<html>
<title> - INFORMATION SECURITY MANAGEMENT AT THE U.S. DEPARTMENT OF VETERANS AFFAIRS</title>
<body><pre>[House Hearing, 110 Congress]
[From the U.S. Government Printing Office]

INFORMATION SECURITY MANAGEMENT AT THE U.S. DEPARTMENT OF VETERANS AFFAIRS--CURRENT EFFECTIVENESS AND THE NEED FOR CULTURAL CHANGE

=======================================================================

HEARING before the SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS of the COMMITTEE ON VETERANS' AFFAIRS, U.S. HOUSE OF REPRESENTATIVES

ONE HUNDRED TENTH CONGRESS, FIRST SESSION

FEBRUARY 28, 2007

Serial No. 110-5

Printed for the use of the Committee on Veterans' Affairs

U.S. GOVERNMENT PRINTING OFFICE
34-307 PDF                 WASHINGTON DC:  2007
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office. Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; DC area (202) 512-1800. Fax: (202) 512-2250. Mail Stop SSOP, Washington, DC 20402-0001.


COMMITTEE ON VETERANS' AFFAIRS

BOB FILNER, California, Chairman

Majority Members:
  CORRINE BROWN, Florida
  VIC SNYDER, Arkansas
  MICHAEL H. MICHAUD, Maine
  STEPHANIE HERSETH, South Dakota
  HARRY E. MITCHELL, Arizona
  JOHN J. HALL, New York
  PHIL HARE, Illinois
  MICHAEL F. DOYLE, Pennsylvania
  SHELLEY BERKLEY, Nevada
  JOHN T. SALAZAR, Colorado
  CIRO D. RODRIGUEZ, Texas
  JOE DONNELLY, Indiana
  JERRY McNERNEY, California
  ZACHARY T. SPACE, Ohio
  TIMOTHY J. WALZ, Minnesota

Minority Members:
  STEVE BUYER, Indiana, Ranking
  CLIFF STEARNS, Florida
  DAN BURTON, Indiana
  JERRY MORAN, Kansas
  RICHARD H. BAKER, Louisiana
  HENRY E. BROWN, JR., South Carolina
  JEFF MILLER, Florida
  JOHN BOOZMAN, Arkansas
  GINNY BROWN-WAITE, Florida
  MICHAEL R. TURNER, Ohio
  BRIAN P. BILBRAY, California
  DOUG LAMBORN, Colorado
  GUS M. BILIRAKIS, Florida

Malcom A. Shorter, Staff Director

______

Subcommittee on Oversight and Investigations

HARRY E. MITCHELL, Arizona, Chairman

Majority Members:
  ZACHARY T. SPACE, Ohio
  TIMOTHY J. WALZ, Minnesota
  CIRO D. RODRIGUEZ, Texas

Minority Members:
  GINNY BROWN-WAITE, Florida
  CLIFF STEARNS, Florida
  BRIAN P. BILBRAY, California

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public hearing records of the Committee on Veterans' Affairs are also published in electronic form. The printed hearing record remains the official version. Because electronic submissions are used to prepare both printed and electronic versions of the hearing record, the process of converting between various electronic formats may introduce unintentional errors or omissions. Such occurrences are inherent in the current publication process and should diminish as the process is further refined.


C O N T E N T S

__________

February 28, 2007

                                                                   Page
Information Security Management at the U.S. Department of Veterans Affairs--Current Effectiveness and the Need for Cultural Change ............ 1

OPENING STATEMENTS

Chairman, Harry E. Mitchell ............ 1
    Prepared statement of Chairman Harry E. Mitchell ............ 54
Hon. Ginny Brown-Waite, Ranking Republican Member ............ 3
    Prepared statement of Congresswoman Brown-Waite ............ 55
Hon. Timothy J. Walz ............ 4
Hon. Ciro D. Rodriguez ............ 5
Hon. Cliff Stearns ............ 7
Hon. Spencer Bachus ............ 5
Hon. Artur Davis ............ 6

WITNESSES

U.S. Department of Veterans Affairs:
    Hon. Gordon H. Mansfield, Deputy Secretary ............ 9
        Prepared statement of Secretary Mansfield ............ 56
    Hon. Robert T. Howard, Assistant Secretary for Information Technology and Chief Information Officer ............ 11
        Prepared statement of Mr. Howard ............ 58
    James P. Bagian, M.D., P.E., Chief Patient Safety Officer and Director, National Center for Patient Safety, Veterans Health Administration ............ 12
        Prepared statement of Dr. Bagian ............ 58
    Maureen Regan, Counselor to the Inspector General, Office of the Inspector General ............ 34
        Prepared statement of Ms. Regan ............ 60
    Arnaldo Claudio, Director of Oversight and Compliance, Office of Information Technology ............ 36
    Leonard M. Pogach, M.D., Director, Research and Enhancement Award Program, VA New Jersey Health Care System, East Orange, NJ ............ 46
    Warren Blackburn, M.D., ACOS/R&D Coordinator, VA Medical Center, Birmingham, Alabama ............ 47
    Y.C. Parris, Facility Director, VA Medical Center, Birmingham, Alabama ............ 48
U.S. Government Accountability Office, Gregory C. Wilshusen, Director, Information Security Issues ............ 32
        Prepared statement of Mr. Wilshusen ............ 63

SUBMISSION FOR THE RECORD

Hon. Zachary T. Space, a Representative in Congress from the State of Ohio ............ 69


INFORMATION SECURITY MANAGEMENT AT THE U.S. DEPARTMENT OF VETERANS AFFAIRS--CURRENT EFFECTIVENESS AND THE NEED FOR CULTURAL CHANGE

----------

WEDNESDAY, FEBRUARY 28, 2007

U.S. House of Representatives,
Committee on Veterans' Affairs,
Subcommittee on Oversight and Investigations,
Washington, DC.

    The Subcommittee met, pursuant to notice, at 2:36 p.m., in Room 334, Cannon House Office Building, Hon. Harry E. Mitchell [Chairman of the Subcommittee] presiding.

    Present: Representatives Mitchell, Walz, Rodriguez, Davis, Brown-Waite, Stearns.

OPENING STATEMENT OF CHAIRMAN MITCHELL

    Mr. Mitchell. The Subcommittee on Oversight and Investigations hearing of February 28, 2007, will begin.

    Let me just say right off that Congressman Zach Space is absent because of a family emergency. Otherwise, he would be here.

    I have accelerated our Subcommittee's review of the VA information security management for several reasons.

    I thank all three panels of witnesses and our Subcommittee Members for their cooperation despite the somewhat short notice we were able to provide. It is my belief that when the subject matter justifies some sort of review, such a review should be thorough, balanced, and timely.

    This topic was on the Subcommittee agenda for later this year, but it is a recurring and nonpartisan topic for the Veterans' Affairs Committee. The events regarding a data loss at Birmingham and other circumstances have led me to advance this hearing on our Subcommittee docket.

    In this hearing, I wish to determine the current status of information security management at the VA. Admittedly the Birmingham incident holds powerful sway over the landscape. If the Birmingham incident stood alone against the backdrop of a sound information security management program, perhaps we could address a one-time-only incident with more patience.

    However, the record reflects a host of material weaknesses identified in consolidated financial statements, audits and the ``Federal Information Security Management Act,'' FISMA, audits over the recent years.

    The Inspector General's Office and the Government Accountability Office have both reviewed VA and found deficiencies in the information security management program over the last 8 years. VA has been slow to correct these deficiencies.

    For example, the VA IG made 16 recommendations with regard to information security management in 2004. All 16 remained open in 2006.

    During our full Committee review of the May 3, 2006, data loss, we discovered a general attitude regarding information security at VA that our current Committee Chairman Bob Filner once referred to as a culture of indifference.

    Today I wish to address this issue of culture and the need for cultural change with regard to information security at the VA.

    Last year, the Committee reviewed cultural problems at several levels at VA. We looked at the very top levels of the VA leadership and were critical. We looked at the program leadership levels and were critical. We looked at the promulgation of information security policy in VA and were critical of the various methods employed by some program leaders and advisors to gut those policies to avoid accountability for the weakened information security practices. We were critical of the lack of checks and balances in the information security management system at VA.

    Guidance was being followed, but did oversight occur? We were critical of delay by VA in providing congressional notice of the May 2006 incidents. We were critical of the slow escalation and notice of the magnitude of that problem.

    VA mailed notices to millions of veterans addressing the data compromise and made a public commitment to become the ``gold standard'' in information protection within the Federal Government. Eight months after the initial data loss, VA reports another loss of significant magnitude associated with the Birmingham VA Research Program.

    That a weakness existed in this area surprised no one. That it happened at all serves to precipitate this type of congressional oversight hearing. While the actual loss of the external hard drive and the limited electronic protections on that missing equipment should be considered the 800 pound gorilla in this room, there were some silver linings with the Birmingham story as we now know.

    For example, the loss was reported in VA and quickly relayed to the appropriate people. Mr. Howard notified congressional oversight staff and Secretary Nicholson called the Chairmen and Ranking Members of the VA Committees. The Office of Inspector General was quickly involved and opened an investigation.

    In similar examples from May 2006, VA took days or weeks to accomplish those tasks. In the Birmingham incident of January 9, 2007, VA took hours or days to accomplish the same task.

    Staff was notified within 1 day and calls from the Secretary followed a few days afterward. The investigative trail was reasonably fresh for the IG to follow.

    What of VA culture with regard to this issue? The IG made five recommendations to the Secretary in the review of issues related to the loss of VA information involving the identity of millions of veterans on July 11, 2006. As of today, all five of those recommendations remain open. Why?

    After the 2006 series of hearings, VA issued a series of tough-sounding declarations, but problems still remain and another major incident has happened.

    After the Birmingham incident, the Secretary issued some tough guidance, but what impact will it have? Will history repeat itself? How deep are the cultural barriers?

    I believe that it is important to review all aspects of this issue. We need to hear from VA leadership and in that regard, we are pleased that Deputy Secretary Mansfield has agreed to testify. He, Secretary Nicholson, and the Under Secretaries are key to setting policy. They represent the Department in this matter.

    But we also need to look at the problem through the eyes of the remaining 200,000 plus people in the VA. Do leadership actions throughout the management hierarchy match policy guidelines everywhere in the VA? Do the rules say no, but the culture beckons, ah, go ahead, make an extra copy of that data and your own life will be easier? Take a shortcut. No one will follow up.

    If we change the culture of VA, we can begin to fix the problem. But people have different cultural perspectives. Those of the VA leaders on panel one may differ from those of the researchers in the field. Leadership's policy guidance may now be spot on, but the question is how the policy is received at the user end.

    For that reason, this Subcommittee requires testimony across the spectrum of people who in any way handle sensitive information about our veterans. Let us approach this with open minds, consider other perspectives, and be able to put this problem to rest for a long time.

    Before I recognize the Ranking Republican Member for her remarks, I ask unanimous consent that Congressman Artur Davis from Alabama and Congressman Spencer Bachus be invited to sit at the dais for the Subcommittee hearing today. Without objection. Thank you.

    I now recognize Ms. Brown-Waite for her opening remarks.

    [The statement of Harry E. Mitchell appears on pg. 54.]

OPENING STATEMENT OF HON. GINNY BROWN-WAITE

    Ms. Brown-Waite. I thank the Chairman very much for giving me this opportunity and also for the expedited manner in which this hearing was held.

    As the Chairman has indicated, it is more about information security management at the Department of Veterans Affairs and in particular the current effectiveness of information security at the Department and the need for cultural change.

    Since the data breach in May 2006, which was the second largest in the nation and actually the largest in the Federal Government, we have seen VA's centralization of the VA's information management, including information security.

    I appreciate the Secretary's desire to make the VA the ``gold standard'' for information technology and information security management in the Federal Government. From what we have seen, however, adherence to the ``Federal Information Security Management Act'' or FISMA has not been adequately addressed government-wide as Congress intended when writing the law.

    This is why our Committee worked so hard last Congress to pass measures such as H.R. 5835 and the final version which was S. 3421, which eventually became Public Law 109-461.

    We have tried to give the Department, and in particular the Secretary, all the tools that he needs to mandate change within the entire Department to make certain that such security breaches are few, if any.

    I have served on this Committee now, this is my fifth year, and recently have been selected as the Ranking Member of this Subcommittee. Over the years, however, I have seen a blatant lack of resolve within the underlying culture at the Department and particularly at the facility level to change the way senior management views IT security.

    We know it is very difficult to embrace change, but this is what we need to address in this hearing. I was involved at one point in my life in installing a new financial management system for my employer, and I can just tell you that the employees were kicking and screaming because change does not come easily. They were used to their little silos and they really did not adapt very well to any kind of IT change.

    I realize that this is a problem that is out there in the VA, but it is not one that with very strong leadership we cannot overcome. We have got to protect our veterans and provide them with the services that we need. We need to remove that cultural bias against change.

    I appreciate the witnesses who have come to this hearing, particularly those who have traveled great distances to be here. And I look forward to hearing your testimony.

    I thank the Chairman, and I yield back the balance of my time.

    [The statement of Ginny Brown-Waite appears on pg. 55.]

    Mr. Mitchell. Thank you.

    Mr. Walz.

OPENING STATEMENT OF HON. TIMOTHY J. WALZ

    Mr. Walz. Thank you, Mr. Chairman. Just briefly, thank you for holding this important hearing.

    As a veteran who has received the letter earlier on lost data, this is obviously one that is personal to me and it is also one that everybody in this room cares deeply about.

    Mr. Mansfield, thanks so much for coming here. And I know that everyone in this room and at the table cares as deeply as anybody about our veterans and making sure everything is done right.

    So I hope that in this hearing, and in the spirit of the Chairman's words, that we are here to find solutions, that we know that the intent of every member of the VA is always to provide the best quality care, the best quality protection to our veterans. So I thank you for being here.

    The one thing I would say, I guess for me, I am a cultural studies teacher, so this idea of culture and the things that we talk about, all those learned and shared values, beliefs, and ideas, I think is critical. Whether it is a safety issue or whether in this case it is data security, I do believe culture plays a role in it.

    And we are here today to figure out what we can do if it is a resource issue or what we can do. And I truly appreciate your willingness to come and all you do for veterans. And together we can get this thing worked out and get it going in the right direction. So thank you.

    And I yield back my time, Mr. Chairman.

    Mr. Mitchell. Thank you.

    Congressman Rodriguez.

OPENING STATEMENT OF HON. CIRO D. RODRIGUEZ

    Mr. Rodriguez. Thank you very much.

    And I was just going over the report from the Inspector General and it is pretty startling information there in terms of the fact that there is still a great deal at risk.

    I know the Attorney General in Texas just ruled that all county clerks that release Social Security numbers would be committing a felony. And so somehow we need to come to grips with that. And if I have to, I will make some of those comments at that time, but I am hoping that we can direct it in the right direction.

    And I hope that the approach that is taken is that if you need some help, if you need some assistance, to come forward in order for us to correct this as quickly as possible.

    Thank you.

    Mr. Mitchell. Thank you.

    Mr. Bachus.

OPENING STATEMENT OF HON. SPENCER BACHUS

    Mr. Bachus. Thank you, Mr. Chairman.

    I would say this to the panel. Since at least 1997, there have been reports about inadequacies at the VA, about the protection of information, veterans' information.

    And in 2001, there were multiple recommendations made, 17 security recommendations made in the ``Federal Information Security Management Act'' for veterans to do. Yet, in May of 2006, when you had the security loss, Ms. Brown-Waite mentioned that none of those had been implemented at that time.

    Now, since that time, you have given testimony to Congress that you fixed most of those problems. But what we had in Birmingham, it is my understanding, was just a laptop computer with information on it that was carried offsite. And to me, that is one of the most elementary types of things to prevent, simply by having a rule that they do not do that.

    Now, you have also since last May, you required all veterans' employees to go to security seminars, as I understand it. So I would just be curious in my questions following up on whether that was done or not and whether this employee was prohibited from taking it offsite.

    I know the IG's report says that the information that is available to all the employees is hard to understand and uses words like appropriate and other words which really will not limit them, you know, do not use the information inappropriately without clearly defining what may be appropriate and inappropriate.

    But there are other issues. I know it was 21 days before it was announced that this breach had occurred. Another problem that I had with this as a Member of Congress, Congressman Davis and I represent the Birmingham area and a lot of this information was shared with us, but we were told we could not share any of the information with anyone else, that it was critical to the investigation. And on one occasion, after we were specifically told we could not share any of the information, that it was critical to the investigation, within an hour, the Veterans Administration issued a press release with a lot of that information on it. So we wonder about that.

    But I came here to listen, but I did come, and I have made this point to you gentlemen since this breach, that encrypting of information is a pretty elementary step. And I wonder why, you know, is there a rule that this information should be encrypted. I mean, a lot of this information was not encrypted which ought to, by 2007, ought to be standard operating procedure on any sensitive information.

    And so I look forward to hearing from you. But it does appear that since 1997, at least 2001, everybody has known what the problems were, that these were accidents waiting to happen, yet nothing. You know, if you did something as a practical matter, it did not work. So I would just be interested to know what you did.

    Mr. Mitchell. Thank you.

    Mr. Davis.

OPENING STATEMENT OF HON. ARTUR DAVIS

    Mr. Davis. Thank you, Mr. Chairman. I am glad to see that freshmen can become Subcommittee Chairs so quickly and I congratulate you on that. I must be on the wrong Committee.

    Thank you for giving leave to my friend from Alabama and myself to come here. We are not regular Members of the Veterans' Affairs Committee, and I thank you for letting us participate because our City of Birmingham is affected.

    I want us to get to the question section as soon as we can so I will be very limited in my comments. But I begin by saying this, Mr. Mansfield. I think all of us take it for granted that the leadership at the VA has good intentions, but good intentions are usually not enough to change a culture. Better laws help. Better regulations help.

    And I received the correspondence that you sent to me in which I asked a number of questions about what the procedures are at the VA regarding encryption, what the procedures are at the VA regarding notification, and it is clear to me from looking at your answers that there are gaps there. And, frankly, that is where this institution comes into play.

    Some of us have been advocates on this Committee for having stronger protections for civilians regarding potential losses of data, regarding data security issues in the private sector.

    It seems self-evident to me that whatever the standard ought to be for individuals in the private sector, if anything, it ought to be stronger for our veterans. And I am disappointed. But if I understand the law and the regulations today, it is weaker. And understand some of us believe the consumer protections are not strong enough for civilians either.

    Second point that I want to make, I have a very strong hunch, Mr. Mansfield, that the only reason we are in this room having this hearing, the only reason that the public knows about any of this is simply by pure luck. And I do not mean to second guess, but I will make this point to you.

    Your office called my office on the late afternoon of February 2nd, 2007, and you told us that you wanted us to have information about a data breach in Birmingham and you told us that a news organization was about to run with the story, so you wanted to give us a heads up.

    I have a strong hunch, Mr. Mansfield, that but for you all believing this information was about to come into the public domain that you never would have released it.

    Second of all, after the Office of Inspector General met with me at my request, we lodged a very strong demand of the VA that the VA go forward and release the additional information about the number of names that had been compromised, about the fact that physician information had been compromised.

    Frankly, I have a hunch that but for that demand, the additional information would not have been released.

    So I will end with this point. Changes need to be made, in my opinion, in the way that your organization reacts to this kind of a problem.

    I am going to ask you during my question time during the hearing how many data breaches are suspected by the VA since the incident of May 2006. We know about that incident. I am going to ask you during my Q and A session how much has been suspected in the year since. Are there other instances where there has been a loss of data? Are there other instances where there is a suspected loss of data?

    So I thank you for being here, and I look forward to answers to your questions.

    Mr. Chairman, thank you again.

    Mr. Mitchell. Thank you.

    Mr. Stearns.

OPENING STATEMENT OF HON. CLIFF STEARNS

    Mr. Stearns. Thank you, Mr. Chairman, and thank you for holding this critical and timely hearing.

    When you look at the GAO report, it says from 1998 to 2005, there were over 150 recommendations to the VA on implementing effective controls and developing a robust information security program.

    And then if you just look at the VA's own Office of the Inspector General, they publish reports. They made 16 recommendations from the fiscal year 2004 and they remained unaddressed.

    So we have here critical areas that are being highlighted by the GAO as well as the Office of Inspector General clearly saying the VA is vulnerable to denial of service attacks, disruption of mission-critical systems, and unauthorized access to sensitive data.

    So all this has been documented. The Member before me talked about it is just by luck we have information about this. But I think we have known about this for some time, at least since January.

    And so the question is with the GAO and the Office of Inspector General, why in the world are all these recommendations and all these suggestions not being implemented?

    There has been a lot in the news recently regarding unauthorized access violations at the VA. Last March, there was an incident we had where 26 million veterans' information, personal information, personal, identifiable information was lost.

    I congratulate the VA for finally getting the computer and getting the protection it needed, but, you know, it took a while to find it. And as I understand it, a lot of this information was not even encrypted.

    And, however, now, in the recent breach that my colleagues have mentioned in Birmingham this January, the proper agencies were informed the very next day, an improvement that I would like to highlight, yet it is a mixed bag of praise and condemnation for we have yet another breach of information security.

    This Birmingham hardware involved the personal medical records, Social Security numbers, personal information of veterans and many medical personnel in the VA system itself. And this information again was not even encrypted.

    So it seems to me at this point, this information should be encrypted at the very least. There are clearly areas that the VA needs to improve. And I guess for the life of me, I do not understand. If you go back to 1998 and you have got 150 recommendations from the GAO, why are you folks not implementing them?

    In Congress, we responded to the data breach of last March. We enacted the new law, the ``Veterans Benefit Healthcare and Information Technology Act'' of 2006. The primary purpose of this legislation was to strengthen IT practices at the VA. It also contained internal processing requirements regarding security management with a mandate, with a mandate for the VA to develop interim regulations for improving security within 180 days of the law's enactment.

    So, Mr. Chairman, I think that the hearing is timely. I look forward to the witnesses, and I hope the strategy will be for improving security for our veterans in the very near future.

    Mr. Mitchell. Thank you.

    We will now proceed to panel one. We are pleased to have Deputy Secretary Gordon Mansfield as the principal presenter for the panel.

    This Committee has a long and professional working relationship with Mr. Mansfield in all his roles at VA, from his time serving as the Assistant Secretary for Congressional and Legislative Affairs to his present position as Deputy Secretary.

    Mr. Mansfield is a highly decorated military combat veteran, having served two tours of duty in Vietnam. His military awards include the Distinguished Service Cross, the Bronze Star, two Purple Hearts, and the Combat Infantryman Badge.

    Mr. Secretary, would you please introduce your team.

    Mr. Mansfield. Thank you, Mr. Chairman. If I may, before I start, a point of personal privilege. With your permission, I wanted to take a brief moment to comment on Len Sisteck's departure from the Committee.

    May I have your permission, sir?

    Mr. Mitchell. Yes.

    Mr. Mansfield. Len and I had a chance to talk the other day in my office, and he told me that he still had ``the sense of service to one's country'' that we have seen up to this date. And I am pleased that he will continue as a public servant.

    Many may say it, but Len has lived the concept of leaving political and ideological differences aside in order to serve veterans. He also got out and saw the VA operations in the field in a real hands-on way.

    I mentioned he was in my office, on the tenth floor. I also want to make the point that Len has also been with us in our operations center down in the lower basements, the bowels of the VA, so he has been with us from top to bottom.

    I, for one, am glad that he will still be here on the Hill watching out for the interests of the Department and for veterans, just in a different capacity. Fairness and loyalty to the constituency are his, and I appreciated his service on this Committee. And I want to extend to him the congratulations and best wishes of the entire Department.

    Len, thank you very much.

    Mr. Mitchell. Thank you, Len, very much.

STATEMENTS OF HON. GORDON H. MANSFIELD, DEPUTY SECRETARY, U.S. DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY MICHAEL J. KUSSMAN, M.D., ACTING UNDER SECRETARY FOR HEALTH, VETERANS HEALTH ADMINISTRATION, U.S. DEPARTMENT OF VETERANS AFFAIRS; HON. ROBERT HOWARD, ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY AND CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF VETERANS AFFAIRS; AND JAMES BAGIAN, M.D., CHIEF PATIENT SAFETY OFFICER, DIRECTOR, NATIONAL CENTER FOR PATIENT SAFETY, VETERANS HEALTH ADMINISTRATION, U.S. DEPARTMENT OF VETERANS AFFAIRS

STATEMENT OF HON. GORDON MANSFIELD

    Mr. Mansfield. Mr. Chairman, if I may, I have a statement to submit for the record.

    Mr. Chairman, I am here today with Mr. Howard, our Assistant Secretary for IT; the acting Under Secretary, Dr. Kussman; and Dr. Bagian.

    I am here today to talk about the status of our IT security program and the reorganization of our Office of Information Technology.

    We have done a lot of work and we have come a long way since last May's major incident occurred. And I have to admit that that was probably the wake-up call for the Department. But we still have an awfully long way to go.

    We are well into the reorganization of the Office of Information and Technology to include an initial transfer of some 4,600 individual employees now under the control and direction of the CIO, Assistant Secretary Bob Howard.

    That reorganization also includes ensuring that Mr. Howard has the full authority as delegated by the Secretary to deal with security issues throughout the Department. Mr. Howard also has the authority to oversee the total IT budget for the Department.

    In the information security area, we have gone forward with preliminary revisions that have led us to issue a number of new directives to ensure that the workforce understands what their specific responsibilities are.

    We have brought management pressure from the top to ensure that the required change in culture is instituted and that we are moving forward to achieve the goals set by the Secretary for the VA to be a gold standard for the Federal Government.

    As I have stated, I think we have come a long way in both the reorganization and the changes demanded by information security requirements to protect our veterans. I will be the first to acknowledge that we have not finished with either of these chores.

    We are continuing the reorganization with more transfers of people taking place next month, with more budget, more program, and more people responsibilities under the control of the CIO.

    The Security Operations Center or the SOC is now receiving daily reports of incidents, large and small, from across the Department which allow us to understand and educate the people that we are responsible for when they do the job wrong, and also it will allow management to get a better picture of the problem areas across the Department.

    The Birmingham incident, while evidence of major lapses in judgment in operations, was handled in such a way that VA management was informed in a timely manner and the report moved quickly up the chain of command to the top.

    We also started an investigation as did the Inspector General's Office in conjunction with the FBI. Notifications of the incident were made to the Hill in a timely manner. As well, updates on the information were provided as received.

    I want to make a point here that as we get into these investigations and as the IG and the FBI move into it, we are requested to keep this information on hold as they start into their investigation and start looking for areas of approach, and we try to follow the FBI's request and the IG's request in that area.

    We have been notifying this Committee and other Committees of jurisdiction on the Hill on a weekly basis of the reports that do come in to us that are reported up the chain of command.

    Another area of concern is sanctions applied to those who fail to conform to the requirements.
The Secretary has said \nthere are still too many VA employees at every level to include \nsenior positions who either still do not comprehend the \nseriousness of this issue or who consciously disregard it.\n    This laxity is unacceptable and no longer will be \ntolerated. In appropriate cases and where justified, there must \nbe serious consequences for failure to properly secure \nveterans\' data. We owe our veterans no less. And that is a \nquote from the Secretary in a meeting of senior executives held \nhere in Washington, D.C., on February 21, 2007.\n    We are involved in cultural change in a serious way. From \nthe highest leadership on down, in meetings and communications \nand site visits, the Secretary and I have endeavored to \ncommunicate the need to protect data and how we can make that \nhappen.\n    As the Secretary indicated, given the circumstances of each \ncase, we need to go forward with further education and \nassistance with our employees to understand what the need is \nand what they have to do or get involved in considering whether \nsanctions should be considered and applied as required.\n    In closing, let me say that I sincerely wish that I could \npromise you that no other incident will occur. I cannot do that \nnow, but I can promise you that we are working hard throughout \nthe Department to get the message to our 235,000 plus employees \nto do everything we can to get this problem under control.\n    We have succeeded in many areas. We still have a large job \nto finish the effort. We are committed to doing that.\n    Mr. Chairman, I am prepared to answer questions, and I \nwould ask Mr. Howard, as I understand the sequence, to go \nforward with his comments.\n    Mr. Mitchell. Correct.\n    [The statement of Gordon Mansfield appears on pg. 56.]\n\n                STATEMENT OF HON. ROBERT HOWARD\n\n    Mr. Howard. Thank you, sir.\n    And thank you, Mr. 
Chairman and Members of the Committee.\n    I would like to expand on Deputy Secretary Mansfield\'s \ncomments regarding the changes underway in the area of \ninformation and technology.\n    There are two specific areas I would like to focus on. \nFirst is the extensive reorganization taking place and second \nis the over-arching program we have established to provide \nfocus to all of our remediation efforts.\n    The IT realignment program to transition the VA\'s IT \nmanagement system remains on track and is scheduled to be fully \nimplemented by July 2008.\n    By April 1, 2007, software development employees and \nprograms will be permanently reassigned to the CIO. This action \nfollows the consolidation of operations and maintenance under \nthe CIO which was finalized beginning this fiscal year.\n    We are implementing a process-based organizational \nstructure rooted in best practice processes that are aimed at \ncorrecting IT deficiencies that resulted in a loss of \nstandardization, compatibility, interoperability, and fiscal \ndiscipline.\n    There are 38 such processes that are being introduced with \nthe assistance of IBM from a best practices standpoint. We have \nalso developed a different organizational framework to provide \nfocus in key areas.\n    The Office of Information and Technology is now comprised \nof five major organizational elements. These will all report to \nthe CIO. We have a chart of this organization with us today in \nthe event you would like to discuss this structure in more \ndetail.\n    Each of the five major organizational elements is led by a \nDeputy Chief Information Officer. One Deputy Chief Information \nOfficer, in fact, in the first column, is charged with \ndirecting the information protection and privacy programs in \nVA. 
This official is also responsible for risk assessment, risk \nmitigation, evaluation and assessment as it relates to \ninformation protection.\n    The DCIO for information protection and risk management has \ndrafted the interim final regulation on credit monitoring and \ncredit protection as required by the ``Veterans Benefits \nHealthcare and Information Technology Act of 2006.\'\'\n    This regulation, which is now being reviewed throughout the \nDepartment, will address notification, data mining, fraud \nalerts, data breach analysis, credit monitoring, identity theft \ninsurance, and credit protection services.\n    To achieve the gold standard as directed by the Secretary, \nwe have implemented an over-arching program to assess \ninformation protection controls, to develop plans to strengthen \nthe controls where necessary, to enforce the controls, and \ncontinuously monitor the information protection program.\n    This action plan we have developed includes development and \nissuance of policies and procedures, training and education, \nsecuring of devices, encryption of data, enhanced data security \nfor VA\'s sensitive information, enhanced protections for shared \ndata in interconnected systems, and incident management and \nmonitoring.\n    A number of the specific requirements of the new law have \nalready been introduced into our comprehensive action plan. I \npersonally review progress on these actions on a weekly basis.\n    In closing, I believe we have made progress in improving IT \noperations in VA and we are working hard in partnership with \nthe administrations and staff offices to improve our business \npractices to ensure the protection of sensitive information \nthroughout the Department.\n    Mr. Chairman, that concludes my testimony. I would be \npleased to answer any questions the Committee may have.\n    Mr. Mitchell. Thank you.\n    Dr. Bagian.\n    [The statement of Robert Howard appears on pg. 58.]\n\n                 STATEMENT OF DR. 
JAMES BAGIAN\n\n    Dr. Bagian. Thank you, Mr. Chairman, members of the \nCommittee, for inviting me here today.\n    My comments will be confined more to cultural aspects, \nespecially with respect to some of the observations of what \nwe\'ve done in the patient safety area, as I\'ve talked to some \nof you in the past.\n    Let me just say at the outset, there has been some \nindication by some of the previous comments that people are \nwondering if people take the issue of IT security seriously. I \ncan tell you unequivocally, they take it very seriously. \nThere\'s nobody I see--and I am out in the field quite a bit--\nthat is not fully aware that this is an important issue. \nThere\'s no question about that. I\'ll come back to that, but, \nlet me just assure you that\'s a fact.\n    The big issue is about culture and how we look at this. And \nI would say one of the big issues--and I\'ll talk about it from \nthe frame of patient safety--because while our goal in patient \nsafety is to prevent harm to the patient, and generally we \nthink about that with regard to the medical care that we \ndeliver, the fact is that if people suffer, for instance, the \noutcome of identity theft, for example, that harms them as \nwell--as it harms our ability to provide care for them because \nthat consumes fiscal resources and attention that could \notherwise be focused to our primary mission, which in the VHA \nis delivering medical care. So we understand that.\n    In the safety area, patient safety area, when we started to \ndo this some 8, 9 years ago, the culture certainly wasn\'t \ngeared toward patient safety, and we were starting this before \nanybody did it anywhere in medicine, quite frankly.\n    And we found that it was very important to be able to \nestablish for them what our real goal was in terms that were \nunderstandable by them and how it met what they thought they \nneeded to do. 
To create an expectation was relevant to them \nthat they thought was real.\n    And then we had to go through an understanding when things \ndid happen, it wasn\'t enough strictly just to have--and as Mr. \nHoward talked about, policies and training is important, but he \ntalked about other things like encryption and other modalities. \nIt\'s a multiplicity of these things.\n    It\'s not just telling people, ``follow the rules,\'\' because \nif that is all it took to do anything, we\'d write rules and go \nhome. And we know it takes more than that. So, when problems \noccurred or we had close calls--as we have had IT close calls \nas well--it was to look and say what happened here, why did it \nhappen, and what do we do to prevent it in the future?\n    And without understanding those underlying causes, it\'s \nreally impossible to come up with sustainable solutions. So we \nreally dwelled on that quite a bit, and I think you see some of \nthat same thing in what\'s going on with the IT organization \ntoday.\n    The other thing is you have to take out the fear. One of \nthe things that goes on with any organization, as was mentioned \nby Ms. Brown-Waite during her comments, is that change is hard \nfor all organizations. And people have to feel that the change \nis in their interest, too, whatever that change is, and \ncommunicate to them what they believe it is. And I think we can \ndo that, and we\'re trying to do it. But it doesn\'t happen \novernight.\n    We then need to supply tools, and that\'s being done. You\'ve \nheard about encryption. You\'ve heard about other things that go \nin those areas. And then we have to do it in a way that changes \ntheir behavior, and when that behavior works and is not at \ncross purposes with their goal--and in VHA, the goal is \ndelivering clinical care; that\'s the main goal--information \nsecurity is embedded in that, but that\'s not the reason they \ncome to work. 
A physician doesn\'t come to work to achieve IT \nsecurity. It\'s a component thing they need to worry about, but \ntheir main goal is that they want to take care of the patient.\n    We have to understand how we make that real to them, that \nthey understand that that\'s important not just because we say \nit is, because they believe it is. And I think that\'s trying to \nbe done. So when that attitude changes, then you begin to \nchange culture.\n    Now, one of the things that we found that was extremely \nimportant when we began was we thought everybody got it about \npatient safety. We did a cultural survey--the first one ever \ndone--on attitude toward patient safety, and we found some very \nremarkable results which changed the way we ran the entire \nprogram and in fact, I would say we are singularly responsible \nfor it being successful versus failing miserably.\n    We found that when we asked people, ``Do you think patient \nsafety is important?\'\' Twenty-seven percent of all our people \nat the VHA system said ``five\'\' on a one-to-five scale. Patient \nsafety is super important, most important it could be. Twenty-\nfour percent said ``one\'\'--absolutely irrelevant. We were \nshocked. How could that be?\n    But when we stopped and talked to them more--we\'ve had \nfocus groups come in to understand why that was--the reason \nthey said ``one,\'\'--that is, unimportant, was because they \nsaid, ``Well, I thought you meant was it important for me? It \nis not important for me, because I know I am safe. It is all \nthose other people that aren\'t.\n    And the same thing can happen here if you don\'t understand \nwhat motivates them. It\'s not they do not want to do it. They \nthink somebody else is doing it.\n    Until you really answer those questions to enable you to \nunderstand people\'s underlying assumptions, it\'s impossible to \ncorrect it effectively. 
So I think we need to look at that and \nlook at the culture where it is and not just talk about it, but \nactually measure some of it to understand where the leverage \npoints are. And I\'m not sure we know all those things yet. But \nwe\'re moving in that direction.\n    One of the things we worked with the IT system back in 2003 \nwhen the Blaster Worm--some of you may recall the Blaster Worm, \na big problem--we went and worked with IT at that time. In \nfact, one of Mr. Howard\'s deputies--we talked last on the 21st, \njust last week, about how we worked with them with root cause \nanalysis where we looked at these, what happened, why did it \nhappen, what do we do about it--and he remarked that since that \ntime we\'ve never had a major denial of service attack, since we \nlooked at this with a very systems-based approach. And they \nwant to work with us more doing that, and we look forward to \nthose kinds of things.\n    And we think this mode of collaboration across not just the \nIT world, but across all VA--DVA, NCA, VHA--working together to \nlook at this and look at the real causes will get us there, and \nI think that\'s where the real hope lies, and it is not just \nhaving a knee jerk response to the bad events, which none of us \nwant, but really take the time to understand why it isn\'t where \nwe want it to be and fix it and really nail it.\n    [The statement of James Bagian appears on pg. 58.]\n    Mr. Mitchell. Thank you all for your statements.\n    Clearly the VA is attempting a number of different avenues \nto address the problems associated with information security \nmanagement at VA. We are aware of the poor track record the VA \nhas in this area and note that implementing a program does not \nguarantee a successful outcome by itself.\n    Mr. Mansfield, I have a question. In 2006 and in earlier \nyears, we saw information security policy guidance languish in \nvarious VA offices. 
The IG advises us in testimony that the VA \nstill lacks a clear, concise policy in several key areas of \ninformation security. It has been 7 months since their report \nwas issued.\n    Why do they say that and how do the views of the Department \ndiffer with the views of the IG?\n    Mr. Mansfield. Mr. Chairman, let me start by saying that we \nhave proceeded and gone forward in a large number of areas and \nissued a large number of directives that deal with some of the \nissues that the IG is talking about.\n    The Secretary has issued directives and I have issued \ndirectives. I think what the IG is saying is that we have not \nbeen able to finalize this thing across the entire \norganization.\n    And I would make the point that in some of these areas, we \nare still learning about exactly what is happening out there, \nand we need to be able to find out what the issues are and, as \nDr. Bagian said, what happened, why did it happen, and what are \nwe going to do to fix it.\n    I would make another point which is that we still have out \nthere a largely decentralized system. It is nonstandardized. \nThere are not any simple fixes that we can plug in. Like with \nthe blaster worm, you were able to put one fix in and put it \nacross the system if you have a standardized system. But we do \nnot have that, so there are not any simple fixes.\n    The other issue we have here is that for the most part, 190 \nsome thousand of those 235,000 employees are in the veterans \nhealth arena and that is where we have the responsibility to \ndeliver healthcare. And as I have testified before this \nCommittee in many previous hearings, we have approached this \nfrom the start with the principle, ``do no harm.\'\' Do no harm \nis a part of the way you have to approach this. We cannot \nafford to shut down a hospital system where patients are being \ntaken care of.\n    Plus, we are a government agency. We deal with civil \nservice rules. 
We deal with contracting rules, and we go \nforward with all those issues. So that is part of the \nexplanation, sir.\n    Let me make the point, too, that I understand exactly where \nyou are coming from and where the Committee is coming from, and \nit has been a long time. There are a number of issues out \nthere. But as I said, we are working, and I think the \ncentralization and reorganization of this office which the \nSecretary has directed will allow us to provide, in addition to \nwhat we had before, for education and information to be \nprovided, that we use our VA Learning University as an \nadditional effort to bring information and education to bear.\n    And the other part of it is the inspection part goes \nforward where we have just started inspections, some announced, \nsome unannounced, to be able to go out and find out what is \ngoing on out there so we are not surprised.\n    Mr. Mitchell. Just a quick followup. You mentioned your \nstudy and you are looking at why people do the things they do. \nWhen do you expect this study to be over? When do you expect to \nfinally implement all of these recommendations? How long is it \ngoing to take?\n    Mr. Mansfield. Sir, I cannot give you a final date right \nnow. I am sorry. I wish I could. I wish I could tell you that \nwe have got this problem solved. We cannot do it.\n    As I indicated and as Secretary Howard indicated and as I \nbelieve Dr. Bagian indicated, it is a continuous ongoing effort \nwhere we are going to have to continue to work on all the \ndifferent issues until we know that we have got every single \npart of this understood and we have got a fix prepared for it. \nWe put the fix in and we make it work.\n    The final word I would say here is again that it is not a \nquestion of technology or machines or software. It is a \nquestion of people. 
And we are going to be dealing with people \nacross this system, the 235,000 employees, the tens of \nthousands of contractors, all the people in the 105 medical \nschools that we deal with where you have residents and interns \nin the thousands coming in and going out of our system every \nyear. So we are going to have to work on this continuously, \nsir.\n    Mr. Mitchell. Thank you.\n    One last question before I call on the Ranking Member. Mr. \nHoward, how long will the VA be without a cyber security chief?\n    Mr. Howard. Sir, we actually had selected one, a female, \nvery well-qualified. We had selected her. Several days before \nshe was to show up, she decided to take another job. So I have \nnow had to go back through and announce that position over \nagain. I assure you we will move as fast as we can. But the \nprocess has to be done correctly.\n    Mr. Mitchell. Thank you.\n    Ms. Brown-Waite.\n    Ms. Brown-Waite. Thank you, Mr. Chairman.\n    You know, maybe reducing this to parenthood might be \nrelevant because I only have two children that I gave birth to. \nOne you could talk to and reason with and you would get \nresults. The other one, it was like sometimes you had to like \nlook her eyeball to eyeball and threaten sincerely in order to \nget her attention.\n    So I want to know what you are doing to really get the \nattention in this culture of where we did it before, so we are \ngoing to continue to do it, and I want to know also what is the \nVA\'s policy on using personal computers, i.e., you know, maybe \na thumb drive and taking it home and working at home? And what \nhappens to the employee who you might have to like take drastic \nsteps to get their attention, i.e., dismiss them? Tell me what \nis going on because it is very frustrating to see the lack of \nprogress here.\n    Mr. Mansfield.\n    Mr. Mansfield. Let me start with the last question, and \nthat is the area of sanctions. 
And I think to approach that we \nhave to understand that, as Dr. Bagian mentioned, that that is \na part of a total spectrum of changing the culture.\n    When you are talking about sanctions, I think you have to \nstart with what are our responsibilities before you can get \nthere, and that is I believe that you need to let the people \nknow what you expect of them, why you expect that, give them a \nchance to ask questions if they have questions about what is \nexpected, and then go forward from there.\n    The second part of that is I think that you cannot have one \nsingle decision. You have to take each case, each individual \nand each situation in and of itself and you have to measure \nwhat happened in that case, why it happened, and perhaps what \nthe results are.\n    Ms. Brown-Waite. Sir, with all due respect, we are talking \nabout thousands, hundreds of thousands of veterans whose \ninformation is just out there.\n    Mr. Mansfield. Well, I understand that. I would tell you, \nMs. Brown-Waite, that the last time I was admitted to a VA \nfacility, which was not too long ago, one of the forms they \ngave me said you can check off up here, is this information \navailable for VA research.\n    So I understand that every veteran in this system is at \nrisk, and I hope the point is coming across that we are \nattempting to do everything we can to make sure that that risk \nis mitigated, if not eliminated.\n    Ms. Brown-Waite. Do you have written policies that say one \ntime and one time only, if it happens again, you are out, or is \nit no strikes and you are out? What is VA\'s policy at this \npoint on taking a risk with individuals\' information that may \nput it at risk outside of the premises of the VA offices and \nhospitals?\n    Mr. Mansfield. 
Well, let me caution that, as I mentioned \nbefore, we live within the civil service rules and we have to \nrecognize those and go forward and ensure that we carry out all \nthe responsibilities we have there and ensure that each and \nevery employee\'s personal rights are protected or else whatever \nwe do is going to be overturned by an oversight body.\n    And the other point again is that I think we have to take \neach case in itself and look at what are the issues involved \nhere, how much harm was involved, and exactly how egregious or, \nas you mentioned, repetitive was the issue, and go forward from \nthere. And we cannot just put it down simply as these three \nissues or these rules apply to each and every situation. We \nhave to look at what the individual situation is and go from \nthere.\n    Ms. Brown-Waite. Sir, I have more concern for the employees \nand the veterans\' information that is out there. That worries \nme. Put something in writing that is distributed to the \nemployees that at least they will know exactly what the ground \nrules are. You take the stuff off campus and you have violated \na rule. You are put on probation. It does not happen again. Put \nit in writing some place.\n    Let me get to the specific Birmingham issue. I have a large \nnumber of seniors and I have the highest number of people on \nSocial Security and Medicare. Should I be alerting citizens \nthat their doctors\' information on that patient may also have \nbeen compromised in the Birmingham breach or are you doing it? \nWhat are we doing to protect not just the veterans but people \nwho are on Medicare and Medicaid?\n    Mr. Mansfield. We are following through with the \nrequirements the previous legislation referred to. Part of what \nwe have to do there is a risk analysis, and our initial attempt \nwas to have the IG do it. The IG just last week informed me \nthat they do not believe they have the capabilities to do it. 
\nThey also have raised some legal issues.\n    I brought that issue of risk analysis to the President\'s \nIdentity Task Force at their last meeting, and we are moving \nforward in an attempt to find some, as required by the law, \nindependent body to do the analysis in order to make a \ndetermination of who to notify in that case.\n    I would make the point, too, that I have seen some reports \nthat talk about 1.3 million physicians. That is not the correct \nnumber. What was it, 196, I think we are down to?\n    Mr. Howard. Sir, 565 that we think are----\n    Mr. Mansfield. Why don\'t you----\n    Mr. Howard. To just comment a bit more on the list of \nproviders, in the case of Birmingham, there were 1.3 million on \nthe list. A large number were deceased. I believe several \nhundred thousand. But in every case, we believe two elements of \ninformation were on the particular piece of data, name and date \nof birth. That concerns us obviously.\n    But the most critical was a population of about 565,000 \nwhere there also appeared a number not identified as such, but \nit happened to be a Social Security number. And so in the case \nof the 1.3 million providers, that is where we have pursued an \nofficial risk analysis on that to get specific guidance on how \nto approach it as the Deputy mentioned.\n    Mr. Mansfield. Let me just clarify that the providers are \nnot all medical doctors.\n    Mr. Howard. They are not all medical doctors. Some are \nnurses. There is a variety of providers on the list.\n    Ms. Brown-Waite. But, sir, it is very easy--and I would ask \nthe Chairman\'s indulgence----\n    Mr. Mitchell. Yes.\n    Ms. Brown-Waite [continuing]. It is so easy, once you have \na provider number, to engage in Medicare and Medicaid fraud. It \nis out there. And, you know, I do not know how long your risk \nanalysis is going to take. 
You know, the frustration that I \nhave is that we have people\'s identities and medical \ninformation and Social Security numbers. Now we have \nphysicians\' information also at risk.\n    And the ability of somebody to go in and set up a post \noffice box and do Medicare or Medicaid fraud, that is a \ndangerous situation.\n    Mr. Mansfield. I fully agree with you and understand it. I \nwould make the point that it has taken us a number of days to \ndo the analysis that the OIT Office has done to find out who \nhas been on those records and how many names there actually are \nand who they are and what information is attached to that in an \neffort to go forward and find out what we have to do to answer \nthe questions you raise which are so important.\n    Ms. Brown-Waite. One last question. I promise this will be \nthe last. Do you have a breakdown by State of the providers and \nhave they been even notified of this, because I will tell you, \nnothing will send a more chilling effect to a physician or \nanother healthcare provider if they think somebody may be out \nthere billing in their name because once CMS gets on their \ncase, you cannot get them off?\n    Mr. Mansfield. We do not now have the addresses. The file \nthat we obtained from CMS was scrubbed down to a certain \ndegree, they thought including removing of Social Security \nnumbers, and that means that we are going to have to go back \nbecause when we get the full identity of the individuals to CMS \nand get them to provide us the addresses as we go forward in \nnotifications.\n    Ms. Brown-Waite. Thank you, Mr. Chairman. I am sorry.\n    Mr. Mitchell. That is fine.\n    Mr. Stearns, I understand you have to leave immediately.\n    Mr. Stearns. Well, not immediately. Can I follow up on my \ncolleague\'s--what I had is something that follows right after \nmy colleague.\n    My colleague from Florida mentioned this Unique Provider \nNumber (UPN). Tell me what that means. 
She touched on it, but \nfrom your perspective, what does that mean for a person, a lay \nperson? Tell me the significance if a doctor had their unique \nprovider number.\n    Mr. Mansfield. Sir, Mr. Howard has been working with these \nfiles, and I will let him explain what the UPN is.\n    Mr. Howard. Sir, it is an identifier, you know, for the \nphysician. Quite frankly, though, it is the presence of that \nSocial Security number that is probably even more critical.\n    Mr. Stearns. If you had the UPN number plus the Social \nSecurity number, does it give you authenticity and credibility, \nor if you just had the UPN number without it, you would not \nhave it?\n    Mr. Howard. Sir, I do not believe the UPN number alone \nwould provide you what you need to set up a fraudulent \nsituation on Medicare. But I might ask----\n    Mr. Stearns. Are you absolutely sure that if I sent HEAD \nsome fake stationery and I used a UPN number, could I not start \nbilling for Medicare based upon that without a Social Security \nnumber? Yes or no? If you do not know, just say you do not.\n    Mr. Howard. I am not sure, sir. The information I have, \nthat is not enough, but I am not a physician.\n    Mr. Stearns. Because in addition to the loss of personal \nidentifiable information which means we have hurt the identity \nof veterans as well as physicians and physician providers, you \nhave another avenue here of fraud dealing with the Medicare \nprogram which we did not have. When we had 26 million veterans, \nwe were worried about loss of personal information. But now \nhaving compounded on this, what I hear from my colleague and \nthis UPN is that the possibility could be you take this \ninformation and forget trying to steal a person\'s personal \ninformation. Just go to the source and start billing Medicare \nfor thousands and thousands of dollars. And do it from 50 \nstates before you get caught, you could collect a lot of money. 
Am I exaggerating or is that a possibility?
    Mr. Howard. Sir, the UPN number, to my knowledge anyway, is
publicly available. That is why I say you would need more
information to actually set up a successful----
    Mr. Stearns. So I could find out the UPN number for my
physician? It is accessible. Okay.
    Mr. Mansfield. Web site, right?
    Mr. Howard. It is on a Web site.
    Mr. Stearns. It is on a Web site. So that is not critical
information. Okay.
    Mr. Howard. No, sir.
    Mr. Stearns. Okay. The gentle lady, I will yield to her if
you have any additional--go ahead. I am just going to yield a
minute to her.
    Ms. Brown-Waite. What I said to my colleague is the
provider number, the Medicare provider number is something that
they would need to set up a storefront and start billing,
because we had exactly that problem in Florida.
    Mr. Stearns. Right. And that was part of the loss of 1.3
million, right, what she is talking about.
    The other thing I cannot understand, this occurred on
January 22nd. Why have you not given Members of Congress or at
least put a profile of this information by State? I mean, at
what point are you going to decide to notify these people?
    In California, there is a law that once you lose this
information, you have got to notify the people immediately. How
long are you going to take and why have you not come up with a
plan and a date when you are going to do this? Are you just
going to wait until you get it back, which might be 6 months?
It seems to me there is a time where people should be notified
that you have compromised their personal identifiable
information.
    Mr. Mansfield.
Let me make the point, sir, that since we
became aware of this, we have been in communications with CMS
and talking to them and their legal people and others in an
effort to determine what we need to do to go forward.
    I would also make the point that it has been a question of
attempting to find out what the information was because it does
not show up as a Social Security number. It is in a box over
here that has a name on it and it took our people a lot of work
to----
    Mr. Stearns. So you have to go in each individual box for a
name to find it?
    Mr. Mansfield. You have to go through that to find out, you
know, if that number matches a Social Security number, we
believe. And we have had to go back and do the forensic
information to get that. That has taken some time.
    And I would make the point that we frankly concentrated on
the veterans in an effort to get them identified and to get the
notifications to them. We are continuing to go through the
process of pulling all these large files together to get those
names of the veterans and to notify them.
    Mr. Stearns. In any corporation, they have a security
protocol which says that only certain individuals get access to
this information. I cannot understand why your agency has not
developed a protocol so that this veteran would not get access
to that.
    And the second question I have and I will complete is CMS,
are they not derelict for giving you access to this information
without it being encrypted? Shouldn't CMS at the very least
encrypt all this information before so that this person that
you put on the protocol would have a password and either an
iris or a fingerprint before he or she could get this
information?
    So my two questions are, is there not some culpability on
CMS for not encrypting and, two, why do you not have some kind
of protocol with that massive information?
    Mr. Mansfield.
Sir, part of the problem is that this list
was available for our medical researchers under a memorandum of
understanding that we had with CMS. And actually my
understanding is that they gave us the wrong list that was put
into the custody of a person that we had responsible for
receiving that and responsible for making the decision to
release it to the proper people who have authority and
permission to be released to.
    In the process of looking at the list that we got, we found
out that there was more information, including Social Security
numbers, that were on there and identified as such and we got
those removed from it. But we did not realize that this other
number potentially could be a Social Security number also. So
that is part of the problem.
    Mr. Stearns. Thank you, Mr. Chairman.
    Mr. Mitchell. Thank you.
    Mr. Walz.
    Mr. Walz. Thank you, Mr. Chairman.
    Once again, Mr. Mansfield and the panel, I do not intend to
bore you with my personal history. But having been one of those
veterans who lost their data in the first breach and having
received the letter, I give it to you more as a person at the
time who was not in Congress but who was a veteran and got the
letter and got notification on the news that this happened and
watched this unfold.
    And it was very damaging because the first thing it did it
made me lose some faith in the credibility of the VA. That was
really critical to me because I want to believe and, as I said
in the beginning in my opening statements, your intentions are
unquestionable. You are there to serve our veterans. You have
done that.
    But when I am listening to my colleagues and I listen to
what is coming out on this, outcomes matter more than
intentions. There is no doubt about that.
And as a veteran, I
know my first instinct was just get this right, whatever it
takes to get this right.
    And I hear you say, you talked about, well, you have got
civil service issues and contracting issues and things like
that. Dr. Bagian was talking about, and I am sure you did, your
organizational analysis and you went through, you know, gap
analysis or whatever you did.
    If you were given free rein--this may be more
hypothetical, but maybe it gets to where we need to get with
this--what are these constraints that are stopping you from
getting this fixed? When I hear you say you have these civil
service contracting issues and so forth, what would you change
if you were unrestrained by those? What would fix it?
    Mr. Mansfield. Sir, I have to make the point that, you
know, I come down here as a representative of the
Administration, and there are some other constraints that apply
also.
    Let me go as far as I can and push up against the fence.
One of the constraints we have with this reorganization to make
sure that we shrink down the amount of responsibility so the
people in those boxes can actually get their hands around it
and do it instead of having too much to do, which I think we
had previously, is to change the law that is set up at the
Department of Veterans Affairs as a cabinet agency, because
IBM, a respected contractor that came in to help us figure out
what this reorganization could be, said that some of those
positions should be Deputy Assistant Secretaries in order to
get the people that we want to get that maybe took another job
because they had a better offer.
    And the law that established this Department established a
number of Assistant Secretaries and then put a ratio of Deputy
Assistant Secretaries. The IBM recommendation is that we have a
significantly larger amount of Deputy Assistant Secretaries.
    So I would ask you to amend the law.
That is an issue that
we have to deal with, and I am trying to answer your question
and again play by the rules.
    Mr. Walz. I appreciate your candidness.
    Mr. Mansfield. The other issue is that we have a limited
number of SES positions. And when the 4,600 people were
transferred in here from the field to put together an
organization, how many SES positions were transferred in?
    Mr. Howard. None with those transfers.
    Mr. Mansfield. None. So that is an issue that we are
dealing with, and that means that in my responsibility to
allocate those positions across the Department, I have to pluck
them from somewhere else, which I have done, but there are more
requests for that on the table too. And we have to go through
things like that. So that means we are going back to OPM and
trying to get that number raised up.
    And then the other part is as the Assistant Secretary
indicated, with this person that was hopefully going to be in
the job out of the picture, then we have to go back and what,
do we have to post it again?
    Mr. Howard. Uh-huh.
    Mr. Mansfield. So we have to go through a long, lengthy
process that just is there. I am making the point. We live by
those rules, and those rules were put in place and that is the
law and those are the regulations. We live by them and we try
and, you know, push as far as we can on those, but there are
restrictions involved here.
    Mr. Walz. Well, I appreciate your candor, and I will finish
up on my last bit of time here.
    Are you optimistic inside the parameters you have to
operate it that we can get security on this data? Can we get
this done or are we simply chasing after our tails on this
because of the parameters that are put on you and we are never
going to get there?
    Mr. Mansfield. We will get it done, sir. We will get it
done. The problem we have is time and people. We can work with
the people. We can do a better job of educating them.
We can
make sure they understand what they need to do. We can follow
Ms. Brown-Waite's suggestion and make sure they understand if
they do a wrong, then there are sanctions available.
    But we have got 235,000 individuals out there and we have
got tens of thousands of contractors and every June, we have
got how many thousand residents and interns coming in the door?
    Mr. Howard. Tens of thousands.
    Mr. Mansfield. Tens of thousands there, so we have got to
go through that. I wish I could tell you we could line everyone
up and zap them and it would take place.
    Mr. Walz. Thanks, Mr. Mansfield.
    Thank you, Mr. Chairman.
    Mr. Mitchell. Thank you.
    Mr. Rodriguez.
    Mr. Rodriguez. Mr. Chairman, if I could follow-up on the
same, if it is okay.
    What I am getting and what I am seeing is a bureaucratic
nightmare, and I can just assume in terms of what you are
having to go through. So I am thinking you almost need an
external group coming in, you know, in terms of cyber security
to go in there and take care of it for you.
    You say no, but, my God, you almost need someone, a task
force to deal with it and come and tell you where the gaps are
and what you need to do that is external from you to be able to
tell them how to protect that.
    And I am just going to share with you, you know, I was
engaged in one of the few exercises prior to 2000 on that
glitch referred to as dark screen out of San Antonio. And as a
result of that, there is a whole group, you know, and I think
Senator Hutchinson and them came up with--because we did not
have enough people in cyber security--they came up with a
Master's Degree there. And there is a group there that has been
going around the country helping both the private sector and
the public sector on cyber security.
And, you know, you almost
need somebody in all honesty because you have got to pull this
off as quickly as possible, and they can tell you where the
gaps are. They can tell you what you need to do. They could
even tell you that they can break into it now or not.
    And so, I hate to do something like that but I think that
that would be something that is probably almost needed where
you need an external task force to come in there and take care
of it. And I think that would really be helpful not only to
you, but to all the veterans that you are serving, because I
know that you are sincere about wanting to do that.
    But I also sense your frustration and the fact that in some
areas, you are having some--you know, look at that chart. My
God, you have got a mess. And so you need an external group to
come in there and tell you gaps that you are probably not aware
of that you already have and how to correct it.
    Mr. Mansfield. Well, sir, I would agree with you and make
the point that in the process of getting to here, we did that.
As a part of the reorganization, we brought in IBM and we
brought in subsidiary contractors under that, and they came up
with many of the recommendations from an outside view looking
at our system, taking a chance to go around and look at it and
help us understand what we needed to do. And part of that chart
that you see there is as a result of that. Also some of the
processes and policies that we need to put in place were
recommended by them.
    Mr. Rodriguez. Mr. Chairman, I apologize. I would presume
that if this continues, I would ask if maybe there is some way
that as a Committee, we can force an external group to go in
there as a task force to look at the whole--and people that are
trained in cyber security to protect the agencies and to
protect the Department of Energy.
    There are groups out there, because we get hit, you know,
through cyber space.
And those same people that hit us are real
good at also being able to protect us, but also learn where the
gaps are at. And at some point in time when the agency
continues to have difficulty that we take that into
consideration.
    Mr. Stearns. Will the gentleman yield?
    Mr. Rodriguez. Yes, sir.
    Mr. Stearns. I think your suggestion is excellent. And the
GAO has made recommendations since 1998, 150 recommendations,
and they have not been implemented. Even their Inspector
General of the Veterans, there are 16 recommendations from 2004
that have not been implemented. So I think your idea is
absolutely on target that we need to have an outside group.
    And there are outside agencies, like accounting firms, that
went in and checked Enron. You could have these outside
security firms go in there and give you the information you
want. And right now they have thousands of computers they have
not even inventoried or encrypted. So I think your suggestion
is right on target.
    Mr. Rodriguez. Thank you.
    Mr. Mitchell. Just one comment that I think will help
everyone. Looking at this chart, I can see why things are not
really moving, because no one up here can read it. I do not
think anybody can.
    And I would suggest next time that you bring a picture
chart and also provide all the Members with a chart because I
have no idea what that says. I can see, I think, it is yellow
and blue and white boxes, but that is it. So I would suggest
that next time you make a presentation like that that you
provide us all with----
    Mr. Howard. Mr. Chairman, we have----
    Mr. Mitchell. That would be nice.
    Mr. Mansfield. Secretary Howard mentioned in his comments
that if you want to discuss it that we would go forward and do
that. I apologize for----
    Mr. Mitchell. You keep referring to it, so I assume you
wanted us to be able to see it.
    Mr. Mansfield. Yes, sir.
    Mr. Mitchell. Mr. Rodriguez.
    Mr.
Rodriguez. Yeah. One last comment. And I sense you are
sincere in terms of wanting to do the right thing. But I also
pick up in terms of the fact that I am sure there is some
frustration on your part in terms of trying to accomplish what
you need to get done. And so with that, I will stop.
    Mr. Mitchell. Thank you.
    Mr. Davis.
    Mr. Davis. Thank you, Chairman, for letting me participate
again.
    Mr. Mansfield, let me use March 2006 as the trigger for
this question. That was, as I understand it, the time in which
there was a fairly significant data security breach at the VA.
Have I got the timeframe right, March 2006?
    Mr. Mansfield. Sir, it was May of 2006.
    Mr. Davis. May 2006. Since May 2006, how many data breaches
are believed to have occurred at VA facilities?
    Mr. Mansfield. Sir, I can tell you that from the SOC report
that we get, and I do not have a number with me, I will provide
that to you as a followup to this hearing, but we know that
there have been hundreds of them in the sense of actual
violations of either the law or the regulations.
    Mr. Davis. And you mean hundreds just in that timeframe
since May of 2006?
    Mr. Mansfield. Yes, sir. Since we put this new SOC
reporting system into place following the May incident.
    Mr. Davis. What would you estimate the largest amount of
information that has been compromised in any of those hundreds
of breaches?
    Mr. Mansfield. How many were in the----
    Mr. Howard. It was Birmingham.
    Mr. Mansfield. I think the Birmingham incident where we are
talking about----
    Mr. Howard. It is number two.
    Mr. Mansfield [continuing]. Is the second one,
approximately a half a million veterans and approximately the
same number of providers.
    Mr. Davis. Well, give me a general estimate in what you
describe as the hundreds of breaches that have happened since
May of 2006.
Give me an estimate of the amount of information
that you think has been compromised collectively.
    Mr. Mansfield. Again, sir, let me go back for the record.
Some of these reports involve two veterans' information or----
    Mr. Davis. That is what I am asking you. I understand that.
    Mr. Mansfield. Yeah. I mean, I do not have that in front of
me. Well, I can get it and have it provided for you.
    Mr. Davis. I am certainly not empowered to make requests on
behalf of the Committee, but I suspect the Committee would be
interested in having that information, and leads to my next
question.
    Mr. Mitchell. Absolutely.
    Mr. Davis. Other than the Birmingham breach, how many of
these breaches have resulted in a public notification?
    Mr. Mansfield. The UNISYS?
    Mr. Howard. Sir, let us get back to you on that. There have
been a number of them. But to give you a precise answer, we
need to go back and check.
    Mr. Davis. Mr. Mansfield?
    Mr. Mansfield. I would just make the point that in some
cases, there has been lower numbers here. The veterans have
been notified that or possibly also employees that might have
been identified, but not necessarily the public. So we have to
go back again and sift through all that and then followup. Many
of these decisions can be made at the facility level.
    Mr. Davis. Is it safe to say that the Birmingham incident
is the only instance in which a press release has gone out from
the VA notifying the public of a breach since May 2006?
    Mr. Mansfield. No, sir.
    Mr. Davis. How many other times has a press release gone
out notifying the public?
    Mr. Mansfield. I will have to go back and check. I do know
on the UNISYS, there were a number of press releases. That was
the one where one of our contractors--I am not sure how many--
--
    Mr. Davis. That leads to my next set of questions.
I do not
get a sense that there is a hard and fast policy regarding when
you notify, when your agency notifies and when you do not. Can
you give me a short, quick sense of what is the trigger, when
do you all engage in public notification?
    Mr. Mansfield. It is a combination of events. I think at--
--
    Mr. Davis. Is there a statute you can point me to or
regulation that you can point me to by number?
    Mr. Mansfield. I am going to have to go to my general
counsel, sir. I cannot point to a statute.
    Mr. Davis. Let me ask the general counsel. I am seeing if
there is a particular place that contains the relevant policy.
    Mr. Mansfield. Well, I think again, it becomes a question
of what is the size of the event, what is the information given
out. In some cases, it may be that there is incorrect
information given out in the press and there may be an attempt
to try and correct that.
    Let me also make the point that in any serious breach where
the IG moves in and accepts the responsibility to go forward
with a recommendation, they generally request us not to make
any public notification.
    Mr. Davis. Let me ask you about that, Mr. Mansfield. And to
me, that is one of the major problems here. I understand that
there was a request from the IG, wait, let us do a more
thorough investigation. I understand that at some level, but
here is the problem. Every moment of delay is a moment in which
information can be compromised. Every moment of delay is a
moment in which information can be misused or misbilled. And it
would seem to me that the balance would err in favor of
notification, and that does not appear to be where the balance
was in this case. Am I wrong?
    Mr. Mansfield. I will not say that you are wrong, sir. I
will say that----
    Mr. Davis. Why shouldn't the benefit of the doubt be given
to the veteran?
    Mr. Mansfield.
Part of it is, sir, in those early
instances--for example, in this case, we did not have the
information available to go notify the veterans or know how
many veterans there were actually involved or know who they
were and where they were and how we can get in touch with them.
    Mr. Davis. Once you got that information, did notification
occur?
    Mr. Mansfield. Yes, sir.
    Mr. Davis. Well, I am not sure if that is accurate, but let
me move on if the Chair would indulge me to have just a few
more seconds here.
    You made a reference in your opening statement to the
Birmingham facility, and I looked for your written statement
and I did not find a reference characterizing the conduct or
the performance of the Birmingham facility.
    So let me ask you. Would you grade for me the Birmingham
facility with respect to its handling of this matter? Would you
give them an assessment or grade?
    Mr. Mansfield. Well, obviously with the problem that we
have here, there is some concern about what happened. I am
still waiting for the IG to hand me an investigative report.
    Mr. Davis. What is the nature of the concern? I understand
there is an individual who is compromised, and I do not want to
get into the details of that if there is an ongoing
investigation. But beyond that individual, would you assess the
performance of the VA in Birmingham?
    Mr. Mansfield. No, sir. I am not going to do that now.
    Mr. Davis. And the reason?
    Mr. Mansfield. I would be happy to go off line and away
from the domain here and have a conversation.
    Mr. Davis. Is that not a matter relevant to the public?
What is your position, sir?
    Mr. Mansfield.
I am trying to follow the directions and
orders that I have and perform the job that I am supposed to
perform for my boss, who is the Secretary of the Department of
Veterans Affairs, and allow him the ability to make what
decisions he has to make in the proper forum.
    Mr. Davis. Mr. Chairman, I am sensing the fact that my time
is out. If I can just wrap up with one observation.
    I am concerned by that answer, Mr. Mansfield, because this
is the people's business. This is the ultimate public domain, a
congressional hearing, and if it is the assessment of senior
management at the VA that the Birmingham facility is not
meeting its obligations with respect to data security or some
other aspect of this matter, I would like my constituents in
Birmingham to know that and I think that that is not a
privileged matter. It is not a matter of national security. It
is something they are entitled to know.
    Mr. Mansfield. When that decision is made, sir, I will make
sure that I let you know and that we let the people know. And I
would state for the record that notification of veterans
started on 5 February of 2007.
    Mr. Mitchell. Thank you.
    Before I call on Mr. Bachus, I was just made aware that
Public Law 109-461 enacted in December of 2006 permits the
Secretary of the Veterans Administration to determine when to
announce and make public any information of this kind.
    Mr. Bachus.
    Mr. Bachus. Thank you.
    Mr. Mansfield or Secretary Mansfield, my father was a
veteran who was treated at the VA facility. He is now deceased,
but my mother received notification that his records were among
those lost.
    And I will tell you if he were here today, the first thing
he would say is thank you for the medical care he received at
the VA hospital. It was first rate.
He had Alzheimer's, and he
had the veterans facility there, partners with the UAB Medical
Center, and he received medical care that was second to none.
    Mr. Mansfield. Thank you for those comments, sir.
    Mr. Bachus. Wonderful staff there. Y.C. Parris, I see is on
the third panel. It is a wonderful staff. So I do think, to put
this in perspective, this is one employee. Did he violate a VA
written rule? I mean, is there----
    Mr. Mansfield. The individual that reported the incident
and----
    Mr. Bachus. Yes.
    Mr. Mansfield. Yes.
    Mr. Bachus. What has been reported is he downloaded the
entire system on a hard drive and then took the hard drive off
premises; is that correct?
    Mr. Mansfield. Yes. And the rules state that you can do
that, but to do it, you need your supervisor's permission and
they have to be encrypted.
    And the original report we received through the SOC, we
were told that the numbers were less than eventually turned out
to be true. I think he reported somewhere around 48,000 to
56,000 and reported that the information had been encrypted.
    But when the forensic people from the FBI with the IG went
in and did the forensic examination, that is when we started to
find out that we had these mega numbers involved in the--
potentially had these--we still do not know what they are, but
potentially had these mega numbers involved.
    Mr. Bachus. You know, I think maybe a problem may be what
is the policy on either downloading information on a hard drive
or thumb devices and then walking out of the VA with those
devices. To me, there ought to be a pretty firm rule that you
do not do that or that all information is encrypted.
    Mr. Mansfield. That is the current status in Directive 6504
which has been published as a followup to the May incident.
There is a requirement, as I stated, to get permission and then
have it encrypted.
    Mr. Bachus.
You know, this Committee, I am not on the
Committee, but they receive a weekly update on any security
breaches, and one of those breaches that they received was an
instance where a staff member was checking software on various
machines at a VA facility and found that many of the
workstations were logged on. There was no one at the desk and
they had not logged out. And you could take that computer and
go into the entire NT system. Is that a violation of the rules?
    Mr. Mansfield. Yes, that is, sir. When that station is not
being used, it has to be shut down.
    Mr. Bachus. There are no locks in place?
    Mr. Mansfield. There are time-outs where, you know, after a
certain period of time, and I do not know exactly on those
machines you are referring to, but that the machine will shut
itself down. That is a new thing we have----
    Mr. Bachus. Yeah. The person involved here was actually a
computer programmer, was it not?
    Mr. Mansfield. I am not sure which one you are referring
to.
    Mr. Bachus. In Birmingham.
    Mr. Mansfield. Oh, I am sorry. Yeah. In that incident, yes.
    Mr. Bachus. I am sorry. I did confuse you.
    Mr. Mansfield. Yes, you are right, that was the person that
we are talking about. It was a status 2210 computer.
    Mr. Bachus. So he certainly knew the risk involved.
    Mr. Mansfield. He reported the issue because he knew that,
you know, there was a problem. There are other issues that
apply to it too that----
    Mr. Bachus. Was it not in the report that it was lost off
premises though?
    Mr. Mansfield. Actually, I just know that it was reported
lost.
    Mr. Bachus. I will say this. The day that the VA in
Birmingham discovered it, they notified the IG, which was the
next, you know----
    Mr. Mansfield. They notified the SOC, which is us, and we
notified the IG.
    Mr. Bachus. I am sorry. The SOC. So their notification to
you was immediate?
    Mr. Mansfield.
Well, yes.
    Mr. Bachus. One last question, if I could. The thing that
probably disturbs me that I heard today that, you know, of
course, you shared it with us February 9th, which you asked us
not to make it public, you know, obviously has come out in this
hearing.
    Is the 1.3 million medical health providers, and it is not
all doctors--I know some are dead, but most are alive and, you
know, therapist, anyone that bills the VA basically is what we
are talking about here, is that right, or does research for the
VA or medical care, 1.3 million healthcare providers?
    Mr. Mansfield. Excuse me. Could you restate that? Is the
question, are any of those private providers people that would
bill the VA?
    Mr. Bachus. Yeah.
    Mr. Mansfield. Potentially could.
    Mr. Bachus. No. I mean, is it----
    Mr. Mansfield. I mean, I do not know, but potentially they
could be.
    Mr. Bachus. Okay. Well, now, the physicians, I will just
say that, you know, was it their names were on there, their
date of birth, their credentials also, right?
    Mr. Mansfield. Their specialties, yes, sir.
    Mr. Bachus. Their specialties. The schools they studied at
were on there?
    Mr. Mansfield. I am sorry, sir?
    Mr. Bachus. The schools they studied at would have been on
there because that is the HHS form, is that correct?
    Mr. Mansfield. Sir, we will double check for you, sir. I
believe that you are right.
    Mr. Bachus. Yeah. Yeah, the form that you have identified
as being the HHS form has the school they studied at, their
provider numbers, their billings, license. And somebody
mentioned a medical license number. That is a tremendous amount
of information.
    Mr. Mansfield. I think that may be the M link number which
again is potentially another number.
    Mr. Bachus. Okay. All right.
    Mr. Howard. The school they graduated from is also on
there, sir.
    Mr. Bachus. What?
    Mr. Howard.
The school they graduated from----
    Mr. Bachus. Where they graduated medical school.
    Mr. Howard. We have a picture we can actually show you.
    Mr. Bachus. And I actually have pulled up what is on that
HHS--it is HHS information. But you mentioned a medical
license. Is that different? What is the medical license? Is
their medical license number included there?
    Mr. Howard. Are you referring to the M link?
    Mr. Bachus. No. I do not know. Someone in this hearing
mentioned the word medical license.
    Mr. Howard. State license, yes.
    Mr. Bachus. Oh, okay. Their State medical license. Okay.
All right.
    Mr. Stearns. Is it medical license number?
    Mr. Bachus. Yeah, their number, their license or State
license. Okay. Now, the provider numbers, their billing
licenses is all on there?
    Mr. Mansfield. No.
    Mr. Howard. I do not see it.
    Mr. Bachus. Okay. All right. You know, all that information
surely puts them at very high risk for Medicare billing fraud.
I mean, someone else could bill for their services. But what I
am hearing today is that they have not been notified?
    Mr. Mansfield. Sir, not yet, sir. We are still trying to
identify. Much of this information is available to the general
public on other Web sites, too, also. So we are trying to
figure out what additional risk do we have to deal with here
based on what information is provided on this document.
    Mr. Bachus. But now, I guess you could not go publicly.
Could you go in and get all that including their Social
Security numbers and their billing license, their provider
numbers?
    Mr. Mansfield. Go ahead.
    Mr. Bachus. I would hope that is not public.
    Mr. Mansfield. I would ask General Howard to answer that
question, sir.
    Mr. Howard. Sir, in the case of physicians, the name and
date of birth, in fact, the date of birth of physicians can be
found on Web sites.
For the other providers, that may not be
the case. So in the case of physicians, there are at least two
items of information that we would consider sensitive that are
available, you know, the name and the date of birth.
    Mr. Bachus. And I guess it begs the question. I will end
with this. As a result of that, you have got all this
disclosure out there. And I do not know whether it has fallen
into anyone else's hands or not, but it seems like at least one
question you might be asking is do you change these numbers in
the national system. But I know you are in touch with CMS, but
have there been any reports of any fraudulent billings?
    Mr. Mansfield. No, sir, not to our knowledge.
    Mr. Bachus. Thank you.
    Mr. Mitchell. Thank you.
    There are two people who said they wanted a followup
question real quickly.
    Mr. Stearns, did you want to have a followup very quickly
and then Mr. Davis, and then we are going to take a 5-minute
break?
    Mr. Stearns. My colleague, Mr. Bachus, had mentioned that
he is concerned about fraud. And, Mr. Chairman, the only thing
I think, you cannot get all that information in one fell swoop
like that.
    And it seems to me that you have got to make an assessment
here for CMS and the veterans of the degree of fraud that could
be instigated because you have all this information. You would
set up a dummy office as well as stationery and you could say I
am billing for John Miller, a followup, because you obviously
can send with all this information and how would Medicare not
know if you put together a bill and sent it forward? Why would
Medicare not pay it with all that information available?
    So I think there is a danger of loss of personal
identifiable information for veterans, but also you have a
possibility of fraud on CMS. And that is just an area that I
think somehow you have got to get a handle on.
And I am not
sure except one of my colleagues suggested having an expert
outside auditing firm come in and help you assess the risk as
well as to try and implement some procedures.
    Thank you, Mr. Chairman.
    Mr. Mansfield. That is, as I mentioned, sir, a requirement
of the statute and does require independent analysis. We have a
responsibility within 180 days of passage of the law to write
the regulation that would make that work since we do not have
that regulation written yet. We are in the process, as I
indicated, in discussions with CMS, CMS lawyers, and how do we
go forward in attempting to do that.
    And I would make the point that, as mentioned earlier, that
we do have to be--we have had discussions, many discussions
about this, and we do have to be aware and we do have to take
it very seriously. But part of the problem is, you know, we
have been working on the effort to identify whose identities
actually are in there and, you know, as mentioned, which ones
are alive and then exactly how many are physicians versus other
providers. And then we have to do a process to get the
addresses if we go forward. So we are working on these issues
internally.
    Mr. Stearns. One other thing I would caution you about is I
understand you have not done a full audit of all your computers
and you have not instigated an encryption procedure.
    So, you know, the staff showed me you have had other
incidents of loss or breach of information and it is going to
continue to happen unless you get a handle on this which means
you have got to complete your audit on these computers, you
have got to put encryption protocol that I mentioned, or you
are going to have this on your watch again and again.
    Mr. Mansfield. As I mentioned earlier, we are aware of
that, sir.
And as I mentioned earlier that with a decentralized
system that we have and the fact that we are not standardized,
we do need to move toward standardization, that there are not
any simple fixes that allow us to just punch in the answer and
go forward.
    We have to make sure in each of the many very different
systems that we have across the VA, across all these hospitals
and healthcare systems, that it is going to work and not shut
down a system. And it is a lot more involved than I understood
it was when we started this. And we are going forward as fast
as we can to make sure that we get it done. But, again, the
lead word is still do no harm and make sure that we get the
veterans that are coming in for treatment treated and taken
care of.
    Mr. Mitchell. Thank you.
    Mr. Davis has one question, then Ms. Brown-Waite has one
question. We want to get to the second panel.
    Please ask the one question.
    Mr. Davis. Thank you, Mr. Chairman.
    Mr. Mansfield, with respect to the hundreds of breaches
that you say have occurred since just May of 2006, has a single
VA employee been fired or disciplined as a result of any of
those breaches?
    Mr. Mansfield. The answer I am told is yes, but let me, if
I may, sir, go back and make a point. All these reports are not
IT breaches. Some of them are paper records. Our Veterans
Benefit Program is based on paper files of millions of
veterans. Some of them are based on paper records in other
incidents. So they are not all IT.
    Mr. Davis. Thank you.
    Mr. Mitchell. Ms. Brown-Waite.
    Ms. Brown-Waite. A quick question about the cyber security
person that you were going to hire. If you had, you know,
narrowed it down to the top three or the top five and the one
person declined, is there a reason why you cannot go back and
look at the second person? Do you have to rebid this?
    Mr. Howard. Yes. That is what the process is.
    Ms. Brown-Waite.
Thank you.
    Thank you, Mr. Chairman.
    Mr. Mitchell. Thank you.
    We are going to take a 5-minute recess and then have the
second panel come up. Thank you.
    Mr. Mansfield. Thank you, Mr. Chairman and Members.
    [Recess.]
    Mr. Mitchell. All right. We will continue this Subcommittee
hearing. I want to welcome panel number two. I welcome panel
two to the witness table.
    And these individuals provide our Subcommittee with a major
service not only in their ability to provide independent
assessments of VA program performances, the GAO and VA IG are
able to place the performance of VA's information security
management program in a historical context. This allows us to
better understand if cultural resistance has developed in the
program and how to cope with this resistance.
    I have asked Mr. Claudio in his newly-created role in the
Office of IT Oversight and Compliance to sit in on panel two
and to answer our questions. That his position was recently
created by the Secretary to provide a feedback mechanism with
regard to the information security program is laudable. We are
interested in his grass-roots viewpoint. And we will begin with
Mr. Wilshusen.

     STATEMENTS OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION
      TECHNOLOGY SECURITY ISSUES, U.S. GOVERNMENT
    ACCOUNTABILITY OFFICE; MAUREEN REGAN, COUNSELOR TO THE
   INSPECTOR GENERAL, OFFICE OF THE INSPECTOR GENERAL, U.S.
    DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY KENNETH
SARDEGNA, DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDIT, OFFICE
OF THE INSPECTOR GENERAL, U.S. DEPARTMENT OF VETERANS AFFAIRS;
  AND ARNALDO CLAUDIO, DIRECTOR OF OVERSIGHT AND COMPLIANCE,
 OFFICE OF INFORMATION TECHNOLOGY, U.S. DEPARTMENT OF VETERANS
                            AFFAIRS

                  STATEMENT OF GREG WILSHUSEN

    Mr. Wilshusen. Thank you very much, Chairman Mitchell,
Ranking Member Brown-Waite, and Members of the Subcommittee.
Thank you for inviting me today to participate in the hearing
on information security management at the Department of
Veterans Affairs.
    Recent well-publicized security breaches at the Department
have highlighted the importance of effective information
security controls in protecting sensitive and personal
information not only at VA but throughout government.
    As we have reported on many occasions, poor information
security is a widespread problem that can have devastating
consequences, such as disruption of critical operations and
unauthorized disclosure of highly sensitive information.
    Today I will discuss the recurring security weaknesses that
have been reported at VA and the actions taken by the
Department in response. I will also discuss our ongoing work at
the Department.
    Since 1998, GAO and the Inspector General have reported on
wide-ranging deficiencies in the Department's information
security controls, including a lack of effective control to
prevent individuals from gaining unauthorized access to
computer systems and sensitive data and to detect them if they
do.
    In addition, the Department had not consistently provided
adequate physical security for its computer facilities,
assigned duties in a manner that segregates incompatible
functions, controlled changes to its operating systems, and
updated and tested its contingency and disaster recovery plans.
    These deficiencies existed in part because VA had not
implemented key components of a comprehensive integrated
information security program, including the lack of centralized
management and approach for addressing security challenges.
    VA has taken important steps to improve security, including
realigning its security functions and personnel under the
Department's CIO Office.
It has also developed a data security
corrective action plan that is to guide and track the
Department's efforts in implementing its information security
program and controls.
    However, many of these efforts have not yet been
implemented. For example, key policies such as those for
assessing risk and implementing enterprise patch management have
not yet been developed.
    In addition, the Department has not established a track
record of proactively mitigating known weaknesses across all of
its systems. As a result, sensitive information remains
vulnerable to inadvertent or deliberate misuse, loss, or
improper disclosure as the breaches demonstrate, nor has the
Department consistently satisfied the provisions of the
``Federal Information Security Management Act'' (FISMA).
    OMB requires agencies to annually report on their progress
implementing FISMA by October 1. Although it sent a draft
report to OMB, the Department has not yet submitted its
official annual report for 2006. It is the only one of the 24
``CFO Act'' agencies that has not yet done so.
    At the request of this Subcommittee and other congressional
requesters, GAO is presently reviewing the Department's lessons
learned on notifying officials and affected individuals on data
breaches, actions to strengthen information security, inventory
and accountability controls over IT equipment, and efforts in
implementing the VA's IT realignment initiative. These reviews
are ongoing and will be completed later this year.
    In summary, longstanding control weaknesses at VA have
placed its information systems and information at increased
risk of misuse and unauthorized disclosure. Although VA has
made progress in mitigating previously reported weaknesses, it
has not taken all the steps needed to address these serious
issues.
Only through strong leadership, sustained management
commitment, and vigilant oversight can VA implement a
comprehensive information security program that can effectively
manage risk on an ongoing basis.
    Mr. Chairman, this concludes my statement. I would be happy
to answer questions.
    Mr. Mitchell. Thank you.
    Ms. Regan.
    [The statement of Gregory Wilshusen appears on pg. 63.]

                   STATEMENT OF MAUREEN REGAN

    Ms. Regan. Thank you.
    I would like to have our full statement submitted for the
record.
    And before beginning, on behalf of the OIG I would like to
second the Deputy Secretary's comments regarding Mr. Sistek's
retirement or move from the Committee. We have really enjoyed
working with him over the years, and we will miss him.
    Mr. Chairman, Members of the Subcommittee, thank you for
the opportunity to address OIG oversight efforts of the VA's
information security program, its effectiveness, and the need
for cultural change within VA.
    To answer questions regarding these issues, I am joined by
Ken Sardegna, our Deputy Assistant Inspector General for
Auditing.
    Issues related to information security are twofold. The
first is the protection of sensitive information maintained on
VA automated systems from unauthorized access. The second is
whether individuals who are authorized access to sensitive
information adequately protect it from loss, theft, or
inappropriate disclosure.
    Today I will highlight that there have been longstanding
problems in VA with respect to protecting sensitive information
that have not been fully addressed.
Our FISMA audits have
identified information security vulnerabilities every year
since fiscal year 2001.
    VA's efforts to address these vulnerabilities in a timely
manner have been hampered by the magnitude of the problems and
aging IT infrastructure and the lack of standardized IT systems
throughout VA.
    To address these vulnerabilities, we have recommended that
VA pursue a more centralized approach to IT management, apply
appropriate resources, and establish a clear chain of command
to enforce internal controls and hold individuals accountable
for not protecting information.
    In our ongoing 2006 FISMA audit, we determined that all 17
recommendations cited in prior FISMA reports remained
unimplemented. In addition to the 17 unimplemented
recommendations, we anticipate identifying several new high-
risk areas associated with certification and accreditation of
VA systems, remote access, and access to sensitive information
by non-VA employees. Until all matters are fully addressed, VA
systems and VA data remain at risk.
    The May 2006 theft of an employee's personal hard drive
containing protected information on at least 26 million
veterans and active military highlighted how vulnerable VA is
to compromising information on veterans.
    In reviewing how this incident occurred, we found a
patchwork of policies that were fragmented and difficult to
locate. None of the policies prohibited removal of protected
information from the work site or storing protected information
on personally owned computers. These policies also did not
provide safeguards for electronic data stored on portable
media, such as laptops.
    We also found information provided to VA employees and
contractors needed to be better safeguarded. Background
investigations were not always required or done. Procedures for
reporting potential data losses needed to be improved.
We made
five recommendations to VA to correct these problems. To date,
all five recommendations remain open.
    As a result of this incident and subsequent actions taken
by the Subcommittee, there is greater awareness in VA regarding
the issue of information security. However, VA still lacks
effective internal controls and accountability.
    Since July 2006, the VA Security Operations Center has
received reports of approximately 3,600 incidents. The
incidents included unauthorized access, missing, stolen, or
lost laptop computers, improper disposal, and numerous
incidents involving unencrypted e-mail messages containing
sensitive information.
    Of the 3,600 incidents, 250 were referred to the Office of
Inspector General. Of these, we opened 46 investigations. One
of the most significant is our current investigation of the
data loss at Birmingham, Alabama.
    Information security remains a major challenge for VA. For
example, VA has not yet determined how many employees and
contractors use non-VA computers to access VA systems. VA does
not know what VA data is being stored on these computers,
external hard drives, and other portable devices.
    VA also has no means to monitor whether access to data is
limited to the information needed to conduct business. And much
of VA's databases and e-mail remains unencrypted.
    VA will not be able to safeguard data unless three
important actions are taken: Hold individuals accountable for
compliance with policies and procedures; provide employees with
VA-owned computers and encryption software; continue to enhance
employee awareness of the need for a cultural change.
    Equally important, VA must find a way to implement these
actions without impacting VA's ability to fulfill its mission.
    Thank you again for this opportunity to update you on the
status of our ongoing work. We will be happy to answer any
questions you may have.
    Mr. Mitchell.
Thank you very much.
    [The statement of Maureen Regan appears on pg. 60.]
    Mr. Mitchell. I have a question for Mr. Claudio. You
essentially are able to provide a fresh new perspective with
regard to field-level activities in information security
management at the VA. We welcome your perspective.
    Do you believe that policy guidance to the field is
comprehensive and unambiguous with regard to information
security management and do you believe that the policy guidance
is rigorously enforced by field-level managers?

                  STATEMENT OF ARNALDO CLAUDIO

    Mr. Claudio. First of all, sir, thank you very much. And
before I start, I want to say that I am honored and privileged
to be here today and to you, Mr. Chairman and Members of the
Subcommittee, I appreciate the opportunity to come in here and
speak truthfully of what I have seen out in the field to you.
    Actually, I am very pleased to hear that Mr. Rodriguez and
Mrs. Brown-Waite have basically talked about accountability and
have talked about putting the point into who is the person to
be looked at when we are talking about breaches of data, so
forth and so on.
    My office was created and actually executed on the 22nd of
January. It is an office that is called the Oversight and
Compliance. And I do not know. It was not discussed that much
over here, but I am the person with my organization to go out
there and do assessments on policies, assessments on validation
of laws, assessments and safeguard and maintaining in the areas
of cyber security, the areas of record management, and privacy.
    Within the last 30 days, and by 15 March, we will have
completed 16 assessments.
    To answer specifically your question, I think the IG
basically brought up some very important points in terms of
lack of accountability, enhancement of awareness in part. I
have gone out and I have reviewed 6504. I have looked at every
policy there is.
And if you are a person that belongs to VA and
you have an understanding of what you are reading in pure
English, it is very easy to follow instructions because they
are very clear. There are memos to the memos to the memo. There
is policy to the policy to the policy and it is all written
there.
    What there is a lack of, and I think it was brought in, is
looking at a person and holding that person accountable for his
or her action of what has occurred. And that is really lacking
out there. So to be pointed on this is the personal
accountability is lacking, number one. So the policy is there.
    What it is, and we talked about change of mindset, is
change of environment. I have sat in groups where there are 20
to 30 doctors and these doctors, we talked about and discussed
how to safeguard the I, which is the information. Still, some
of them, even with their high level of understanding of other
things, will probably fight the fact that the information is
probably not as important as their research.
    So what we are looking at is a change of mentality here,
which is going to take effect as we go through, and I think the
wake-up call obviously on the 6 May and then on the Birmingham
piece will definitely change attitudes.
    Mr. Mitchell. Thank you.
    I have one other question.
    Mr. Claudio. Yes, sir.
    Mr. Mitchell. Do you believe all incidents are reported and
do you believe that there are unauthorized reproduction of
databases and what is the threat associated with a hypothetical
action like this?
    Mr. Claudio. Sir, I have been a cop for over 30 years.
    Mr. Mitchell. You have been what?
    Mr. Claudio. A cop, a policeman. My last job, I was the
Chief of Staff for the Joint Force Headquarters, National
Capital Region, also the senior Military Police in the military
district of Washington. And prior to that, I was in Iraq.
I was
the senior Military Police as an advisor to General Casey.
    I will tell you that you have to make some determinations
of what you are going to report. There are cases that are
insignificant. Your data breaches where they are insignificant
of one or two person, that can be handled right there and then
and remediation can be taken care of.
    So to tell you that every incident is reported, I do not
think so. I think with the change of mindset that is occurring
right now, you will see the volume of SOC reports actually
increasing, doubling, and even tripling because a lot of people
are putting conscience into what is going on. So in that term,
you are going to see an increase of SOC reports coming into the
fact. So that is the first part.
    Can you repeat the second part of the question, sir?
    Mr. Mitchell. Yes, sir. Do you believe that there was
unauthorized reproduction of the databases and what would be
the threat associated with this type of action?
    Mr. Claudio. Sir, there is not so much a reproduction.
There is a possibility, based on the assessment that I have
done, that data is being passed on through unencrypted
computers. And because that is done right now, it definitely
creates a tremendous risk for the veterans. Yes, sir.
    Mr. Mitchell. Thank you.
    Ms. Brown-Waite.
    Ms. Brown-Waite. I thank the Chairman.
    I have a question for Mr. Wilshusen. I am not picking on
the VA, but they happen to be our Committee's jurisdiction. If
you could tell me of the 150 some recommendations that have
been made, what would you say are the top five? And if you--I
will let you answer that.
    Mr. Wilshusen. Okay. First I would like to clarify a couple
of things regarding the 150 recommendations. We made these
recommendations back in 1998 to 2002.
Many of our reviews and
our recommendations are very specific, detailed configuration
items on computer systems that identify specific computer
control vulnerabilities.
    VA has to a large extent corrected many of them. However,
what they have not done is that they have not taken the next
step and proactively looked at the vulnerabilities that we
identified on those systems because typically they would just
correct the action on a particular system or device that we
identified the vulnerability. They did not take the next step
to look for and identify other devices or systems that are
similar that could have the same vulnerabilities. And we would
find those vulnerabilities on similar devices at other
locations. So I would just like to clarify that.
    But I would say the key recommendation that they still need
to address is implementing a robust, centralized information
security program. They are starting to make progress in terms
of centralizing some of the information security functions and
personnel within the CIO's office, but they have not yet
implemented all of the key activities associated with a
comprehensive information security program in terms of being
able to adequately assess their risk of the impact that could
result from an unauthorized security breach to developing the
policies and procedures that effectively mitigate those risks,
including those configuration, management, and requirements for
specific systems and operating platforms.
    They also need to assure that their staffs and their
security personnel are adequately trained in security
requirements as well as security awareness so they know what
the threats are and their responsibilities are for implementing
the policies and procedures for testing and assessing the
effectiveness of controls on their systems and protecting the
information on a regular and ongoing basis.
    And once they have done those tests, they need to
develop
remedial action plans to correct and mitigate known weaknesses
not just on those devices where they have been identified but
across the entire Department.
    Ms. Brown-Waite. Are other organizations as resistant to
change and do other agencies have as much of a problem with
breach of sensitive personal information as the VA does?
    Mr. Wilshusen. Well, I will say that certainly the security
breaches at VA have been remarkable and, in fact, stunning in
their scope and magnitude. However, they are by no means unique
in the Federal Government. Other Federal agencies have suffered
and have been exposed to security breaches and data breaches as
well.
    In fact, one of the reviews that we have ongoing right now
is to look at some of the lessons learned regarding similar
data breaches at other Federal agencies, particularly as they
relate to notification to government officials and affected
individuals when such breaches occur. But certainly VA is not
unique in the sense that other agencies also have security and
data breaches.
    With regard to how robust their security controls are and
program as compared to other agencies, I would say that they
probably are near the bottom of the 24 ``CFO Act'' agencies.
And this is based upon a couple of facts.
    One is on the FISMA report analysis, our analysis of their
reports have consistently shown that in terms of at least
meeting the performance measures that they are required to
report under by OMB is that they generally have not fared as
well as other agencies.
    In addition, the IG and its contractors have consistently
reported that they have a material weakness in their
information system controls as part of the financial statement
audit and in the agency's performance and accountability
report, which is another indication that their controls are
lacking.
    Mr. Mitchell. Thank you.
    Mr. Bachus.
    Mr. Bachus.
Thank you.
    I will direct this question, I guess, to Ms. Regan. The VA
has failed its annual ``Federal Information Security Act''
review for 6 years in a row, is that right?
    Ms. Regan. I would have Mr. Sardegna answer that question.
He is much more familiar with the audits.
    Mr. Sardegna. I believe we have been doing this since 2001.
And, yes, as far as I understand, the VA has never been in
compliance with the ``Federal Information Security Management
Act.''
    Mr. Bachus. What happens when you fail that? Are there
remedial measures or----
    Mr. Sardegna. Our past reports have identified 17 different
issue areas that we have been reporting for a number of years
now. Our reports go to the Office of Management and Budget, and
as required we provide OIG information to be included in a
joint report with the Department that we send forward.
    We also do a separate independent assessment which we
provide to what now would be the Assistant Secretary for
Information and Technology at the CIO and the different
Administration heads of the agency.
    Mr. Bachus. Okay. But, you know, I think everybody, both
panels agreed that the VA is not doing, you know, what they
should do at the headquarters level at least.
    And, Ms. Regan, you mentioned three things they ought to
do, is that right?
    Ms. Regan. Yes.
    Mr. Bachus. One was encrypting data?
    Ms. Regan. Yes.
    Mr. Bachus. Is the technology there to have encrypted the
data on the hard drive in Birmingham?
    Ms. Regan. You can encrypt the data that you store on the
hard drive. There is software that allows you to encrypt the
data when you transfer it or work with it on the hard drive. It
encrypts the hard drive in itself. The data that you put on
there is encrypted through the software.
    Mr. Bachus. Is that made available to the employees in the
VA who are downloading this information?
    Ms. Regan.
It has not been made available yet to my
knowledge. That is one of the issues with our second point. VA
needs to provide VA-owned computers so that you can control
what security measures are on the computer and buy this
encryption software.
    Mr. Bachus. Now, that seems pretty simple really, does it
not? I mean, the technology is there. It is not provided. And
if it were, it would in this case and many others have resulted
in the information that was lost not being subject to misuse or
criminal intent.
    Mr. Sardegna. Well, if I may, Congressman, there are some
complicating factors with the Department's IT infrastructure.
As the Deputy Secretary has testified, there are multiple
platforms. There are many really aging information systems and
technologies that VA is trying to bring up to date by adding
these new technologies for encryption.
    Ms. Regan. I also believe one of the main issues with
respect to this is the cost. We have----
    Mr. Bachus. Is what?
    Ms. Regan. The cost.
    Mr. Bachus. Cost.
    Ms. Regan. I mean, there is a price tag to providing the VA
computers, particularly with the emphasis on telework. If you
want people to work at home or you have people working at home,
VA would have to buy them VA laptops and have the software
installed on them.
    Mr. Bachus. Of course, every time they work at home or
every time they have a hard drive, there is a case where
somebody could steal that hard drive or they could lose it. I
mean, that is going to happen every time, right?
    Ms. Regan. Whatever it is, whether it is a laptop or even a
desktop at home or whether it is a hard drive or other portable
media device, they can get lost. They can get stolen. It is
happening all over the country. I think it gives some sense of
security when the hardware or the data was either encrypted or
password protected which makes it difficult for somebody to
access that data.
    Mr. Bachus. Yeah.
And that had not been done to date,
right?
    Ms. Regan. That has not been done. Some VA entities have
implemented encryption for e-mails but most of VA has not.
    Mr. Bachus. Okay. Let me just close by saying Congressman
Mitchell asked, you know, in how many cases is it not reported.
And, Mr. Claudio, you said you were a law enforcement officer.
    Mr. Claudio. Yes, sir, I was.
    Mr. Bachus. I used to be Assistant State's Attorney
General. I can tell you this employee, I do not know him, I do
not know anything other than what I read in the newspaper, he
reported it. That leads me to believe that is inconsistent with
selling it or an intentional act. I mean, and I would say that
probably by reporting it, he probably is in the minority of my
experience with human beings. In most cases, they do not report
it.
    Mr. Claudio. Actually, sir, we have seen a change in
conduct on that. Like I said before, the SOC report is growing
by the minute. There is a conscience out there and a great
effort made by the leadership to pass on the message how
serious this whole thing is.
    And, again, just by going around and assessing what is
going on, I think there is being some very heart-to-heart talk
from the leadership. As I go around, I meet first with the
hospital director and I spend 15 to 20 minutes trying to assess
where he or she is in terms of policies, in terms of
regulations.
    But you can see a definite shift. We are not there yet. It
is going to take some time. I think the reorganization is going
to pay its fruit. We just got to give some time for that to
happen.
    Mr. Bachus. Now, in this case, you had a director of the
hospital who immediately notified headquarters----
    Mr. Claudio. Yes, sir.
    Mr. Bachus [continuing]. Knowing about the publicity, the
consequences. He did his job.
I worry about probably for every one of those directors one that says look for it some more, are you sure, you know, or an employee who does not come and report it.
    Mr. Claudio. Yeah.
    Mr. Bachus. And I think the answer to that is encryption and policies on, you know, certain information should not be shared with people. You know, I think that probably too many employees have too much information that they do not need to do their job, number one.
    Number two, I think this idea of taking stuff home and working on it on your computer ought to have some severe limitations because, you know, things happen on the way to and from work or at home.
    And, number three, encryption technology, a big cost, but, you know, we are going to be here having hearings once a month if you do not have it.
    Mr. Claudio. Sir, I could not agree with you more. I think the ultimate thing is that all data from the veterans is collected, distributed within the confinements of that facility period. And then there is enough space inside that server that can handle that so you do not have to go to an external drive, that you do not have to go and plug in a USB port and so forth.
    Mr. Bachus. Or put it on a thumb device or put it on a hard drive and take it home.
    Mr. Claudio. Correct, sir.
    Mr. Mitchell. Thank you.
    I have just a couple very quick questions for Mr. Wilshusen. First, do you believe that the VA is on the road to achieving the gold standard in information security management?
    Mr. Wilshusen. If they are, they are at the early stages of that. Certainly since the May 3rd data theft, there appears to have been a change in attitude, at least at the very top.
    Secretary Nicholson has testified as well as, of course, now Mr. Mansfield, that it is important that the agency set the tone at the top in terms of what will be tolerated, what will not.
And it seems at present at least that they are making that effort.
    However, attendant with that is the requirement that you adequately and unambiguously communicate what the expectations are for the employees throughout the entire organization at all levels on what their security requirements are and have that tied then to their performance standards, their position descriptions, communicate that through various forms of directives, handbooks as the VA is attempting to do.
    And then once you have communicated what those expectations are and provided training to the staff is to make sure then that there are accountability measures in place that reward those that do perform and address those that do not.
    Mr. Mitchell. Earlier, Mr. Claudio said there were memos on memos. There was every written rule in the world. I mean, that is not the problem. So I do not know how these employees could not know what is expected of them unless their supervisors are not doing their job.
    Mr. Wilshusen. Well, that is exactly right. You need to have the enforcement and accountability mechanisms in place, be that through performance mechanisms, through their ratings, and where it affects them in either the paycheck or have other administrative actions.
    The other thing that you have to do because people are only one part of the overall equation related to information security effectiveness in an organization, you also have process and technologies.
Often people will be your weak link in many cases, but you need to have controls and other disciplines through the technology, make sure you have appropriate technology controls to include things like encryption, to include strong access controls on your systems.
    You also need to have appropriate processes and part of that is making sure that those individuals only have access to the information that they need to perform their job and that they control that information and do not allow it on laptops or removable media when it is not needed to perform their job.
    And if it is, to make sure you have the appropriate technical controls to help protect that information when it is at risk because the information can be at risk at multiple places, both at rest when it is on the hard drive, when it is on a server, or when it is being transmitted across a network or over the Internet.
    So there needs to be appropriate controls and policies in place. And by policies, I mean technical security control policies in place to protect that information.
    Mr. Mitchell. And a couple other quick questions. How does the VA compare with other agencies with regard to information security management programs?
    Mr. Wilshusen. Well, I would say that, you know, based upon the reporting mechanisms afforded by FISMA, the ``Federal Information Security Management Act,'' and based upon the results of audits and reviews of information system controls performed during financial statement audits that VA is probably near the bottom.
    Just to illustrate, VA has had, I guess, a material weakness in their performance and accountability report and information system controls since 1997 each year.
    In addition, for 4 of the last 5 years, the House Committee on Government Reform has been issuing computer security report cards based upon an analysis of the annual FISMA reports.
And VA has received a failing grade for 4 of the last 5 years.
    And as I mentioned earlier, VA has not yet submitted its official draft or its official copy of its annual report this year.
    Mr. Mitchell. Can you tell us of the successful agencies' best practice?
    Mr. Wilshusen. In terms of agencies which have done that?
    Mr. Mitchell. Right.
    Mr. Wilshusen. Well, by those same standards and criteria that I just laid out, some would include perhaps like Social Security Administration. They have not had a material weakness or reportable condition on their financial statement audits. They have consistently scored higher on the review of the FISMA reports.
    A couple other ones would include, I think, National Science Foundation. But I would also caution that though they have done well on the FISMA reports and also as part of the financial statement audits, because those reports and audits are somewhat limited in scope does not necessarily mean that they have full and highly secure systems.
    Mr. Mitchell. Ms. Brown-Waite.
    Ms. Brown-Waite. Thank you.
    Earlier during the previous panel, my colleagues, Mr. Davis and Mr. Stearns, had suggested an outside audit and investigation group come into the VA.
    And I do not know who can answer this. If they are ignoring the IG and the GAO, why would an outside group perform any magic and results that are not exactly being accomplished here with your report and the followups?
    Mr. Wilshusen. Well, one, first of all, I think it is always appropriate to have independent reviews of an information security program or the information security controls in place at an agency are all on particular systems. Indeed, that is what GAO and the IG have done on many reviews in the past.
    The basic problem is they have not implemented an appropriate information security program. And it will take probably a sea change for them in order to do that.
You know, certainly an independent review from an outside source could provide other skills perhaps, but at the same time, I think the reviews that the IG and we have performed highlighted significant vulnerabilities and gaps in security controls.
    Ms. Brown-Waite. If I may ask a followup question. Would it be better for Congress to say--I know this is a terrible word to use--to earmark, to make sure that money is set aside specifically for the kind of security, data security that we need with no ifs, ands, or buts about it, take money from their existing budget and say, ``you will do this?''
    Ms. Regan. I was going to say I think it would depend on what you are going to ask them to do with the money. If it is going to be this money will be set aside for encryption and laptops, that is one thing. I think what needs to be done first is to have the resources put to those needs. So I think you would have to identify what aspects and how much money to begin with.
    One other issue, if I could follow up on the contractor issue, I think as we noted in our report last summer, the July report, VA still has serious problems with contractors and access to our data. If you remember, the UNISYS computer got stolen that had VA data on it.
    I think, though, the Department is making headway to do this. I would be concerned that the scope of any contract would have to be defined, and I am not sure how long it would take to define the requirements. VA does not have a good history with IT contracts. And I think it would have to be defined, but I am not sure it would be done in the very near future. I think you may be looking down the road for a while, unless it was a narrow scope contract on one issue.
    Ms. Brown-Waite. I think Mr. Claudio----
    Mr. Claudio. Yes, ma'am. I think it is a matter of capability. If you look in the past, the question is, did we have the capability to do such an assessment.
We did not. Thirty days ago, that organization was put together. It is the organization of Oversight and Compliance.
    Basically it is an organization that covers the entire United States, including Alaska, Hawaii, Puerto Rico, Guam, and the Philippines. It will do about 16 to 20 assessments per month once the full capable organization. So we probably will have to ask that that capability to get function and go ahead to see how productive that is.
    We have met with the IG, the organization. We have discussed this point. And if you look at, there is about 266 medical centers. There is about 63 regional centers. It is about 300 plus. All those regional centers and medical centers will be assessed about in a year and a half. So the assessment capability is now there and we just got to give it some time to see where we get from here to there.
    Mr. Mitchell. Thank you.
    Mr. Bachus.
    Mr. Bachus. Yeah. I would like to just ask two followup questions. My first one is about the Birmingham breach, but it is not directed at Birmingham because I would bet you this information went out to a bunch of other sites too.
    But why would anyone in the VA, in VA research or VA in general, need access to the entire CMS database on everyone that ever billed CMS for healthcare, including all that information, or if they were, you know, why could that not have been encrypted or why could it not have been under some very tight supervision?
    Ms. Regan. That issue is actually being addressed in our administrative investigation. We are looking at this point as to why that individual had that data. We are also looking at why the individual was given all the fields that are in that data set and whether they were necessary.
We are also looking at whether or not CMS should have given that database to the VA to start with, there are key factors of the database that VA was never given or that were not given to the facility. But why that information on that many physicians? Was it necessary at various levels? It did not go to this individual initially. It went to somebody else who he works with. But we are looking at all of those various issues regarding that database.
    Mr. Bachus. Okay. Thank you.
    Has the VA inventoried or restricted employee access to sensitive veterans' personal information on a need-to-know basis?
    Ms. Regan. The VA has not inventoried it as far as I know. But I do know that when you access a database, you need to explain and get it approved to have access to the database and usually what part of the database and for how long, and whether you are just going to review it, if you are going to copy it, there are various questions that are asked.
    It gets down to the individual level. Is the individual ISO, information security officer, or the CIO who has responsibility at a facility asking the right questions? Is it for a limited time period? Do you need all the fields in the database? All those issues should be addressed. So it gets down to an individual level, but there are measures in VA to do that. It is whether or not people comply with it.
    Mr. Bachus. All right. Thank you.
    Mr. Mitchell. Thank you.
    One quick followup. Mr. Wilshusen, you mentioned some paperwork that the Veterans' Administration has not completed for information security. Could you repeat what that is again?
    Mr. Wilshusen. Yes. The ``Federal Information Security Management Act'' requires agencies to report annually on their progress in implementing the provisions of the Act. They are required to report in accordance with OMB's instructions on reporting for this.
OMB has set up a number of performance measures and a reporting format for that and requires the agencies to report by October 1. It is called the Annual FISMA Report.
    As of today, VA has not submitted its official copy of that report. Now, it has submitted a draft of that report to OMB, but has not yet submitted the official copy. And accordingly, because it is a draft, both GAO and Congress are also supposed to receive copies of these reports and we have not received them yet.
    Mr. Mitchell. Have you heard anything from the VA about why they have not done it?
    Mr. Wilshusen. I do not know precisely the reason why. As far as I know, perhaps--well, my colleagues might know why.
    Mr. Mitchell. Does anybody know? I understand. Assistant Secretary Howard, would you address that question?
    Mr. Howard. Sir?
    Mr. Mitchell. Why the paperwork has not been submitted.
    Mr. Howard. If it is the same report I am thinking about, it is in the Secretary's Office with signatures.
    Mr. Mitchell. And this is February, right, and it was due in October? I mean, this is March really.
    Mr. Howard. Yes.
    Mr. Mitchell. Thank you.
    Mr. Bachus. Could I ask one followup question?
    Mr. Mitchell. Yes.
    Mr. Bachus. I do not know if it was this panel or the last panel said that in the aftermath of that May 3, 2006, the massive breach there, that the VA issued a directive that you could not download sensitive personal information about veterans, maybe physician providers too--I do not know--onto--it had to be a VA computer--I do not know exactly--or VA-owned equipment, I think.
    But that has been now waived, is that right?
    Ms. Regan. There was a subsequent memorandum that waived that provision for the three Administrations, which would be National Cemetery Administration, Veterans Health Administration, and Veterans Benefit Administration.
    Mr. Bachus.
So which is about all of VA basically, right?
    Ms. Regan. Pretty much. It would not only just be the databases. It would just impact the people using those databases within those Administrations. People in OIG offices may have access to those databases for oversight purposes. It would not affect us. We have our own policy that only VA-owned computers can be used, not personal computers.
    Mr. Bachus. Was that just as a practical matter? Once they did that, they prohibited that, that the system just could not work?
    Ms. Regan. I do not have any knowledge as to why it was done. We have never seen the justification.
    Mr. Bachus. I mean, why it was waived.
    Ms. Regan. Why it was waived. The reason they put the policy in place----
    Mr. Bachus. The prohibition.
    Ms. Regan. Right.
    Mr. Bachus. I can understand the prohibition. I do not understand why it was waived unless maybe as a practical matter, they could not pay benefits, they could not treat because, you know, maybe it interfered with their--but it would be interesting to know.
    Does any of the panel know why a temporary waiver was issued? Thank you.
    Mr. Mitchell. Any other questions?
    Thank you very much. I appreciate it.
    Ms. Regan. Thank you.
    Mr. Mitchell. And at this time, we are going to have the third panel, and this should go--they do not have opening statements. And I would like to, while they are getting ready, read a statement.
    The Minority Members had requested these witnesses for this panel so that we could gain better insight into information security management and research-related programs at VA.
    Ms. Regan, could you just hang around a little longer because I think I would like you to sit in on this if you would.
    This was an act of choice and I fully concur with the request. I do regret that we could not provide VA with more time to coordinate the appearance of one REAP Director, Dr.
Pogach. I appreciate you responding in short notice.
    I would also like Ms. Regan, Counsel to the VA Inspector General, to sit in with panel three to advise us if in her opinion the questions or answers get too close to the nexus of the IG's ongoing investigation so as to jeopardize that investigation.
    I also welcome from the Birmingham VA MC, Mr. Parris and Dr. Blackburn.

 TESTIMONY OF LEONARD M. POGACH, M.D., DIRECTOR, RESEARCH AND 
 ENHANCEMENT AWARD PROGRAM, VA NEW JERSEY HEALTH CARE SYSTEM, 
   EAST ORANGE, NEW JERSEY; WARREN BLACKBURN, M.D., ACOS/R&D 
 COORDINATOR, VA MEDICAL CENTER, BIRMINGHAM, ALABAMA; AND Y.C. 
   PARRIS, FACILITY DIRECTOR, VA MEDICAL CENTER, BIRMINGHAM, 
                            ALABAMA

    And we are just going to open this up to questions.
    And, Dr. Pogach, did I pronounce your name right?
    Dr. Pogach. Yes, sir.
    Mr. Mitchell. Okay. Well, thank you for being here today. I appreciate it. And could you please explain what the REAP or REAP Program is and why researchers in that program require the use of large databases?
    Dr. Pogach. It is a Research and Enhancement Award Program. These are competitive center awards, mid-level center awards which are awarded by the VA Health Services Research and Development Program. I am not sure how long the program has been in existence. We were awarded, our center in New Jersey, in September 2003.
    The purpose of the center is each of them has a theme. We are interested in healthcare knowledge management which includes chronic illnesses and quality management.
The REAPs are awarded to those facilities that have demonstrated certain research capacity and capability.
    And one of our specific interests, not the only one, is the use of large databases to basically look at the quality of care provided to veterans as well as their course over time in terms of looking at whether or not the quality of care provided results in improved outcomes, such as decreased morbidity, decreased mortality, for what I do especially with diabetes.
    The reason why large data sets are required is these types of outcomes, which are observational, often are not able to be attained through clinical research. For example, clinical randomized trials, especially when you are looking at the variation in outcomes among a wide variety of facilities across a national system.
    And this sort of data and analyses and publications certainly can result in not only publishable research, but the goal would be to provide information within the VA on where there is variation in care, variation in outcomes that might allow managers to be able to track where to look for interventions.
    And second of all, what we would really like to do with our quality improvement program, which most of you probably are aware of, the VA is a leader, is to actually determine if we can go beyond provision of--we did process. We lowered a value to something to really see if veterans are living longer and living healthier.
    Mr. Mitchell. One other question. Do you share any researchers with other non-VA organizations and, if you do, how would you assure with reasonable certainty that information security practices are being followed?
    Dr. Pogach. We do not share the data that we get for all large database analyses with other organizations.
    Mr. Mitchell. But do you share the researchers?
    Dr. Pogach. Do we share the researchers?
    Mr. Mitchell. Yeah.
    Dr. Pogach.
We have WOCs who are shared with other universities, yes, but when they work with us they are working on-site and on VA grounds. The salaries may be shared.
    Mr. Mitchell. And you are fairly certain that the information security practices are being followed?
    Dr. Pogach. Yes. The security practices now that we have are very clear as to what we do. In part, we are also a relatively young REAP in terms of how we have been funded, and we did not have strong preexisting relationships with our organization.
    So we developed our program to be in-house. I understand that is not the case routinely across the entire VA system, but our capacities and our data systems are within our VA.
    Mr. Mitchell. Thank you.
    Ms. Brown-Waite.
    Ms. Brown-Waite. I thank the Chairman.
    Dr. Weeks, could you tell us why the REAP research was suspended at your facility?
    Dr. Blackburn. I think you mean me, Dr. Blackburn.
    Ms. Brown-Waite. Oh, okay.
    Dr. Blackburn. Yes. The Office of Research Oversight after finding out that the external hard drive had gone missing suspended the REAP research activities.
    Ms. Brown-Waite. I mean, will they resume?
    Dr. Blackburn. That is certainly our expectation and hope. To my understanding, the ORO's investigation is ongoing and has not been completed.
    Ms. Brown-Waite. And, Dr. Blackburn, as long as I have you there, do you know why this happened on your watch?
    Dr. Blackburn. The investigator or the programmer had an external hard drive within VA space. From what I have been told by him, it was stolen.
    Ms. Brown-Waite. Well, why was it not encrypted? I think that is part of the problem.
    Dr. Blackburn. Well, I think as panel two----
    Ms. Brown-Waite. That is the problem.
    Dr. Blackburn [continuing]. Already VA has not provided at this point encryption software for external hard drives.
We have gone ahead in Birmingham and taken additional actions that we have now banned external hard drives, and our VISN is in the process of banning all but a few thumb drives.
    Ms. Brown-Waite. And the repercussions if you violate the ban?
    Dr. Blackburn. I am sorry. I did not hear that question.
    Ms. Brown-Waite. The repercussions if the ban is violated.
    Dr. Blackburn. Well, I think the thing is we are responsible and we are aware of who buys hard drives. So we know where they are and we have gone ahead and collected them. The thumb drives are going to be, to my understanding, inoperable based upon a computer patch except the ones that are----
    Ms. Brown-Waite. I want to make sure I understand what you are saying. Someone cannot go out and buy one at Office Depot and download onto it?
    Dr. Blackburn. That is my understanding of the plan of the IT folks within our VISN, correct.
    Ms. Brown-Waite. That is your understanding of the plan. Is that what the plan does?
    Dr. Blackburn. Is that what what?
    Ms. Brown-Waite. Is that what it actually does is it prohibits downloading on a thumb drive?
    Dr. Blackburn. Unless it is an encrypted thumb drive, that is correct.
    Ms. Brown-Waite. And for all three panel members and Ms. Regan, if you can contribute, I certainly would welcome that. The question is, you know, what did you individually do to implement the VA directives 6500 and 6504 on cyber security directly after last year's May 3rd incident?
    Mr. Parris. We strictly enforced that directive. We made sure that any external device was within that work space.
The one area actually that was involved with this actually went above and beyond.
    They actually met with our staff on just a security, if you will, education program and they made their own policy that when the person who was using a drive was not in the vicinity of that drive, which is totally legal for it to be by the policy, that they actually lock that up in an additional locked area. So they went even beyond the policy within that particular area.
    Ms. Brown-Waite. Whenever I check into a hotel or motel when I am traveling and there is that big sign up there that says no swimming after ten o'clock, I always say to the owners what is the penalty if I go swimming after ten o'clock.
    So I want to know what you all do to actually implement and enforce this, because I am getting the impression that we have so many written policies out there, policy upon policy and directive upon directive that maybe that is part of the problem, that the employees may be totally confused when they have a directive de jure.
    But what is being done to implement and enforce the prohibitions where they do not swim after ten o'clock?
    Mr. Parris. We have gone through extensive education with our staff. We have gone as far as having an information security fair for a better term. We invited people up to a full day so that they could get trained on what we meant by information security.
    We have on our Web site all the policies. We have a question form for those policies for the ones who may not understand some of the questions.
    I do not know if I am answering your question with the look on your face, but, you know, I am trying to get to the gist of the question.
    Dr. Blackburn. Well, let me go ahead and add that we have required, as Mr. Parris indicated, training for every one of our employees who have access and it is real simple.
If they did not go through the training, their access was cut off.
    Ms. Brown-Waite. So was this after the latest incident that happened at----
    Dr. Blackburn. No, ma'am.
    Ms. Brown-Waite [continuing]. Birmingham?
    Dr. Blackburn. No.
    Ms. Brown-Waite. So it was before?
    Dr. Blackburn. That is correct.
    Mr. Bachus. Let me start by saying that I know Y.C. Parris. He is a great Director and operates a very good ship. So I ask these questions. I do not need to apologize to ask them, but I have an obligation to ask it.
    And what I kind of heard earlier was that you all complied with all the procedures and the directives from VA, is that correct?
    Mr. Parris. Yes, sir.
    Mr. Bachus. But now, am I confused or were the directives, did they not include that you all encrypt this information and that that was not done?
    Mr. Parris. No, sir. That is part of maybe what the Congresswoman was getting at, that there was a little bit of ambiguity. And if you look at the policy, it says within the external hard drive, which we do not have the software available to encrypt the external hard drive at this time, that if that hard drive is within that secured work space, that office space, whatever it is that is VA property, then that is okay.
    Mr. Bachus. It does not have to be encrypted?
    Mr. Parris. No, sir.
    Mr. Bachus. But I guess they say either keep it in a secure location or encrypt it?
    Mr. Parris. Yes, sir.
    Mr. Bachus. But then you do not have the software nor did they supply the software to encrypt it?
    Mr. Parris. That is correct, sir.
    Mr. Bachus. Which is almost a directive without the ability to comply, is it not?
    Mr. Parris. It makes it very difficult, yes, sir.
    Mr. Bachus. I mean, I guess you could go out at your own expense, and I do not know.
But, you know, it would seem that if they would supply you with information, require you to encrypt it, they would provide the software and the means to do that as part of the system. That would have been an easy way to avoid what happened in February, I would think.
    Mr. Parris. Yeah. The horse and the cart.
    Mr. Bachus. What?
    Mr. Parris. The horse and the cart. And Bill Gates just had an article in the paper recently that illustrated that where he said that when you see how fast technology has moved, that our security system is like a stone castle with a moat around it and a drawbridge, but the technology is a jet plane with missiles on it.
    Mr. Bachus. Now, the IG reported that, you know, it would be good to encrypt this information. And I am hearing in this hearing that software is available to encrypt the information, but the VA up here, I will tell you, they are going to want to shift part of the blame and said you all should have encrypted it. We sent a directive to you to encrypt it, but you were not given the software. But you were also told that it could be within a secure area. And you are telling me it was within the work space.
    Mr. Parris. Yes, sir.
    Mr. Bachus. And the employee, when he discovered that it had been taken or that it was no longer there, he reported it promptly?
    Mr. Parris. Reported to my office, yes, sir.
    Mr. Bachus. And you reported it promptly to D.C.?
    Mr. Parris. Reported it to my network director, which is my protocol, who was in Atlanta, and he reported to D.C. the same timeframe.
    Mr. Bachus. Now, they have suspended your research and that of also six other centers which as they inquired, they discovered that they had not encrypted information, including, I guess, the White River Junction facility, is that right?
    Dr. Pogach. Actually, from New Jersey, but they suspended all the REAP programs.
    Mr. Bachus. I cannot hear.
    Dr.
Pogach. I am sorry. We are from New Jersey. I am not from White River. Dr. Weeks could not make it today. But all the REAP programs----
    Mr. Bachus. Are you from East Orange or where?
    Dr. Pogach. Yes, New Jersey.
    Mr. Bachus. Okay.
    Dr. Pogach. So all the REAP programs were suspended not specifically for any one issue but to allow for reassessment of all data security at those sites.
    Mr. Bachus. But was one reason it was suspended because the information was not encrypted?
    Dr. Pogach. I do not know the reasons why, if that could have been one reason or not. We were just basically told that all research is suspended so that we could basically make sure all policies----
    Mr. Parris. No, sir. I think it was due diligence on the part of the organization.
    Mr. Bachus. I am not arguing with their decision to shut down the programs and assess whether that information should be out there in the first place and, if it is, it ought to be encrypted because people are going into places and steal things.
    Dr. Pogach. Right.
    Mr. Bachus. Thank you.
    Mr. Mitchell. Mr. Walz.
    Mr. Walz. Thank you, Mr. Chairman, and thank you, gentlemen, for joining us.
    I am sorry I missed your earlier testimony, Mr. Parris, when you--your initial statements on this. I was here earlier for Deputy Secretary Mansfield, and I am looking at some of the things he said.
    We had a long discussion in that first panel on the idea of what role culture plays, culture in an institution, as you are well aware of. And I am listening to my colleague, Mr. Bachus, talk about it. And I have no doubt. I am a veteran and I understand and I have the greatest respect for the VA and the work that you do.
Absolutely critical.
    And as I stated in that first panel, the intentions, I am always operating from the assumption that the best intentions are always what is there.
    When looking at these data losses, I am just trying to get my mind around it as a veteran, as one of those people who got one of those letters, what can we do to prevent it, what can we do to stop it.
    And when I am looking at this and I think about my job, my former job as a high school teacher in public schools, data privacy is the air that we breathe. And we have got a lot of people in public schools, namely our students, who are pretty darn good with computers. And, yet, it is just stress to us.
    And there are password changes every 21 days. There is log-out timeouts and log-out restrictions. If your computer is shown as being idle and logged in, you get notified and you get called in and written letters on those types of things because they are really critical. There are student data that could get into health issues, too, that are on there.
    So my question is, and Deputy Secretary Mansfield was very candid and very open about some of the restrictions that were put on him, I understand your job, Mr. Parris, is to provide the highest quality healthcare you can to your patients. That is your number one priority.
    This data privacy issue is part of that and might be seen as a peripheral or distraction. We understand how important it is. I am still trying to figure out, in your mind or in your assessment, is this a resource issue or is this a cultural issue inside the VA on the importance of safeguarding this data?
    And I am asking you in the broad range because, as I said, I am operating from the assumption you want absolutely the best care for our patients and you want their data secured. I want the same thing. How do we get to that?
    Mr. Parris. Yes, sir.
I agree with you about your last \nstatement about wanting to secure the data and make sure we \ntake care of our patients. I do not want to throw a wrench into \nthis, but I think it is neither totally culture nor resources. \nBoth of those, you always deal with and they are always going \nto be there.\n    But I think it is the growing pains. I am probably the only \nperson in the room who has been around since Crew DHCP. That is \nwhere we had four contractors and we were testing computers and \nthe only thing we had on there was a patient history. And we \nhave grown to the most sophisticated medical record in the \nworld right now in the VA system.\n    And the growth of that, within the growth of the patients \nand the growth of the system we have, and then we have three \nmajor entities. Besides VHA, we have VBA, which is a huge \nentity, and then we have National Cemetery. And the things they \ndo are different.\n    And so I think it is growing pains as much as anything, is \nhow do you stay up with the change in technology, the new \nsoftware that is coming out. I do not know how many times I \nhave sat at a table like this and talked about if we only had a \npatch on that software, we could get the patient what they need \nquicker. Can anybody write a patch for that?\n    So you see the complexity of the system that we have. And I \nthink that to have the people in the know to help keep up with \nthe security part of that, as I talked about the castle and the \nairplane, that is really kind of the gap that we have, and how \ndo we make those come together. How do we have a security \nsystem that runs parallel with the technology that we are \ninstalling on a daily basis?\n    Mr. Walz. I appreciate that. 
There was a suggestion \nearlier, and I am just getting your feeling on this because we \nall want to solve this, whatever it is going to take, and I \njust see a massive need that the public wants this, because one \nof the things, as you well know, the biggest thing for me as a \nveteran that it is the loss of trust, which is critical to us. \nOf all the good work you do, you hate to see that happen.\n    And it was suggested by Mr. Rodriguez that we just need to \nmaybe provide a crack team of people that provide the best \nsecurity or whatever it is from wherever they come from and \ndrop them in here and get this thing done.\n    Now, do you believe that is the solution or is this part of \nthe growing pains, that that would not do it? They would not \nunderstand your organizational needs the way you understand \nthem?\n    Mr. Parris. With all due respect to that suggestion, sir, I \ndo not think that would solve the problem. I think that would \nbe another expenditure that probably could be spent on a \nsolution to the problem internally.\n    Mr. Walz. Thank you so much.\n    Ms. Brown-Waite. If the gentleman would yield. I asked that \nquestion before because my fear is you bring an outside group \nin, they are going to ignore those recommendations as they have \nignored the IG as well as the GAO. And I would rather see the \nmoney spent on some kind of a solution soon here.\n    Mr. Walz. Software.\n    Ms. Brown-Waite. Right. Software would be great. But, you \nknow, also setting that what are the consequences of not \nsecuring that data. And it is not just in the VA. I think every \nagency is probably guilty of it.\n    Mr. Mitchell. Thank you.\n    I think that will be all. Just before we adjourn, I would \njust like to know and I think this Subcommittee would like to \nknow when the Secretary signs the FISMA report. I would like to \nknow that. 
So if somebody here could let us know when it is \nactually signed, I would appreciate that.\n    And if there is nothing else, this meeting is adjourned.\n    [Whereupon, at 5:30 p.m., the Subcommittee was adjourned.]\n\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n              Prepared Statement of Hon. Harry E. Mitchell\n         Chairman, Subcommittee on Oversight and Investigations\n    I have accelerated our Subcommittee\'s review of VA information \nsecurity management for several reasons. I thank all three panels of \nwitnesses and our Subcommittee Members for their cooperation despite \nthe somewhat short notice we were able to provide. It is my belief that \nwhen the subject matter justifies some sort of review, that such a \nreview should be thorough, balanced and timely.\n    This topic was on the Subcommittee agenda for later in this year. \nWhile it is a recurring and non-partisan topic for our Veterans Affairs \nCommittee, the events regarding the data loss at Birmingham and other \ncircumstances have led me to advance this hearing on our Subcommittee \ndocket.\n    In this hearing I wish to determine the current status of \ninformation security management at VA. Admittedly, the Birmingham \nincident holds powerful sway over the landscape. If the Birmingham \nincident stood alone against a backdrop of a sound information security \nmanagement program perhaps we could address a one-time-only incident \nwith more patience.\n    However, the record reflects a host of material weaknesses \nidentified in Consolidated Financial Statement Audits and Federal \nInformation Security Management Act [FISMA] audits over recent years. \nThe Inspector General\'s Office and the Government Accountability Office \nhave both reviewed VA and found deficiencies in the information \nsecurity management program over the last 8 years. VA is slow to \ncorrect these deficiencies. 
For example, the VA IG made 16 \nrecommendations with regard to information security management in \n2004--all 16 remained open in 2006.\n    During our full Committee review of the May 3rd, 2006 data loss, we \ndiscovered a general attitude regarding information security at VA that \nour current full Committee Chairman Bob Filner once referred to as a \n``culture of indifference.\'\' Today, I wish to address this issue of \n``culture\'\' and the need for cultural change with regard to information \nsecurity at VA.\n    Last year, the Committee reviewed cultural problems at several \nlevels at VA.\n    We looked at the very top levels of VA leadership and were \ncritical.\n    We looked at the program leadership level and were critical.\n    We looked at the promulgation of information security policy in VA \nand were critical of the various methods employed by some program \nleaders and advisors to gut those policies, to avoid accountability and \nto weaken information security practices.\n    We were critical of the lack of checks and balances in the \ninformation security management system at VA--was guidance being \nfollowed, did oversight occur?\n    We were critical of the delay by VA in providing congressional \nnotice of the May 2006 incident. We were critical of the slow \nescalation in notice of the magnitude of that problem.\n    VA mailed notices to millions of veterans addressing the data \ncompromise and made a public commitment to become the ``gold standard\'\' \nin information protection within the Federal Government. Eight months \nafter the initial data loss, VA reports another loss of significant \nmagnitude associated with a Birmingham VA research program.\n    That a weakness existed in this area surprised no one. That it \nhappened at all serves to precipitate this type of congressional \noversight hearing. 
While the actual loss of the external hard drive and \nthe limited electronic protections on that missing equipment should be \nconsidered the 800 pound gorilla in this room, there were some silver \nlinings with the Birmingham story as we now know it.\n    For example, the loss was reported in VA and quickly relayed to the \nappropriate people. Mr. Howard notified congressional oversight staff \nand Secretary Nicholson called the Chairmen and Ranking Members of the \nVA Committees. The Office of the Inspector General was quickly involved \nand opened an investigation.\n    In similar examples from May 2006, VA took days or weeks to \naccomplish those tasks--in the Birmingham incident of January 2007, VA \ntook hours or days to accomplish the same tasks. Staff was notified \nwithin 1 day, and calls from the Secretary followed a few days \nafterward. The investigative trail was reasonably fresh for the IG to \nfollow.\n    What of VA culture with regard to this issue? The IG made five \nrecommendations to the Secretary in their ``Review of Issues Related to \nthe Loss of VA Information Involving the Identity of Millions of \nVeterans\'\' on July 11, 2006. As of today, all five of those \nrecommendations remain open. Why?\n    After the 2006 series of hearings, VA issued a series of tough \nsounding declarations, but problems still remained and another major \nincident has happened. After the Birmingham incident, the Secretary \nissued some tough guidance, but what impact will it have? Will history \nrepeat itself? How deep are the cultural barriers?\n    I believe that it is important to review all aspects of this issue. \nWe need to hear from VA leadership and in that regard we are pleased \nthat Deputy Secretary Mansfield has agreed to testify. 
He, Secretary \nNicholson, and the Under Secretaries are key to setting policy--they \nrepresent the Department in this matter.\n    But we also need to look at this problem through the eyes of the \nremaining 200,000 plus people in the VA. Do leadership actions \nthroughout the management hierarchy match policy guidelines everywhere \nin VA?\n    Do the rules say ``no\'\' but the culture beckons, ``Aw, go ahead--\nmake an extra copy of the data and your life will be easier.\'\' ``Take a \nshort-cut, no one will follow up.\'\' If we change the culture at VA we \ncan begin to fix the problem.\n    But people have different cultural perspectives; those of the VA \nleaders on panel one may differ from those of the researchers in the \nfield. Leadership\'s policy guidance may now be spot on, but the \nquestion is how that policy is received at the user-end. For that \nreason, this Subcommittee requires testimony across the spectrum of \npeople who in any way handle sensitive information about our veterans. \nLet us approach this with open minds, consider other perspectives, and \nbe able to put this problem to rest for a long time.\n    Before I recognize the Ranking Republican Member for her remarks, I \nwould ask our Members\' consent for a guest and permit Congressman Artur \nDavis from Alabama to sit at the dais and be allowed to ask questions \nafter all Subcommittee Members have had that opportunity. Without \nobjection?\n    I now recognize Ms. Brown-Waite for opening remarks.\n\n                                 <F-dash>\n   Prepared Statement of Hon. Ginny Brown-Waite, Ranking Republican \n          Member, Subcommittee on Oversight and Investigations\n    Thank you, Mr. 
Chairman.\n    Our hearing today, as the Chairman indicated, is to learn more \nabout the Information Security Management at the Department of Veterans \nAffairs, in particular, the current effectiveness of information \nsecurity at the Department, and the need for cultural change.\n    Since the data breach of May 2006, the second largest in the nation \nand the largest in the Federal Government, we have seen the VA\'s \ncentralization of the VA\'s information management, including \ninformation security. I appreciate the Secretary\'s desire to make the \nVA the ``Gold Standard\'\' for information technology and information \nsecurity management in the Federal Government. From what we have seen, \nadherence to the Federal Information Security Management Act (FISMA) \nhas not been adequately addressed governmentwide, as Congress intended \nwhen writing the law. This is why our Committee worked so hard last \nCongress to pass measures such as H.R. 5835, and the final version of \nS. 3421, which became Public Law 109-461. We have tried to give the \nDepartment, and in particular, the Secretary, the tools he needs to \nmandate change within the entire Department to make certain that such \nsecurity breaches are few, if any.\n    I have served on this Committee for 4 years, and have recently been \nselected as the Ranking Republican Member of this Subcommittee. Over \nthe years, I have seen the lack of resolve within the underlying \nculture at the Department, particularly at the facility level, to \nchange the way senior management views IT security. It is sometimes \ndifficult to embrace change, and this is what we need to address in \nthis hearing. 
In order to protect our veterans, and provide them with \nthe services they need, we need to remove that cultural predilection \nagainst change.\n    I appreciate the witnesses who have come to this hearing, \nparticularly those who have traveled a distance to be here, and I look \nforward to hearing your testimony.\n    Thank you, Mr. Chairman, and I yield back my time.\n\n                                 <F-dash>\n            Prepared Statement of Hon. Gordon H. Mansfield,\n         Deputy Secretary, U.S. Department of Veterans Affairs\n    Thank you, Mr. Chairman. I am here before this Committee on behalf \nof the Secretary and the Department to discuss with you the changes \nunderway in the Department of Veterans Affairs Information Protection \nprogram. The Department has committed itself to becoming the ``gold \nstandard\'\' in Information Protection within the Federal Government. We \nhave made significant progress in a very short period of time to reach \nthis goal. Nonetheless, we realize that there is much more to do, and \nwe have positioned our Information Protection program to undertake the \nchallenges before us . . . and to succeed.\n    Early on, the Secretary recognized the need to reorganize our IT \nassets to give the Department\'s Chief Information Officer, and \nAssistant Secretary for Information and Technology, full control over \nour IT budget, people, and programs.\n    This Committee was heavily invested in that decision. It held \nnumerous hearings to assist the Department in addressing the many \nissues involved in centralizing our IT function.\n    We created the Office of Information Technology and transferred \nover 4,500 employees to this new organization. These VA employees are \nunder the supervision and direction of VA\'s CIO, Bob Howard. 
We are \ncurrently completing the final phase of our reorganization by bringing \nthe full complement of IT programs, dollars, and people under Assistant \nSecretary Howard\'s control.\n    This reorganization is a Departmental priority. All leadership \nelements--from Central Office to field locations from Maine to Manila--\nhave been briefed and instructed. Command emphasis is firmly on \ninformation security. And it is squarely focused on revamping our IT \ninfrastructure--from practices and procedures . . . to our Department\'s \ndata security culture.\n    We are also committed to creating a dedicated IT career field that \nwill help us to develop, recruit, and retain the bedrock of \nprofessional IT careerists we need today if we are to meet the \nchallenges of tomorrow. I personally have spoken to departmental \nleaders on this critical issue.\n    To improve the delivery of IT services as we transition to a \ncentralized IT program, we brought in outside consultants, including \nIBM, to assist in professionalizing our systems. IBM recommended that \nwe change the way we manage and direct IT. We have done that. We have \nreduced the scope of work and narrowed the span of control of our IT \nsenior leaders. By telescoping their management focus, we expect more \nefficient execution of their responsibilities and, in turn, better \nresults and outcomes.\n    Significant issues remain in the area of Information Protection. We \nare addressing them head-on. We have begun to revamp our entire \nprogram, consistent with IBM recommendations. Over the past six months, \nI have spoken with many VA employees, at all levels, to underscore the \nDepartment\'s unqualified position on the IT reorganization. I have \nstressed the importance of moving out smartly to take charge of the \ndifficult issues at hand. And I believe the vast majority of VA \nemployees are now more aware . . . more sensitive about data management \nand security in both the administration . . . 
and in the delivery of \nservices to veterans and their families.\n    Previously, the head of our Office of Cyber and Information \nSecurity was assigned such a wide span of control that it was difficult \nto excel in all areas of responsibility. As a result, support of our \nAdministrations and staff offices suffered.\n    We have since created a more comprehensive approach by establishing \nan Office of Information Protection and Risk Management. Its management \noversees several key areas. Cyber Security focuses on FISMA reporting \nand policy development. Risk Management and Incident Response addresses \nrisk assessment, incident resolution and credit monitoring. Records \nManagement and Privacy focuses on policy development and oversight of \nprivacy and records. Data protection analysis and lessons learned are \nalso an integral part of this new management focus.\n    Our field-based Information Security Officers have been \noperationally realigned to report to the Office of Field Operations and \nSecurity.\n    And finally, we consolidated several IT compliance programs within \nthe Office of Oversight and Compliance, which reports directly to the \nAssistant Secretary for Information and Technology. This office will \nconduct rigorous assessments nationwide. Both announced and \nunannounced, these reviews rigorously evaluate facility compliance with \nlegislative directives as well as policies, procedures, and practices \nrelating to information protection, data management and control, data, \nrecords management, privacy, and IT security programs.\n    This office will be the first responder to facilities where serious \nIT security incidents occur and that require the immediate review of \nrecords management, privacy, and cyber security business practices. 
I \nam confident that this office will provide the further assurance \nnecessary to bolster our records management, privacy, and data security \nmeasures.\n    On June 28, 2006, the Secretary delegated to the Assistant \nSecretary for Information and Technology the responsibility for \nDepartmental Information Security. Since the May 2006 data security \nbreach, VA has issued eight IT directives on specific IT security \nsafeguard requirements. We have developed a comprehensive strategy for \nincident resolution that includes procedures for notifying veterans of \nincidents where personal information has been compromised. We have \ndrafted a regulation to implement the Veterans Benefits, Health Care, \nand Information Technology Act of 2006. And our Oversight and \nCompliance Office, established this month, has already completed \nseveral facility assessments.\n    We have launched a number of technology initiatives, both completed \nand underway, to protect sensitive information. We have encrypted over \n15,000 VA laptops. We are minimizing the use of thumb drives and mobile \ndevices. Where authorized, we are requiring them to be encrypted. Very \nimportantly, we are in the process of testing technology that will \ncheck for proper encryption, codewords, and security credentials \nnecessary to be permitted entry into VA\'s information network.\n    The gravity of information security is undeniable. Data security \nincidents such as we have seen tarnish VA\'s reputation and the peace of \nmind of those we serve.\n    We are aggressively instituting a VA-wide change in culture and \nmindset across the length and breadth of our facilities, urban and \nremote.\n    VA has already committed time and resources to educate our \nworkforce about the importance of data security.\n    Through formal training, printed communications, and other media, \nthe focus is on good stewardship of data privacy. 
Our employees are now \nmore aware of data management and security in the administration . . \n. and in the delivery of services to veterans and their families.\n    Our culture is changing. Change always takes great effort. It is \ndisorienting and it is disruptive. But formerly acceptable business \npractices, as we have come to realize, are simply no longer acceptable. \nWe are communicating this cultural reorientation across our Department, \nat all locations and at all levels. No one person, office, or \nAdministration is exempt.\n    On February 21st, the Secretary convened an offsite meeting \nattended by all VA\'s senior leadership. He reviewed the recently issued \ninformation security directives and procedures as well as the \ninformation protection incidents and vulnerabilities. The Secretary \nreiterated, in no uncertain terms, his order that all supervisors fully \nexecute their responsibilities in the area of information protection. \nIn late March there will be a data security `Update\' seminar for our \nsenior leaders. In April, VA\'s annual Information Security Conference \nwill address the theme of ``Strengthening [IT] Capabilities to Achieve \nthe Gold Standard.\'\' And in June, we will conduct Awareness Week and \nthe systemic Security and Privacy Training ongoing across the \nDepartment.\n    We are working hard to achieve our goal--full protection of VA\'s \nsensitive data and information. We have made substantial progress in a \nrelatively short timeframe . . . and we expect nothing less than \ncontinuous improvement. We have implemented corrective policies and \nprocedures. Deployed the necessary technologies. Trained our workforce. \nAnd we will not relent in our efforts to ensure that every veteran\'s \npersonal data is safe and secure.\n    While we have made great progress, we have clearly not fully \nachieved our objective. In our defense, I want to say that when data \nwas lost, we did not stand still. 
We notified affected veterans by \nletter. We began investigations to determine root causes. We took \npreventive measures to improve security. And we communicated these \nincidents to the Congress. I don\'t believe there is any other Federal \nDepartment as forthcoming and public about this issue.\n    I can assure you we will continue to work to improve our processes. We \nknow all too well that lapses in information security . . . such as the \none that occurred last year, and recently in Birmingham, weaken the \nconfidence of our veterans, their families, and the American public in \nour ability to perform the mission that has been entrusted to us.\n    Mr. Chairman, that concludes my testimony. I will answer any \nquestions that the Committee may have.\n\n                                 <F-dash>\n              Prepared Statement of Hon. Robert T. Howard,\n          Assistant Secretary for Information and Technology,\n                  U.S. Department of Veterans Affairs\n    Thank you, Mr. Chairman. I would like to expand on Deputy Secretary \nMansfield\'s comments regarding the changes underway in the area of \nInformation Technology. There are two specific areas I will focus on. \nFirst is the extensive reorganization taking place and second is the \noverarching program we have established to provide focus to all our \nremediation efforts.\n    The IT Realignment Program to transition the VA\'s IT Management \nSystem remains on track and is scheduled to be fully implemented by \nJuly 2008.\n    By April 1, 2007, software development employees and programs will \nbe permanently reassigned to the CIO. This action follows the \nconsolidation of operations and maintenance under the CIO, which was \nfinalized beginning this FY. 
We are implementing a process based \norganizational structure, rooted in best practice processes that are \naimed at correcting IT deficiencies that resulted in a loss of \nstandardization, compatibility, interoperability and fiscal discipline. \nThere are a total of four processes that are being introduced with the \nassistance of IBM, from a ``best practices\'\' standpoint. We have also \ndeveloped a different organizational framework to provide focus in key \nareas. The Office of Information and Technology is now comprised of \nfive major organizational elements, built around these core process \nareas. These will report to the CIO.\n    Each of the five major organizational elements is led by a Deputy \nCIO. One Deputy CIO is charged with directing the information \nprotection and privacy protection programs in VA. This official is also \nresponsible for risk assessment, risk mitigation, evaluation and \nassessment as it relates to information protection. The DCIO for \nInformation Protection and Risk Management has already drafted \nregulations as required by the Veterans Benefits, Healthcare and \nInformation Technology Act of 2006. The regulations will address at \nminimum, notification, data mining, fraud alerts, data breach analysis, \ncredit monitoring, identity theft insurance and credit protection \nservices.\n    To reach the ``Gold Standard,\'\' as directed by the Secretary, we \nhave implemented a new program to assess our information protection \ncontrols, develop plans to strengthen the controls where necessary, \nenforce the controls, and continuously monitor the information \nprotection program. The action plan we have developed includes \nDevelopment and Issuance of Policies and Procedures, Training and \nEducation, Securing of Devices, Encryption of Data, Enhanced Data \nSecurity for VA\'s Sensitive Information, Enhanced Protection for Shared \nData in Interconnected Systems, and Incident Management and Monitoring. 
\nA number of the specific requirements of the new law have already been \nintroduced into our comprehensive plan. Regarding this plan I \npersonally review progress on a weekly basis.\n    In closing, I believe we have made progress in improving IT \noperations in VA and we are working hard in partnership with the \nadministrations and staff offices to improve our business practices to \nensure the protection of veterans\' sensitive information. Mr. Chairman, \nthat concludes my testimony. I would be pleased to answer any questions \nthat the Committee may have.\n\n                                 <F-dash>\n           Prepared Statement of James P. Bagian, M.D., P.E.,\n  Chief Patient Safety Officer, Director, National Center for Patient \n  Safety, Veterans Health Administration, U.S. Department of Veterans \n                                Affairs\n    Mr. Chairman and Members of the Committee, I am pleased to be here \ntoday to discuss the issues of IT security, patient safety, culture and \ntheir relationships.\n    At the National Center for Patient Safety our mission is to prevent \nour patients being unintentionally harmed while under our care. This \nmission is quite large in scope and while most of our activities are \nconcerned with direct clinical care they also address things that are a \nbit more removed such as safety during transport in vans, automatic \ndoors and their potential to cause injury, and parking lot barrier \ndesign to name but a few. Similarly, the information system (IT) is \nalso of great interest to us as our electronic health record (CPRS) is \nthe tool that in large part is responsible for our ability to deliver \nthe safe and high-quality care for which the VA has received many kudos \nand is a model for the country and world. 
While IT security is not \nintimately related to the direct clinical/physical safety of the \npatient we still view it as a relevant endeavor under the overall \numbrella of preventing unintended harm to our patients, because issues \nsuch as identity theft can result in harm to our patients. In addition \nto direct harm, such as that which might be caused by someone \nsuccessfully pretending to be a veteran getting care at VA facilities, \na larger and more wide-ranging harm can come from the energies expended \nresponding to IT security issues. This redirection of resources can \ndetract from our ability to render the medical care that is our basic \nmission.\n    The efforts of the National Center for Patient Safety have been \nbased on creating an environment where problems can be identified in a \ntimely manner, prioritized as to the appropriate action required, and \nanalyzed to elicit the real underlying root causes and contributing \nfactors. These steps result in the formulation of well-founded actions \nto mitigate risks. We often express this as three simple questions to \nbe determined: What happened? Why did it happen? and What should be \ndone to prevent it from happening in the future? We also have \nchampioned and implemented a system that promotes the extensive \nconsideration of close calls, which are events where no significant \nharm befalls the patient. Studying close calls provides an opportunity \nto learn that is different from the traditional approach where learning \nbegins only after a patient has suffered harm. The culture of the \nVeterans Health Administration has changed from one that was reactive \nto one that acts proactively to prevent undesirable outcomes. This did \nnot happen overnight or by fiat. 
It happened through identifying
problems that those at all levels of the organization perceived as real
and worth tackling, and then removing the barriers that stood in the
way of adopting more effective and risk-based strategies and techniques
to prevent harm to patients. Through the implementation of a program
that embraced these concepts and actively and aggressively solicited
collaboration from all levels of the organization, as well as from
stakeholders external to the organization such as Congressional
committees, Veterans Service Organizations, and our unions, we have
been able to make significant progress.
    There is general agreement that the VA IT security efforts to date
have not achieved the level of success as quickly as desired. There is
little doubt that the VA has committed much effort to enhance the
security of its IT systems and that the Secretary and senior management
are dedicated and serious in their efforts to improve things. The real
question at hand is why problems are still occurring. There are a
myriad of factors, but I would like to point out several factors that
may be worthy of consideration based on my experience and perspective.
    Let me first state that there are no magic bullets here but there
are some practices that have been applied in the area of patient safety
as well as other areas that merit consideration. The use of root cause
analysis (RCA) as developed by the VA National Center for Patient
Safety (NCPS) has been a valuable tool that has identified the root
causes and contributing factors behind many problems. These techniques
include methodologies that go beyond the typical but ineffective
initial questions such as ``whose fault is this'' to the three more
meaningful and productive questions that I mentioned earlier: (1) What
happened? (2) Why did it happen? and (3) What do we do to prevent it in
the future? In fact, several years ago NCPS suggested to Secretary
Principi that we be allowed to lead a multidisciplinary RCA team in
response to the Blaster Worm problem that the IT world experienced.
Secretary Principi agreed and chartered this team, and the result was
extremely successful. In fact, on the 21st of February 2007 in a
meeting between Mr. Howard and some of his top managers, including Mr.
Shyshka, who worked with us on the Blaster Worm response, Mr. Shyshka
brought up the fact that the group should currently consider employing
the use of the RCA process on a widespread basis. The rationale he gave
for this suggestion was the sustained success in preventing the
reoccurrence of problems like that previously caused by the Blaster
Worm. We agree with this suggestion and believe that the adoption of
the RCA process might result in actions that are more effective than
what we have experienced to date with regard to IT security. One
important aspect of the RCA process is that it focuses on preventing
future problems through understanding and mitigating the true
underlying systems-based causative factors.
    Some have indicated that what is needed is a culture change. While
this may be true, culture changes do not happen by fiat or written
directives. They happen through the creation of a shared vision of a
goal that is deemed worthy, identification of the barriers to success
through discussion at all levels of the organization and removal of
these barriers, creation of tools and provision of the appropriate
resources to accomplish the goals, and constant and unfettered
communication both up and down the chain of command that encourages the
candid identification of problems and appropriate responses to those
problems. At the meeting with Mr. Howard mentioned above, the issue of
communication and collaboration before the implementation of directives
was discussed in an effort by all parties to maximize the chances of
success. If this leads to a more proactive, collaborative, systems-
based process that balances the security risks versus the clinical
risks I think that meaningful progress can be made.
    A suggestion would be to do a cultural/attitudinal survey of top
and middle management that includes some frontline staff. A reason to
survey senior leaders is that it is difficult to proceed, in this case
toward improving culture and attitudes about IT security, if you don't
know where you are starting from and why you are there.
    In order to enhance the likelihood of success I believe that this
Committee together with senior VA leadership needs to clearly
communicate the types of approaches to be adopted. VA management and
staff need to understand the various ramifications of the actions to be
implemented, including schedules to be met and the expectations as to
tradeoffs to be made to reduce risk. This kind of understanding was
pivotal to the planning and implementation of the Patient Safety
Program at the VA and without it the Patient Safety Program would have
failed. There should be public acknowledgement that some IT security
risk will always exist and that perfection is not possible. If such
changes do not occur I am concerned that the security issues will not
be resolved, and that clinical care will also suffer. This would result
in our veterans losing in two ways.

                                 <F-dash>
                  Prepared Statement of Maureen Regan,
                  Counselor to the Inspector General,
  Office of the Inspector General, U.S. Department of Veterans Affairs
INTRODUCTION
    Mr. Chairman and Members of the Subcommittee, I am pleased to be
here today to address the Office of Inspector General's (OIG's)
oversight efforts of the Department of Veterans Affairs (VA)
Information Security Program, its effectiveness, and the need for
cultural change in VA to further improve and strengthen information
security. Today, I will present our observations and identify the
information security challenges VA must continue to address in order to
ensure information security in VA. With me today is the Deputy
Assistant Inspector General for Auditing, who will help answer
questions about our audit work related to information security.
    To improve the Department's information security posture, VA's
senior management needs to effectively secure the Department's
information assets. This includes the entire set of information
technology (IT) systems and technological infrastructure, as well as
all sensitive information and data under VA's control. It is critical
that effective controls and monitoring mechanisms be in place to ensure
compliance with applicable Federal standards and all VA policy
requirements. Protecting VA information and data is, and must remain, a
primary focus of the Department. Our observations indicate that VA
needs a culture change throughout the Department to gain reasonable
assurance of VA-wide compliance with Federal and Department information
security regulations, policies, procedures, and guidance.
OIG HAS REPORTED CONTINUING WEAKNESSES IN INFORMATION SECURITY
    Our audits and evaluations on information security and IT systems
have shown the need for continued improvements in addressing security
weaknesses and support the need to change VA's culture. We reported VA
information security controls as a material weakness in our annual
Consolidated Financial Statements (CFS) audits since the fiscal year
(FY) 1997 audit.
Our annual Federal Information Security Management Act
(FISMA) audits have identified continuing information security
vulnerabilities every year since FY 2001. We have also reported IT
security as a major management challenge for the Department from FY
2000 to the present. As a result of these vulnerabilities, we
recommended that VA pursue a more centralized approach, apply
appropriate resources, and establish a clear chain of command and
accountability structure to implement and enforce internal controls.
    During the period 2000-2005, we reported that persistent repeat
findings and weaknesses existed for physical, personnel, and electronic
security and concluded that VA had not taken sufficient actions to
correct the information weaknesses in our previous FISMA reports. Also,
our work has continued to identify that corrective actions are not
implemented at all VA facilities.
    We observed that management of data centers and several program
offices have taken actions to remediate elements of information
security control weaknesses reported in our prior reports. However,
VA's program and financial data continue to be at risk due to
significant weaknesses related to the lack of effective implementation
and enforcement of agencywide security controls. These weaknesses place
sensitive information, including financial data and veterans' medical
and benefit information, at risk of unauthorized access, improper
disclosure, alteration, theft, or destruction, possibly occurring
without detection.
    Prior to the May 2006 data loss, VA's information security program
showed significant security vulnerabilities. VA's CIO reported he did
not have sole authority to implement all aspects of the VA-wide IT
security program within VA's Administrations. IT infrastructure was
decentralized because VA believed that decentralized operations
provided better management of VA facilities. Finally, VA lacked
adequate agencywide security control policies and procedures to provide
effective guidance and organization standards.
    VA has not fully implemented any of the recommendations on
information security from our previous FISMA reports. In our ongoing
2006 FISMA audit, we determined that all 17 recommendations cited in
prior FISMA reports remained unimplemented. In addition, we anticipate
identifying several new high-risk areas associated with certification
and accreditation of VA systems, remote access, and access to sensitive
information by non-VA employees. Until all matters are fully addressed
by the Department, VA systems and VA data remain at risk.
    In some areas, however, the Department has made progress. Since the
May 2006 data breach, VA has initiated positive steps focused on
policies, awareness, and training. For example, all VA employees were
mandated to complete information security awareness training. In
addition, in 2006, VA took initial steps toward implementing a more
centralized Departmentwide IT security program under the direction of
the Department's CIO. However, establishing and implementing an
effective centralized Departmentwide IT security program will require
more time and effort.
VA DOES NOT ADEQUATELY PROTECT SENSITIVE INFORMATION FROM DISCLOSURE
    The May 2006 theft of an employee's personal hard drive containing
personal information on at least 26.8 million veterans, active
military, and dependents, has been characterized as the largest data
breach ever in the government. The employee, who was authorized access
to the data, copied large amounts of protected information onto
portable devices and took it home without authorization. The data was
not encrypted or password-protected.
    The incident was a wake-up call for VA because it identified the
lack of effective policy and internal controls to protect sensitive
information from theft, loss, or misuse by VA and contract employees.
Our review found a patchwork of policies that were difficult to locate
and fragmented. None of the policies prohibited the removal of
protected information from the worksite or storing protected
information on a personally owned computer, and did not provide
safeguards for electronic data stored on portable media, such as laptop
computers.
    The potential loss of protected information not stored on a VA
automated system highlighted a gap between VA policies implementing
information laws and those implementing information security laws. We
found that policies implementing information laws focused on
identifying what information is to be protected and the conditions for
disclosure; whereas, policies implementing information security laws
focused on protecting VA automated systems from unauthorized intrusions
and viruses. As a result, VA did not have policies in place at the time
of the incident to safeguard protected information not stored on a VA
automated system.
    We found that policies implemented by the Secretary since the
incident were a positive step in the right direction; however, we
determined that more needed to be done to ensure protected information
is adequately safeguarded. We determined that VA needed to enhance its
policies for identifying and reporting incidents involving information
violations and information security violations to ensure that incidents
are promptly and thoroughly investigated; the magnitude of the
potential loss is properly evaluated; and that VA management,
appropriate law enforcement entities, and individuals and entities
potentially affected by the incident are notified in a timely manner.
    To address these deficiencies, we recommended that the Secretary
take the following actions in our report, Review of Issues Related to
the Loss of VA Information Involving the Identity of Millions of
Veterans (Report Number 06-02238-63, July 11, 2006).

    <bullet>  Establish one clear, concise VA policy on safeguarding
protected information when stored or not stored in VA automated
systems, ensure that the policy is readily accessible to employees, and
that employees are held accountable for non-compliance.
    <bullet>  Modify the mandatory Cyber Security and Privacy Awareness
training to identify and provide a link to all applicable laws and VA
policy.
    <bullet>  Ensure that all position descriptions are evaluated and
have proper sensitivity level designations, that there is consistency
nationwide for positions that are similar in nature or have similar
access to VA protected information and automated systems, and that all
required background checks are completed in a timely manner.
    <bullet>  Establish VA-wide policy for contracts for services that
requires access to protected information and/or VA automated systems,
that ensures contractor personnel are held to the same standards as VA
employees, and that information accessed, stored, or processed on non-
VA automated systems is safeguarded.
    <bullet>  Establish VA policy and procedures that provide clear,
consistent criteria for reporting, investigating, and tracking
incidents of loss, theft, or potential disclosure of protected
information or unauthorized access to automated systems, including
specific timeframes and responsibilities for reporting within the VA
chain-of-command and, where appropriate, to OIG and other law
enforcement entities, as well as appropriate notification to
individuals whose protected information may be compromised.

    The Secretary concurred with the findings and recommendations in
our report and agreed to implement the recommendations. On February 9,
2007, the Assistant Secretary for Information and Technology and his
staff provided us with a briefing on the status of the recommendations
in the report. Although an implementation process was discussed using
an electronic database with a matrix that showed what issues needed to
be addressed, we were not provided an implementation plan or any
supporting documentation, such as draft policies, to show progress made
in implementing the recommendations. To date, all 5 recommendations
remain open, although VA has developed a new Privacy Awareness training
module. It was circulated to all VA Privacy Officers, including the
OIG's Privacy Officer, for review and comment. We reviewed the module
and confirmed that it provides a link to applicable laws and VA policy.
When implemented, the module will meet the intent of one of our
recommendations.
    Shortly after the May 2006 incident, VA issued policies to address
information security. On June 7, 2006, the Secretary issued VA
Directive 6504, Restrictions on Transmission, Transportation and Use
of, and Access to, VA Data Outside VA Facilities, and it is available
to all employees on VA's directives Web site. VA Directive 6504
contains policy for 23 different items.
As stated in our report, we
found that the Directive was difficult to understand; too technical for
the average employee to understand; used terms, such as ``appropriate''
that were too vague to ensure compliance; and made reference to other
applicable policies, guidelines, and laws without identifying them.
    Notwithstanding these concerns, we considered VA Directive 6504 to
be a step in the right direction. The Directive prohibits the use of
non-VA owned equipment to access the VA Intranet remotely or to process
VA protected information except as provided in the Directive. In
addition to requiring the use of encryption software on computers used
outside VA facilities, a key provision in the Directive is that only
VA-owned equipment, including laptops and handheld computers, may be
used when accessing VA systems remotely. However, these requirements
have not been implemented throughout VA. On October 5, 2006, VA issued
a Memorandum, IT Directive 06-5, approving a temporary waiver for all
three VA Administrations. Although the VA personnel were required to
use approved encryption software when using non-VA hardware, VA does
not provide the software. In addition, neither VA Directive 6504 nor IT
Directive 06-5 contain provisions stating how VA will ensure
compliance.
    There is a greater awareness in VA regarding the issue. However, VA
still lacks effective internal controls and accountability which leaves
sensitive information at risk.
VA CONTINUES TO REPORT ONGOING DATA INCIDENTS
    VA's Security Operations Center (SOC) is responsible for managing,
protecting, and monitoring the cyber security posture of the agency. In
July 2006, VA began sending us information on incidents from the SOC,
providing information on a variety of incidents such as unauthorized
access; missing, stolen, or lost laptop computers; improper disposal;
and numerous incidents involving unencrypted e-mail messages containing
sensitive information.
    To date, these reports have covered about 3,600 incidents and the
SOC has referred over 250 incidents to us, which resulted in us opening
46 cases to investigate. SOC reports do not always include indications
of the magnitude of the data breach, that is, the number of individuals
with personally identifiable information related to the incident. We
have no way to determine the number and magnitude of incidents that
occurred and were not reported to the SOC, nor can we verify the
accuracy of the reported number of individuals affected by data
incidents listed in SOC reports.
    Since the May 2006 incident, the OIG has remained committed to
investigating significant data loss cases that show that VA or contract
employees are not taking the steps necessary to protect sensitive
information. For example, the incident involving the theft of a
computer owned and maintained by Unisys, containing sensitive VA
information, shows that information provided to contractors is also at
risk. In our ongoing investigation of the data loss at Birmingham,
Alabama, we continue to find that VA sensitive information was not
protected.
CONTINUING CHALLENGES
    Information security weaknesses persist at VA despite the findings
and recommendations made in our reports. Most VA data remains
unencrypted, including data transmitted by electronic mail over the
Internet. Although the Department has begun action, it still does not
know how many VA employees and contractors use non-VA computers to
remotely access VA systems. In addition, VA has not determined how many
external hard drives or other portable devices are in use throughout
VA. Finally, VA does not know what VA data is stored on these
computers, external hard drives, or other portable devices. VA also has
no means to monitor whether access to data by employees and contractors
is limited to the information needed to conduct business.
    Policies and procedures issued to safeguard protected information
will not be effective unless there is compliance by all employees and
contract personnel who have access to the information. Local management
needs to conduct adequate oversight to ensure compliance and hold
employees and contractors accountable for noncompliance. VA must ensure
that managers and supervisors are held accountable for implementing the
policies and procedures. In addition, VA must invest in the resources
needed to provide employees with the hardware and software needed to
conduct business and, at the same time, protect sensitive information.
    Implementing the controls needed to ensure that sensitive
information is protected will require that VA employees change the
manner in which they currently conduct business. VA must find a way to
implement these controls without impacting VA's ability to meet its
mission.
    In closing, I would like the Subcommittee to know that oversight
and reviews of the effectiveness of VA's information security will
remain a priority for the OIG until these issues are addressed. We
remain committed to assessing the adequacy of information security
controls and we will remain dedicated to protecting our Nation's
veterans along with their personal and sensitive information. Mr.
Chairman and Members of the Subcommittee, thank you again for this
opportunity to update you on the status of our ongoing work. We are
happy to answer any questions.

                                 <F-dash>
         Prepared Statement of Gregory C. Wilshusen, Director,
   Information Security Issues, U.S. Government Accountability Office
    Mr. Chairman and Members of the Subcommittee:
    Thank you for inviting me to participate in today's hearing on
information security management at the Department of Veterans Affairs
(VA). For many years, GAO has identified information security as a
governmentwide high-risk issue \1\ and emphasized its criticality for
protecting the government's information assets. GAO has issued over 15
reports and testimonies and made over 150 recommendations from 1998 to
2005 related to VA's information security program.
---------------------------------------------------------------------------
    \1\ GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.:
January 2007); Information Security: Weaknesses Persist at Federal
Agencies Despite Progress Made in Implementing Related Statutory
Requirements, GAO-05-552 (Washington, D.C.: July 15, 2005).
---------------------------------------------------------------------------
    Today I will address VA's information security management,
including weaknesses that GAO and others have reported, as well as
actions that the Department has taken to resolve these deficiencies. I
will also discuss ongoing audit work that GAO is conducting at VA.
    To describe VA's information security management, we reviewed our
previous work in this area, as well as reports by the Department and
its Office of Inspector General (IG). To provide additional context, we
have included, as an attachment, a list of key GAO publications related
to VA security issues.
All GAO work conducted for this testimony is in
accordance with generally accepted government auditing standards.
Results in Brief
    Significant concerns have been raised over the years about VA's
information security--particularly its lack of a robust information
security program, which is vital to avoiding the compromise of
government information. We have previously reported on wide-ranging
deficiencies in VA's information security controls.\2\ For example, VA
had not consistently implemented appropriate controls for (1) limiting,
preventing, and detecting electronic access to sensitive computerized
information; (2) restricting physical access to computer and network
equipment to authorized individuals; (3) segregating incompatible
duties among separate groups or individuals; (4) ensuring changes to
computer software were authorized and timely; and (5) providing
continuity of computerized systems and operations. The Department's IG
has recently identified similar weaknesses. These longstanding
deficiencies existed, in part, because VA had not implemented key
components of a comprehensive, integrated information security program.
Although the Department has taken steps to implement components of its
security program, its efforts have not been sufficient to effectively
protect its information and information systems. As a result, sensitive
information remains vulnerable to inadvertent or deliberate misuse,
loss, or improper disclosure.
---------------------------------------------------------------------------
    \2\ See attachment 1.
---------------------------------------------------------------------------
    We have several ongoing engagements to perform work at VA to review
the Department's efforts in improving its information security and
information technology management. Our ongoing work is examining data
breach notification, actions to strengthen information security
controls, controls over information technology equipment, and
implementation of an information technology realignment initiative.
Background
    Information security is a critical consideration for any
organization that depends on information systems and networks to carry
out its mission or business. The security of these systems and data is
essential to prevent data tampering, disruptions in critical
operations, fraud, and the inappropriate disclosure of sensitive
information. Recognizing the importance of securing Federal systems and
data, Congress passed the Federal Information Security Management Act
(FISMA) in 2002, which set forth a comprehensive framework for ensuring
the effectiveness of information security controls over information
resources that support Federal operations and assets.\3\
---------------------------------------------------------------------------
    \3\ FISMA, Title III, E-Government Act of 2002, Pub. L. 107-347
(Dec. 17, 2002).
---------------------------------------------------------------------------
    Under FISMA, agencies are required to provide sufficient safeguards
to cost-effectively protect their information and information systems
from unauthorized access, use, disclosure, disruption, modification, or
destruction, including controls necessary to preserve authorized
restrictions on access and disclosure. The Act requires each agency to
develop, document, and implement an agencywide information security
program that is to include assessing risk; developing and implementing
policies, procedures, and security plans; providing security awareness
and training; testing and evaluating the effectiveness of controls;
planning, implementing, evaluating, and documenting remedial action to
address information security deficiencies; detecting, reporting, and
responding to security incidents; and ensuring continuity of
operations.
    In providing health care and other benefits to veterans and their
dependents, VA relies on a vast array of computer systems and
telecommunications networks to support its operations and store
sensitive information, including personal information on veterans.
Effectively securing these computer systems and networks is critical to
the Department's ability to safeguard its assets and sensitive
information.
VA's Information Security Weaknesses Are Long Standing
    VA has faced longstanding challenges in achieving effective
information security across the Department. Our previous reports and
testimonies \4\ have identified wide-ranging, often recurring
deficiencies in the Department's information security controls. For
example, VA had not consistently implemented appropriate controls for
(1) limiting, preventing, and detecting electronic access to sensitive
computerized information; (2) restricting physical access to computer
and network equipment to authorized individuals; (3) segregating
incompatible duties among separate groups or individuals; (4) ensuring
changes to computer software were authorized and timely; and (5)
providing continuity of computerized systems and operations. Figure 1
details the information security control weaknesses we identified at VA
from 1998 through 2005.
---------------------------------------------------------------------------
    \4\ Attachment 1 includes a list of our products related to
information technology vulnerabilities at VA.
---------------------------------------------------------------------------
Figure 1: Chronology of Information Security Weaknesses Identified by GAO
[GRAPHIC] [TIFF OMITTED] 34307A.001

    Notes: Hines is a suburb of Chicago.
    Full citations are provided in attachment 1.

    These weaknesses existed, in part, because VA had not implemented
key components of a comprehensive information security program.
Specifically, VA's information security efforts lacked:

    <bullet>  Clearly delineated security roles and responsibilities;
    <bullet>  Regular, periodic assessments of risk;
    <bullet>  Security policies and procedures that addressed all
aspects of VA's interconnected environment;
    <bullet>  An ongoing security monitoring program to identify and
investigate unauthorized, unusual, or suspicious access activity; and
    <bullet>  A process to measure, test, and report on the continued
effectiveness of computer system, network, and process controls.

    We made a number of recommendations in 2002 that were aimed at
improving VA's security management.\5\ Among the primary elements of
these recommendations were that VA centralize its security management
functions and perform other actions to establish an information
security program, including actions related to risk assessments,
security policies and procedures, security awareness, and monitoring
and evaluating computer controls.\6\
---------------------------------------------------------------------------
    \5\ GAO, Veterans Affairs: Sustained Management Attention Is Key to
Achieving Information Technology Results, GAO-02-703 (Washington, D.C.:
June 12, 2002).
    \6\ We based our recommendations on guidance and practices provided
in GAO, Federal Information System Controls Audit Manual, GAO/AIMD-
12.19.6 (Washington, D.C.: January 1999); Information Security
Management: Learning from Leading Organizations, GAO/AIMD-98-68
(Washington, D.C.: May 1998); Information Security Risk Assessment:
Practices of Leading Organizations, GAO/AIMD-00-33 (Washington, D.C.:
November 1999); and Chief Information Officer Council, Federal
Information Technology Security Assessment Framework (Washington, D.C.:
Nov. 28, 2000). The provisions of FISMA (passed in late 2002) and
associated guidance were generally consistent with this earlier
guidance.
---------------------------------------------------------------------------
    Since our report in 2002, VA's independent auditors and its IG have
continued to report serious weaknesses with the Department's
information security controls. In the auditors' report on internal
controls prepared at the completion of VA's 2006 financial statement
audit, information technology security controls were identified as a
material weakness because of serious weaknesses related to access
control, segregation of duties, change control, and service
continuity.\7\ These areas of weakness are virtually identical to those
that we had identified years earlier.
---------------------------------------------------------------------------
    \7\ The auditor's report is included in VA's FY 2006 Annual
Performance and Accountability Report.
---------------------------------------------------------------------------
    The Department's FY 2006 Annual Performance and Accountability
Report states that the IG continues to identify the same
vulnerabilities and make the same recommendations year after year. The
IG's September 2006 audit of VA's information security program noted
that 16 previously reported recommendations remained unimplemented; it
also identified a new weakness and made an additional recommendation.
The IG has reported information technology security as a major
management challenge for the Department each year for the past 6 years.
VA's Efforts to Address Information Security Weaknesses Have Been
        Limited
    Despite having taken steps to address the weaknesses described in
our earlier work, VA has not yet resolved these weaknesses on a
Departmentwide basis or implemented a comprehensive information
security program.\8\ For example:
---------------------------------------------------------------------------
    \8\ This result is also reflected in the Department's failing grade
in the annual report card on computer security that was issued by the
then House Committee on Government Reform: Computer Security Report
Card (Washington, D.C.: Mar. 16, 2006).
---------------------------------------------------------------------------

    <bullet>  Central security management function: In October 2006,
the Department moved to a centralized management model. The Department
has also contracted for project support in helping to frame a security
governance structure and provide tools to assist management with
controls over information technology assets. This work is scheduled to
be completed in March 2007.
    <bullet>  Periodic risk assessments: VA is implementing a
commercial tool to identify the level of risk associated with system
changes and also to conduct information security risk assessments. It
also created a methodology that establishes minimum requirements for
such risk assessments. However, it has not yet completed its risk
assessment policy and guidance.
While the policy and guidance were
originally scheduled to be completed by the end of 2006, the completion
date was extended to April 2007.
    <bullet>  Security policies and procedures: VA is in the process of
developing policies and directives to strengthen security controls as
part of its action plan. For example, VA planned to develop directives
by the end of 2006 on access controls and media protection, standards
for restricting use of portable and mobile devices, and policies
regarding physical access to VA computer rooms. However, the completion
date for development of these policies has been extended to April 2007.
    <bullet>  Security awareness: VA has taken steps to improve
security awareness training. It holds an annual Department information
security conference, and it has developed a Web portal for security
training, policy, and procedures, as well as a security awareness
course that VA employees are required to review annually. However, VA
has not demonstrated that it has a process to ensure compliance.
    <bullet>  Monitoring and evaluating computer controls: VA has taken
steps to improve the monitoring and evaluating of computer controls by
developing policies and procedures. For example, VA planned to develop
by the end of 2006 criteria for system security control testing at
least every 3 years and planned to identify key system security
controls for testing on a routine basis. However, the completion dates
for development of these policies have been extended to April 2007.

    To fulfill our recommendations in these areas, VA must not only
complete and document the policies, procedures, and plans that it is
currently developing, but also implement them effectively. With regard
to its IG's findings and recommendations, the Department has
established an action plan to address the material weakness in
information security (Data Security--Assessment and Strengthening of
Controls), which is to correct deficiencies and eliminate
vulnerabilities in this area. Despite these actions, the Department has
not implemented the key elements of a comprehensive security management
program, and its efforts have not been sufficient to effectively
protect its information systems and information, including personal
information, from unauthorized disclosure, misuse, or loss.
GAO Has Ongoing Reviews of Information Technology and Security Issues
        at VA
    We have several ongoing engagements to perform work at VA to review
the Department's efforts in improving its information security and
information technology management. These engagements address:

    <bullet>  Data breach notification: We are conducting a study to
determine the lessons that can be learned from the VA data breach with
respect to notifying government officials and affected individuals
about data breaches. For this evaluation, we are examining similar data
breach cases at other Federal agencies, as well as analyzing Federal
guidance on data breach notification procedures.
    <bullet>  Actions to strengthen information security controls: We
are conducting a review to evaluate VA's efforts to implement prior GAO
and IG information security-related recommendations and to assess
actions VA has taken since the data breach of May 3, 2006, to
strengthen information security and protect personal information. As
part of this engagement, we are examining VA's timeline of planned
efforts to strengthen controls.
    <bullet>  Controls over information technology equipment: We are
conducting a followup audit \9\ at selected VA locations to determine
the risk of theft, loss, or misappropriation of information technology
equipment. To perform our audit, we are assessing the effectiveness of
physical inventory controls and the property disposal process at four
VA locations.
---------------------------------------------------------------------------
    \9\ This is a followup audit to work reported in GAO, VA Medical
Centers: Internal Control Over Selected Operating Functions Needs
Improvement, GAO-04-755 (Washington, D.C.: July 21, 2004).
---------------------------------------------------------------------------
    <bullet>  VA's information technology realignment initiative: We
are conducting a review to determine whether VA's realignment plan for
its Office of Information and Technology includes critical factors for
successful implementation of a centralized management model. We are
also looking at how the realignment will ensure that under the
centralized management approach, the chief information officer is
accountable for the entire information technology budget (including
those funds that had been administered by the Veterans Health
Administration and Veterans Benefits Administration). In performing
this evaluation, we are analyzing governance and implementation plans,
as well as budgetary and other relevant documentation.

    In summary, longstanding information security control weaknesses at
VA have placed its information systems and information at increased
risk of misuse and unauthorized disclosure.
Although VA has taken steps \nto mitigate previously reported weaknesses, the Department has not yet \nresolved these weaknesses, implemented the recommendations of GAO and \nthe IG, or implemented a comprehensive information security program, \nwhich it needs in order to effectively manage risks on an ongoing \nbasis. Much work remains to be done. Only through strong leadership, \nsustained management commitment and effort, disciplined processes, and \nconsistent oversight can VA address its persistent, longstanding \ncontrol weaknesses.\n    Mr. Chairman, this concludes my statement. I would be happy to \nanswer any questions you or other Members of the Subcommittee may have.\nContact and Acknowledgments\n    If you have any questions concerning this statement, please contact \nGregory C. Wilshusen, Director, Information Security Issues, at (202) \n512-6244, wilshuseng@gao.gov. Other individuals who made key \ncontributions include Barbara Collier, Mary Hatcher, Valerie Hopkins, \nLeena Mathew, and Charles Vrabel.\n                  Attachment 1: Selected GAO Products\n    Information Security: Leadership Needed to Address Weaknesses and \nPrivacy at Veterans Affairs. GAO-06-897T. Washington, D.C.: June 20, \n2006.\n    Veterans Affairs: Leadership Needed to Address Security Weaknesses \nand Privacy Issues. GAO-06-866T. Washington, D.C.: June 14, 2006.\n    Privacy: Preventing and Responding to Improper Disclosures of \nPersonal Information. GAO-06-833T. Washington, D.C.: June 8, 2006.\n    Information Security: Weaknesses Persist at Federal Agencies \nDespite Progress Made in Implementing Related Statutory Requirements. \nGAO-05-552. Washington, D.C.: July 15, 2005.\n    Veterans Affairs: Sustained Management Attention is Key to \nAchieving Information Technology Results. GAO-02-703. 
Washington, D.C.: \nJune 12, 2002.\n    Major Management Challenges and Program Risks: Department of \nVeterans Affairs. GAO-01-255. Washington, D.C.: January 2001.\n    VA Information Systems: Computer Security Weaknesses Persist at the \nVeterans Health Administration. GAO/AIMD-00-232. Washington, D.C.: \nSeptember 8, 2000.\n    Information Systems: The Status of Computer Security at the \nDepartment of Veterans Affairs. GAO/AIMD-00-5. Washington, D.C.: \nOctober 4, 1999.\n    VA Information Systems: The Austin Automation Center Has Made \nProgress in Improving Information System Controls. GAO/AIMD-99-161. \nWashington, D.C.: June 8, 1999.\n    Information Systems: VA Computer Control Weaknesses Increase Risk \nof Fraud, Misuse, and Improper Disclosure. GAO/AIMD-98-175. Washington, \nD.C.: September 23, 1998.\n                             GAO Highlights\n Information Security: Veterans Affairs Needs to Address Long-Standing \n                               Weaknesses\nWhy GAO Did This Study\n    Security breaches at the Department of Veterans Affairs (VA) and \nother public and private organizations have highlighted the importance \nof well-designed and implemented information security programs. GAO was \nasked to testify on its past work on VA\'s information security program, \nas well as ongoing reviews that it is conducting at VA.\n    In developing its testimony, GAO drew on over 15 of its previous \nreports and testimonies, as well as reports by the Department\'s \nInspector General (IG).\nWhat GAO Recommends\n    To ensure that security issues are adequately addressed, GAO has \npreviously made over 150 recommendations to VA on implementing \neffective controls and developing a robust information security \nprogram.\nWhat GAO Found\n    For many years, GAO has raised significant concerns about VA\'s \ninformation security--particularly its lack of a comprehensive \ninformation security program, which is vital to safeguarding government \ninformation. 
The figure below details information security weaknesses \nthat GAO identified from 1998 to 2005. As shown, VA had not \nconsistently implemented appropriate controls for (1) limiting, \npreventing, and detecting electronic access to sensitive computerized \ninformation; (2) restricting physical access to computer and network \nequipment to authorized individuals; (3) segregating incompatible \nduties among separate groups or individuals; (4) ensuring that changes \nto computer software were authorized and timely; or (5) providing \ncontinuity of computerized systems and operations. The Department\'s IG \nhas also reported recurring weaknesses throughout VA in such areas as \naccess controls, physical security, and segregation of incompatible \nduties. In response, the Department has taken actions to address these \nweaknesses, but these have not been sufficient to establish a \ncomprehensive information security program. As a result, sensitive \ninformation has remained vulnerable to inadvertent or deliberate \nmisuse, loss, or improper disclosure. Without an established and \nimplemented security program, the Department will continue to have \nmajor challenges in protecting its systems and information from \nsecurity breaches.\n    GAO has several ongoing engagements to review the Department\'s \nefforts in improving its information security and information \ntechnology management. These engagements address:\n\n    <bullet>  Data breach notification;\n    <bullet>  Actions to strengthen information security controls;\n    <bullet>  Controls over information technology equipment; and\n    <bullet>  VA\'s information technology realignment effort.\n                       SUBMISSION FOR THE RECORD\n              Prepared Statement of Hon. Zachary T. 
Space,\n          a Representative in Congress from the State of Ohio\n    Dear Members of the Subcommittee and Panelists,\n    I would like to submit for the record my most sincere apologies for \nmy absence this afternoon. An unexpected family emergency has called me \naway from my congressional duties. While I would like very much to be \nin attendance today to review the important information and security \nmanagement procedures in place at the VA, I must be with my mother on \nthe loss of her husband.\n    I appreciate your understanding on this matter. Please know that I \nremain committed as ever to the important work of this Subcommittee and \nthose that it serves.\n            Sincerely,\n                                                        Zack Space.\n</pre></body></html>\n'