The Veterans Affairs Department is on track to open up its network to employees using smartphone and tablet devices starting Monday. But Roger Baker, VA’s assistant secretary for information technology and chief information officer, tried to tamp down the excitement — at least for a little while.
“We may have set some level of expectations from our users they all will be able to go out and get one next Monday, but the fact is there still will be a bar set for the performance of your duties,” said Baker during his weekly call with reporters about VA’s data breach report. “And if not, then like anything else, it’s an investment.”
Still, VA expects to issue about 1,000 devices — mostly Apple iPhones and iPads — over the next year.
“We will limit growth initially to make certain there is actually a bona fide business requirement for the mobile device before the government acquires the device and provides it to the individual,” Baker said. “We also will require a trade in. In other words, you can’t acquire one of the new mobile devices unless you give up your BlackBerry or your laptop. In other words, if you were a mobile user before, you have a pretty good case why you would want to be a mobile user with a different device going forward.”
Baker wouldn’t confirm Apple is the product of choice, but he said earlier this yearit would be the popular devices.
Currently, 17,000 VA employees have BlackBerry devices, and Baker said his office will pay close attention to how the first 1,000 employees with new smartphones and tablets are meeting the agency’s mission goals.
“At this introduction point, it’s not going to have dramatic effect,” Baker said. “For what you can do with it right now, it’s only somewhat more useable than the other mobile devices we’ve had in our infrastructure. It will have the same level of encryption, but you will be able to access our information gateway that is more viewable.”
How to pay for devices?
Over the next few days, Baker said there still are a couple of issues he’s wrestling with and that may be one reason for the slower rollout.
Baker said he has to figure out where the money comes from to pay for the smartphone or tablet devices. But the way VA classifies laptops is an example of why the decision is complicated, he said.
“We actually classify laptops as either medical equipment or IT equipment depending on what the use will be,” he said. “About 25 percent to a third of the laptops owned at VA are actually medical equipment and about 75 percent, then, are IT equipment. We’ve had to go through and look at — for everything we buy — the purpose for it. If it’s medical, then it’s bought out of the medical appropriation. If it’s IT, then it’s bought out of the IT appropriation.”
Baker says he will make that decision this week. Currently VA has not set up an enterprisewide contract to buy smartphone or tablet devices.
While the initial roll out will be slow, Baker expects both the demand and the devices’ usefulness to increase over the next year.
VA also plans to set up an apps store to host internally and externally developed software.
“Right now there are a number of apps relative to medical care that are in various stages of development,” Baker said. “None of them yet are ready for roll out across the enterprise. They have to do with everything from a version of CPRS, our clinician interface, that’s built specifically for mobile devices to things that allow clinicians to look at various statistics for either their facility or their portfolio of patients.”
In the meantime, Baker said users will be able to use the smartphone and tablet devices for two main functions: secure email and information viewing.
“We know the email client uses FIPS 140-2 encryption. The other side is visibility, being able to view information through an information viewer from that device so no storage of information on the device,” he said. “We are being very careful not to increase our information breach exposure as we roll these things out. And frankly, that simple fact has been why it has taken so long to get to this point to be able to say that.”
Baker said VA is paying close attention to ensuring the best security features are in place.
“The email client has an encrypted tunnel as it exchanges information with the server,” he said. “So we made a decision relative to what email client you can use. We are making decisions relative to whether or not we will allow 3G as an access method. The major thing we are doing is deciding we are going to utilize a mobile device manager (MDM) that will enforce policies throughout VA.”
He said if a user wants to download an unencrypted email client on to the device, the MDM would block the user from access VA data until the email client was removed.
VA also will have strict rules for downloading apps to the device from iTunes or other libraries, Baker added.
“We will control what software is allowed to run on these devices that are allowed to access the VA network,” he said. “Information protection is a priority in utilizing these devices. We can’t let information protection get away from us.”