United States Department of Veterans Affairs

HOUSE VETERANS' AFFAIRS COMMITTEE

R. JAMES NICHOLSON
SECRETARY OF VETERANS AFFAIRS

June 29, 2006

Mr. Chairman and Members of the Committee.

Thank you for the opportunity to appear before the Committee to follow up on what has occurred within the Department of Veterans Affairs since the unfortunate theft of data from the home of a VA employee on May 3rd. Let me begin by making one thing clear. This loss was tragic on many levels, but the data that was stolen was a copy of other data that is still in VA's possession. That is to say, it was not lost to the VA.

I would also like to highlight the fact that, even as we have been addressing this issue, VA has been attending to its core mission of caring for veterans - providing health care, benefits and burials - with no diminution of quality or commitment.

Since this theft occurred and came to my attention, I have been proactive on many fronts. All of my actions have been guided by one question: What is best for our veterans?

This Committee, and its various subcommittees, has had at least one hearing a week since this theft became public, mostly focused on elements of the data theft and its aftermath. Other Committees have held hearings on this as well, and we have provided briefings for various members and their staffs since then. For that reason, much of what I say today will likely be familiar to you.

I would like to organize my presentation into a few basic parts: (1) what we have done; (2) what we are doing; (3) what needs to be done; and (4) how we will measure our progress. Our goal, when this unfortunate situation is behind us, is to have the VA be the Gold Standard in the realm of cyber and information security, just as it has become in the realm of electronic medical records.

What we have done

Following the theft of data from a VA employee's home, we attempted to determine the scope of the loss. We retained forensic experts to assist us in this very complicated analysis. Once the magnitude of the loss was more fully understood, we began working non-stop to assess what steps are appropriate - going forward - to protect our veterans.

As previously announced:

  • I have directed a series of personnel changes in the Office of Policy and Planning, where the breach occurred. Recently retired Admiral Patrick Dunne has been nominated by the President to be Assistant Secretary for Policy and Planning. With his confirmation, he will bring the much-needed leadership to that office. Admiral Dunne is working now at VA as a consultant.

  • I have retained Richard Romley as an outside, independent advisor to me personally. He has significant experience in data theft, governmental reorganization and critical issue development. As a former prosecutor, Rick has a reputation for independence and a unique ability to get to the bottom of issues.

  • I have directed expedited completion of Cyber Security Awareness Training and Privacy Awareness Training for all VA employees. All employees must have this training prior to the end of June, and I am receiving daily reports as to the completion of the training in each of our offices.

  • And I have directed that VA facilities across the country - every hospital, Community-Based Outpatient Clinic (CBOC), regional office, national cemetery, field office and VA's Central Office - observe Security Awareness Week beginning Monday, June 26th. Throughout this week, each office will focus on different aspects of cyber and information security, how those pertain to their particular operation, and how to assure that security is an integral part of the workplace ethic.

  • VA's initial response to the data loss included creating a call center with the capacity to handle up to 260,000 calls a day. We reprogrammed up to $25 million in our IT account for this effort. The volume of calls has been far, far less than we expected, and to date we have spent just under $9 million for the call center. Another critical part of our initial response was to mail over 17.5 million letters advising individuals of this data loss, and providing them with proactive steps they can take to protect themselves. The cost of this mailing was about $7 million, which we were able to cover in our operating expenses account.

Yesterday, Congress received a request from the Administration to provide VA the additional resources needed to fund our initiative to provide a comprehensive monitoring solution for veterans, Active Duty, Guard and Reserve. We are asking Congress for $131.5 million in our IT account, to supplement the $1.2 billion already appropriated for that account in FY 2006. This amount is fully offset by small reductions in seven non-VA accounts in five other agencies. The offsets proposed would not impact current operations in those programs - in fact, the funds were not expected to be obligated this year.

Also, VA will make available $29 million from VBA's $1.1 billion payroll budget to fund credit monitoring. VBA is aggressively recruiting and training this calendar year, but has experienced lower payroll costs, and some delays in hiring new employees. Still, VBA's onboard staffing level has grown throughout the year, and is on track to enter next fiscal year at or above plan, which is 13,104 employees.

This $29 million was known to be available before the data breach on May 3, and not because of it. Simply put, there is no impact on VBA's recruitment effort or claims processing from shifting these funds.

I urge Congress to provide these funds immediately - the funds will allow VA to seek competitive credit monitoring proposals, and begin to offer the opportunity to sign up for credit monitoring in August.

What we are doing - Specific Actions

A week ago, I announced that VA would be providing free credit monitoring, to include an insurance component, to all affected veterans who sought that service. We were preparing to issue a request for proposals to vendors capable of providing this service. Last Friday, the Federal District Court in Kentucky, hearing one of the class action lawsuits emanating from this data theft, issued a Temporary Restraining Order barring the government from publicizing its free credit monitoring offer to veterans whose personal data was stolen.

Let me assure you that I believe that credit monitoring is essential to provide veterans with some level of protection. I have spoken with our lawyers to be sure they clearly understand that I consider credit monitoring a priority and to do everything in their power to lift this stay.

I have also directed that every laptop computer in VA undergo a security review to ensure that all security and virus software is current, including the immediate removal of any unauthorized information or software and the application of appropriate encryption programs. But, because of the pending lawsuits, this directive has been placed on hold until we obtain guidance from the courts.

In addition, we have been in discussions with corporations which provide unique data breach analysis to see if data is being exploited, and we anticipate entering into a contract shortly for this service.

We are making an effort to be responsive to concerns, expressed by you, Mr. Chairman, at a recent hearing, that we provide "detection, protection and insurance," essentially a "Veterans' Credit Protection Package," for those possibly affected. It is appropriate that we do this. We are committed to doing everything possible to protect our veterans and to keep them from incurring loss or expense.

I have directed that VA conduct an inventory of all positions requiring access to sensitive VA data to ensure that only those employees who need such access to do their jobs have it. And we will be developing the procedures necessary to assure that employees have an appropriate level of background check in place, and that those be updated on a regular basis. For example, the employee from whom data was stolen had not had a background investigation for 32 years.

What we are doing - Major IT Reorganization within VA

Historically, IT has been highly decentralized within VA. That proved advantageous in certain situations - keeping IT closer to the ultimate user. For example, the highly regarded VHA electronic medical record system was developed in this way, with substantial input from the clinicians. Yet, this has led to a system that is highly complex, frequently incompatible, and very difficult to manage. This became clear to me shortly after coming to the VA 16 months ago. My predecessor issued at least two memoranda to correct this situation which were ignored.

After reviewing the recommendations of a consultant who studied the IT situation at the VA after the ill-fated Core FLS endeavor in Florida, in October 2005 I signed a memorandum directing the reorganization of IT within VA. Pursuant to that reorganization, more than 4,610 IT professionals engaged in operations and maintenance of the Department's IT infrastructure, plus 560 unencumbered positions, have been detailed to the Office of Information and Technology, under the direction of the Chief Information Officer. As of the beginning of the new Fiscal Year on October 1, 2006, those details will become permanent, thereby establishing a new career field within OIT. Given collective bargaining agreements with our unions regarding the terms and conditions of employment, this has resulted in the filing of grievances and an attempt to prevent this change.

In this IT reorganization, all IT professionals are being consolidated into the Office of Information and Technology, except for certain software developers, mostly in VHA and VBA. And even for those, the CIO will be responsible for enterprise architecture, project planning approval through the OMB 300 process, funding and cyber and information security. In my concept, this is an incremental process, and my goal is for these developers to also be brought under the control of the CIO.

Various other functions are being centralized within VA IT as well. The position of Chief Financial Officer with budget authority has been established in the Office of Information and Technology. Security has also been consolidated within the Office of Cyber and Information Security in OIT.

Additionally, I want to assure you that I have been paying close attention to these hearings. I have heard your concerns as to whether or not the CIO has sufficient enforcement authority to ensure compliance with the deficiencies noted in the past and to ensure future compliance. I have looked into this issue, and agree with you that there has been ambiguity in our directives. Therefore, I have just issued a Memorandum making it absolutely clear that all functionalities, including enforcement, lie with the CIO.

I want to thank you, Mr. Chairman, for bringing this matter to my attention.

Further, I have directed that responsibility for information security be included among the critical elements of all senior executives' performance plans. Tying security to performance plans will have this effect.

We already have several subject matter experts engaged to assist VA to develop a consolidated Data Security Program. These include many recognized names in the industry. They will be supporting a program whereby responsibility, authority, accountability and enforcement are consolidated under the CIO. We have also engaged one of the world's leaders in the field of cyber and information security, Carnegie-Mellon/SEI, to independently verify and validate our data security plan and measure its implementation. In addition, we will be retaining an acknowledged expert on program management operations, to manage this entire process.

I am pleased to announce that yesterday we entered into a contract with IBM to assist us in implementing our overall IT realignment plan. IBM is a recognized expert in IT integration. They themselves have experienced the difficulties of IT realignment. I am confident that, with our commitment and the assistance of IBM, we will meet our goal of completing our transition to a fully realigned IT Management System by July 2008.

What we are doing - IT Assessment

The range of IT programs administered by the Department on behalf of our veteran clientele is extensive. Many of those programs or services require that the IT to back them up be interactive, with VA professionals having a need to access and manipulate data elements in the course of providing health care or benefits, often in locations outside a VA facility. (For example, VBA employees checking on the care a fiduciary may be providing to incompetent veterans, Loan Guarantee employees doing field examinations of appraisers, or home healthcare providers for housebound veterans.)

As a result, the array of hardware and software, where it is located, the number of systems, the number of persons having access to data, how that access is granted or denied, how the data is utilized and by whom, what background checks are needed - all have grown tremendously over the years. These are areas that require our immediate review, and, where necessary, remediation.

This theft of VA data has been a wake-up call to all of us. IG reports in the past years have highlighted specific weaknesses, but as an institution, VA did not respond to those with the sense of urgency that, in retrospect, was called for. With benefit of hindsight, that need for urgency is overwhelmingly apparent today. We recognize that we must change the culture of the Department, and we have embarked on doing just that.

On May 24, 2006, I instructed the Deputy Secretary to establish a three-phase program to assess existing conditions, strengthen internal controls, and establish enforcement mechanisms. The assessment phase is now nearly complete. We are now reissuing guidelines and regulations clarifying and emphasizing requirements and the ramifications for failure to follow them. In addition, I have directed that all VA sensitive data be kept on VA equipment, such as laptop computers. In the past, many employees have utilized their own personal computers to conduct VA business. We are assessing just who is doing that and why, and will be issuing guidance regarding that in the near future.

I have also directed that previously authorized work procedures which allowed employees to transport hard copies of claims folders to alternative work sites be stopped. It is a government-wide practice to encourage telework or telecommuting, especially in the Washington metropolitan area. Yet we must assure that our policies and procedures implementing this are such that sensitive data relating to our veterans is properly protected. I have asked our Acting Undersecretary for Benefits to review and revise his own guidance to his staff in this area to ensure the protection of veterans' vital records and sensitive data prior to resuming this practice, if at all.

What we are doing - Regulations and Guidelines

As I mentioned, VA is revising its regulations, policies, guidelines and directives in the entire area of information technology and information security. This has been a wake-up call to us, and we are working to assure that we have clear guidance for all VA employees in place, and that they are aware of what is required of them - and of the consequences, should they fail to adhere to that guidance. We are revising VA Directive 6500, which sets forth the guidelines for information security and the enforcement mechanisms pertaining to that. This is a fast-track initiative, and I anticipate issuing the revised directive shortly.

But I am convinced that, coming out of a very bad situation, we can make the VA a model for data security. I believe we can craft a structure that will be the Gold Standard for the government, much as the VA's vaunted electronic medical records and health care system are being held up as a standard to be emulated.

Measurement of Success

How will we measure our success in this endeavor?

Of course we have our own Inspector General who has pointed out shortcomings in the past. While the IG is housed at VA, he is independent, reporting directly to the President. I think you will see that he offers a critical overview of what we are doing here. And initially, that will be to correct deficiencies noted by the IG in the past.

In addition, we are scored each year on FISMA compliance. As I noted, in the past we received an "F" on the FISMA scorecard. That is unacceptable, and we must do better in the future.

What needs to be done - Legislation

The Health Insurance Portability and Accountability Act (HIPAA) governs all aspects of the privacy of sensitive information pertaining to an individual's health. HIPAA provides for criminal penalties of up to 20 years imprisonment and a fine of up to $250,000 for intentional misuse of health information for private gain.

There is no comparable law pertaining to the misuse of other non-health, sensitive, personal information, and I believe that the Congress should enact such a law. Someone intent on fraudulently using personal information may think twice if he or she focuses on severe penalties that could be encountered for such a crime.

I also now serve on the President's new Task Force on Identity Theft and I will be making similar requests there for tougher laws, greater deterrence and other actions that may minimize the likelihood of an event such as this occurring again.

Conclusion

Mr. Chairman, unfortunately a very bad thing happened. A monumentally awful thing. I am outraged by it and the slow response of some of my otherwise very good subordinates. But I am the responsible person, and it is to me that you are entitled to look to see that the victims are treated right and that this is fixed. It won't be easy, and it won't be overnight, but I am absolutely convinced that we can do it. We are already on the way to establishing a culture of security within the VA, with the policies, procedures and people in place to maintain that.

Mr. Chairman, that concludes my testimony. I would be pleased to answer any questions that the Committee may have.