<DOC>
[109th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:28451.wais]
HEARING ON SAFEGUARDING VETERANS'
MEDICAL INFORMATION WITHIN THE VETERANS
HEALTH ADMINISTRATION
=======================================================================
HEARING
before the
SUBCOMMITTEE ON HEALTH
of the
COMMITTEE ON VETERANS' AFFAIRS
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
JUNE 21, 2006
__________
Serial No. 109-55
__________
Printed for the use of the Committee on Veterans' Affairs
U.S. GOVERNMENT PRINTING OFFICE
28-451 PDF WASHINGTON : 2007
------------------------------------------------------------------
For sale by Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2250. Mail: Stop SSOP,
Washington, DC 20402-0001
COMMITTEE ON VETERANS' AFFAIRS
STEVE BUYER, Indiana, Chairman
MICHAEL BILIRAKIS, Florida LANE EVANS, Illinois,
TERRY EVERETT, Alabama Ranking Member
CLIFF STEARNS, Florida BOB FILNER, California
DAN BURTON, Indiana LUIS V. GUTIERREZ, Illinois
JERRY MORAN, Kansas CORRINE BROWN, Florida
RICHARD H. BAKER, Louisiana VIC SNYDER, Arkansas
HENRY E. BROWN, Jr., South Carolina MICHAEL H. MICHAUD, Maine
JEFF MILLER, Florida STEPHANIE HERSETH, South Dakota
JOHN BOOZMAN, Arkansas TED STRICKLAND, Ohio
JEB BRADLEY, New Hampshire DARLENE HOOLEY, Oregon
GINNY BROWN-WAITE, Florida SILVESTRE REYES, Texas
MICHAEL R. TURNER, Ohio SHELLEY BERKLEY, Nevada
JOHN CAMPBELL, California TOM UDALL, New Mexico
JOHN T. SALAZAR, Colorado
James M. Lariviere, Staff Director
SUBCOMMITTEE ON HEALTH
HENRY E. BROWN, Jr., South Carolina, Chairman
CLIFF STEARNS, Florida MICHAEL H. MICHAUD, Maine,
RICHARD H. BAKER, Louisiana Ranking Member
JERRY MORAN, Kansas BOB FILNER, California
JEFF MILLER, Florida LUIS V. GUTIERREZ, Illinois
MICHAEL R. TURNER, Ohio CORRINE BROWN, Florida
JOHN CAMPBELL, California VIC SNYDER, Arkansas
C O N T E N T S
----------
June 21, 2006--Hearing on Safeguarding Veterans' Medical Information
with the Veterans Health Administration
Page
OPENING STATEMENTS
Chairman Henry E. Brown.......................................... 1
Prepared statement of Chairman Brown............................. 23
Hon. Michael H. Michaud, Ranking Democratic Member............... 2
Prepared statement of Congressman Michaud........................ 30
STATEMENT FOR THE RECORD
Hon. Corrine Brown............................................... 19
Prepared statement of Congresswoman Brown........................ 32
WITNESSES
Kussman, Brig. Gen. Michael J., M.D., M.S., MACPP (US Army Ret),
Principal Deputy Under Secretary for Health, Veterans Health
Administration, Department of Veterans Affairs................. 4
Prepared statement of Dr. Kussman................................ 37
Seliger, Robert, Chief Executive Officer and Co-Founder,
Sentillion, Inc., and Chair, Steering Committee for Integration
and Interoperability, Healthcare Information and Management
Systems Society (HIMSS)........................................ 6
Prepared statement of Mr. Seliger................................ 46
POST-HEARING QUESTIONS FOR THE RECORD
Hon. Michael H. Michaud.......................................... 54
Hon. Corrine Brown............................................... 61
HEARING ON SAFEGUARDING VETERANS' MEDICAL INFORMATION WITH THE VETERANS
HEALTH ADMINISTRATION
----------
WEDNESDAY, JUNE 21, 2006
House of Representatives,
Subcommittee on Health,
Committee on Veterans' Affairs,
Washington, DC.
The subcommittee met, pursuant to call, at 10 a.m., in room
334, Cannon House Office Building, Hon. Henry Brown (chairman
of the subcommittee) presiding.
Present: Representatives Brown of South Carolina, Michaud,
Turner, Brown of Florida, and Snyder.
Mr. Brown of South Carolina. Good morning. The Subcommittee
will now come to order. We are holding this hearing today to
address the vulnerability of VA's electronic medical records
system and examine the access and control policies VA employs
and the compliance mechanism VA uses to safeguard sensitive,
personal veterans' health information from internal and
external security threats.
The value of VA's electronic medical records system was
evident in VA's response to Hurricane Katrina. During Hurricane
Katrina, VA doctors and nurses were able to treat without
interruption patients transferred from VA facilities in New
Orleans to VA hospitals in Houston. Because of the system's
electronic medical records, all patients' records were backed
up, securely transported to Houston, and were back on line and
available almost immediately.
At the same time, however, there are risks with holding
such sensitive and personal information electronically, and the
lack of a solid VA information security program greatly
troubles me.
The personal and sensitive data of our nation's veterans
must be handled with the utmost care. The burglary of the home
of a Department of Veterans Affairs employee that included a
data file with personal information on millions of veterans is
simply unacceptable.
The Department of Veterans Affairs is working with the FBI
to thoroughly investigate this matter, and this Committee will
be closely monitoring this situation to help ensure that such
an occurrence is not repeated.
We must make sure that there are explicit and clear
security and confidentiality policies to protect the health
information of our nation's veterans. To that end, we are
interested today in hearing from those at the Department that
the most sensitive information, individually identifiable
health information is currently being protected.
Additionally, in light of the recent theft, I am interested
in knowing what the VA anticipates doing to better protect this
information in the future and what steps, if any, have already
been taken.
Through a series of hearings set up by the Chairman of our
full Committee, Chairman Buyer, we have been able to closely
examine data integrity and security issues from a number of
different perspectives, but today we have the opportunity to
specifically focus on health-related information.
In addition to having assembled the cast before us from the
VA, we have also taken the opportunity to speak with folks from
the private sector. I for one welcome the opportunity to hear
what is currently being considered state-of-the-art in the
private sector and then benchmarking that standard against VA's
current practices. Today we have this opportunity.
I would like to personally thank all of our witnesses for
being here today. And with that, I now yield to our Ranking
Member, Mr. Michaud, for an opening statement.
[The statement of Henry Brown appears on p. 23]
Mr. Michaud. Thank you very much, Chairman Brown, and thank
you for holding this very important oversight hearing. VA's
electronic patient record system remains the technological
force behind VA's state-of-the-art care. It can save lives as
well as money.
Last week, the VA Inspector General issued a report on VA's
procedure for outsourcing medical record transcriptions. The
report showed that the VA had weak controls over the veterans'
medical records. In 2005, a subcontractor in India contacted
the IG and threatened to expose thousands of patients' records
over the internet if the subcontractor was not paid.
This allegation and the IG audit showed the VA was
incapable of controlling or detecting where a contractor had
medical information transcribed or who had access to it. VA's
procedure for acquiring medical transcription services from
contractors failed to address basic security requirements.
Of the VA facilities surveyed, 91 percent did not remove
personal identifiers such as patients' names and Social
Security numbers before transmitting the data to contractors
for transcriptions.
I agree with the IG that the VA needs to do this work with
VA staff because this is not a practical way to ensure that
contractors safeguard patients' protected health information.
As the IG report says, and I quote, ``The inability to
control confidential information in an era of global
outsourcing leaves protected health information unprotected and
patients subject to identity theft,'' end of quote.
Given the clear risk with outsourcing, I cannot understand
why this Administration and the Office of Management and Budget
identified the jobs in medical information or records as ones
that should be studied for outsourcing.
I look forward to hearing from Dr. Kussman about the VA's
effort to improve controls on medical transcriptions.
Chairman Brown, I commend you for your leadership in
holding this hearing so that we can better understand what the
Veterans Health Administration has done and what they will do
to preserve the security and privacy of veterans' medical
records.
Also, Mr. Chairman, I would like my full opening statement
to be submitted for the record. Thank you.
Mr. Brown of South Carolina. Okay. Without objection. Thank
you, Mr. Michaud.
[The statement of Michael Michaud appears on p. 30]
Mr. Brown of South Carolina. Mr. Turner, do you have an
opening statement?
Mr. Turner. Mr. Chairman, I want to thank you for holding
this hearing. I appreciate your continuing to give information
to the Subcommittee members and the members of the full
Committee on this important issue, and I would like permission
to submit an opening statement for the record.
Mr. Brown of South Carolina. Without objection.
[No statement was submitted.]
Mr. Brown of South Carolina. Dr. Snyder.
Mr. Snyder. No thank you.
Mr. Brown of South Carolina. Okay. On our first and only
panel representing the Department of Veterans Affairs, we are
honored to have Brigadier General Michael J. Kussman. Dr.
Kussman was appointed Deputy Under Secretary of Health for the
Veterans Health Administration on May 29, 2005.
In this capacity, he leads the clinical policy and programs
for the nation's largest integrated healthcare system. Among
his many accomplishments, Dr. Kussman served as the Army
Surgeon Generals chief consultant in internal medicine and
governor for the Army Region of the American College of
Physicians in 1988.
From March 1993 to August 2005, he commanded Martin Army
Community Hospital at Ft. Benning, Georgia and later commanded
the Walter Reed healthcare system in Washington, DC, where he
was promoted to Brigadier General.
Following his tour at Walter Reed, Dr. Kussman served as
commander of the Europe Regional Medical Command and was
responsible for healthcare throughout Europe, the Middle East,
and Africa.
Dr. Kussman is accompanied by Mr. Craig B. Luigart, VHA
Chief Information Officer; Dr. Robert Kolodner, Chief Health
Information Officer; Ms. Stephania Putt, VHA Privacy Officer;
and Ms. Gail Belles, VHA Technical Security Advisor.
Also I want to welcome Mr. Robert Seliger. He's the CEO and
Co-Founder of Sentillion. Mr. Seliger has led the company in
creating security solutions that improve information access and
work flow for customers in the healthcare information
technology industry. He is widely recognized as a visionary at
the forefront of converging technical markets and clinical
trends in healthcare.
Prior to co-founding Sentillion, Mr. Seliger was a senior
R&D manager and chief architect at an International Team
responsible for development of Hewlett Packard's medical
products group's largest portfolio of clinical information
systems products.
Presently he chairs the Healthcare Information and
Management Systems Society Steering Committee for Integration
and Interoperability. We are very pleased to have him at our
hearing today.
Dr. Kussman, before you begin, I gave you all those
accolades. I want to chastise you just a bit for the lateness
of your prepared remarks to the Committee. We certainly wish
you would be a little bit more responsive and a little bit more
timely getting the information to us so we will have a better
opportunity to review testimony before it is actually
presented.
But with that, we will now start with you.
STATEMENTS OF BRIG. GEN. MICHAEL J. KUSSMAN, M.D., PRINCIPAL
DEPUTY UNDER SECRETARY OF HEALTH, VETERANS HEALTH
ADMINISTRATION, DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY
ROBERT KOLODNER, M.D., CHIEF HEALTH INFORMATICS OFFICER, VHA,
DEPARTMENT OF VETERANS AFFAIRS; STEPHANIA PUTT, PRIVACY
OFFICER, VHA, DEPARTMENT OF VETERANS AFFAIRS; GAIL BELLES,
TECHNICAL SECURITY ADVISOR, VHA, DEPARTMENT OF VETERANS
AFFAIRS; AND ROBERT SELIGER, CHIEF EXECUTIVE OFFICER AND CO-
FOUNDER, SENTILLION, INC., CHAIR, STEERING COMMITTEE FOR
INTEGRATION AND INTEROPERABILITY, HEALTHCARE INFORMATION AND
MANAGEMENT SYSTEMS SOCIETY
STATEMENT OF MICHAEL J. KUSSMAN
Dr. Kussman. Good morning, Mr. Chairman, and Ranking
Member, other members of the Committee.
First, let me say that I apologize for the lateness of the
statement, and I have talked to Counsel and we clearly need to
do better and we will.
Mr. Brown of South Carolina. Well, I know you are under a
lot of pressure from a lot of different groups to prepare
remarks, but we do need to try to resolve this problem we have.
But, anyway, we are grateful to have you here today.
Dr. Kussman. Yes, sir. This is a partnership and we need to
do better. So thank you for your comments.
Thank you for allowing me to provide an overview of the
data management and security procedures that the Veterans
Health Administration employs to ensure the safety and
integrity of veterans' electronic health records and to
safeguard sensitive personal veteran information from internal
and external security threats.
Before I proceed with my review of our security and privacy
procedures, I want to assure both you and our nation's veterans
that the recent data breach did not include any of the Veterans
Health Administration's electronic health records.
VHA views data privacy and security as a fundamental
operational pillar. We are committed not only to ensuring that
our veterans receive the best healthcare but that we also fully
protect the security and privacy of their paper and electronic
health records.
VHA is responsible for protecting data on all systems that
facilitate the delivery of healthcare benefits to our nation's
veterans. Similar protections are provided for the databases
that contain the veteran health records exchanged between the
Department of Defense and VA. We protect many important health
databases and systems that enable us to provide quality care to
our veterans.
Our core electronic health records system is VISTA. This
widely acclaimed system has saved the lives of thousands of
veterans, but it was designed 20 years ago and, as such, it is
principally hospital based and is deployed in more than 100
locations. This distributed nature does not lend itself to
simple security compliance.
Today network and telecommunications standards and
solutions exist to assist in mitigating these risks while
creating greater efficiency and effectiveness, and a wide range
of security and privacy procedures protect VISTA and other VHA
systems.
For years, VHA has required that all employees and
contractors complete annual privacy and security training. VA
policy is that anyone needing access to our data to perform
their duties, whether a provider, a researcher, or veteran
service officer, must be granted explicit approval for that
access.
This is just the beginning. VHA also develops its own
policies and guidance focused on healthcare-specific issues and
implements sophisticated technical controls to protect the
veterans' health records.
VHA carefully controls access to sensitive data. Only those
who have a legitimate and demonstrated need are granted access
to sensitive information. Even then, users' access is limited
to the information needed to do their jobs.
VHA also employs security measures to protect VA systems
and data when VHA employees and contractors perform work
outside of VA offices. All external connections into the VA
network are protected by a virtual private network, VPN, which
provides secure, remote access. VPN access requires management
approval and approved users are required to sign and abide by a
rules of behavior document that must be in place before access
is granted.
Across this nationwide network of systems, VHA applies many
other security controls. These include intrusion detection
systems that monitor and detect intruders, encryption of
sensitive data exchanged with DoD, routine backups of data on
our critical systems, and continuity of operations, processes,
and procedures.
VHA is committed to continuing to strengthen our security
and privacy controls. To this end, VA is investigating the use
of encryption solutions appropriate for our information systems
and data protection needs that will be adopted for use across
VHA.
VHA is reengineering current applications that will broaden
auditing capabilities. We are enhancing our current role-based
access control capabilities to provide granularity with user-
defined roles. And VHA has taken the lead in developing role-
based access control enhancements that are being evaluated for
national and international endorsement.
To further strengthen security and privacy, VHA has
identified a number of specific actions for strengthening data
security procedures that are in the planning stages or have
been identified as a result of the data security breach as
follows:
Provide and mandate centrally deployed security solutions;
implement a department-wide encryption solution that encrypts
data that is sent across VA networks; increase the use of
secure web-based solutions for e-mail, scheduling, and other
administrative needs; require that portable media and laptops
have the capability to encrypt all sensitive data and that
appropriate guidance tools training are provided to the users
to implement these solutions effectively; and update VA and VHA
security policies to address changes in technology's current IT
environments.
To further emphasize the importance of security, VA is
planning a department-wide Security Awareness Week for
workforce members from June 26 to 30 June with daily briefings
on proper security practices. VHA is taking the lead for
coordinating the week.
In addition, to help veterans, VA will set up information
booths across the VA so that veterans can get information on
identity theft and data protection.
In closing, let me reiterate that we see data privacy and
security as a fundamental operational pillar. We are committed
to providing the best possible care to our nation's veterans,
and we will do everything in our power to fully protect the
security and privacy of their health records. For our veterans,
for the men and women who have fought so bravely for our
country, anything else is unacceptable.
And I might close, if you would not mind, sir, with a
personal comment. As a veteran and a retiree, I have received a
letter from the Secretary as well. It was not a surprise to me
obviously, but I did receive the letter. And I can assure you
that myself and others of us who are in that same situation
take this very, very seriously both on a personal and
professional basis.
Thank you.
Mr. Brown of South Carolina. Thank you, Dr. Kussman, for
your testimony.
Dr. Kolodner, we will take your testimony next. I am sorry.
Mr. Seliger. We will get to you later. Okay.
[The statement of Michael Kussman appears on p. 37]
STATEMENT OF ROBERT SELIGER
Mr. Seliger. Chairman Brown, Mr. Michaud, distinguished
members of the Committee, thank you for the opportunity to
testify before you today on a subject of critical importance
for our Nation's veterans, but also to every citizen, how to
safeguard sensitive personal health and related information
from external and internal security threats.
My name is Robert Seliger, and I am Co-Founder and CEO of
Sentillion. Sentillion is the industry leading provider of
identity and access management solutions to hospitals and
healthcare systems. Every day Sentillion helps hundreds of
institutions and hundreds of thousands of physicians, nurses,
and other caregivers at those institutions employ effective
security and privacy practices while also facilitating the
care-delivery process.
We are exceedingly proud to say that among these
institutions are all 163 medical centers of the Departments of
Veterans Affairs.
To further introduce myself, I have 26 years of experience
in the field of health information technology. I have served on
numerous Standards Committees and have chaired a variety of
healthcare industry initiatives.
Recent activities include serving as Chair for the HIMSS
Steering Committee for Integration and Interoperability and
serving as an advisor on standards uptake for the Pan-Canadian
Electronic Health Records Standard Steering Committee.
Today I want to focus on one aspect of the complex
challenge of safeguarding patient data in a clinical setting,
and that is how can we safeguard patient data without also
impeding the care-delivery process? Practicing safe and
effective medicine will always take precedence over concerns
for security and privacy.
Our nation's nurses and physicians are among the smartest,
most highly-trained people in the world. This fact coupled with
their deep sense of mission will compel them to avoid, work
around, and challenge policies that impede the care-delivery
process. This is because the care-delivery process by its very
nature requires immediate information access and the constant
sharing of information with others.
As a simple example, consider the seemingly trivial tasks
of logging onto a computer in order to access patient data and
then logging off the computer when done. These actions are
almost never performed in the hospital. Instead computer
accounts are shared in order to avoid logging in and no one
logs off.
The reason is that a caregiver in a busy hospital might
need to log on and off 50 to 100 times a day. At a minute or
two for each log on and log off, you can quickly see how this
seemingly trivial best practice is avoided because it
interferes with the pace of providing care.
And so our nation's physicians and nurses practice good
healthcare, but leave millions of personal computers across the
country open to access or even simple perusal by any passerby
from other healthcare workers with no valid reason to view the
information to other patients to people visiting patients to
anyone else who might be in the hospital.
I would like to assert that the security and privacy
challenge that the healthcare industry faces are not just
attacks from outside but also transgressions from within. The
question is, how do we as a nation change the situation without
compromising the care-delivery process?
Data that we have from a study we conducted shows that
under circumstances in which log-on and log-off times were
reduced to just a few seconds, nurses in one hospital who only
logged off 50 percent ofthe time were now doing so 100 percent
of the time. And physicians who were not logging off at all were now
doing so 86 percent of the time.
This change in behavior was not due to a new policy or the
threat of punitive measures. Rather, we simply made it easier
for caregivers to behave as good security and privacy citizens.
The challenge we face is to make sure that the things we do
to keep the bad guys out do not effectively prevent letting the
good guys in. This is about making sure we engineer security
and privacy solutions from a work-flow perspective and not
attempt to force upon healthcare organizations mechanisms that
make sense for other types of environments but which do not
make sense for healthcare.
Delivering effective healthcare is an intense and
complicated process. It is also a truly mission-critical
process. Our industry must find the right balance between
applying security and privacy measures that are known to work
and applying measures that could be detrimental to patient
care.
We can assert, for example, that every caregiver must have
a password for each application that they use, but what, in
fact, are we asking our caregivers to do if they need to
remember ten different passwords and enter each one in dozens
of times a day?
To truly safeguard patient security and privacy requires a
broad set of measures. These measures include not only good
network security and the appropriate encryption of data but
also involves tools and mechanisms that enable good people,
well-meaning people to do their jobs without compromising
patient health, patient security, or patient privacy.
Mr. Chairman, this concludes my remarks. Thank you for the
privilege of speaking before you today. I am happy to answer
any questions the Committee may have.
[The statement of Robert Seliger appears on p. 46]
Mr. Brown of South Carolina. And I thank you very much for
your testimony and also Dr. Kussman. Have you all met before?
Mr. Seliger. I am sorry?
Mr. Brown of South Carolina. Have you all met before?
Mr. Seliger. No.
Mr. Brown of South Carolina. Okay. Well, I think you both
bring a great perspective to the process. And, in fact, I will
ask you the first question if I might.
Your testimony makes a number of sound points. I wonder if
you could expand a bit on the relative importance of auditing
electronic access to records. I mean, security protocol and
audit capabilities are one thing, but actually doing the audit
and understanding who is using the data is quite another.
What security features should a healthcare system like the
VA contain?
Mr. Seliger. Well, the audit process begins with being able
to establish the identity of the people using the system. In
the example I just gave that people are not logging in, and I
am using the same accounts as Dr. Kolodner or Dr. Kussman here,
then an audit is irrelevant because you do not really know who
is actually using the computer.
So the best audit processes begin with establishing
mechanisms that enable caregivers to want to, to easily sign on
and sign off the computers, and do so in a secure manner, so
each person is uniquely identified. Once we have that, we can
then record the access and make appropriate conclusions about
whether those accesses were appropriate or not.
Mr. Brown of South Carolina. Dr. Kussman, do you all have a
system similar to this or how do you control and audit the
users?
Dr. Kussman. Yes, sir. Thank you for the question.
I believe we do have a process that identifies the people
not only that have access to the system but makes sure that the
people who have access need to have access.
You know, we talk in the security realm about need to know.
That is only part of it. The question is need to have. I mean,
a lot of people like to have access to things that they do not
necessarily need to have.
From a clinical perspective, obviously, as was mentioned,
our primary mission is to provide the state-of-the-art care to
our veterans, and the electronic health record is a modality of
delivery of care. For us, it is the same as a stethoscope or an
EKG machine or CAT scan, and it has become part of our culture
and used daily.
I might ask Dr. Kolodner, who is an expert on this, to
maybe illustrate further how that is done.
Dr. Kolodner. Yes. Thank you very much.
Each of our users has their own account and a two-level
password, both of which are private, so the physician or nurse
will log on and access the patient.
We also have a third password for the electronic signature.
If I am entering data, I have to add that additional password,
which means that I cannot come in behind someone else and use
the system since I would not know their electronic signature
password.
We reinforce the importance of protecting passwords to our
providers on a regular basis, and we actually take action for
those who violate the log-off, log-on procedures in our
facilities.
Dr. Kussman. Sir, I might add just one other thing is that
in many ways, the electronic health record has improved the
security dramatically and access to information or protection
of information because many of us are old enough and dinosaurs
before the electronic health record. And when we had hard copy,
the records would sit around, if you will. They would be on a
nurse's station or on a doctor's desk or in a records room. And
in many ways, anybody could come up and pick up that record and
read something about the patient. It was very difficult to have
physical security on this.
So what Dr. Kolodner has been mentioning is a quantum leap
improvement, I think, in security in keeping that information
private.
Mr. Brown of South Carolina. Is it password protected on
different segments so the record has different levels of
authority and certain controls over parts of the record?
Dr. Kolodner. Yes. We have a series of access controls in
our current system. And based on the work that we have been
doing, we have been developing a much more sophisticated system
called role-based access that defines what parts of the record
a particular individual should be allowed to read from or write
to based on the role that they are serving or playing in the
facility.
We have taken that schema for the role-based access to the
standards development organizations, working in conjunction
with our Departmentof Defense and with Kaiser Permanente
colleagues, and it has passed the ballot for an international standard.
So we do already have a process in our current process for
controlling that access, and we are devising and planning to
implement in our next generation system an even more
sophisticated system.
Mr. Brown of South Carolina. Since the theft of those
records, have you done anything different to put in place
policies that would further identify in the audit if there has
been a breach within your own areas and indicate who might be
using this data? Are there other security measures you put in
place since the event?
Dr. Kussman. Yes, sir. As you know, that from a healthcare
perspective, we always had a very sophisticated and controlled
program known as the Health Information Portability and
Accountability Act, the HIPAA, and that put in place a great
deal of standards different than nonhealthcare data.
And that has been inculcated into the culture of all
healthcare delivery systems because everyone knows if you
breach that, not only are you doing something wrong as far as
an ethical, moral thing, but you can really be hurt financially
and potentially go to jail for it.
So there is a great deal of sensitivity about controlling
healthcare information. So that was already the foundation.
Because of this breach of information, and as we have said,
thank goodness it was not involved with healthcare data, but it
certainly has sensitized us immensely to that.
And I might ask Ms. Putt, who is our privacy manager, and
Gail, our security people, to comment on what are some of the
newer things that we have looked at in respect to the breach.
Ms. Belles. Actually, we have taken a number of steps to
address issues. One thing that we have done is to issue a data
access inventory to all of our VA personnel. We are identifying
the access to sensitive data for every individual in our
workforce, employees, contractors, students, residents, et
cetera. That is a major undertaking for us. We are planning to
get the results back from that access inventory at the end of
June.
The Security Awareness Week, we talked about. We are going
out to the entire workforce to give briefings on the importance
of security and privacy and the things that need to be done to
protect patient data so that it is not compromised at any time.
There has been policies that have been updated, rewritten
to address remote access to our systems and data. We have
actions to bring groups together to look at encryption
methodologies for laptops and portable media so that we can
address that area which we know is vulnerability.
So a number of good steps as a result of this.
Mr. Brown of South Carolina. Let me just follow-up on that
statement. The access inventory--you will not get a response
until the end of June. How often would you get a report if
somebody accessed a file that should not be there? If somebody
accessed a file, they would have to have access to some
password. But what does the access inventory do for you?
Ms. Belles. What that does is provides us with a list of
the entire workforce and the systems, the sensitive data that
they have, and how they access it. So if they access it
remotely or if they access it from an office or they access it
in paper form, we can identify that and we can also look very
closely at the appropriateness of those accesses.
As far as individuals accessing medical records, we have
audit trails that are logged on a continuous basis and are
reviewed by the facility information security officers on a
regular basis to ensure that with managers that the individuals
accessing these records or accessing these options have the
need to know.
Mr. Brown of South Carolina. And how timely is that review?
Ms. Belles. I am sorry?
Mr. Brown of South Carolina. How timely is that review?
Ms. Belles. It is a real-time recording of the audit.
Mr. Brown of South Carolina. Right.
Ms. Belles. I think it's probably a 30-day review by the
ISOs.
Dr. Kussman. Sir, if I might add to that. With our
inventory review, we are going out and looking at not only who
have laptops but who have access to that virtual network that I
talked about, the VPN, because over a period of time,
organizations, there may be more people who have access than we
think we really knew need to have.
Many people may be using it just for e-mail and they do not
need the laptop for that. We have Blackberries and other ways
of doing that. So we are doing a very close scrub on who has
laptops and what are they doing with them, and then also
educating people very closely on what their responsibility is
if they have a laptop.
I mean, you can have it and need VPN access both when you
are going some place. You have a responsibility to protect that
laptop in a hotel or a restaurant or even in your car. And on
top of that, you should not carry as much as possible any
information that if indeed the laptop was stolen for some--I
mean, obviously we cannot prevent somebody from holding
somebody up on the street and taking their laptop, but we
certainly would not want any information on there or as little
information on there that would be incriminating or sensitive
in any way.
Mr. Brown of South Carolina. That leads me to my next
question, and this will be my last question. I notice that your
written testimony referenced the Department's interest in
starting to encrypt the data that is sent between VA sites. Is
there some specific reason why that has never been seen as
appropriate before?
Dr. Kussman. Yes, sir. Let me just make a comment that our
VPN network is already encrypted. And so there is a significant
amount of encryption that goes forward. And if everybody stayed
within the firewall, if you will, using the encryption, then
indeed we have much less of a potential problem.
The question is that in data that even flows within the
system or somebody downloaded something to their hard drive,
can that bypass the VPN encrypted nature? And so we are looking
at that. But that really is not only a VHA responsibility, it's
a VA-wide responsibility to look at encryption, and we would
want to coordinate that with the VA CIO so we have one system
of encryption.
Would either one of you like to add to that?
Ms. Belles. I will just add that several years ago, we
transformed from what we had in place for our network was IDCU,
which is a private network, and we have gone to a more open
network.
So at the time we had the IDCU, we did not require any
encryption between the facilities. But now that we are in this
environment where we have a more open network, we need to look
at encryption between the facilities.
Mr. Brown of South Carolina. Thank you very much for your
testimony.
And, Mr. Michaud.
Mr. Michaud. Thank you, Mr. Chairman.
Dr. Kussman, I just want to reiterate what Chairman Brown
had mentioned in his opening as far as questioning. I, too, was
concerned about the lateness of your testimony, and have not
had a chance to go through it.
And I know next week, we have a hearing on Tuesday and VA's
testimony is supposed to be in tomorrow. So hopefully we will
be able to, you know, have your testimony tomorrow for next
week's hearing.
Dr. Kussman, in your testimony, you state that VA contracts
forbid the transfer of veterans' protected health information
outside the jurisdiction of the United States. A couple of
questions.
How will you monitor compliance with that provision? Can
you give us total and complete assurance that absolutely no VA
contractor will use an overseas subcontractor to transcribe
veterans' medical information?
Dr. Kussman. Yes.
Mr. Michaud. How will you monitor the provision?
Dr. Kussman. Sir, that is written into the contract and the
contractors have to abide by the same security issues that we
have in-house that is part of the contract.
The issue that you are describing, I am well aware of, that
took place. We did not realize, quite frankly, that the
contractor had subcontracted. When we found out, we stopped
that and we have prohibited that from occurring again.
Mr. Michaud. Okay. Thank you.
And are you confident that the VA can control veterans'
private and personal medical information while it is outsourced
for medical transcriptions here in the United States?
Dr. Kussman. Yes, sir. As you are well aware of, we are a
large organization. We talked about the need to balance the
delivery of healthcare with safety. They are not mutually
exclusive. I mean, they are together.
We with our contractors will leave no stone unturned, no
process unlooked at to protect the privacy and security of all
our veterans. And if indeed there is a mishap, we will have in
place processes that will aggressively and quickly address
those issues and be sure that we inform the veterans.
As you know, we have a very elaborate safety program that
we do. We have briefed you and others on similar types of
issues related to safety. We have an open environment. There
are no secrets. We try to make sure that both you and other
supervising entities as well as the patients know what we are
doing.
So I believe we have in place and we will aggressively
enforce all the security needs to protect our patients.
Having said that, as you know, the gold standard in this
country is the airline industry and FAA, as I mentioned to you
earlier, and we all feel fairly secure when we get on an
airplane. Unfortunately, even with everything, airplanes do not
work the way that they are supposed to and there are accidents.
We will put in and aggressively put in all the processes
that would minimize and mitigate any situations that we can
anticipate. But to tell you a hundred percent that it will
never happen again, you know as well as I that that would be
difficult to do.
Mr. Michaud. Thank you.
Also in your testimony, you state that the VA conducts an
annual system-wide ongoing assessment and review strategy
called SOARS.
What did SOARS identify to be the most significant privacy
and security threat to VA's medical health data system both
internal and external?
Ms. Putt. Mr. Congressman, I do not have that information
at this time on the finding of the SOARS assessment
specifically. I do have information on other assessments.
Mr. Michaud. Would you be able to provide the Committee
with the SOARS assessment?
Ms. Putt. I think we can.
Dr. Kussman. Yes, sir. The SOARS has been a very successful
program for us. It has been a self-induced, self-initiated
program that looks at a whole gamut of things much like a mini
joint commission assessment would volunteer. And it was
originally volunteers. The facilities were not required to do
this. But it has been successful, everybody asks for it. So
effectively it is a guaranteed program.
One of the things that we have always looked at but will
look at more closely is the issue of data security. I am not
aware that that has been a major problem for us that has come
up in the SOARS, but we will look back at that. And with your
indulgence, we will report back to you for the record on that.
Mr. Michaud. Thank you.
VA researchers can have access to databases with Social
Security numbers identifying veterans. I understand that
researchers must go through an approval process to get access
codes to this database.
What does VA do after a researcher has access to ensure
that such data is not downloaded, put on a laptop or extended
hard drive or otherwise put at risk of being lost or stolen and
how do you enforce this policy?
Dr. Kussman. Yes, sir. Thank you for the question.
We are aware of that situation. We monitor it very closely.
As you alluded to, that anybody who does research has to apply
for that. There are standards that have to be met. It is part
and parcel of the approval in the Institutional Review Boards
at the facilities that approve the human research and protect
the patients, and it is not only protection for their clinical
things, but it is also protection of their information and
their rules and regulations on what the researcher can do and
what they can transport.
But I will ask Gail or Stephania to elaborate on that.
Ms. Putt. Thank you.
As stated, researchers/investigators do have to follow the
privacy and security of protecting their research information
as outlined in their research protocol that is approved by the
Institutional Review Board.
The data that they use and collect cannot be used for any
other purpose without going back to the Institutional Review
Board for approval. They must also follow policies regarding
the protection of human subjects and their data for research to
ensure that the information is not shared with affiliates or
colleagues who are not VA employees or do not have legal
authority to see the information, and they have to safeguard it
in accordance with policies if it is placed on any laptops or
other devices.
Mr. Michaud. But the question was, what does the VA do
after they do all the research? What does the VA do after the
researcher has access to all this information? How do you know
that they do not download it or make copies on another CD?
Ms. Putt. VA researchers should follow policies that
prohibit them keeping the data after the research study has
concluded. Once the study has concluded and they have maybe
published their results, they are supposed to destroy the data
or return the data. They are not to keep it to use for future
research projects.
Mr. Michaud. On that same line of questioning, how does the
VA enforce a policy for researchers from taking the stuff home?
Ms. Putt. There is a Research Compliance Office that is
responsible for reviewing researchers' activities in terms of
their research protocols and what they are doing in terms of
their studies, along the same lines with the protection and
security of their information.
I do not have any more information on the processes of the
Research Compliance Office, but facilities do actually have
Research Compliance Officers at some of the facilities who are
responsible for reviewing the researchers' activities.
Mr. Michaud. Not being a computer whiz, how confident are
you that the researchers do not take this information home? Is
there any way that you can find out? I mean, just how confident
are you?
Dr. Kussman. I guess I got the look to answer the question.
Sir, through the Office of Research Oversight, they do
random samples. They look at that. They look at a process under
which people adhere to the processes. We set that up--it used
to be called ORCA. It is now the ORO, the Office of Research
Oversight--to really look at this.
Part of the reason was to look at this issue because the
researchers do research. And sometimes, just like anybody else,
you could get a little lax about what you are doing. And so we
needed to have a process under which we looked at that.
Does every protocol need to be looked at? No. We believe
that the process is valid. Because of this, we will relook at
our thing to see if it needs further strengthening. But to some
degree, we have to trust the people who signed the pieces of
paper who say that they are following what we have told them to
do.
We believe that the process that we have in place works
pretty well because I am not aware of a significant or any
episodes where things have been lost or sensitive data has been
compromised. It is not to say that it could not have happened.
Mr. Michaud. My last question for you, Dr. Kussman, not
knowing whether it can be done or not, can you prevent any
information, any of the data that you have from being
downloaded? Is the technology available to do that and, if so,
are you doing that?
Dr. Kussman. Whether it is research or otherwise?
Mr. Michaud. That is correct.
Dr. Kussman. Using the VPN network, and I might ask Dr.
Kolodner to comment on it, my understanding--and I am a
dinosaur when it comes to this stuff too. I can just use e-mail
and that is about--or a little WordPerfect and that is it. But
it is not easy to download using the VPN process, and it is
encrypted.
The issue of downloading, as we said, that at the place of
work, people can download things into their computer. We are
aggressively looking at an encryption process that would
protect that as well. So whatever was downloaded and making the
presumption that the person had need to have this information,
it was not done for any other spurious reason, that it would be
encrypted and very difficult to get access to if the computer
was compromised in any way, shape, or form.
So we are clearly getting better and learning as we move
along.
Rob, would you like to comment?
Dr. Kolodner. The downloading that might occur would take
place mostly inside the firewalls at the office, and there are
some business reasons why one might need to do that.
As part of this access review, we are examining who has
access to bulk data, confirming if they need access, and, what
constraints we have on that access.
To reiterate, there are business reasons why sometimes
someone needs to download such data. We just need to know about
that and to know that the proper controls are in place, the
proper agreements have been signed, and a periodic review is
done.
Mr. Michaud. So if there is a business reason why they have
to download information, would they have to get approval first?
Dr. Kolodner. Yes. They would have to have requested
approval, had their supervisor present that request to their
information security officer, and then been given approval
based on that justification.
Mr. Michaud. Great. Thank you.
My last question which will go to Mr. Seliger, again not
being familiar with technology, I have seen situations, and as
you described in your testimony, when going through a hospital,
you see someone's medical record up there on the screen, people
can see it.
And I can understand where it would be cumbersome to log
off, log on quite frequently, which will take time, but I have
also seen technology, particularly actually in Maine, with
Bangor Mental Health, where when the employees punch in to go
to work, they use their finger which identifies the employee.
Is the technology available so if someone wants to access
quickly a medical record that you can use your thumbprint to
open up the system and then a certain time frame, it
automatically goes off? Is that something that your
organization has looked at and might be available?
Mr. Seliger. The answer is yes. We have a number of
hospitals and healthcare organizations in the private sector
using technology exactly as you described. For the record, I
would like to point out it is not your thumbprint but any of
the other three fingers that one tends to use for technical
reasons.
But having said that, we have caregivers who are using
interesting combinations of devices. So fingerprint, as you
said, for authentication, but also devices that are called
active proximity devices, not much bigger than my card holder
here, and they detect your arrival or departure from a
workstation. And the operative word here is departure. When you
leave the vicinity of a computer, it locks it up. Okay?
So having to remember--and this is the kind of technologies
I was alluding to in my testimony, being able to accommodate
the caregiver work flow. Imagine yourself in an emergency room
coming and going, patients coming and going, computers all over
the place. Even if it was fast, you still have to remember to
do it.
And by equipping caregivers with devices to make the log-on
process fast and easy, to make the log-off process implicit by
just leaving, we can achieve the kind of safeguards I alluded
to and actually facilitatethe care-delivery process. People are
actually going to use the computers rather than paper as Dr. Kussman
referred to, which is still the primary source of information data in
most healthcare organizations in a general sense.
Now, the VA itself has made a number of steps to be, I
guess the better way of putting it, quite pioneering in a
number of regards relative to information security in the
caregiver workplace.
And as recently as this summer, we are proud to be working
with the VA at its Hines Facility on a project that has been
code named Medical Sign-On which is about taking this process,
these work flows with good security to a whole other level. We
will pilot at Hines, work out the kinks, make sure it works
properly, and then hopefully have a basis to roll this out to
the other VA medical centers.
Dr. Kussman. Sir, we also have instituted a program where
the computers would automatically log off in five minutes is
what we are doing. It drives me crazy in my office because I
will have logged on, I will answer the phone, and then I have
got to log back in and things. But it certainly works, I can
assure you, because it logs off and then I have to log back in.
That would be the same thing around the system, whether it
is a nurse's station or anything else, that if a nurse walks
away or a physician walks away, if they do not get back on and
they are not sitting there within five minutes, it
automatically logs off. It is an irritant to people, but it is
a protection.
Mr. Michaud. If I might, Mr. Chairman.
Is the VA looking at the same technology that was just
talked about as far as using your----
Dr. Kussman. We are looking at that and I think it will be
looked at as an agency issue with the CIO of whether we are
going to embark on that technology or not. I do not have enough
information. I do not think any of us know how much that would
cost or whatever.
Would you like to comment on that?
Ms. Belles. We are working on a Medical Sign-On pilot with
Sentillion at Hines as Mr. Seliger said. We are looking at all
kinds of technologies that can improve that interface for
clinicians and nurses so that we do not have a situation where
people just get up and walk away because they are called out
for an emergency or other things.
You know, we have been in the position where the clinicians
come to us and say you have got to make this process better for
us. And Sentillion is partnering with us to find out the right
methods to do that.
Mr. Michaud. Thank you very much.
Thank you, Mr. Chairman.
Mr. Brown of South Carolina. Okay. Thank you, Mr. Michaud.
Dr. Snyder, do you have a question?
Mr. Snyder. I do. Thank you, Mr. Chairman.
Dr. Kussman, it is good to see you again and your
colleagues there.
You got me curious, Dr. Kussman, with what I thought was a
bit of a cryptic response when you were gently chastised for
your tardy statement here, which I know you try to get them
here, when you made some mention of lawyers or legal opinions
or something.
And I always remember the old Art Linkletter show, Kids Say
The Darnedest Things, and his best question always was, is
there anything your mother did not want you to talk about to
tell us on the show today.
And so now I am curious. Did your statement get overly
scrubbed by OMB and you had to redo it or were there things
that you had included in your original statement that caused
you to make that reference to lawyers or legal folks?
Dr. Kussman. I am sorry. I do not remember what I said.
Mr. Snyder. But was there some delay in the process? The
Congress has lots of problems with folks that want to do
opening statements and tell us things, and the statements,
anything written goes through OMB and gets scrubbed, and we do
not get the information we want.
And I was just curious if there were some things that you
had intended to tell us that got removed in the process of your
statement being approved for delivery to the Congress.
Dr. Kussman. Not that I am aware of. So I am not even sure
I can give you a thorough explanation of why, other than people
being busy as the Chairman mentioned and lots of hearings. And
all I can say is they apologize for the delay and we will do
everything we can to prevent that from happening.
Mr. Snyder. You had mentioned the days of written records
which a lot of medical facilities still rely on. And I
remember, and I do not know how long ago, it was 15 years ago
or so when I was still practicing medicine. I had seen this
young boy. I can still see him in the exam room. He was about
eight. And his grandmother asked me about some behavioral
things that he was doing.
And sometimes medicine is like doing a crossword puzzle.
You know, a week later, you think, oh, that is what that answer
was. Well, I knew right away that the kid had Tourette's and I
just did not--it did not come to my mind when I was talking to
the grandmother.
Well, we had an all-handwritten medical section. I could
not remember anything. We could not figure out who the boy was.
So I had one staff member who over several Saturdays, because
we were slow, it was a slower day, went through every medical
record, opened up and tried to find the chart.
Now, if we had had a computerized system, we could put in
an approximate age range. I think I even remember what the
diagnosis was I actually saw him for. We could have pulled up
those charts. We never did find the chart.
I always felt bad about that because I can still see that
little boy sitting there probably being chastised by his
grandmother for some of his behavioral stuff. I suspect that he
had Tourette's.
So my point is, while we had those written records, there
was a built-in protection which is it is a pain in the butt to
go through those written records trying to find something
compared to having access to a CD that holds, you know, 500,000
Social Security numbers of veterans or something, which is the
issue that we are dealing with.
I want to pick up on what Mr. Michaud said, was asking
about the research aspect of this and the ability of people to
take information off.
My first question is, why does the VA--and this is years
and decades before you got there, Dr. Kussman--why does the VA
have to use Social Security numbers? Why do your researchers
have to use Social Security? Why do they even have to have
that? Why do the researchers even have to have the name? Why
can you not develop a program for the researchers that would
delete name, birth date, Social Security numberthroughout the
medical record, pretty much throughout the medical record?
There might be a reference in a note that, well, he was
born in the same year as his, you know, twin sister. But they
do not have to have the name or Social Security number or birth
date. All they need is an identifying, this is subject number
one whose age is 23.
Have you all considered that as part of your security, of
getting away from using Social Security numbers and what
information those researchers have to have?
Dr. Kussman. Thank you for that question.
As you probably know, it was not so long ago when we did
not use Social Security numbers. The military had a military ID
number that transposed to the VA when the person left----
Mr. Snyder. Though we all still remember, right?
Dr. Kussman. Yes, I remember. I had a military ID. I am old
enough to have one of those, just like I would not say you are
old, sir, but----
Mr. Snyder. No. And I also got a letter by the way.
Dr. Kussman. And I think it was 1970 or 1971, and somebody
correct me, where the military decided to go to Social Security
numbers, and we went along with that. I do not think anybody
anticipated the second, third, fourth level effects of the
Social Security number and it became so valuable.
It was not so long ago that when you tried to cash a check
in the military PX or something, you had to write your Social
Security number on the check to get it. They have stopped doing
that because people rose up in righteous indignation. But the
Social Security number became the key to almost everything, and
we kind of went along.
I think there are a lot of people looking at this now to
determine whether or not we ought to just get away from the
Social Security number for one thing and go back to some other
type of identification number, and that would have to be done
in conjunction with a government-wide thing, I think,
particularly with DoD for us.
The other part of the question was do we need to have that
information in research things or any sensitive information,
and the answer is I do not think we need it in each case.
And another thing that we are looking at is what
information is needed for people to do their job, whether it is
research or administrative things. Do they need to have dates
of birth, Social Security numbers, and things like that?
And I might ask Ms. Belles to add to that.
Ms. Belles. I do not think I have much to add to that. As
Dr. Kussman said, there are a lot of groups that are looking at
the issue of SSNs as identifiers.
I know that in our environment, we use the SSN for patient
safety reasons, to ensure that we have got the right veteran
when we are providing care. But outside of that, it is an
issue. I know it has been an issue for a number of years,
talked about across government agencies.
And at this point, I do not think we have come to a
resolution. But certainly with everything that is going on
around us related to identity theft and the importance of
protecting SSNs, we need to address it.
Dr. Kussman. I think, Doctor, you hit the nail on the head.
The good thing about the electronic health record and other
electronic process is you do not have to carry big things. I
mean, nobody is going to go out of the office with two tons of
records to get anything or it limited what you did.
So electrifying the records is a good thing. The bad thing
is now we are confronted with the challenge of protecting that
information because people in a small thumb thing can walk out
with lots of records. So it is a balance and we are learning
how to handle that.
Mr. Snyder. I notice the clock. The only comment I would
make is I think the reality is we are not going to be able to
protect that information. We are all going to try and try and
try.
The reality is, I think we are going to have to get to the
point where financial institutions will not accept some
handwritten things scrawled out by the new person who moves
into the house that I lived in ten years ago and some mass
mailing got there ten years too late and they will accept that.
I think we are going to have to go to--I mean, I would
think banks would want to go where we have to walk in and have
a picture made and three fingerprints just to get a card
because there is no way we are going to protect this
information.
Thank you, Mr. Chairman.
Mr. Brown of South Carolina. Thank you, Dr. Snyder.
Ms. Brown, do you have a question?
Ms. Brown of Florida. Yes, sir. Thank you, Mr. Chairman and
Ranking Member, for hosting this hearing on this subject.
And I got to tell you it is very disturbing to me, 26 and a
half million veterans' information compromised. And I know
someone close to me had this happen to them in this area and it
took them 18 months to get it cleared up. They went to co-sign
for someone and they said you need a co-signer.
So my question to you--and I do not feel that this is an
isolated incident. I mean, it may be an incident that we found
out about it, members of Congress and the public. But I do not
think it is just isolated. If this has happened, it has
happened before.
And what I want to know is, what have you done to ensure
the safety of the data since the loss of this data and how can
you assure us that this is just a one-time major incident?
Dr. Kussman. As we mentioned earlier, ma'am, the----
Ms. Brown of Florida. And that is okay. You can tell us
over and over again because I am not convinced that you all get
it.
Dr. Kussman. The issue that came up was not data that was
related to the Veterans Health Administration or health
records. We have programs in place that we believe
significantly protect our patients from loss of data both from
a security and privacy perspective.
We operate under the principles of the Health Information
Portability and Accountability Act that puts very stringent
requirements in and holds people accountable both from an
ethical, moral perspective, but as well as a legal and
financial perspective. So we believe we have inplace situations
that will protect our patients from loss of information and protection
or privacy.
Ms. Brown of Florida. So you are saying that none of the
veterans', in the healthcare system, information have been
compromised in the past and you can assure us it is not going
to be compromised in the future?
Dr. Kussman. No. I think as I mentioned to Mr. Michaud
earlier, it is a very large organization with lots of people.
Just like the FAA and its gold standard in the airline industry
of protecting patients and making flyers and making people
assured, but even in spite of that, there are airplane
accidents.
Our process and our goal is to put in place processes that
would minimize or mitigate as much as conceivable the loss of
information. But could I promise you that there would never be
or that there has never been a loss of information? No. That
would be impossible to do.
Ms. Brown of Florida. Yes. But with FAA, we put in certain
safeguards. And so I guess I am asking you what additional
safeguards have you all put in place since this incident
occurred?
Ms. Belles. We talked about this earlier as well. We have
done a number of things as a result of the data breach. A
couple of things that we have done is we have instituted a
Security Awareness week to raise the awareness with our entire
workforce about the importance of data security, data
protections.
We have got a technical group that is being convened to
look at encryption. One of the areas that we recognize is a
vulnerability as a result of this is that the data, we do not
have guards at the door. We are not stopping people from
walking out the door with this because we do not check these
people as they walk out the door.
But what we can do is put technical controls in place to
protect that data. We can put encryption on laptops and we can
require encryption of files so that if that data is on a
laptop, that if anyone accesses it, if it is stolen, then the
data is protected, that people cannot use it or cannot see it.
Ms. Brown of Florida. A lot of people work from home. What
kind of safeguards do you have there? I am not a technical
person, but the amount of information that they can pull down,
how does that work?
Ms. Belles. We do have what is called a virtual private
network in place, and everyone who is an approved telework
status is able to dial into our networks via that VPN
connection. That is an encrypted connection between the
individual's laptop and the computer systems.
We also allow on a very limited basis some of our
contractors and business partners to access that VPN as well,
and they are held to specific systems based on IP address so
that they can only go to that system. The same with myself and
everybody around the table. I have a VPN connection. I can only
go to those systems that I would access if I were sitting at my
desk at work.
Ms. Brown of Florida. Do you have extra safeguards for
those private contractors that you all contract with?
Ms. Belles. We have business associate agreements that
discuss the date use, the protection of that data. We have
contracts in place that have the security language in them that
requires background investigations at the same level as VA
workforce members. We have requirements for them to take
security and privacy training just like our workforce members.
Ms. Brown of Florida. Thank you, Mr. Chairman.
I guess the only other follow-up question I would have was
what kind of penalties if someone breached the agreement.
Mr. Brown of South Carolina. I assume that the person that
was involved before, Dr. Kussman, lost his job. Is that kind of
the penalty?
Dr. Kussman. I have not been directly involved in that as
you probably know. But, yeah, that is my understanding.
But to answer the question that was asked, there is a whole
human resource protocol for actions that are inconsistent with
our policies and programs all the way from letters of
admonition to firing and fines and things. So that process
would be used in this instance if somebody violated our
procedures and policies as well.
Mr. Brown of South Carolina. Thank you, Ms. Brown.
Mr. Michaud, you have a question?
Mr. Michaud. Just two quick questions, Dr. Kussman. You had
mentioned that we can have all the policies we want and it is
not a hundred percent. There is one area where when you look at
medical transcription when you contract that out, which
actually you can help, is by going to, I believe it is called
voice recorders versus contracting out. I think that will
definitely be more secure.
Are you seriously looking at doing that sort of thing
versus contracting out? Yes or no?
Dr. Kussman. Yes.
Mr. Michaud. The second one is, the VA and when you look at
Department of Defense for our active military, when they deal
with medical records, are you working closely with the DoD
particularly when you look at medical records?
Dr. Kussman. Yes, sir. The transfer of information for the
FHIE and the BHIE, the forward flow and the backward flow of
information, the working together of the two agencies, as you
know, is unprecedented with the partnering that is going on.
All that information, and it is my understanding, and I
will ask Dr. Kolodner to confirm, is that all that information
is encrypted.
Dr. Kolodner. The systems have not only met VA's standards
and government standards, but also DoD standards for security,
and all the data moving back and forth is encrypted as we move
it between the Departments.
Mr. Brown of South Carolina. Thank you very much, Mr.
Michaud.
I remind all members they have five legislative days to
submit questions.
And, panel, thank you very much for coming. I hope that we
were able to gather some information from you that the VA might
be able to use. I know you are working already with them, and
look forward to a continued dialogue on this. Dr. Kussman, keep
us abreast of what you come up with in order to prevent a
breach similar to what we have just experienced.
Dr. Kussman. Yes, sir. Thank you very much for inviting us.
Mr. Brown of South Carolina. I also might remind members
they have five legislative days to submit opening statements.
And with that, the meeting stands adjourned.
A P P E N D I X
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
�