Protecting Veteran Data at the VA

Cybersecurity challenges and proposed solutions following an independent assessment by MITRE.

NIMITZ NEWS FLASH

"VA Cybersecurity: Protecting Veteran Data from Evolving Threats"

House Veterans Affairs Committee, Technology Modernization Subcommittee Hearing

November 20, 2024 (recording here)

HEARING INFORMATION

Witness & Written Testimony (linked):

  • The Honorable Kurt DelBene: Assistant Secretary for Information and Technology and Chief Information Officer, U.S. Department of Veterans Affairs

  • Ms. Lynette Sherrill: Deputy Assistant Secretary for Information Security and Chief Information Security Officer, U.S. Department of Veterans Affairs, Office of Information and Technology

  • Mr. Jeff Spaeth: Deputy Chief Information Security Officer and Executive Director of Information Security Operations, U.S. Department of Veterans Affairs, Office of Information and Technology

  • Mr. Michael Bowman: Director, Information Security Audits, U.S. Department of Veterans Affairs, Office of Inspector General

  • Mr. David Powner: Executive Director, Center for Data-Driven Policy, MITRE

Keywords mentioned:

  • Cybersecurity, vulnerabilities, risk management, audits, recommendations, staffing, budget, partnerships, zero-trust, incident response, cloud computing, contractor systems, cyber hygiene, data breaches

IN THEIR WORDS

“Veterans represent a pillar of American democracy for many, making them open to additional threats from those that seek to sow discord and gain access to the U.S. system. As such, cybersecurity must be at the forefront of all veterans’ minds.”

Ranking Member Sheila Cherfilus-McCormick

“No organization that is connected to the internet is ever completely safe from cyber attacks, but we expect the VA to understand their vulnerabilities and maintain every possible defense. When breaches happen, we expect the VA to detect them immediately, contain the damage, and to notify the affected individuals.”

Chairman Matt Rosendale

“Despite our efforts, we face recurring challenges, including budget limitations and recruitment and retention of highly qualified personnel. We have discussed our budgetary limitations in the past. Recruiting and retaining individuals with high demand cybersecurity expertise is a top priority for OIT and industry leaders alike.”

Assistant Secretary Kurt DelBene

Assistant Secretary Kurt DelBene recognized the VA’s cybersecurity challenges while pledging to do more to protect veterans’ data.

OPENING STATEMENTS FROM THE SUBCOMMITTEE

  • Chairman Matt Rosendale welcomed the witnesses to discuss cybersecurity at the Department of Veterans Affairs (VA), mentioning the critical need to protect veterans’ medical and personal data from cyberattacks. He noted the alarming frequency of data breaches in healthcare, including VA systems, sharing that over 519 million health records have been exposed over the past 15 years. Despite Congress allocating resources for cybersecurity, Chairman Rosendale expressed frustration at the slow progress in addressing long-standing vulnerabilities and disagreements over audit findings. He called for accountability, improvement in governance, and measurable progress in achieving a zero-trust cybersecurity posture to protect veterans’ data effectively.

  • Ranking Member Sheila Cherfilus-McCormick underscored the importance of cybersecurity in protecting veterans’ sensitive information and pointed to systemic issues that persist despite incremental increases in funding. She drew attention to the risks posed by claim sharks, phishing attempts, and breaches involving VA contractors, urging the VA to adopt a holistic approach to cybersecurity. The Ranking Member called for partnerships with agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to address resource gaps and stressed the need for Congress to provide sufficient funding to implement necessary cybersecurity solutions.

SUMMARY OF KEY POINTS

  • Assistant Secretary Kurt DelBene discussed the VA’s cybersecurity practices, including the deployment of defense-in-depth strategies, partnerships with federal agencies, and the adoption of a zero-trust cybersecurity approach. While noting progress in safeguarding veterans’ data, he acknowledged challenges in recruiting and retaining qualified personnel due to competitive salary limitations. He then noted ongoing efforts to address vulnerabilities identified in audits, implement multi-factor authentication, and secure IT systems, calling for increased resources to strengthen the VA's cybersecurity posture.

  • Mr. Michael Bowman detailed the Office of Inspector General’s (OIG) findings from the Federal Information Security Modernization Act (FISMA) audits, which revealed recurring vulnerabilities in the VA’s IT security program. Despite incremental improvements, all 25 recommendations from the most recent audit were repeat findings. The VA disputed 10 of them. Mr. Bowman praised the VA’s responsiveness to facility-level inspections but urged the department to proactively address systemic weaknesses and implement corrective actions to better protect sensitive veteran information.

  • Mr. David Powner provided an overview of MITRE’s independent cybersecurity assessment, which identified high, moderate, and low-risk vulnerabilities in the VA’s systems. He commended the VA for remediating many findings but noted systemic issues in risk management, cloud security, and incident response. Mr. Powner made recommendations to improve VA’s cybersecurity program, such as enhancing risk management frameworks, reducing shadow IT, and configuring security solutions more effectively. He acknowledged the VA’s progress and expressed confidence that continued oversight and commitment would strengthen the department’s cybersecurity posture.

  • Chairman Rosendale questioned Mr. Bowman about the VA’s long-standing cybersecurity issues. Mr. Bowman confirmed that most of the 25 recommendations from the 2023 FISMA audit had remained unresolved for over a decade, despite slight modifications. He also noted that the VA generally did not disprove OIG’s findings and pointed to high-risk vulnerabilities in areas such as access control, configuration management, and database security. Mr. Powner added that MITRE’s findings aligned with OIG’s, though MITRE provided deeper insights into shadow IT and detection capabilities. Both experts agreed that addressing the combined recommendations would significantly enhance VA cybersecurity.

  • Ranking Member Cherfilus-McCormick asked Mr. DelBene about the adequacy of the $707 million cybersecurity budget. Mr. DelBene explained that the budget was insufficient to meet the VA’s needs, with staffing shortages and a lack of funding for tools like logging capabilities hindering progress. He credited anti-phishing initiatives for reducing email-based attacks but deferred providing detailed answers on the rise in equipment theft incidents.

  • Rep. Keith Self raised concerns about VA contractors’ cybersecurity practices and the fragmented Electronic Health Records (EHR) system. Mr. DelBene assured him that the VA enforced strict security baselines with contractors and noted that consolidating the EHR system would reduce vulnerabilities.

  • Rep. Tim Kennedy referenced cybersecurity breaches at VA facilities and asked about their financial and personal impact. Mr. DelBene acknowledged that costs were difficult to quantify but stressed that better cybersecurity hygiene, such as encryption, could prevent many incidents. Rep. Kennedy mentioned over 1,000 privacy-related incidents in one quarter. Mr. DelBene clarified that they were not necessarily cyber breaches but could involve other privacy issues, such as mailing errors. Both agreed on the need for better funding and staffing to protect veterans' sensitive data effectively.

  • Rep. Morgan Luttrell expressed frustration with the VA’s reactive approach and repeated findings in OIG reports over the past decade. Mr. DelBene defended the VA’s efforts, describing a risk-based approach to cybersecurity and acknowledging that while additional funding would help significantly, it would not eliminate all risks. Rep. Luttrell restated the ongoing challenge of securing the VA’s extensive systems and urged a proactive mindset, especially given the sensitive nature of veterans’ data.

  • Chairman Rosendale noted the 62% increase in cybersecurity funding since 2023 and called for accountability rather than continuous budget requests. He pressed Mr. DelBene for data on the costs of cyber breaches and the effectiveness of the requested funding increases. Mr. DelBene explained the challenges of providing a definitive number but agreed to provide further information. The Chairman reiterated the importance of protecting veterans’ data and called for detailed estimates to justify the VA’s budget requests.

  • Mr. Powner clarified that MITRE’s assessments were not audits but independent evaluations with a focus on deep technical testing. He revealed that out of 442 findings, only 26 were pre-identified by the VA, suggesting a significant gap in internal awareness. Mr. Powner defended MITRE’s methodology and the value of their findings, particularly in addressing systemic vulnerabilities. Mr. DelBene acknowledged the importance of external assessments but maintained that the VA’s risk-based strategy allowed for prioritizing the most critical threats.

  • Ranking Member Cherfilus-McCormick questioned the witnesses on contractor security and repeated findings in FISMA audits. Mr. Bowman attributed recurring issues to the VA’s large, decentralized structure, which complicates the consistent application of cybersecurity controls. He noted incremental improvements, such as a reduction in legacy vulnerabilities, but outlined the persistent challenges in securing a system as extensive as the VA’s. The Ranking Member raised concerns about audit overload on the VA’s staff, to which Mr. DelBene responded by advocating for automation and increased accountability for system owners.

  • Rep. Self asked about the qualifications and background of the MITRE team responsible for conducting the assessment. He then asked Mr. DelBene how much money the VA expects to come back to Congress to request in its FY 26 budget. Mr. DelBene did not provide an answer.

  • Rep. Kennedy brought up the vulnerability of the VA’s healthcare system to ransomware attacks and other breaches, stressing that veterans expect their data to be secure. Mr. DelBene articulated ongoing efforts, such as increased logging and monitoring, to mitigate risks but reiterated that achieving complete security is impossible. He agreed to provide further data on breach costs and funding requirements, stating that sustained investment over multiple years would be necessary to address the VA’s cybersecurity needs comprehensively.

  • Chairman Rosendale questioned the lack of a formal cybersecurity risk strategy at the VA, asking how risk management decisions were made without such a strategy. Mr. Powner explained that while the VA had tools and processes for assessing risks, a comprehensive strategy would ensure consistent assessments across the organization. Mr. DelBene stood behind the VA’s approach of prioritizing critical systems with sensitive veteran data, focusing on high-value targets for hackers. Ms. Lynette Sherrill elaborated on the VA’s layered defenses and efforts to secure vulnerable systems like medical devices but acknowledged the need to mature these strategies further.

  • Chairman Rosendale then criticized the VA’s 95% compliance benchmark, questioning why the most basic cybersecurity measures, such as password complexity and access control audits, were not consistently implemented. Mr. DelBene admitted gaps in coverage, citing the VA’s decentralized structure and large scale, but argued that focusing resources on the highest risks was necessary. He spoke on efforts to improve multi-factor authentication and automate access controls to reduce human error, but he again noted the challenges of achieving 100% compliance in a system as expansive as the VA.

  • Ranking Member Cherfilus-McCormick asked about plans for additional independent reviews of other critical systems, such as the EHR and Veterans Benefits Management System (VBMS). Mr. DelBene expressed interest in conducting more reviews but highlighted cost constraints, suggesting a risk-based approach to selecting systems for assessment. Mr. Bowman outlined the value of site-specific security inspections in supplementing enterprise-wide FISMA audits and mentioned the importance of facilities proactively addressing vulnerabilities rather than waiting for external audits.

  • Rep. Self raised concerns about whether the VA’s incremental improvements in cybersecurity could keep up with rapidly evolving threats. Both Mr. Bowman and Mr. Powner discussed the need for continuous monitoring, faster remediation, and proactive measures like endpoint detection and response. Mr. Powner called for streamlining processes, reducing reliance on outdated plans of action, and updating the FISMA framework to better align with modern cybersecurity challenges.

  • Chairman Rosendale questioned why previously identified vulnerabilities, such as weak passwords and unpatched systems, persisted despite repeated findings in OIG reports. Mr. DelBene acknowledged recurring issues but argued that thematic problems, rather than specific systems, were often the focus of findings. He pointed out that the VA prioritized addressing the most critical risks, but some lower-priority issues remained unresolved due to resource constraints.

  • Mr. Bowman explained discrepancies in vulnerability scans conducted by OIG, clarifying that some scans were conducted outside the pre-approved scope, leading to gaps in the VA’s ability to detect malicious traffic. He noted improvements in 2024, with the VA demonstrating better detection capabilities during similar tests. Chairman Rosendale stressed the importance of unannounced testing to mimic real-world attack scenarios and identify vulnerabilities effectively.

  • Ranking Member Cherfilus-McCormick asked about steps the VA takes to improve veterans’ cyber hygiene. Mr. DelBene detailed measures such as multi-factor authentication for VA systems, protections against phishing and man-in-the-middle attacks, and outreach programs to educate veterans on cybersecurity best practices. Ms. Sherrill explained that during cyber incidents, the VA communicates with veterans service organizations (VSOs), Congress, and local medical centers to ensure consistent messaging and support.

  • The Ranking Member then inquired about future-proofing VA’s cybersecurity efforts. Mr. DelBene spoke on the importance of training a skilled cybersecurity workforce capable of anticipating emerging threats and leveraging technologies like AI. He described the ongoing implementation of a zero-trust framework, which assumes no default trust within systems, to strengthen defenses. He acknowledged the challenges of adapting to new and unexpected attack methods but focused on logical decision-making and risk assessment to mitigate vulnerabilities.

👨‍💻 IT issues:

  • IT issues were a central focus of the hearing. The larger topics discussed included outdated infrastructure, decentralization challenges, electronic health records (EHR), audit overload, and a zero-trust architecture.

📋 Government contracting:

  • Government contracting was addressed in the context of VA partnerships with private vendors like Change Healthcare and Optum. These entities are critical for billing and data management but were identified as vulnerabilities in the VA’s cybersecurity framework. The February 2024 Change Healthcare breach, which exposed over 100 million records, raised concerns about contractors’ cybersecurity practices and highlighted the VA’s reliance on external systems for sensitive operations. Discussions led to calls for stricter contractor oversight and adherence to federal security baselines to safeguard veterans’ information.

NIMITZ TECH COLLAB

This week, we combined efforts with Nimitz Tech to bring you coverage of this hearing on both veterans affairs and technology issues. If you are interested in receiving these updates for all things tech, please click the subscribe link below:

Nimitz Tech: Your inside look at technology & AI policy
