Two years after a major security breach compromised the personal information of over 4,000 veterans, the Department of Veterans Affairs (VA) continues to suffer from systemic "security weaknesses," according to a new report from the Government Accountability Office (GAO).
"While the Department of Veterans Affairs (VA) has taken actions to mitigate previously identified vulnerabilities, it has not fully addressed these weaknesses. … Until VA fully addresses previously identified security weaknesses, its information is at heightened risk of unauthorized access, modification, and disclosure and its systems at risk of disruption," the report found.
The VA has experienced multiple high-profile breaches in recent years, and the report cautions that unless it corrects "underlying" security vulnerabilities in its systems, breaches are likely to continue and could result in unauthorized access and disclosure of personal information.
Many of the weaknesses identified in the report are not new, but the inspectors say the agency has failed to sufficiently address some of the "previously identified vulnerabilities."
The VA Inspector General released a report in February 2013 that identified deficiencies in "management controls intended to ensure that VA’s critical systems have appropriate security baselines and up-to-date vulnerability patches," and made recommendations to resolve the problems.
The VA said it had completed the recommendations and would continue to improve those security controls, but the recent inspection found that the VA failed to deliver on that promise.
"The department has not yet effectively implemented a program to manage vulnerabilities and apply associated patches," the report notes. "Until it does so, it will remain at increased risk that known vulnerabilities could be exploited."
The IG made eight recommendations to correct the problems, but the agency appears to be off to a poor start in implementing them.
The VA received a draft of the findings, and responded that six of the recommendations were implemented. However, the report notes that inspectors "are concerned that the actions VA described as completed for at least two of the six recommendations may not comprehensively address the weaknesses we identified."
The latest report marks the 16th consecutive year the agency has failed a cyber security assessment. The House Veterans' Affairs Committee held a hearing on Tuesday to address the ongoing concerns.
Chairman Jeff Miller (R., Fla.) said in his opening remarks that the VA’s Technology Office has "greatly contributed to the problems of data manipulation" by failing to address the persistent weaknesses.
"These failures are not because of a lack of resources, as some VA senior officials want us to believe," he said. "Within the past decade, Congress has provided over 28 billion dollars to VA’s Office of Information and Technology to ensure its goals and actions are aligned with and driving the strategic goals of the agency. Given the availability of resources, it is apparent that this office’s lack of success and repeated underperformance is a leadership failure."