Internet Risk and Cybercrime at the U.S. Department of Veterans Affairs Internet Risk

Cybercrime

Today, the mission of the U.S. Department of Veterans Affairs (VA) as taken from President Lincoln's second inaugural address is, "To care for him who shall have borne the battle, and for his widow, and his orphan." To this end, this cabinet-level organization provides healthcare services through the Veterans Health Administration (VHA) to nine million veteran patients each year. In an effort to improve the quality of these healthcare services, the VHA has implemented a number of technological solutions including electronic healthcare records and a nationwide communication network. These solutions, though, have also introduced a number of security risks and a number of high-profile security breaches have drawn increased scrutiny on the VHA in recent years. This paper provides an overview of the VHA and what types of Internet-related security threats it faces. A discussion concerning cybercrime at the VA is followed by a summary of the research and important findings concerning these issues in the paper's conclusion.

Today, through its Veterans Health Administration (VHA), the Department of Veterans Affairs (VA) is the largest healthcare provider in the United States, and millions of veteran patients receive care from its nationwide network of medical centers, outpatient clinics and Vet Centers. In recent years, the VA has committed itself to improving the quality of patient care it provides by implementing a wide range of technological solutions, including electronic healthcare records and a sophisticated communications system (Boyer, 2011). These same innovations, though, have also introduced a number of security problems for this cabinet-level organization, including most especially the compromise of sensitive patient data. Although the VA is not unique in experiencing these types of security problems, the fact that the organization is so large and its mission is so critical makes these breaches an important issue for all stakeholders. To determine the facts, this paper provides an overview of the VA, and a critical analysis of the strategic approaches that are used to identify analyze and address these types of cyber-threats within this organization, taking account the impact of managing the risk throughout this organization. Finally, a summary of the research and important findings concerning these issues are provided in the conclusion.

Review and Discussion

Overview of the Department of Veterans Affairs

The VHA is the nation's largest integrated health care system, and consists of more than 1,700 healthcare facilities that provide care for nearly 9 million veteran patients annually as shown in Figure 1 below (Veterans Health Administration, 2016).

Figure 1. Regional breakdown of VA facilities in the United States

Source: http://www.va.gov/directory/images/VHA/VHAmap.gif

The healthcare facilities identified in Figure 1 above comprise the VHA's integrated services network of 23 divisions as follows:

VISN 1: VA New England Healthcare System

VISN 2: VA Health Care Upstate New York

VISN 4: VA Healthcare - VISN 4

VISN 5: VA Capitol Health Care Network

VISN 6: VA Mid-Atlantic Health Care Network

VISN 7: VA Southeast Network

VISN 8: VA Sunshine Healthcare Network

VISN 9: VA MidSouth Healthcare Network

VISN 10: VA Healthcare System

VISN 12: VA Great Lakes Health Care System

VISN 15: VA Heartland Network

VISN 16: South Central VA Health Care Network

VISN 17: VA Heart of Texas Health Care Network

VISN 18: VA Southwest Health Care Network

VISN 19: Rocky Mountain Network

VISN 20: Northwest Network

VISN 21: Sierra Pacific Network

VISN 22: Desert Pacific Healthcare Network

VISN 23: VA Midwest Health Care Network (Veterans Health Administration, 2016).

In these regions, the VHA operates of 150 medical centers, almost 1,400 community-based outpatient clinics, community living centers, Vet Centers and domiciliaries staffed by more than 53,000 healthcare practitioners (Veterans Health Administration, 2016). With an annual budget exceeding $182 billion (Annual budget submission, 2016), it is clear that an enormous amount of resources have been allocated to the VA to fulfill its mission "To care for him who shall have borne the battle, and for his widow, and his orphan." The organization, though, has failed in this mission in a number of ways in recent years, including most especially the compromise of millions of patient data records as discussed below.

Internet Risk at the Department of Veterans Affairs

Given its far-flung operations and thousands of employees, it is little wonder that the VA has experienced a number of Internet-related security breaches in recent years. Many of the risks that are associated with the Internet directly relate to the advantages the medium provides. As Eastmond (2004) cautions, "The Internet is indeed a technology of freedom -- but it can free the...

70). Notwithstanding these constraints, it is clear that the Internet has introduced fundamental changes in the manner in which people work, live, recreate and communicate with others. For instance, Ball, Haggerty and Lyon (2012) report that, "Digital technologies and the Internet have made the sharing and dissemination of information instantaneous and without restriction across geographical borders" (p. 58). These same technologies, though, introduce risks of data comprise and security breaches that can have devastating effects on individuals, organizations and governmental agencies. In this regard, Barlow also observed early on that, "Cyberspace has a lot in common with the 19th Century West. It is vast, unmapped, culturally and legally ambiguous. . . . It is, of course, a perfect breeding ground for both outlaws and new ideas about liberty" (para. 4).
This assertion is certainly applicable to the VA, and the organization reports that it blocked 181,188,372 intrusion attempts, blocked or contained 546,969,366 malware attacks, and 100,778,911 suspicious or malicious emails in December 2015 alone (Monthly report to Congress of data incidents, 2015). Of these incidents, 394 veterans were affected in some fashion, including 47 lost or stolen electronic communication devices and 240 in relation to protected health information incidents that were reported to Health and Human Services in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act (Monthly report to Congress of data incidents, 2015).

Some of the most severe Internet-related security breaches at the VHA are described in Table 1 below.

Table 1

Internet-related security breaches at the VHA

Type of Breach and Date

Description

Stolen Veterans Affairs laptop and hard drive (June 29, 2002)

A laptop computer and hard drive containing sensitive data for more than 26 million veterans, their spouses, and active-duty military personnel was stolen but subsequently recovered by the FBI. Documents show that Veterans Affairs had given permission in 2002 for an analyst, from whom the equipment was stolen, to work from home with data that included millions of Social Security numbers, disability ratings and other personal information. Agency officials previously said the analyst was fired because he violated agency procedure by taking the data home (Electronic Privacy Information Center, 2016, para. 2). According to Konkel (2013), then-VA Secretary James Nicholson was not notified about the incident until three weeks after it took place (para. 4).

Computers donated contained patient data

A report concerning discarded hard drives and disk sanitization practices revealed that in August 2002 the United States Veterans Administration Medical Center in Indianapolis sold or donated 139 of its computers without removing confidential information from their hard drives, including the names of veterans with AIDS and mental illnesses (Matwyshyn, 2009, p. 107).

Personal information comprised (June 7, 2006)

The personal information of about 1.1 million active-duty military personnel, 430,000 members of the National Guard and 645,000 members of the Reserves, was stolen in the recent theft of computer data from the Department of Veterans Affairs. The agency previously said that all 26.5 million people affected by the data theft were veterans and their spouses. The data include Social Security numbers and disability ratings. The VA has estimated that it will cost between $100 million to $500 million to prevent and cover possible losses from the data theft. Though the theft occurred on May 3, 2006, the VA waited until May 22 to inform those who were affected. The delay was just one of many failures by Veterans Affairs in this incident (Electronic Privacy Information Center, 2016, para. 4).

Mismanaged software update (January 15, 2014)

This breach occurred when a bungled software update to VA's eBenefits system exposed at least 5,300 veterans' medical and financial information to the public (Konkel, 2014).

Contractor data breach (December 24, 2014)

This data breach placed more than 7,000 veterans at risk of identity theft. A potential flaw in one of its patient databases managed by a vendor to provide home telehealth services may have exposed personal information of veterans. The contractor alerted VA on Nov. 4 [2014] of the potential security flaw. VA says more than 690,000 veterans took advantage of the national telehealth program in 2014. An investigation was immediately initiated and security scans were conducted by VA, which confirmed the concern. The VA has notified and offered credit protection to all 7,054 veterans in the database. VA says the type of security flaw was one that could have exposed veterans' data, including name, address, dates of birth, phone numbers and VA patient identification number, via the Internet (Contractor security flaw puts data of 7,000 veterans at risk, 2014, para. 2).

The stolen laptop and hard drive shown in Table 1 above resulted…