WASHINGTON — Stricter controls are needed to secure the online personal information that the Department of Veterans Affairs collects and maintains on the millions of veterans enrolled in its health care system and receiving its benefits, according to a new report from the agency’s inspector general.
Weak passwords, security flaws and a pattern of granting excessive permissions for users on its platforms are among the deficiencies cited in an evaluation of the VA’s security program for protecting health records and financial information of veterans and other personal data of beneficiaries, personnel and contractors.
“Security deficiencies could allow any system and database user to gain unauthorized access to critical system information,” said Michael Bowman, director of the Information Technology Security Division for the Office of Audits and Evaluations at the VA’s Office of Inspector General.
Bowman testified Wednesday at a hearing of the House Veterans’ Affairs Committee’s subpanel on technology modernization about a lack of security controls for supporting critical operations at 1,000 VA facilities and facilitating benefit payments to eligible veterans and their families.
“Improvements have been painfully slow. VA has been aware of some deficiencies for years but unable or unwilling to fix them,” Rep. Matt Rosendale, R-Mont., chairman of the subcommittee, said at the hearing. “Despite some incremental improvements, the VA’s approach is inadequate and unfocused.”
The challenges the VA faces in securing and protecting online information from hackers are similar to those at other federal agencies, Bowman said.
“Due to advances in technology, hackers can more easily glean information about individuals from various data breaches and track someone’s activities to further malicious or criminal schemes,” he said. “Secure information storage and management are high-risk endeavors across the government.”
All federal agencies are required under the Federal Information Security Modernization Act to develop, document and implement an information security and risk management program, with the agency’s inspector general evaluating that program every year.
Annual reviews are a scorecard of an agency’s technology security program, Bowman said. The deficiencies identified at the VA are not new but continue year after year, he said.
“While VA has made some progress in certain areas of their security program, these can best be characterized as incremental improvements in addressing the deficiencies the audit team has repeatedly identified,” Bowman said.
The VA needs to ensure it installs security patches, makes system updates and restricts unsupported web apps to mitigate vulnerabilities, he said.
Difficulty recruiting and retaining qualified personnel to manage and maintain the VA’s computer systems hinders efforts to keep them secure, said Kurt DelBene, the VA’s chief information officer at the Office of Information and Technology.
Demand for cybersecurity professionals from both government agencies and private industry is driving up wages.
DelBene said the VA is asking for a cybersecurity budget increase from $110 million in fiscal 2024 to $707 million in fiscal 2025. A larger budget for cybersecurity will enable the agency to hire more trained staff with skills in preventing and managing cyberattacks, he said.
“There will always be a strange attack coming out that we were not expecting,” DelBene said. “We want to be in the space of making good decisions and achieving good outcomes.”
Rep. Tim Kennedy, D-N.Y., said he considers the investment reasonable given the VA’s vast operation and $369 billion spending plan for fiscal 2025. But he said the VA needs to identify measurable goals that it expects to achieve with the increase.
“We are concerned that salaries at VA may be too low to be competitive, even when combined with compensation incentives and benefits,” DelBene said.
Rep. Sheila Cherfilus-McCormick, D-Fla., said the VA “remains unable to adequately address systemic challenges. Only by investing in high-skilled staff and consistently enforcing IT standards, will the VA be successful.”
Also testifying was David Powner, executive director for data-driven policy at MITRE, a not-for-profit company that helps government agencies improve their security posture. A team from MITRE evaluated VA cybersecurity practices in 2024. Powner identified broad areas for improvement that echoed the concerns outlined in the inspector general report.
They included applying software patches, maintaining access controls and keeping logs of system events that can reveal suspicious activity and attacks. The team found the VA’s information security program operated under outdated cybersecurity policies and failed to effectively coordinate security practices across the enterprise. The VA also needs to focus more on identifying security vulnerabilities in medical devices and maintaining those devices over their lifespan, Powner said.
The inspector general also faulted the VA for granting access inappropriately to users and not removing or deactivating old and dormant accounts.
Though weak passwords are a well-known vulnerability that lets attackers gain unauthorized access, the IG report found lapses in implementing strong password controls, Bowman said.
DelBene said the VA is moving toward a zero-trust architecture, which includes requiring multi-factor authentication: users must present more than one form of proof of identity before signing on and gaining access to VA systems.
Rosendale urged the VA to prioritize cybersecurity and implement remediations recommended in the reviews.
“No organization is completely safe from cyberattacks. But we expect the VA to understand their own vulnerabilities and maintain their defense,” he said. “We have to identify tomorrow’s risks and address them today. In a world of data breaches, more Americans’ personal information is being bought and sold on the dark web. The VA needs to do better.”