
Anne Stuart’s BPM in Action

Michael Dortch

When Business Processes Fail: Data Protection at the VA – Virtually Absent


According to an Information Week story posted today, the U.S. Department of Veterans Affairs, otherwise known as the "VA," has updated the details of the lost hard drive it announced in January. At that time, the VA said a hard drive lost from its Birmingham, AL Medical Center contained approximately 48,000 veterans' records, as many as 20,000 of them unencrypted, despite explicit policies requiring such protection.

In February, the VA said the January numbers were a little off. The lost drive could actually have contained personal information about as many as 535,000 people, plus as many as 1.5 million physicians not affiliated with the VA.

Now comes a report dated June 29 from the VA Office of Inspector General (OIG). According to the report, the IT "specialist" who lost the hard drive deleted and encrypted files on his own system in order to hide, and to minimize the apparent extent of, the information lost with the hard drive. Said specialist only confessed after being confronted with the findings of a forensic analysis the VA OIG had performed.

Further, the report states that the hard drive might never have been lost at all, had the existing physical and electronic security policies been followed and enforced. Policies such as encrypting sensitive data, something a local VA administrator apparently decided was unnecessary as long as he simply asked his workers not to remove the hard drives from the office. Which they did. And to lock them in a safe when not in use. Which they did not. Which likely wouldn't have mattered anyway, since the safe had no access log and no partitioned access, meaning that every employee who used the safe had access to every other employee's hard drive. Or at least, to the hard drive of any other employee who had bothered to lock it in the safe.

This laxity in policy enforcement also extended to the unnamed IT specialist. He had been given enough access to supposedly private personal information that he could extract data from medical records into a research database. Access he did not need and should never have been granted.

So, what have we learned?

1. Security policies are exactly like business processes. Without consistent documentation and enforcement, and frequent "re-inculcation" among users, they are basically useless.

2. Electronic and physical security policies and processes require close integration and synchronized management, if either is to be truly effective.

3. Enough is enough. That is, don't give anyone access to more information than they absolutely need to do their jobs. Especially if any or all of that information is considered personal and private.

4. Process management is continuous. Anytime anyone thinks any process is completely managed and requires no more oversight, something bad is about to happen. Especially if there's a poorly managed IT specialist involved…


Business process management and optimization -- philosophies, policies, practices, and punditry.

Anne Stuart

I am the editor of ebizQ.
