Most Veterans Administration Data Breaches From Paper Documents Not PCs
CowboyRobot writes "'Between 96 and 98 percent of our [data breach] incidents — it varies from month to month — deal with physical paper where people are not thinking about the fact that that piece of paper they're carrying around making benefits determinations has sensitive information and they need to protect it,' said Stephen Warren, VA acting assistant secretary for information and technology. 'If you consider the fact the VA has about 440,000 people that we service and that the department has over 900,000 devices on the network, [a data breach count relating to IT assets] of somewhere between one and 10 in a month is pretty good,' Warren said. 'And many of those are things disappearing in inventory. Many are found subsequently because they got moved somewhere.'"
SO STAY AWAY FROM PAPER !! (Score:1)
It is not safe !! BEWARE !!
headline needs an "are" (Score:1)
between breaches and from
Re: (Score:1)
No it doesn't. It's called sentence compression, and the media has been doing it for a long time in headlines.
Re:headline needs an "are" (Score:5, Interesting)
Most Veteran's (Administration Data) Breaches (v.) From Paper Documents Not PCs
Re: (Score:1)
I'd go insane if they stopped using it. Reading the summary (never mind the article) is already a chore for me, and having to read a few extra words in the title would kill me!
Re: (Score:2)
While you're at it change breaches to breeches. I'd like to see a pair of breeches made from paper documents.
Re: (Score:2)
Hasn't Lady Gaga done that already?
Burn after reading? (Score:2)
What on earth are they printing? (Score:5, Interesting)
It's 2013, they should have finished scanning all of their documents in by 2002, 2005 at the very latest. What on earth are they printing over there? I work in a regulated industry and we shred everything we print. On a bad week I might print all of 10 pages.
Papers going to benefits recipients shouldn't receive many, if any, documents with their personal information on them - that data goes in the opposite direction, which should be immediately processed, or scanned for later processing.
Something is fundamentally broken over there.
Re:What on earth are they printing? (Score:5, Informative)
Welcome to gov't bureaucracy. You must be new to this planet.
Re: (Score:2)
The problem is the VA is the best and most efficiently run health organization in this country. The VA makes everyone else look like idiots.
Re:What on earth are they printing? (Score:5, Interesting)
As the spouse of a disabled veteran, I call bullshit to that one.
It has its good points, but the data inefficiency is astronomical. TFA is right about the paper problems - when medication is routinely mailed, and includes a huge wad of paper (required) that lists personal patient info alongside the side effects and etc? When I could literally wander anywhere in the building, and pick up a ton of ID theft-friendly info from papers containing personal patient info sitting around on desks, nurses' stations, and et al?
Little wonder the VA has such a huge data leakage problem from paper... I'm always rather astounded by the amount of paper that even a simple office visit at a VAMC generates.
Re: (Score:3)
Computers aren't good enough yet (Score:4, Insightful)
Not this case specifically, but in my experience where documents exist and travel in electronic form, you still print them off to do work on them.
Computers are great tools for writing documents. Computers are great tools for looking up and reading out a single datum. Computers are great tools for large-scale data analysis. What they are not good for is sitting down with a modestly-sized group of data - say, twelve letter-sized sheets - and getting something done. You can't get a screen big enough, or an interface lean enough, to replicate the kind of easy access you get from spreading the pages across your desk, or even using fingers and bookmarks to quickly jump between places. The relationships between individual documents are never as obvious as when you pull out a sheaf of records and pore over it.
So, people print documents off while they're working with them, and sometimes they forget that those documents are supposed to be shredded, or meticulously filed away.
Now, this is something that computers should be good at, but it's hard, and it's not in the wheelhouse of most software developers or companies. Look at scientific publications. You have a whole lot of documents encrusted in rich, well-formatted meta-data, being used by organisations that could throw down thousands on records-management software like it was loose change. Yet we only just have Papers and Mendeley. We're only just transitioning away from filing cabinets.
Re:Computers aren't good enough yet (Score:4, Insightful)
I should add that this is a problem for data security; there seems to be a mistaken belief that we entered a paperless world in 2000 and all our information security problems are now computer security problems.
Paper has a lot of benefits (Score:4, Insightful)
It's 2013, they should have finished scanning all of their documents in by 2002, 2005 at the very latest. What on earth are they printing over there?
Patient medical charts and financial information mostly. Getting all that digital is an incredibly difficult and a FAR more challenging problem than most people realize. In a lot of cases the economic case for paper is actually better because going digital is so difficult and/or expensive.
I work in a regulated industry and we shred everything we print. On a bad week I might print all of 10 pages.
The industry you work in has precisely NOTHING to do with how healthcare can or should be managed. That would be like me saying what works for engineering should be perfectly appropriate for accounting. The argument makes no sense. As it turns out health care is incredibly complex and designing IT systems to do away with paper is difficult, time consuming and frequently not actually the most efficient way to solve many of the problems they face. If there is a more complicated industry than health care I'm not aware of it. Just because theoretically we can solve problems with IT doesn't mean it can be done today or that it is necessarily the correct answer to every problem.
Physical breaches of security (Score:4, Informative)
Re: (Score:3)
This was quite illegal.
It most certainly was not. It may well have been against hospital policy, but there is no law restricting a doctor from carrying around his patients' records and studying them wherever he wants to.
paper is still less dangerous (Score:5, Insightful)
When there is an electronic data breach, there are hundreds or thousands or more records. When it is a paper breach, it is probably less than ten records at once.
Re: (Score:3)
The issue with paper isn't an outside breach, it's someone throwing a two-inch stack of papers out in the recycling bucket, which might be a few hundred to a thousand records.
https://www.google.co.uk/search?q=records+found+in+bin&oq=records+found+in+bin&aqs=chrome.0.69i57j69i60j69i65l2j0l2.2171j0&sourceid=chrome&ie=UTF-8 [google.co.uk]
Re: (Score:3)
Which is still less than losing or recycling a hard drive.
Re: (Score:2)
"That that"? (Score:1)
*That *the*?
FTFY
Re:"That that"? (Score:5, Funny)
MOD PARENT UP (Score:2)
Please. People who understand proper English are becoming rare and should be rewarded.
Re: (Score:1)
And wonkey_monkey: Tomayto/Potahto, Apples and Oranges, really.
nt (Score:2)
Now that's what I call a paper cut.
900,000 devices? (Score:1)
Why does a department which services 440,000 'customers' and presumably has far less than a tenth of that in staff need 900,000 'devices' on the network?
Re: 900,000 devices? (Score:1)
Because they're honest enough to count every one. Routers, bridges, thermostats, etc...
I think you are misreading the 440,000 (Score:4, Informative)
The 440,000 would be employees and volunteers of the VA. The VA itself actually handles a lot more than that. There are 21.5 million veterans; of that, 3.5 million receive disability compensation. Every veteran is eligible for health care in the VA system. So for 444,000 users of the VA information technology, 900,000 devices isn't that far fetched to handle the data for 3.5 million + veterans.
http://www.infoplease.com/spot/veteranscensus1.html [infoplease.com]
http://www.va.gov/opa/publications/factsheets/fs_department_of_veterans_affairs.pdf [va.gov]
they never learn (Score:1)
Inventory losses (Score:5, Interesting)
The comment on inventory losses hits home. I'm retired from a large government agency. Back in the day, IT understood that it was our job to keep other, more important employees working. To that end, my division bought 110 laptops for every 100 laptop users. It kept the extras in stock as close to the users as possible.
When a user had problems, it was a 30 minute fix to swap hard drives into a new laptop, test, do the paperwork, and send the user back to work. If a drive died, it was about an hour of work to pull a new machine off the shelf, image it, and back up the user data from the local servers.
Unfortunately, most IT techs discovered those 30 minute hard drive swaps could be cut to 15 minutes or less if you neglected the paperwork. Laptops got lost. IT thought they were doing a great job. Our users loved us because we got them back to work asap. The executives, however, didn't like it.
They had to sit in front of a Congressional oversight committee every year and explain why a large number of laptops seemed to be missing. They weren't lost out of the organization, of course. They were temporarily misplaced. They were always found, eventually. There were no data losses.
Neither the executives nor Congress cared about our core mission when they had a juicy headline to bash us with in the press, every year, without fail.
The executives and IT hashed it out. They decided that the core business of the bureau was completely unimportant. The execs decreed that no matter what it took, they should never have to sit in front of a committee and explain things ever again.
Spare equipment was cut to the point of non-existence. All spare equipment was centralized in a half-dozen "depot" sites spread around the country. They were as far from the end users as possible. Getting anything replaced required dealing with a depot and doing overnight shipments.
The minimum time frame to fix a dead hard drive became, at minimum, several days. A highly paid employee who brought in a dead laptop on Monday morning would give it to IT and, in the best possible case, it would get shipped out that day, arrive at the depot on Tuesday who would ship a replacement, arrive back locally on Wednesday where it would be imaged and delivered back to the user later that day. That's 2.5 days AT BEST with a highly paid employee effectively idled.
If a single person (the IT tech, the local inventory specialist, the depot inventory specialist, the depot shipping clerk, and maybe more) was out of place, add a day to that cycle time. Average repair times, when hardware had to be replaced, jumped to ~4 days.
Prior to that, no matter how big the meltdown, an individual user could be back to work inside 2 hours and often in less than a half hour.
The troops were on the verge of mutiny and morale on computer issues went into the toilet.
The executives were insanely happy. They had set up a special IT department for themselves that worked the old way so they never suffered delays. Plus, they didn't have to testify before Congress any more.
I said all that to say this - When you read that some big government agency is losing computers it does NOT mean that data is being lost. It may well mean the IT department is actually doing their jobs instead of sacrificing the efficiency of their entire agency to cover the executive asses.
So when the quoted source says that losing a few laptops is no big deal, cut him some slack. He's right.
Re: (Score:2)
Thanks, Ben, that explains a number of things; I recall several of the stories that hit the news and a few (very few) follow up pieces that had an explanation; until you ran through one of the common realities I'd be left wondering who was trying to pull what with alternate recountings.