Most Veterans Administration Data Breaches From Paper Documents Not PCs 50
CowboyRobot writes "'Between 96 and 98 percent of our [data breach] incidents — it varies from month to month — deal with physical paper where people are not thinking about the fact that that piece of paper they're carrying around making benefits determinations has sensitive information and they need to protect it,' said Stephen Warren, VA acting assistant secretary for information and technology. 'If you consider the fact the VA has about 440,000 people that we service and that the department over 900,000 devices on the network, [a data breach count relating to IT assets] of somewhere between one and 10 in a month is pretty good,' Warren said. 'And many of those are things disappearing in inventory. Many are found subsequently because they got moved somewhere.'"
What on earth are they printing? (Score:5, Interesting)
It's 2013, they should have finished scanning all of their documents in by 2002, 2005 at the very latest. What on earth are they printing over there? I work in a regulated industry and we shred everything we print. On a bad week I might print all of 10 pages.
Papers going to benefits recipients shouldn't receive many, if any documents with their personal information on them - that data goes in the opposite direction, which should be immediately process, or scanned for later processing.
Something is fundamentally broken over there.
Re:headline needs an "are" (Score:5, Interesting)
Most Veteran's (Administration Data) Breaches (v.) From Paper Documents Not PCs
Re:What on earth are they printing? (Score:5, Interesting)
As the spouse of a disabled veteran, I call bullshit to that one.
It has its good points, but the data inefficiency is astronomical. TFA is right about the paper problems - when medication is routinely mailed, and includes a huge wad of paper (required) that lists personal patient info alongside the side effects and etc? When I could literally wander anywhere in the building, and pick up a ton of ID theft-friendly info from papers containing personal patient info sitting around on desks, nurses' stations, and et al?
Little wonder the VA has such a huge data leakage problem from paper... I'm always rather astounded by the amount of paper that even a simple office visit at a VAMC generates.
Inventory losses (Score:5, Interesting)
The comment on inventory losses hits home. I'm retired from a large government agency. Back in the day, IT understood that it was our job to keep other, more important employees working. To that end, my division bought 110 laptops for every 100 laptop users. It kept the extras in stock as close to the users as possible.
When a user had problems, it was a 30 minute fix to swap hard drives into a new laptop, test, do the paperwork, and send the user back to work. If a drive died, it was about an hour of work to pull a new machine off the shelf, image it, and back up the user data from the local servers.
Unfortunately, most IT techs discovered those 30 minute hard drive swaps could be cut to 15 minutes or less if you neglected the paperwork. Laptops got lost. IT thought they were doing a great job. Our users loved us because we got them back to work asap. The executives, however, didn't like it.
They had to sit in front of a Congressional oversight committee every year and explain why a large number of laptops seemed to be missing. They weren't lost out of the organization, of course. They were temporarily misplaced. They were always found, eventually. There were no data losses.
Neither the executives nor Congress cared about our core mission when they had a juicy headline to bash us with in the press, every year, without fail.
The executives and IT hashed it out. They decided that the core business of the bureau was completely unimportant. The execs decreed that no matter what it took, they should never have to sit in front of a committee and explain things ever again.
Spare equipment was cut to the point of non-existence. All spare equipment was centralized in a half-dozen "depot" sites spread around the country. They were as far from the end users as possible. Getting anything replaced required dealing with a depot and doing overnight shipments.
The minimum time frame to fix a dead hard drive became, at minimum, several days. A highly paid employee who brought in a dead laptop on Monday morning would give it to IT and, in the best possible case, it would get shipped out that day, arrive at the depot on Tuesday who would ship a replacement, arrive back locally on Wednesday where it would be imaged and delivered back to the user later that day. That's 2.5 days AT BEST with a highly paid employee effectively idled.
If a single person (the IT tech, the local inventory specialist, the depot inventory specialist, the depot shipping clerk, and maybe more) was out of place, add a day to that cycle time. Average repair times, when hardware had to be replaced, jumped to ~4 days.
Prior to that, no matter how big the meltdown, an individual user could be back to work inside 2 hours and often in less than a half hour.
The troops were on the verge of mutiny and morale on computer issues went into the toilet.
The executives were insanely happy. They had set up a special IT department for themselves that worked the old way so they never suffered delays. Plus, they didn't have to testify before Congress any more.
I said all that to say this - When you read that some big government agency is losing computers it does NOT mean that data is being lost. It may well mean the IT department is actually doing their jobs instead of sacrificing the efficiency of their entire agency to cover the executive asses.
So when the quoted source says that losing a few laptops is no big deal, cut him some slack. He's right.