Privacy Issues. GAO-06-866T. Washington, D.C.: June 14, 2006.
    Privacy: Preventing and Responding to Improper Disclosures of 
Personal Information. GAO-06-833T. Washington, D.C.: June 8, 2006.
    Information Security: Weaknesses Persist at Federal Agencies 
Despite Progress Made in Implementing Related Statutory Requirements. 
GAO-05-552. Washington, D.C.: July 15, 2005.
    Veterans Affairs: Sustained Management Attention is Key to 
Achieving Information Technology Results. GAO-02-703. Washington, D.C.: 
June 12, 2002.
    Major Management Challenges and Program Risks: Department of 
Veterans Affairs. GAO-01-255. Washington, D.C.: January 2001.
    VA Information Systems: Computer Security Weaknesses Persist at the 
Veterans Health Administration. GAO/AIMD-00-232. Washington, D.C.: 
September 8, 2000.
    Information Systems: The Status of Computer Security at the 
Department of Veterans Affairs. GAO/AIMD-00-5. Washington, D.C.: 
October 4, 1999.
    VA Information Systems: The Austin Automation Center Has Made 
Progress in Improving Information System Controls. GAO/AIMD-99-161. 
Washington, D.C.: June 8, 1999.
    Information Systems: VA Computer Control Weaknesses Increase Risk 
of Fraud, Misuse, and Improper Disclosure. GAO/AIMD-98-175. Washington, 
D.C.: September 23, 1998.
                             GAO Highlights
 Information Security: Veterans Affairs Needs to Address Long-Standing 
                               Weaknesses
Why GAO Did This Study
    Security breaches at the Department of Veterans Affairs (VA) and 
other public and private organizations have highlighted the importance 
of well-designed and implemented information security programs. GAO was 
asked to testify on its past work on VA's information security program, 
as well as ongoing reviews that it is conducting at VA.
    In developing its testimony, GAO drew on over 15 of its previous 
reports and testimonies, as well as reports by the Department's 
Inspector General (IG).
What GAO Recommends
    To ensure that security issues are adequately addressed, GAO has 
previously made over 150 recommendations to VA on implementing 
effective controls and developing a robust information security 
program.
What GAO Found
    For many years, GAO has raised significant concerns about VA's 
information security--particularly its lack of a comprehensive 
information security program, which is vital to safeguarding government 
information. The figure below details information security weaknesses 
that GAO identified from 1998 to 2005. As shown, VA had not 
consistently implemented appropriate controls for (1) limiting, 
preventing, and detecting electronic access to sensitive computerized 
information; (2) restricting physical access to computer and network 
equipment to authorized individuals; (3) segregating incompatible 
duties among separate groups or individuals; (4) ensuring that changes 
to computer software were authorized and timely; or (5) providing 
continuity of computerized systems and operations. The Department's IG 
has also reported recurring weaknesses throughout VA in such areas as 
access controls, physical security, and segregation of incompatible 
duties. In response, the Department has taken actions to address these 
weaknesses, but these have not been sufficient to establish a 
comprehensive information security program. As a result, sensitive 
information has remained vulnerable to inadvertent or deliberate 
misuse, loss, or improper disclosure. Without an established and 
implemented security program, the Department will continue to have 
major challenges in protecting its systems and information from 
security breaches.
    GAO has several ongoing engagements to review the Department's 
efforts in improving its information security and information 
technology management. These engagements address:

      Data breach notification;
      Actions to strengthen information security controls;
      Controls over information technology equipment; and
      VA's information technology realignment effort.
                       SUBMISSION FOR THE RECORD
              Prepared Statement of Hon. Zackary T. Space,
          a Representative in Congress from the State of Ohio
    Dear Members of the Subcommittee and Panelists,
    I would like to submit for the record my most sincere apologies for 
my absence this afternoon. An unexpected family emergency has called me 
away from my congressional duties. While I would like very much to be 
in attendance today to review the important information and security 
management procedures in place at the VA, I must be with my mother on 
the loss of her husband.
    I appreciate your understanding on this matter. Please know that I 
remain committed as ever to the important work of this Subcommittee and 
those that it serves.
            Sincerely,
                                                        Zack Space.