<DOC>
[109th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:28451.wais]

HEARING ON SAFEGUARDING VETERANS' MEDICAL INFORMATION WITHIN THE VETERANS HEALTH ADMINISTRATION

=======================================================================

HEARING

before the

SUBCOMMITTEE ON HEALTH

of the

COMMITTEE ON VETERANS' AFFAIRS
HOUSE OF REPRESENTATIVES

ONE HUNDRED NINTH CONGRESS

SECOND SESSION

__________

JUNE 21, 2006

__________

Serial No. 109-55

__________

Printed for the use of the Committee on Veterans' Affairs

U.S. GOVERNMENT PRINTING OFFICE
28-451 PDF
WASHINGTON : 2007

------------------------------------------------------------------

For sale by Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2250. Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON VETERANS' AFFAIRS

STEVE BUYER, Indiana, Chairman

MICHAEL BILIRAKIS, Florida
TERRY EVERETT, Alabama
CLIFF STEARNS, Florida
DAN BURTON, Indiana
JERRY MORAN, Kansas
RICHARD H. BAKER, Louisiana
HENRY E. BROWN, Jr., South Carolina
JEFF MILLER, Florida
JOHN BOOZMAN, Arkansas
JEB BRADLEY, New Hampshire
GINNY BROWN-WAITE, Florida
MICHAEL R. TURNER, Ohio
JOHN CAMPBELL, California

LANE EVANS, Illinois, Ranking Member
BOB FILNER, California
LUIS V. GUTIERREZ, Illinois
CORRINE BROWN, Florida
VIC SNYDER, Arkansas
MICHAEL H. MICHAUD, Maine
STEPHANIE HERSETH, South Dakota
TED STRICKLAND, Ohio
DARLENE HOOLEY, Oregon
SILVESTRE REYES, Texas
SHELLEY BERKLEY, Nevada
TOM UDALL, New Mexico
JOHN T. SALAZAR, Colorado

James M. Lariviere, Staff Director

SUBCOMMITTEE ON HEALTH

HENRY E. BROWN, Jr., South Carolina, Chairman

CLIFF STEARNS, Florida
RICHARD H. BAKER, Louisiana
JERRY MORAN, Kansas
JEFF MILLER, Florida
MICHAEL R. TURNER, Ohio
JOHN CAMPBELL, California

MICHAEL H. MICHAUD, Maine, Ranking Member
BOB FILNER, California
LUIS V. GUTIERREZ, Illinois
CORRINE BROWN, Florida
VIC SNYDER, Arkansas

C O N T E N T S

----------

June 21, 2006--Hearing on Safeguarding Veterans' Medical Information with the Veterans Health Administration

OPENING STATEMENTS

Chairman Henry E. Brown (p. 1)
Prepared statement of Chairman Brown (p. 23)
Hon. Michael H. Michaud, Ranking Democratic Member (p. 2)
Prepared statement of Congressman Michaud (p. 30)

STATEMENT FOR THE RECORD

Hon. Corrine Brown (p. 19)
Prepared statement of Congresswoman Brown (p. 32)

WITNESSES

Kussman, Brig. Gen. Michael J., M.D., M.S., MACPP (US Army Ret), Principal Deputy Under Secretary for Health, Veterans Health Administration, Department of Veterans Affairs (p. 4)
Prepared statement of Dr. Kussman (p. 37)
Seliger, Robert, Chief Executive Officer and Co-Founder, Sentillion, Inc., and Chair, Steering Committee for Integration and Interoperability, Healthcare Information and Management Systems Society (HIMSS) (p. 6)
Prepared statement of Mr. Seliger (p. 46)

POST-HEARING QUESTIONS FOR THE RECORD

Hon. Michael H. Michaud (p. 54)
Hon. Corrine Brown (p. 61)

HEARING ON SAFEGUARDING VETERANS' MEDICAL INFORMATION WITH THE VETERANS HEALTH ADMINISTRATION

----------

WEDNESDAY, JUNE 21, 2006

House of Representatives,
Subcommittee on Health,
Committee on Veterans' Affairs,
Washington, DC.

The subcommittee met, pursuant to call, at 10 a.m., in room 334, Cannon House Office Building, Hon. Henry Brown (chairman of the subcommittee) presiding.

Present: Representatives Brown of South Carolina, Michaud, Turner, Brown of Florida, and Snyder.

Mr. Brown of South Carolina. Good morning.
The Subcommittee will now come to order. We are holding this hearing today to address the vulnerability of VA's electronic medical records system and examine the access and control policies VA employs and the compliance mechanism VA uses to safeguard sensitive, personal veterans' health information from internal and external security threats.

The value of VA's electronic medical records system was evident in VA's response to Hurricane Katrina. During Hurricane Katrina, VA doctors and nurses were able to treat without interruption patients transferred from VA facilities in New Orleans to VA hospitals in Houston. Because of the system's electronic medical records, all patients' records were backed up, securely transported to Houston, and were back on line and available almost immediately.

At the same time, however, there are risks with holding such sensitive and personal information electronically, and the lack of a solid VA information security program greatly troubles me. The personal and sensitive data of our nation's veterans must be handled with the utmost care. The burglary of the home of a Department of Veterans Affairs employee that included a data file with personal information on millions of veterans is simply unacceptable. The Department of Veterans Affairs is working with the FBI to thoroughly investigate this matter, and this Committee will be closely monitoring this situation to help ensure that such an occurrence is not repeated.

We must make sure that there are explicit and clear security and confidentiality policies to protect the health information of our nation's veterans. To that end, we are interested today in hearing from those at the Department that the most sensitive information, individually identifiable health information is currently being protected.
Additionally, in light of the recent theft, I am interested in knowing what the VA anticipates doing to better protect this information in the future and what steps, if any, have already been taken.

Through a series of hearings set up by the Chairman of our full Committee, Chairman Buyer, we have been able to closely examine data integrity and security issues from a number of different perspectives, but today we have the opportunity to specifically focus on health-related information. In addition to having assembled the cast before us from the VA, we have also taken the opportunity to speak with folks from the private sector. I for one welcome the opportunity to hear what is currently being considered state-of-the-art in the private sector and then benchmarking that standard against VA's current practices. Today we have this opportunity.

I would like to personally thank all of our witnesses for being here today. And with that, I now yield to our Ranking Member, Mr. Michaud, for an opening statement.

[The statement of Henry Brown appears on p. 23]

Mr. Michaud. Thank you very much, Chairman Brown, and thank you for holding this very important oversight hearing. VA's electronic patient record system remains the technological force behind VA's state-of-the-art care. It can save lives as well as money.

Last week, the VA Inspector General issued a report on VA's procedure for outsourcing medical record transcriptions. The report showed that the VA had weak controls over the veterans' medical records. In 2005, a subcontractor in India contacted the IG and threatened to expose thousands of patients' records over the internet if the subcontractor was not paid. This allegation and the IG audit showed the VA was incapable of controlling or detecting where a contractor had medical information transcribed or who had access to it. VA's procedure for acquiring medical transcription services from contractors failed to address basic security requirements.
Of the VA facilities surveyed, 91 percent did not remove personal identifiers such as patients' names and Social Security numbers before transmitting the data to contractors for transcriptions. I agree with the IG that the VA needs to do this work with VA staff because this is not a practical way to ensure that contractors safeguard patients' protected health information. As the IG report says, and I quote, ``The inability to control confidential information in an era of global outsourcing leaves protected health information unprotected and patients subject to identity theft,'' end of quote.

Given the clear risk with outsourcing, I cannot understand why this Administration and the Office of Management and Budget identified the jobs in medical information or records as ones that should be studied for outsourcing. I look forward to hearing from Dr. Kussman about the VA's effort to improve controls on medical transcriptions.

Chairman Brown, I commend you for your leadership in holding this hearing so that we can better understand what the Veterans Health Administration has done and what they will do to preserve the security and privacy of veterans' medical records. Also, Mr. Chairman, I would like my full opening statement to be submitted for the record. Thank you.

Mr. Brown of South Carolina. Okay. Without objection. Thank you, Mr. Michaud.

[The statement of Michael Michaud appears on p. 30]

Mr. Brown of South Carolina. Mr. Turner, do you have an opening statement?

Mr. Turner. Mr. Chairman, I want to thank you for holding this hearing. I appreciate your continuing to give information to the Subcommittee members and the members of the full Committee on this important issue, and I would like permission to submit an opening statement for the record.

Mr. Brown of South Carolina. Without objection.

[No statement was submitted.]

Mr. Brown of South Carolina. Dr. Snyder.

Mr. Snyder. No thank you.

Mr. Brown of South Carolina. Okay.
On our first and only panel representing the Department of Veterans Affairs, we are honored to have Brigadier General Michael J. Kussman. Dr. Kussman was appointed Deputy Under Secretary of Health for the Veterans Health Administration on May 29, 2005. In this capacity, he leads the clinical policy and programs for the nation's largest integrated healthcare system. Among his many accomplishments, Dr. Kussman served as the Army Surgeon General's chief consultant in internal medicine and governor for the Army Region of the American College of Physicians in 1988. From March 1993 to August 2005, he commanded Martin Army Community Hospital at Ft. Benning, Georgia and later commanded the Walter Reed healthcare system in Washington, DC, where he was promoted to Brigadier General. Following his tour at Walter Reed, Dr. Kussman served as commander of the Europe Regional Medical Command and was responsible for healthcare throughout Europe, the Middle East, and Africa.

Dr. Kussman is accompanied by Mr. Craig B. Luigart, VHA Chief Information Officer; Dr. Robert Kolodner, Chief Health Information Officer; Ms. Stephania Putt, VHA Privacy Officer; and Ms. Gail Belles, VHA Technical Security Advisor.

Also I want to welcome Mr. Robert Seliger. He's the CEO and Co-Founder of Sentillion. Mr. Seliger has led the company in creating security solutions that improve information access and work flow for customers in the healthcare information technology industry. He is widely recognized as a visionary at the forefront of converging technical markets and clinical trends in healthcare. Prior to co-founding Sentillion, Mr. Seliger was a senior R&D manager and chief architect at an International Team responsible for development of Hewlett Packard's medical products group's largest portfolio of clinical information systems products. Presently he chairs the Healthcare Information and Management Systems Society Steering Committee for Integration and Interoperability.
We are very pleased to have him at our hearing today.

Dr. Kussman, before you begin, I gave you all those accolades. I want to chastise you just a bit for the lateness of your prepared remarks to the Committee. We certainly wish you would be a little bit more responsive and a little bit more timely getting the information to us so we will have a better opportunity to review testimony before it is actually presented. But with that, we will now start with you.

STATEMENTS OF BRIG. GEN. MICHAEL J. KUSSMAN, M.D., PRINCIPAL DEPUTY UNDER SECRETARY OF HEALTH, VETERANS HEALTH ADMINISTRATION, DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY ROBERT KOLODNER, M.D., CHIEF HEALTH INFORMATICS OFFICER, VHA, DEPARTMENT OF VETERANS AFFAIRS; STEPHANIA PUTT, PRIVACY OFFICER, VHA, DEPARTMENT OF VETERANS AFFAIRS; GAIL BELLES, TECHNICAL SECURITY ADVISOR, VHA, DEPARTMENT OF VETERANS AFFAIRS; AND ROBERT SELIGER, CHIEF EXECUTIVE OFFICER AND CO-FOUNDER, SENTILLION, INC., CHAIR, STEERING COMMITTEE FOR INTEGRATION AND INTEROPERABILITY, HEALTHCARE INFORMATION AND MANAGEMENT SYSTEMS SOCIETY

STATEMENT OF MICHAEL J. KUSSMAN

Dr. Kussman. Good morning, Mr. Chairman, and Ranking Member, other members of the Committee. First, let me say that I apologize for the lateness of the statement, and I have talked to Counsel and we clearly need to do better and we will.

Mr. Brown of South Carolina. Well, I know you are under a lot of pressure from a lot of different groups to prepare remarks, but we do need to try to resolve this problem we have. But, anyway, we are grateful to have you here today.

Dr. Kussman. Yes, sir. This is a partnership and we need to do better. So thank you for your comments.
Thank you for allowing me to provide an overview of the data management and security procedures that the Veterans Health Administration employs to ensure the safety and integrity of veterans' electronic health records and to safeguard sensitive personal veteran information from internal and external security threats.

Before I proceed with my review of our security and privacy procedures, I want to assure both you and our nation's veterans that the recent data breach did not include any of the Veterans Health Administration's electronic health records.

VHA views data privacy and security as a fundamental operational pillar. We are committed not only to ensuring that our veterans receive the best healthcare but that we also fully protect the security and privacy of their paper and electronic health records. VHA is responsible for protecting data on all systems that facilitate the delivery of healthcare benefits to our nation's veterans. Similar protections are provided for the databases that contain the veteran health records exchanged between the Department of Defense and VA.

We protect many important health databases and systems that enable us to provide quality care to our veterans. Our core electronic health records system is VISTA. This widely acclaimed system has saved the lives of thousands of veterans, but it was designed 20 years ago and, as such, it is principally hospital based and is deployed in more than 100 locations. This distributed nature does not lend itself to simple security compliance. Today network and telecommunications standards and solutions exist to assist in mitigating these risks while creating greater efficiency and effectiveness, and a wide range of security and privacy procedures protect VISTA and other VHA systems.

For years, VHA has required that all employees and contractors complete annual privacy and security training.
VA policy is that anyone needing access to our data to perform their duties, whether a provider, a researcher, or veteran service officer, must be granted explicit approval for that access. This is just the beginning. VHA also develops its own policies and guidance focused on healthcare-specific issues and implements sophisticated technical controls to protect the veterans' health records.

VHA carefully controls access to sensitive data. Only those who have a legitimate and demonstrated need are granted access to sensitive information. Even then, users' access is limited to the information needed to do their jobs.

VHA also employs security measures to protect VA systems and data when VHA employees and contractors perform work outside of VA offices. All external connections into the VA network are protected by a virtual private network, VPN, which provides secure, remote access. VPN access requires management approval and approved users are required to sign and abide by a rules of behavior document that must be in place before access is granted.

Across this nationwide network of systems, VHA applies many other security controls. These include intrusion detection systems that monitor and detect intruders, encryption of sensitive data exchanged with DoD, routine backups of data on our critical systems, and continuity of operations, processes, and procedures.

VHA is committed to continuing to strengthen our security and privacy controls. To this end, VA is investigating the use of encryption solutions appropriate for our information systems and data protection needs that will be adopted for use across VHA. VHA is reengineering current applications that will broaden auditing capabilities. We are enhancing our current role-based access control capabilities to provide granularity with user-defined roles. And VHA has taken the lead in developing role-based access control enhancements that are being evaluated for national and international endorsement.
To further strengthen security and privacy, VHA has identified a number of specific actions for strengthening data security procedures that are in the planning stages or have been identified as a result of the data security breach as follows: Provide and mandate centrally deployed security solutions; implement a department-wide encryption solution that encrypts data that is sent across VA networks; increase the use of secure web-based solutions for e-mail, scheduling, and other administrative needs; require that portable media and laptops have the capability to encrypt all sensitive data and that appropriate guidance tools training are provided to the users to implement these solutions effectively; and update VA and VHA security policies to address changes in technology's current IT environments.

To further emphasize the importance of security, VA is planning a department-wide Security Awareness Week for workforce members from June 26 to 30 June with daily briefings on proper security practices. VHA is taking the lead for coordinating the week. In addition, to help veterans, VA will set up information booths across the VA so that veterans can get information on identity theft and data protection.

In closing, let me reiterate that we see data privacy and security as a fundamental operational pillar. We are committed to providing the best possible care to our nation's veterans, and we will do everything in our power to fully protect the security and privacy of their health records. For our veterans, for the men and women who have fought so bravely for our country, anything else is unacceptable.

And I might close, if you would not mind, sir, with a personal comment. As a veteran and a retiree, I have received a letter from the Secretary as well. It was not a surprise to me obviously, but I did receive the letter. And I can assure you that myself and others of us who are in that same situation take this very, very seriously both on a personal and professional basis.
Thank you.

Mr. Brown of South Carolina. Thank you, Dr. Kussman, for your testimony. Dr. Kolodner, we will take your testimony next. I am sorry. Mr. Seliger. We will get to you later. Okay.

[The statement of Michael Kussman appears on p. 37]

STATEMENT OF ROBERT SELIGER

Mr. Seliger. Chairman Brown, Mr. Michaud, distinguished members of the Committee, thank you for the opportunity to testify before you today on a subject of critical importance for our Nation's veterans, but also to every citizen, how to safeguard sensitive personal health and related information from external and internal security threats.

My name is Robert Seliger, and I am Co-Founder and CEO of Sentillion. Sentillion is the industry leading provider of identity and access management solutions to hospitals and healthcare systems. Every day Sentillion helps hundreds of institutions and hundreds of thousands of physicians, nurses, and other caregivers at those institutions employ effective security and privacy practices while also facilitating the care-delivery process. We are exceedingly proud to say that among these institutions are all 163 medical centers of the Departments of Veterans Affairs.

To further introduce myself, I have 26 years of experience in the field of health information technology. I have served on numerous Standards Committees and have chaired a variety of healthcare industry initiatives. Recent activities include serving as Chair for the HIMSS Steering Committee for Integration and Interoperability and serving as an advisor on standards uptake for the Pan-Canadian Electronic Health Records Standard Steering Committee.

Today I want to focus on one aspect of the complex challenge of safeguarding patient data in a clinical setting, and that is how can we safeguard patient data without also impeding the care-delivery process? Practicing safe and effective medicine will always take precedence over concerns for security and privacy.
Our nation's nurses and physicians are among the smartest, most highly-trained people in the world. This fact coupled with their deep sense of mission will compel them to avoid, work around, and challenge policies that impede the care-delivery process. This is because the care-delivery process by its very nature requires immediate information access and the constant sharing of information with others.

As a simple example, consider the seemingly trivial tasks of logging onto a computer in order to access patient data and then logging off the computer when done. These actions are almost never performed in the hospital. Instead computer accounts are shared in order to avoid logging in and no one logs off. The reason is that a caregiver in a busy hospital might need to log on and off 50 to 100 times a day. At a minute or two for each log on and log off, you can quickly see how this seemingly trivial best practice is avoided because it interferes with the pace of providing care.

And so our nation's physicians and nurses practice good healthcare, but leave millions of personal computers across the country open to access or even simple perusal by any passerby from other healthcare workers with no valid reason to view the information to other patients to people visiting patients to anyone else who might be in the hospital.

I would like to assert that the security and privacy challenge that the healthcare industry faces are not just attacks from outside but also transgressions from within. The question is, how do we as a nation change the situation without compromising the care-delivery process?

Data that we have from a study we conducted shows that under circumstances in which log-on and log-off times were reduced to just a few seconds, nurses in one hospital who only logged off 50 percent of the time were now doing so 100 percent of the time. And physicians who were not logging off at all were now doing so 86 percent of the time.
This change in behavior was not due to a new policy or the threat of punitive measures. Rather, we simply made it easier for caregivers to behave as good security and privacy citizens.

The challenge we face is to make sure that the things we do to keep the bad guys out do not effectively prevent letting the good guys in. This is about making sure we engineer security and privacy solutions from a work-flow perspective and not attempt to force upon healthcare organizations mechanisms that make sense for other types of environments but which do not make sense for healthcare.

Delivering effective healthcare is an intense and complicated process. It is also a truly mission-critical process. Our industry must find the right balance between applying security and privacy measures that are known to work and applying measures that could be detrimental to patient care. We can assert, for example, that every caregiver must have a password for each application that they use, but what, in fact, are we asking our caregivers to do if they need to remember ten different passwords and enter each one in dozens of times a day?

To truly safeguard patient security and privacy requires a broad set of measures. These measures include not only good network security and the appropriate encryption of data but also involves tools and mechanisms that enable good people, well-meaning people to do their jobs without compromising patient health, patient security, or patient privacy.

Mr. Chairman, this concludes my remarks. Thank you for the privilege of speaking before you today. I am happy to answer any questions the Committee may have.

[The statement of Robert Seliger appears on p. 46]

Mr. Brown of South Carolina. And I thank you very much for your testimony and also Dr. Kussman. Have you all met before?

Mr. Seliger. I am sorry?

Mr. Brown of South Carolina. Have you all met before?

Mr. Seliger. No.

Mr. Brown of South Carolina. Okay.
Well, I think you both bring a great perspective to the process. And, in fact, I will ask you the first question if I might. Your testimony makes a number of sound points. I wonder if you could expand a bit on the relative importance of auditing electronic access to records. I mean, security protocol and audit capabilities are one thing, but actually doing the audit and understanding who is using the data is quite another. What security features should a healthcare system like the VA contain?

Mr. Seliger. Well, the audit process begins with being able to establish the identity of the people using the system. In the example I just gave that people are not logging in, and I am using the same accounts as Dr. Kolodner or Dr. Kussman here, then an audit is irrelevant because you do not really know who is actually using the computer. So the best audit processes begin with establishing mechanisms that enable caregivers to want to, to easily sign on and sign off the computers, and do so in a secure manner, so each person is uniquely identified. Once we have that, we can then record the access and make appropriate conclusions about whether those accesses were appropriate or not.

Mr. Brown of South Carolina. Dr. Kussman, do you all have a system similar to this or how do you control and audit the users?

Dr. Kussman. Yes, sir. Thank you for the question. I believe we do have a process that identifies the people not only that have access to the system but makes sure that the people who have access need to have access. You know, we talk in the security realm about need to know. That is only part of it. The question is need to have. I mean, a lot of people like to have access to things that they do not necessarily need to have. From a clinical perspective, obviously, as was mentioned, our primary mission is to provide the state-of-the-art care to our veterans, and the electronic health record is a modality of delivery of care.
For us, it is the same as a stethoscope or an EKG machine or CAT scan, and it has become part of our culture and used daily. I might ask Dr. Kolodner, who is an expert on this, to maybe illustrate further how that is done.

Dr. Kolodner. Yes. Thank you very much. Each of our users has their own account and a two-level password, both of which are private, so the physician or nurse will log on and access the patient. We also have a third password for the electronic signature. If I am entering data, I have to add that additional password, which means that I cannot come in behind someone else and use the system since I would not know their electronic signature password. We reinforce the importance of protecting passwords to our providers on a regular basis, and we actually take action for those who violate the log-off, log-on procedures in our facilities.

Dr. Kussman. Sir, I might add just one other thing is that in many ways, the electronic health record has improved the security dramatically and access to information or protection of information because many of us are old enough and dinosaurs before the electronic health record. And when we had hard copy, the records would sit around, if you will. They would be on a nurse's station or on a doctor's desk or in a records room. And in many ways, anybody could come up and pick up that record and read something about the patient. It was very difficult to have physical security on this. So what Dr. Kolodner has been mentioning is a quantum leap improvement, I think, in security in keeping that information private.

Mr. Brown of South Carolina. Is it password protected on different segments so the record has different levels of authority and certain controls over parts of the record?

Dr. Kolodner. Yes. We have a series of access controls in our current system.
And based on the work that we have been doing, we have been developing a much more sophisticated system called role-based access that defines what parts of the record a particular individual should be allowed to read from or write to based on the role that they are serving or playing in the facility. We have taken that schema for the role-based access to the standards development organizations, working in conjunction with our Department of Defense and with Kaiser Permanente colleagues, and it has passed the ballot for an international standard. So we do already have a process in our current process for controlling that access, and we are devising and planning to implement in our next generation system an even more sophisticated system.

Mr. Brown of South Carolina. Since the theft of those records, have you done anything different to put in place policies that would further identify in the audit if there has been a breach within your own areas and indicate who might be using this data? Are there other security measures you put in place since the event?

Dr. Kussman. Yes, sir. As you know, that from a healthcare perspective, we always had a very sophisticated and controlled program known as the Health Information Portability and Accountability Act, the HIPAA, and that put in place a great deal of standards different than nonhealthcare data. And that has been inculcated into the culture of all healthcare delivery systems because everyone knows if you breach that, not only are you doing something wrong as far as an ethical, moral thing, but you can really be hurt financially and potentially go to jail for it. So there is a great deal of sensitivity about controlling healthcare information. So that was already the foundation. Because of this breach of information, and as we have said, thank goodness it was not involved with healthcare data, but it certainly has sensitized us immensely to that. And I might ask Ms.
Putt, who is our privacy manager, and Gail, our security people, to comment on what are some of the newer things that we have looked at in respect to the breach.

Ms. Belles. Actually, we have taken a number of steps to address issues. One thing that we have done is to issue a data access inventory to all of our VA personnel. We are identifying the access to sensitive data for every individual in our workforce, employees, contractors, students, residents, et cetera. That is a major undertaking for us. We are planning to get the results back from that access inventory at the end of June. The Security Awareness Week, we talked about. We are going out to the entire workforce to give briefings on the importance of security and privacy and the things that need to be done to protect patient data so that it is not compromised at any time. There has been policies that have been updated, rewritten to address remote access to our systems and data. We have actions to bring groups together to look at encryption methodologies for laptops and portable media so that we can address that area which we know is vulnerability. So a number of good steps as a result of this.

Mr. Brown of South Carolina. Let me just follow-up on that statement. The access inventory--you will not get a response until the end of June. How often would you get a report if somebody accessed a file that should not be there? If somebody accessed a file, they would have to have access to some password. But what does the access inventory do for you?

Ms. Belles. What that does is provides us with a list of the entire workforce and the systems, the sensitive data that they have, and how they access it. So if they access it remotely or if they access it from an office or they access it in paper form, we can identify that and we can also look very closely at the appropriateness of those accesses.
As far as individuals accessing medical records, we have audit trails that are logged on a continuous basis and are reviewed by the facility information security officers on a regular basis to ensure that with managers that the individuals accessing these records or accessing these options have the need to know. Mr. Brown of South Carolina. And how timely is that review? Ms. Belles. I am sorry? Mr. Brown of South Carolina. How timely is that review? Ms. Belles. It is a real-time recording of the audit. Mr. Brown of South Carolina. Right. Ms. Belles. I think it's probably a 30-day review by the ISOs. Dr. Kussman. Sir, if I might add to that. With our inventory review, we are going out and looking at not only who have laptops but who have access to that virtual network that I talked about, the VPN, because over a period of time, organizations, there may be more people who have access than we think we really knew need to have. Many people may be using it just for e-mail and they do not need the laptop for that. We have Blackberries and other ways of doing that. So we are doing a very close scrub on who has laptops and what are they doing with them, and then also educating people very closely on what their responsibility is if they have a laptop. I mean, you can have it and need VPN access both when you are going some place. You have a responsibility to protect that laptop in a hotel or a restaurant or even in your car. And on top of that, you should not carry as much as possible any information that if indeed the laptop was stolen for some--I mean, obviously we cannot prevent somebody from holding somebody up on the street and taking their laptop, but we certainly would not want any information on there or as little information on there that would be incriminating or sensitive in any way. Mr. Brown of South Carolina. That leads me to my next question, and this will be my last question. 
I notice that your written testimony referenced the Department's interest in starting to encrypt the data that is sent between VA sites. Is there some specific reason why that has never been seen as appropriate before? Dr. Kussman. Yes, sir. Let me just make a comment that our VPN network is already encrypted. And so there is a significant amount of encryption that goes forward. And if everybody stayed within the firewall, if you will, using the encryption, then indeed we have much less of a potential problem. The question is that in data that even flows within the system or somebody downloaded something to their hard drive, can that bypass the VPN encrypted nature? And so we are looking at that. But that really is not only a VHA responsibility, it's a VA-wide responsibility to look at encryption, and we would want to coordinate that with the VA CIO so we have one system of encryption. Would either one of you like to add to that? Ms. Belles. I will just add that several years ago, we transformed from what we had in place for our network was IDCU, which is a private network, and we have gone to a more open network. So at the time we had the IDCU, we did not require any encryption between the facilities. But now that we are in this environment where we have a more open network, we need to look at encryption between the facilities. Mr. Brown of South Carolina. Thank you very much for your testimony. And, Mr. Michaud. Mr. Michaud. Thank you, Mr. Chairman. Dr. Kussman, I just want to reiterate what Chairman Brown had mentioned in his opening as far as questioning. I, too, was concerned about the lateness of your testimony, and have not had a chance to go through it. And I know next week, we have a hearing on Tuesday and VA's testimony is supposed to be in tomorrow. So hopefully we will be able to, you know, have your testimony tomorrow for next week's hearing. Dr. 
Kussman, in your testimony, you state that VA contracts forbid the transfer of veterans' protected health information outside the jurisdiction of the United States. A couple of questions. How will you monitor compliance with that provision? Can you give us total and complete assurance that absolutely no VA contractor will use an overseas subcontractor to transcribe veterans' medical information? Dr. Kussman. Yes. Mr. Michaud. How will you monitor the provision? Dr. Kussman. Sir, that is written into the contract and the contractors have to abide by the same security issues that we have in-house that is part of the contract. The issue that you are describing, I am well aware of, that took place. We did not realize, quite frankly, that the contractor had subcontracted. When we found out, we stopped that and we have prohibited that from occurring again. Mr. Michaud. Okay. Thank you. And are you confident that the VA can control veterans' private and personal medical information while it is outsourced for medical transcriptions here in the United States? Dr. Kussman. Yes, sir. As you are well aware of, we are a large organization. We talked about the need to balance the delivery of healthcare with safety. They are not mutually exclusive. I mean, they are together. We with our contractors will leave no stone unturned, no process unlooked at to protect the privacy and security of all our veterans. And if indeed there is a mishap, we will have in place processes that will aggressively and quickly address those issues and be sure that we inform the veterans. As you know, we have a very elaborate safety program that we do. We have briefed you and others on similar types of issues related to safety. We have an open environment. There are no secrets. We try to make sure that both you and other supervising entities as well as the patients know what we are doing. So I believe we have in place and we will aggressively enforce all the security needs to protect our patients. 
Having said that, as you know, the gold standard in this country is the airline industry and FAA, as I mentioned to you earlier, and we all feel fairly secure when we get on an airplane. Unfortunately, even with everything, airplanes do not work the way that they are supposed to and there are accidents. We will put in and aggressively put in all the processes that would minimize and mitigate any situations that we can anticipate. But to tell you a hundred percent that it will never happen again, you know as well as I that that would be difficult to do. Mr. Michaud. Thank you. Also in your testimony, you state that the VA conducts an annual system-wide ongoing assessment and review strategy called SOARS. What did SOARS identify to be the most significant privacy and security threat to VA's medical health data system both internal and external? Ms. Putt. Mr. Congressman, I do not have that information at this time on the finding of the SOARS assessment specifically. I do have information on other assessments. Mr. Michaud. Would you be able to provide the Committee with the SOARS assessment? Ms. Putt. I think we can. Dr. Kussman. Yes, sir. The SOARS has been a very successful program for us. It has been a self-induced, self-initiated program that looks at a whole gamut of things much like a mini joint commission assessment would volunteer. And it was originally volunteers. The facilities were not required to do this. But it has been successful, everybody asks for it. So effectively it is a guaranteed program. One of the things that we have always looked at but will look at more closely is the issue of data security. I am not aware that that has been a major problem for us that has come up in the SOARS, but we will look back at that. And with your indulgence, we will report back to you for the record on that. Mr. Michaud. Thank you. VA researchers can have access to databases with Social Security numbers identifying veterans. 
I understand that researchers must go through an approval process to get access codes to this database. What does VA do after a researcher has access to ensure that such data is not downloaded, put on a laptop or extended hard drive or otherwise put at risk of being lost or stolen and how do you enforce this policy? Dr. Kussman. Yes, sir. Thank you for the question. We are aware of that situation. We monitor it very closely. As you alluded to, that anybody who does research has to apply for that. There are standards that have to be met. It is part and parcel of the approval in the Institutional Review Boards at the facilities that approve the human research and protect the patients, and it is not only protection for their clinical things, but it is also protection of their information and their rules and regulations on what the researcher can do and what they can transport. But I will ask Gail or Stephania to elaborate on that. Ms. Putt. Thank you. As stated, researchers/investigators do have to follow the privacy and security of protecting their research information as outlined in their research protocol that is approved by the Institutional Review Board. The data that they use and collect cannot be used for any other purpose without going back to the Institutional Review Board for approval. They must also follow policies regarding the protection of human subjects and their data for research to ensure that the information is not shared with affiliates or colleagues who are not VA employees or do not have legal authority to see the information, and they have to safeguard it in accordance with policies if it is placed on any laptops or other devices. Mr. Michaud. But the question was, what does the VA do after they do all the research? What does the VA do after the researcher has access to all this information? How do you know that they do not download it or make copies on another CD? Ms. Putt. 
VA researchers should follow policies that prohibit them keeping the data after the research study has concluded. Once the study has concluded and they have maybe published their results, they are supposed to destroy the data or return the data. They are not to keep it to use for future research projects. Mr. Michaud. On that same line of questioning, how does the VA enforce a policy for researchers from taking the stuff home? Ms. Putt. There is a Research Compliance Office that is responsible for reviewing researchers' activities in terms of their research protocols and what they are doing in terms of their studies, along the same lines with the protection and security of their information. I do not have any more information on the processes of the Research Compliance Office, but facilities do actually have Research Compliance Officers at some of the facilities who are responsible for reviewing the researchers' activities. Mr. Michaud. Not being a computer whiz, how confident are you that the researchers do not take this information home? Is there any way that you can find out? I mean, just how confident are you? Dr. Kussman. I guess I got the look to answer the question. Sir, through the Office of Research Oversight, they do random samples. They look at that. They look at a process under which people adhere to the processes. We set that up--it used to be called ORCA. It is now the ORO, the Office of Research Oversight--to really look at this. Part of the reason was to look at this issue because the researchers do research. And sometimes, just like anybody else, you could get a little lax about what you are doing. And so we needed to have a process under which we looked at that. Does every protocol need to be looked at? No. We believe that the process is valid. Because of this, we will relook at our thing to see if it needs further strengthening. 
But to some degree, we have to trust the people who signed the pieces of paper who say that they are following what we have told them to do. We believe that the process that we have in place works pretty well because I am not aware of a significant or any episodes where things have been lost or sensitive data has been compromised. It is not to say that it could not have happened. Mr. Michaud. My last question for you, Dr. Kussman, not knowing whether it can be done or not, can you prevent any information, any of the data that you have from being downloaded? Is the technology available to do that and, if so, are you doing that? Dr. Kussman. Whether it is research or otherwise? Mr. Michaud. That is correct. Dr. Kussman. Using the VPN network, and I might ask Dr. Kolodner to comment on it, my understanding--and I am a dinosaur when it comes to this stuff too. I can just use e-mail and that is about--or a little WordPerfect and that is it. But it is not easy to download using the VPN process, and it is encrypted. The issue of downloading, as we said, that at the place of work, people can download things into their computer. We are aggressively looking at an encryption process that would protect that as well. So whatever was downloaded and making the presumption that the person had need to have this information, it was not done for any other spurious reason, that it would be encrypted and very difficult to get access to if the computer was compromised in any way, shape, or form. So we are clearly getting better and learning as we move along. Rob, would you like to comment? Dr. Kolodner. The downloading that might occur would take place mostly inside the firewalls at the office, and there are some business reasons why one might need to do that. As part of this access review, we are examining who has access to bulk data, confirming if they need access, and, what constraints we have on that access. 
To reiterate, there are business reasons why sometimes someone needs to download such data. We just need to know about that and to know that the proper controls are in place, the proper agreements have been signed, and a periodic review is done. Mr. Michaud. So if there is a business reason why they have to download information, would they have to get approval first? Dr. Kolodner. Yes. They would have to have requested approval, had their supervisor present that request to their information security officer, and then been given approval based on that justification. Mr. Michaud. Great. Thank you. My last question which will go to Mr. Seliger, again not being familiar with technology, I have seen situations, and as you described in your testimony, when going through a hospital, you see someone's medical record up there on the screen, people can see it. And I can understand where it would be cumbersome to log off, log on quite frequently, which will take time, but I have also seen technology, particularly actually in Maine, with Bangor Mental Health, where when the employees punch in to go to work, they use their finger which identifies the employee. Is the technology available so if someone wants to access quickly a medical record that you can use your thumbprint to open up the system and then a certain time frame, it automatically goes off? Is that something that your organization has looked at and might be available? Mr. Seliger. The answer is yes. We have a number of hospitals and healthcare organizations in the private sector using technology exactly as you described. For the record, I would like to point out it is not your thumbprint but any of the other three fingers that one tends to use for technical reasons. But having said that, we have caregivers who are using interesting combinations of devices. 
So fingerprint, as you said, for authentication, but also devices that are called active proximity devices, not much bigger than my card holder here, and they detect your arrival or departure from a workstation. And the operative word here is departure. When you leave the vicinity of a computer, it locks it up. Okay? So having to remember--and this is the kind of technologies I was alluding to in my testimony, being able to accommodate the caregiver work flow. Imagine yourself in an emergency room coming and going, patients coming and going, computers all over the place. Even if it was fast, you still have to remember to do it. And by equipping caregivers with devices to make the log-on process fast and easy, to make the log-off process implicit by just leaving, we can achieve the kind of safeguards I alluded to and actually facilitate the care-delivery process. People are actually going to use the computers rather than paper as Dr. Kussman referred to, which is still the primary source of information data in most healthcare organizations in a general sense. Now, the VA itself has made a number of steps to be, I guess the better way of putting it, quite pioneering in a number of regards relative to information security in the caregiver workplace. And as recently as this summer, we are proud to be working with the VA at its Hines Facility on a project that has been code named Medical Sign-On which is about taking this process, these work flows with good security to a whole other level. We will pilot at Hines, work out the kinks, make sure it works properly, and then hopefully have a basis to roll this out to the other VA medical centers. Dr. Kussman. Sir, we also have instituted a program where the computers would automatically log off in five minutes is what we are doing. It drives me crazy in my office because I will have logged on, I will answer the phone, and then I have got to log back in and things. 
But it certainly works, I can assure you, because it logs off and then I have to log back in. That would be the same thing around the system, whether it is a nurse's station or anything else, that if a nurse walks away or a physician walks away, if they do not get back on and they are not sitting there within five minutes, it automatically logs off. It is an irritant to people, but it is a protection. Mr. Michaud. If I might, Mr. Chairman. Is the VA looking at the same technology that was just talked about as far as using your---- Dr. Kussman. We are looking at that and I think it will be looked at as an agency issue with the CIO of whether we are going to embark on that technology or not. I do not have enough information. I do not think any of us know how much that would cost or whatever. Would you like to comment on that? Ms. Belles. We are working on a Medical Sign-On pilot with Sentillion at Hines as Mr. Seliger said. We are looking at all kinds of technologies that can improve that interface for clinicians and nurses so that we do not have a situation where people just get up and walk away because they are called out for an emergency or other things. You know, we have been in the position where the clinicians come to us and say you have got to make this process better for us. And Sentillion is partnering with us to find out the right methods to do that. Mr. Michaud. Thank you very much. Thank you, Mr. Chairman. Mr. Brown of South Carolina. Okay. Thank you, Mr. Michaud. Dr. Snyder, do you have a question? Mr. Snyder. I do. Thank you, Mr. Chairman. Dr. Kussman, it is good to see you again and your colleagues there. You got me curious, Dr. Kussman, with what I thought was a bit of a cryptic response when you were gently chastised for your tardy statement here, which I know you try to get them here, when you made some mention of lawyers or legal opinions or something. 
And I always remember the old Art Linkletter show, Kids Say The Darnedest Things, and his best question always was, is there anything your mother did not want you to talk about to tell us on the show today. And so now I am curious. Did your statement get overly scrubbed by OMB and you had to redo it or were there things that you had included in your original statement that caused you to make that reference to lawyers or legal folks? Dr. Kussman. I am sorry. I do not remember what I said. Mr. Snyder. But was there some delay in the process? The Congress has lots of problems with folks that want to do opening statements and tell us things, and the statements, anything written goes through OMB and gets scrubbed, and we do not get the information we want. And I was just curious if there were some things that you had intended to tell us that got removed in the process of your statement being approved for delivery to the Congress. Dr. Kussman. Not that I am aware of. So I am not even sure I can give you a thorough explanation of why, other than people being busy as the Chairman mentioned and lots of hearings. And all I can say is they apologize for the delay and we will do everything we can to prevent that from happening. Mr. Snyder. You had mentioned the days of written records which a lot of medical facilities still rely on. And I remember, and I do not know how long ago, it was 15 years ago or so when I was still practicing medicine. I had seen this young boy. I can still see him in the exam room. He was about eight. And his grandmother asked me about some behavioral things that he was doing. And sometimes medicine is like doing a crossword puzzle. You know, a week later, you think, oh, that is what that answer was. Well, I knew right away that the kid had Tourette's and I just did not--it did not come to my mind when I was talking to the grandmother. Well, we had an all-handwritten medical section. I could not remember anything. 
We could not figure out who the boy was. So I had one staff member who over several Saturdays, because we were slow, it was a slower day, went through every medical record, opened up and tried to find the chart. Now, if we had had a computerized system, we could put in an approximate age range. I think I even remember what the diagnosis was I actually saw him for. We could have pulled up those charts. We never did find the chart. I always felt bad about that because I can still see that little boy sitting there probably being chastised by his grandmother for some of his behavioral stuff. I suspect that he had Tourette's. So my point is, while we had those written records, there was a built-in protection which is it is a pain in the butt to go through those written records trying to find something compared to having access to a CD that holds, you know, 500,000 Social Security numbers of veterans or something, which is the issue that we are dealing with. I want to pick up on what Mr. Michaud said, was asking about the research aspect of this and the ability of people to take information off. My first question is, why does the VA--and this is years and decades before you got there, Dr. Kussman--why does the VA have to use Social Security numbers? Why do your researchers have to use Social Security? Why do they even have to have that? Why do the researchers even have to have the name? Why can you not develop a program for the researchers that would delete name, birth date, Social Security number throughout the medical record, pretty much throughout the medical record? There might be a reference in a note that, well, he was born in the same year as his, you know, twin sister. But they do not have to have the name or Social Security number or birth date. All they need is an identifying, this is subject number one whose age is 23. 
Have you all considered that as part of your security, of getting away from using Social Security numbers and what information those researchers have to have? Dr. Kussman. Thank you for that question. As you probably know, it was not so long ago when we did not use Social Security numbers. The military had a military ID number that transposed to the VA when the person left---- Mr. Snyder. Though we all still remember, right? Dr. Kussman. Yes, I remember. I had a military ID. I am old enough to have one of those, just like I would not say you are old, sir, but---- Mr. Snyder. No. And I also got a letter by the way. Dr. Kussman. And I think it was 1970 or 1971, and somebody correct me, where the military decided to go to Social Security numbers, and we went along with that. I do not think anybody anticipated the second, third, fourth level effects of the Social Security number and it became so valuable. It was not so long ago that when you tried to cash a check in the military PX or something, you had to write your Social Security number on the check to get it. They have stopped doing that because people rose up in righteous indignation. But the Social Security number became the key to almost everything, and we kind of went along. I think there are a lot of people looking at this now to determine whether or not we ought to just get away from the Social Security number for one thing and go back to some other type of identification number, and that would have to be done in conjunction with a government-wide thing, I think, particularly with DoD for us. The other part of the question was do we need to have that information in research things or any sensitive information, and the answer is I do not think we need it in each case. And another thing that we are looking at is what information is needed for people to do their job, whether it is research or administrative things. Do they need to have dates of birth, Social Security numbers, and things like that? 
And I might ask Ms. Belles to add to that. Ms. Belles. I do not think I have much to add to that. As Dr. Kussman said, there are a lot of groups that are looking at the issue of SSNs as identifiers. I know that in our environment, we use the SSN for patient safety reasons, to ensure that we have got the right veteran when we are providing care. But outside of that, it is an issue. I know it has been an issue for a number of years, talked about across government agencies. And at this point, I do not think we have come to a resolution. But certainly with everything that is going on around us related to identity theft and the importance of protecting SSNs, we need to address it. Dr. Kussman. I think, Doctor, you hit the nail on the head. The good thing about the electronic health record and other electronic process is you do not have to carry big things. I mean, nobody is going to go out of the office with two tons of records to get anything or it limited what you did. So electrifying the records is a good thing. The bad thing is now we are confronted with the challenge of protecting that information because people in a small thumb thing can walk out with lots of records. So it is a balance and we are learning how to handle that. Mr. Snyder. I notice the clock. The only comment I would make is I think the reality is we are not going to be able to protect that information. We are all going to try and try and try. The reality is, I think we are going to have to get to the point where financial institutions will not accept some handwritten things scrawled out by the new person who moves into the house that I lived in ten years ago and some mass mailing got there ten years too late and they will accept that. I think we are going to have to go to--I mean, I would think banks would want to go where we have to walk in and have a picture made and three fingerprints just to get a card because there is no way we are going to protect this information. Thank you, Mr. Chairman. 
Mr. Brown of South Carolina. Thank you, Dr. Snyder. Ms. Brown, do you have a question? Ms. Brown of Florida. Yes, sir. Thank you, Mr. Chairman and Ranking Member, for hosting this hearing on this subject. And I got to tell you it is very disturbing to me, 26 and a half million veterans' information compromised. And I know someone close to me had this happen to them in this area and it took them 18 months to get it cleared up. They went to co-sign for someone and they said you need a co-signer. So my question to you--and I do not feel that this is an isolated incident. I mean, it may be an incident that we found out about it, members of Congress and the public. But I do not think it is just isolated. If this has happened, it has happened before. And what I want to know is, what have you done to ensure the safety of the data since the loss of this data and how can you assure us that this is just a one-time major incident? Dr. Kussman. As we mentioned earlier, ma'am, the---- Ms. Brown of Florida. And that is okay. You can tell us over and over again because I am not convinced that you all get it. Dr. Kussman. The issue that came up was not data that was related to the Veterans Health Administration or health records. We have programs in place that we believe significantly protect our patients from loss of data both from a security and privacy perspective. We operate under the principles of the Health Information Portability and Accountability Act that puts very stringent requirements in and holds people accountable both from an ethical, moral perspective, but as well as a legal and financial perspective. So we believe we have in place situations that will protect our patients from loss of information and protection or privacy. Ms. Brown of Florida. So you are saying that none of the veterans', in the healthcare system, information have been compromised in the past and you can assure us it is not going to be compromised in the future? Dr. Kussman. No. 
I think as I mentioned to Mr. Michaud earlier, it is a very large organization with lots of people. Just like the FAA and its gold standard in the airline industry of protecting patients and making flyers and making people assured, but even in spite of that, there are airplane accidents. Our process and our goal is to put in place processes that would minimize or mitigate as much as conceivable the loss of information. But could I promise you that there would never be or that there has never been a loss of information? No. That would be impossible to do. Ms. Brown of Florida. Yes. But with FAA, we put in certain safeguards. And so I guess I am asking you what additional safeguards have you all put in place since this incident occurred? Ms. Belles. We talked about this earlier as well. We have done a number of things as a result of the data breach. A couple of things that we have done is we have instituted a Security Awareness week to raise the awareness with our entire workforce about the importance of data security, data protections. We have got a technical group that is being convened to look at encryption. One of the areas that we recognize is a vulnerability as a result of this is that the data, we do not have guards at the door. We are not stopping people from walking out the door with this because we do not check these people as they walk out the door. But what we can do is put technical controls in place to protect that data. We can put encryption on laptops and we can require encryption of files so that if that data is on a laptop, that if anyone accesses it, if it is stolen, then the data is protected, that people cannot use it or cannot see it. Ms. Brown of Florida. A lot of people work from home. What kind of safeguards do you have there? I am not a technical person, but the amount of information that they can pull down, how does that work? Ms. Belles. 
We do have what is called a virtual private network in place, and everyone who is an approved telework status is able to dial into our networks via that VPN connection. That is an encrypted connection between the individual's laptop and the computer systems. We also allow on a very limited basis some of our contractors and business partners to access that VPN as well, and they are held to specific systems based on IP address so that they can only go to that system. The same with myself and everybody around the table. I have a VPN connection. I can only go to those systems that I would access if I were sitting at my desk at work. Ms. Brown of Florida. Do you have extra safeguards for those private contractors that you all contract with? Ms. Belles. We have business associate agreements that discuss the data use, the protection of that data. We have contracts in place that have the security language in them that requires background investigations at the same level as VA workforce members. We have requirements for them to take security and privacy training just like our workforce members. Ms. Brown of Florida. Thank you, Mr. Chairman. I guess the only other follow-up question I would have was what kind of penalties if someone breached the agreement. Mr. Brown of South Carolina. I assume that the person that was involved before, Dr. Kussman, lost his job. Is that kind of the penalty? Dr. Kussman. I have not been directly involved in that as you probably know. But, yeah, that is my understanding. But to answer the question that was asked, there is a whole human resource protocol for actions that are inconsistent with our policies and programs all the way from letters of admonition to firing and fines and things. So that process would be used in this instance if somebody violated our procedures and policies as well. Mr. Brown of South Carolina. Thank you, Ms. Brown. Mr. Michaud, you have a question? Mr. Michaud. Just two quick questions, Dr. Kussman. 
You had mentioned that we can have all the policies we want and it is not a hundred percent. There is one area where when you look at medical transcription when you contract that out, which actually you can help, is by going to, I believe it is called voice recorders versus contracting out. I think that will definitely be more secure. Are you seriously looking at doing that sort of thing versus contracting out? Yes or no?

Dr. Kussman. Yes.

Mr. Michaud. The second one is, the VA and when you look at Department of Defense for our active military, when they deal with medical records, are you working closely with the DoD particularly when you look at medical records?

Dr. Kussman. Yes, sir. The transfer of information for the FHIE and the BHIE, the forward flow and the backward flow of information, the working together of the two agencies, as you know, is unprecedented with the partnering that is going on. All that information, and it is my understanding, and I will ask Dr. Kolodner to confirm, is that all that information is encrypted.

Dr. Kolodner. The systems have not only met VA's standards and government standards, but also DoD standards for security, and all the data moving back and forth is encrypted as we move it between the Departments.

Mr. Brown of South Carolina. Thank you very much, Mr. Michaud. I remind all members they have five legislative days to submit questions. And, panel, thank you very much for coming. I hope that we were able to gather some information from you that the VA might be able to use. I know you are working already with them, and look forward to a continued dialogue on this. Dr. Kussman, keep us abreast of what you come up with in order to prevent a breach similar to what we have just experienced.

Dr. Kussman. Yes, sir. Thank you very much for inviting us.

Mr. Brown of South Carolina. I also might remind members they have five legislative days to submit opening statements. And with that, the meeting stands adjourned.
A P P E N D I X [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]