The Department of Veterans Affairs (VA) is getting a cybersecurity facelift. Updates will include a more intensive system monitoring program, adjustments to health IT protocol, new training tools and enhanced wireless capabilities.
At a recent Armed Forces Communications and Electronics Association (AFCEA) breakfast on the role of Chief Information Security Officers, Jaren Doherty, Deputy Secretary for Information Protection and Risk Management at the VA, spoke with Federal News Radio’s Jason Miller about his agency’s security programs.
Doherty said that by September 30, VA will have status updates every 24 hours on every network desktop and every data platform. It is part of the agency’s long term project to gain visibility of every device on the network and infrastructure including routers, switchers and servers.
Health IT is another major security concern for VA. Doherty said VA recently sat down with an FDA security team to discuss potential malware on insufficiently protected medical devices.
“Medical devices have common operating systems at their bases, yet the updating of those devices sometimes takes more than a year after a new patch is released. So if there is a security vulnerability, you’re vulnerable for over a year,” he said.
VA is working with industry partners and FDA to put the patches on the VA Web site as soon as they are released so VA can download and apply them without waiting for a company to install the fix on agency devices.
“We will have all of the devices secured behind a [preliminary barrier called a] V-LAN by September 30. We will have them firewalled off by December 31 and have these other problems addressed some time during FY 2011,” he said.
According to Doherty, many of these problems surfaced during the Conficker computer worm attack, prompting the agency to develop a Medical Device Isolation Architecture. “We found out that if we did about four different things in our security program that we could pretty much ensure that there would not be malware on the these machines and that we could adequately protect them,” he said.
The agency is also working to improve education and training around cybersecurity. “In real-estate it’s all about location, location, location,” Doherty said. “But in security, it’s all about communication, communication, communication.”
He said that communicating the security program at all levels throughout the agency is a challenge. His department uses social media such as a blog, Twitter, Facebook, and Yammer as well as more traditional ways of communicating such as emails, telephone and video conferences. Every Friday the agency holds a threat briefing to talk about cyber threats in general and those that have specifically exploited VA vulnerabilities.
The agency is also trying to balance the need for wireless security in parts of hospitals while being responsive to the needs of today’s Veteran. Doherty said once the proper infrastructure is in place, veterans will be able to access the internet in the waiting room and determine their place in line.
“Patients, when they’re in our hospitals, want to do email, wan to tell their families how they are, all of those communications that are not currently available in VA hospitals will be available in the future,” he said.