Forgot your password?
typodupeerror
United States Your Rights Online

Most Veterans Administration Data Breaches From Paper Documents Not PCs 50

Posted by samzenpus
from the turn-on-the-shredder dept.
CowboyRobot writes "'Between 96 and 98 percent of our [data breach] incidents — it varies from month to month — deal with physical paper where people are not thinking about the fact that that piece of paper they're carrying around making benefits determinations has sensitive information and they need to protect it,' said Stephen Warren, VA acting assistant secretary for information and technology. 'If you consider the fact the VA has about 440,000 people that we service and that the department over 900,000 devices on the network, [a data breach count relating to IT assets] of somewhere between one and 10 in a month is pretty good,' Warren said. 'And many of those are things disappearing in inventory. Many are found subsequently because they got moved somewhere.'"
This discussion has been archived. No new comments can be posted.

Most Veterans Administration Data Breaches From Paper Documents Not PCs

Comments Filter:
  • by Anonymous Coward

    It is not safe !! BEWARE !!

  • between breaches and from

    • by Anonymous Coward

      No it doesn't. It's called sentence compression, and the media has been doing it for a long time in headlines.

      • by wonkey_monkey (2592601) on Monday August 19, 2013 @03:12AM (#44605291) Homepage
        In this case it was a bad idea, mostly because "breaches" can be both a verb and a noun. Come to think of it the whole headline could use a rewrite, because it's not clear that "Veterans Administration" is a thing by itself and the lack of apostrophe - while quite possibly "correct" - doesn't help. I read it as:

        Most Veteran's (Administration Data) Breaches (v.) From Paper Documents Not PCs

      • by Anonymous Coward

        I'd go insane if they stopped using it. Reading the summary (nevermind the article) is already a chore for me, and having to read a few extra words in the title would kill me!

    • by lxs (131946)

      While you're at it change breaches to breeches. I'd like to see a pair of breeches made from paper documents.

  • Well, it'll prevent further breaches... as long as the whole piece of paper burns!
  • by Hadlock (143607) on Monday August 19, 2013 @02:47AM (#44605209) Homepage Journal

    It's 2013, they should have finished scanning all of their documents in by 2002, 2005 at the very latest. What on earth are they printing over there? I work in a regulated industry and we shred everything we print. On a bad week I might print all of 10 pages.
     
    Papers going to benefits recipients shouldn't receive many, if any documents with their personal information on them - that data goes in the opposite direction, which should be immediately process, or scanned for later processing.
     
    Something is fundamentally broken over there.

    • by davester666 (731373) on Monday August 19, 2013 @03:02AM (#44605273) Journal

      Welcome to gov't bureaucracy. You must be new to this planet.

      • by peragrin (659227)

        the problem is the VA is the best and most efficient run health organization in this county. the va makes everyone else look like idiots.

        • by Penguinisto (415985) on Monday August 19, 2013 @10:28AM (#44607199) Journal

          As the spouse of a disabled veteran, I call bullshit to that one.

          It has its good points, but the data inefficiency is astronomical. TFA is right about the paper problems - when medication is routinely mailed, and includes a huge wad of paper (required) that lists personal patient info alongside the side effects and etc? When I could literally wander anywhere in the building, and pick up a ton of ID theft-friendly info from papers containing personal patient info sitting around on desks, nurses' stations, and et al?

          Little wonder the VA has such a huge data leakage problem from paper... I'm always rather astounded by the amount of paper that even a simple office visit at a VAMC generates.

    • by AK Marc (707885)
      Try reading TFA. They manage to print beneficiary statements and send them out to the wrong address. How do you work if you don't give receipts, bills, or statements of benefits?
    • by Sockatume (732728) on Monday August 19, 2013 @07:11AM (#44605949)

      Not this case specifically, but in my experience where documents exist and travel in electronic form, you still print them off to do work on them.

      Computers are great tools for writing documents. Computers are great tools for looking up and reading out a single datum. Computers are great tools for large-scale data analysis. What they are not good for is sitting down with a modestly-sized group of data - say, twelve letter-sized sheets - and getting something done. You can't get a screen big enough, or an interface lean enough, to replicate the kind of easy access you get from spreading the pages across your desk, or even using fingers and bookmarks to quickly jump between places. The relationships between individual documents are never as obvious as when you pull out a sheaf of records and pore over it.

      So, people print documents off while they're working with them, and sometimes they forget that those documents are supposed to be shredded, or meticulously filed away.

      Now, this is something that computers should be good at, but it's hard, and it's not in the wheelhouse of most software developers or companies. Look at scientific publications. You have a whole lot of documents encrusted in rich, well-formatted meta-data, being used by organisations that could throw down thousands on records-management software like it was loose change. Yet we only just have Papers and Mendeley. We're only just transitioning away from filing cabinets.

    • by sjbe (173966) on Monday August 19, 2013 @09:32AM (#44606661)

      It's 2013, they should have finished scanning all of their documents in by 2002, 2005 at the very latest. What on earth are they printing over there?

      Patient medical charts and financial information mostly. Getting all that digital is an incredibly difficult and a FAR more challenging problem than most people realize. In a lot of cases the economic case for paper is actually better because going digital is so difficult and/or expensive.

      I work in a regulated industry and we shred everything we print. On a bad week I might print all of 10 pages.

      The industry you work in has precisely NOTHING to do with how healthcare can or should be managed. That would be like me saying what works for engineering should be perfectly appropriate for accounting. the argument makes no sense. As it turns out health care is incredibly complex and designing IT systems to do away with paper is difficult, time consuming and frequently not actually the most efficient way to solve many of the problems they face. If there is a more complicated industry than health care I'm not aware of it. Just because theoretically we can solve problems with IT doesn't mean it can be done today or that it is necessarily the correct answer to every problem.

  • by matria (157464) on Monday August 19, 2013 @02:56AM (#44605249)
    Indeed. Some years ago I worked in the medical records (excuse me... Health Information Services) department of a clinic with the University of Miami. More than once I saw a doctor leaving the building on his way home with a bag full of medical records. This was quite illegal. And, of course, our department got blamed when the patient came in and his records could not be found.
    • by sribe (304414)

      This was quite illegal.

      It most certainly was not. It may well have been against hospital policy, but there is no law restricting a doctor from carrying around his patients' records and studying them where ever he wants to.

  • by someone1234 (830754) on Monday August 19, 2013 @03:17AM (#44605313)

    When there is an electronic data breach, there are hundreds or thousands or more records. When it is a paper breach, it is probably less than ten records at once.

  • >"...people are not thinking about the fact that that piece of paper they're carrying around..."

    *That *the*?
    FTFY
  • by shentino (1139071)

    Now that's what I call a paper cut.

  • by Anonymous Coward

    Why does a department which services 440,000 'customers' and presumably has far less than a tenth of that in staff need 900,000 'devices' on the network?

  • I guess Kevin Mitnick and his ilk have taught them nothing.
  • Inventory losses (Score:5, Interesting)

    by BenEnglishAtHome (449670) on Monday August 19, 2013 @11:26AM (#44607785)

    The comment on inventory losses hits home. I'm retired from a large government agency. Back in the day, IT understood that it was our job to keep other, more important employees working. To that end, my division bought 110 laptops for every 100 laptop users. It kept the extras in stock as close to the users as possible.

    When a user had problems, it was a 30 minute fix to swap hard drives into a new laptop, test, do the paperwork, and send the user back to work. If a drive died, it was about an hour of work to pull a new machine off the shelf, image it, and back up the user data from the local servers.

    Unfortunately, most IT techs discovered those 30 minute hard drive swaps could be cut to 15 minutes or less if you neglected the paperwork. Laptops got lost. IT thought they were doing a great job. Our users loved us because we got them back to work asap. The executives, however, didn't like it.

    They had to sit in front of a Congressional oversight committee every year and explain why a large number of laptops seemed to be missing. They weren't lost out of the organization, of course. They were temporarily misplaced. They were always found, eventually. There were no data losses.

    Neither the executives nor Congress cared about our core mission when they had a juicy headline to bash us with in the press, every year, without fail.

    The executives and IT hashed it out. They decided that the core business of the bureau was completely unimportant. The execs decreed that no matter what it took, they should never have to sit in front of a committee and explain things ever again.

    Spare equipment was cut to the point of non-existence. All spare equipment was centralized in a half-dozen "depot" sites spread around the country. They were as far from the end users as possible. Getting anything replaced required dealing with a depot and doing overnight shipments.

    The minimum time frame to fix a dead hard drive became, at minimum, several days. A highly paid employee who brought in a dead laptop on Monday morning would give it to IT and, in the best possible case, it would get shipped out that day, arrive at the depot on Tuesday who would ship a replacement, arrive back locally on Wednesday where it would be imaged and delivered back to the user later that day. That's 2.5 days AT BEST with a highly paid employee effectively idled.

    If a single person (the IT tech, the local inventory specialist, the depot inventory specialist, the depot shipping clerk, and maybe more) was out of place, add a day to that cycle time. Average repair times, when hardware had to be replaced, jumped to ~4 days.

    Prior to that, no matter how big the meltdown, an individual user could be back to work inside 2 hours and often in less than a half hour.

    The troops were on the verge of mutiny and morale on computer issues went into the toilet.

    The executives were insanely happy. They had set up a special IT department for themselves that worked the old way so they never suffered delays. Plus, they didn't have to testify before Congress any more.

    I said all that to say this - When you read that some big government agency is losing computers it does NOT mean that data is being lost. It may well mean the IT department is actually doing their jobs instead of sacrificing the efficiency of their entire agency to cover the executive asses.

    So when the quoted source says that losing a few laptops is no big deal, cut him some slack. He's right.

    • by kermidge (2221646)

      Thanks, Ben, that explains a number of things; I recall several of the stories that hit the news and a few (very few) follow up pieces that had an explanation; until you ran through one of the common realities I'd be left wondering who was trying to pull what with alternate recountings.

If at first you don't succeed, you must be a programmer.

Working...