The U.S. Department of Veterans Affairs has installed encryption software on 15,000 agency-owned laptops over the past two weeks as part of a broader effort to improve information security following last May's massive data compromise.
It is also working to furnish government-owned laptops to VA employees who currently use their personal machines to do official work at home, the VA's supervisor of information and technology, Robert Howard, told lawmakers on Tuesday.
Howard testified before the Senate Veterans' Affairs Committee looking to confirm his nomination as the VA's new assistant secretary for information and technology. He was nominated to that post by President Bush in August.
So far, all but 100 or so VA laptops have had encryption software installed on them to prevent the misuse of sensitive data, Howard said. The agency is working with its hardware suppliers and encryption software vendors -- GuardianEdge Technologies Inc. and Trust Digital -- to sort out the problems that have prevented the encryption software from being installed on the remaining systems, he said.
The VA has previously said that it also plans to encrypt sensitive data on desktops and portable storage media such as flash drives and CDs.
The encryption measures are only part of the new technology controls being implemented to protect sensitive data at the VA following the May breach, which resulted in the exposure of sensitive data of more than 26.5 million veterans. A laptop containing the data was stolen from a private residence and later recovered. Investigators said there was no evidence the data was ever actually accessed.
Another technology measure already being rolled out at the VA is aimed at managing and restricting the use of Universal Serial Bus storage devices such as memory sticks on department systems, Howard said. The tools allow administrators to control the use of USB devices by simply shutting down the port so that people are not able to "plug in a thumb drive and pull out information," he said.
The VA is also looking into other tools that will help it "visualize what's happening with respect to the passing of information" on its networks, Howard said, without elaborating. And it has undertaken several "management" activities such as updating its policy directives for how sensitive data is to be handled by all employees, he said.
In the first phase of the security revamp, which began shortly after the breach was disclosed in May, the VA began an agencywide data security assessment program. It is now performing a similar risk assessment of all non-VA entities such as contractors that also handle sensitive VA data, he said. The assessments have yielded a 322-item action plan that is a "living document that will guide our work," Howard said.
"Its successful implementation is without doubt my highest priority," he said.
Howard took over as the supervisor of the office of IT at the VA in May. If confirmed, he will be the first CIO at the agency to have the rank of an assistant secretary. He will be in charge of a new, highly centralized, 4,600-person IT organization responsible for all technology operations and maintenance jobs across the VA. The centralized organization is the result of a massive IT reorganization that began almost a year ago in a bid to reduce costs and improve efficiencies.