VA struggles to balance cloud apps, security

Assistant secretary Baker said he can\'t let doctors store veterans\' data on unsecured systems in the cloud. But Baker said he wants to figure out how to solve...


        Join us Apr. 25 at 1 p.m. EST for Federal News Network's StateRAMP Exchange where we'll explore how the StateRAMP program provides cyber assurances as state agencies continue their IT modernization journeys. | Register today!

Roger Baker, VA’s assistant secretary in the Office of Information and Technology and chief information officer, said the agency shut down another instance of doctors using a cloud platform outside the VA firewall to share patient data.

“This is an issue we will continue to deal with going forward,” he said during his monthly call with members of the press on VA’s data breach report to Congress. “The government by itself can’t keep up with Yahoo!, Google, Apple and others who are creating great applications for medical usage. We have to figure out how to embrace those and at the same time ensure that we are providing privacy and health information protections that we are committed to doing. These are great tools for patient care, and right now my position as the CIO has to be ‘you can’t use them.'”

But Baker fully admits that he must find a way to strike the proper balance between use and security because there is a growing call for cloud-based tools such as those from Yahoo! and Google. He added that the Underground Railroad development of VISTA is a reminder of what could happen if he doesn’t find a solution fast enough.

“Users said they need the tools to let them do their job and I have that as a cautionary tale in my head whenever I talk about cloud and things going on with these sites,” he said. “If we don’t figure out how to use these applications, our users will figure it out for us. It is said that those who don’t study history are bound to repeat it. I’m not interested in repeating history.”

VA said in its data breach report that data of more than 1,000 veterans were located on this shared Yahoo! calendar tool. Doctors and residents at one VA facility were using the online tool to communicate during shift changeovers or residents needing to retain information when they left VA to work at other hospitals.

Baker said no matter the need, the doctors violated VA’s data security, privacy and health information policies.

Earlier this year, VA shut down eight facilities using Google docs to share patient information under similar circumstances. Baker said he expects to shutter other instances in the future of facilities using similar tools because of their popularity and ease of use.

Baker said he is looking into how to make that balance work, but still has not found the right solution to this problem.

“I know that Google has moved forward with FISMA certification of some of the stuff they are doing so that is a possibility,” he said. “The issue there is that there are various levels of certification and what they have achieved is medium and for the types of information we store, it would have to be a high certification. But we look at is there a way to embrace the tool as it stands? Is there a way to bring the tool inside the VA firewall and control access to it a bit more and meet our requirements that way?”

Baker added that last thing he would consider is building a new tool themselves because the government’s development time and acquisition processes just can’t keep up with technology changes.

In the meantime, Baker said cybersecurity remains a major priority. He said in 2011, his office will complete its medical device architecture to describe how to secure them on the network. VA also will expand its visibility of devices on the network beyond laptops and desktop computers to printers and other devices.

All of this will come under tight budget constraints. Baker said he prepared for Congress to cut VA’s IT budget by $200 million in 2011. Agencies currently are under a continuing resolution through March 4.

“We had a substantial carry forward from 2010 to 2011 as a result of all discipline we instituted last year,” he said. “The Program Management Accountability System (PMAS) generated $250 million of cost avoidance is 2010 because of number of projects we held off of until we got them to a point where we thought they could succeed.”

He added that VA also carried over $700 million from 2009 to 2010 and about the same amount from 2010 to 2011.

Baker said he doesn’t agree that VA needs less money, but understands the rationale and the fact every agency is facing tight budgets.

(Copyright 2010 by All Rights Reserved.)

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

    Pentagon Austin

    Pentagon finishes review of Austin’s failure to tell Biden and other leaders about his cancer

    Read more
    Congress Defense

    Big pay raise for troops in defense bill sent to Biden. Conservatives stymied on cultural issues

    Read more