Feature: VA beefs up security measures in response to stolen laptop
The U.S. Department of Veteran Affairs (VA) has put measures in place to prevent both malicious and accidental situations where personal information could be potentially compromised, Steve Kastin, MD, chief healthcare IT strategist with enterprise infrastructure engineering at the VA's Office of Information and Technology, said in an interview.

In January 2009, the VA ended three years of litigation after a laptop was stolen in what is suspected to have been a routine burglary in 2006, with the VA agreeing to pay a $20 million settlement to those whose personal information was on the laptop. After a thorough investigation, it was determined that the personal information contained on the laptop had not been accessed by the thieves.

Since then, to protect against the potential loss of sensitive information, the VA mandates full-disc encryption on all VA-issued laptops, according to Kastin. This means that for government-owned equipment, if a laptop does get misplaced or stolen, the hardware is protected not just by password protection but the hard drive is fully encrypted so “even if someone took out the disc and put it in another computer as a second disc, they still wouldn’t be able to access its information.”

However, remote access to the VA systems is accomplished using Cisco-based VPN software that the VA calls RESCUE (Remote Enterprise Security Compliance Update Environment). There are two versions of RESCUE, one for government-furnished equipment (GFE) and one for non-government furnished equipment (OE – “other equipment”).

Both versions of RESCUE establish a secure VPN tunnel through the VA’s firewall, and also scan the remote computer prior to full connection, to assure that a VA-approved firewall and anti-virus software is running, according to Kastin.

“VA employees using GFE for remote access are able to save work on the remote computer, but doing so is discouraged, and if they want to save or store sensitive data on the remote computer, special advance permission is required,” Kastin stated.

In addition, the OE version of RESCUE creates a virtual desktop on the remote computer, which gets deleted at the end of each session. The local hard drive or any kind of removable storage (like a flash drive) is inaccessible with RESCUE OE, according to Kastin. While employees could save files to the virtual desktop, they would be deleted when the employee disconnects so “when you’re coming in on personally-owned equipment, there is no technical way to save data on your local machine.”

An additional security measure VA is undertaking is to secure storage devices like flash drives and portable hard drives. Using Sanctuary Device Control (SecureWave), VA is able to disable the USB port for any non-approved input devices. The only devices for mass storage that get approved by VA are ones that are encrypted, according to Kastin.

Some input devices that VA uses are password protected and some are biometric-protected. “For the biometric devices, there is a fingerprint reader built into the device where you swipe your finger over the reader to unlock it,” Kastin stated.

“We are also in the process of implementing programs that scan outgoing e-mails to look for patterns that look like personal information that shouldn’t be emailed out, like a social security number,” Kastin said. In this example, the program would look for a pattern of numbers in outgoing emails that start with three numbers, then a dash, then two numbers, then another dash, and ending with four numbers.

As far as optical drives go, VA’s strategy is to not buy a computer with an optical drive unless it really needs one and even then, Sanctuary can disable the writing component so the optical drive becomes just a reader for educational purposes, according to Kastin.

“The goal,” said Kastin, “is to minimize the amount of VA data stored on remote equipment such as laptops, even with full disc encryption in place. And for non-government owned equipment, storing data is impossible.”

“These barriers that we’ve put in place, I think, will prevent the innocent, accidental loss of data,” affirmed Kastin. “There are many different ways that data can leak out, and we’re trying to cover all of our bases.  We’re very focused on protecting personal information, so we feel these measures are appropriate.”