According to govhealthit.com, the Veterans Affairs Department has gone from being the icon of incompetence to a “model for how to effectively integrate tough safeguards into its daily operations.” It has listed six “lasting effects” (positive ones) from the 2006 VA data breach that affected 26.5 million veterans. Two of those six concern the use of encryption, specifically including laptop encryption software like AlertBoot.
Best Practices at VA
According to an interview with govhealthit.com, Roger Baker, VA CIO, has listed the following as “among the best practices…[that the] VA has established to shore up its information security protections” (my emphases):
1. VA has an independent privacy breach analysis team made up of legal, technology, business and privacy officers who examine each incident that is reported to Congress, how it was handled and what else can be done to prevent it in the future;
2. VA encourages reporting of near-misses, a technique learned from NASA, without repercussions unless it was egregious or violated laws in order to fix problems before they become bigger;
3. Transparency on data breaches helps to drive employee training because they have read about it in the press, and they don’t do it anymore;
4. All VA laptops are encrypted;
5. Personal data does not flow outside the VA unless it’s encrypted according to the latest federal information processing standard from the National Institute of Standards and Technology (NIST);
6. VA CIO reports daily to the VA secretary about any information protection incidents.
You’ll notice that points 4 and 5 involve encryption. Given that the 2006 data breach was triggered by the loss of a laptop computer and an external hard disk, it shouldn’t come as a surprise that encryption features prominently as a security measure. But the use of encryption software is not mere window-dressing for placating critics. As long as laptop computers are being used, and as long as employees are authorized to take those laptops home, disk encryption will be the control that prevents a sizable chunk of potential data breaches: a lost device whose disk is fully encrypted is a lost device, not a breach of the data on it.
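As an added illustration of point 5, not code from the article, the VA or AlertBoot: a small Go program that seals one record of personal data with AES-256-GCM before it leaves the organization and rejects it on receipt if anything has been altered in transit. AES and GCM are NIST-approved (FIPS 197 and SP 800-38D); the key, the record contents and the recipient label are constructed sample values, and Go’s standard library is used here only to show the mechanism, not as a claim that it is a FIPS 140-validated module.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptRecord seals one record of personal data with AES-256-GCM.
// key must be 32 bytes (AES-256). aad is authenticated but sent in the
// clear (e.g. a recipient or case identifier), so a sealed record cannot
// be silently re-addressed to a different recipient.
// Returns nonce || ciphertext || 16-byte tag, ready to leave the network.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: reusing a nonce under the same key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord opens an envelope produced by EncryptRecord. Any change to
// the nonce, ciphertext, tag or aad makes Open fail, so the caller never
// sees altered data.
func DecryptRecord(key, envelope, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(envelope) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("envelope too short to contain nonce and tag")
	}
	nonce, ct := envelope[:gcm.NonceSize()], envelope[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample values; a real key comes from a key-management system.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("veteran_id=EXAMPLE-0001;dob=1950-01-01") // constructed
	aad := []byte("recipient=contractor-example")            // constructed

	env, err := EncryptRecord(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(record), len(env))

	if pt, err := DecryptRecord(key, env, aad); err == nil {
		fmt.Printf("recipient recovered: %s\n", pt)
	}

	// Flip one bit of the ciphertext in transit: the tag no longer verifies.
	env[len(env)-1] ^= 0x01
	if _, err := DecryptRecord(key, env, aad); err != nil {
		fmt.Println("altered envelope rejected:", err)
	}
}
```

The design point is that “encrypted according to the NIST standard” means an authenticated mode with a per-record nonce and a properly sized key, not just any use of AES: the receiving side gets either the exact record that was sent or an error, never a silently corrupted one.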
You should also notice that the rest of the points actually concern best practices in safeguarding data, such as running an analysis of weak points and ensuring that employees are trained and updated on security issues. I especially like point #2.
The VA’s Come A Long Way
The Veterans Affairs Department should be congratulated. It did take a while, but it finally got there. Along the way, I learned quite a bit covering their progress.
For example, it took the VA approximately 5 years to encrypt all of its laptops. Things were complicated by the fact that the VA is not one organization situated in one building (there were geographic boundaries to be covered), plus the usual set of complications, like computer hardware specs, that a solution like AlertBoot managed encryption software would resolve in no time (we deploy the encryption software via the web using a centralized cloud-based console, and the solution automatically checks for incompatibilities before attempting the installation).
On the whole, it didn’t look like it ought to have taken half a decade. But it dragged out for five years because certain laptops used with medical applications were incompatible with disk encryption. Plus, there was the unusual situation where contractors to the VA refused to use encryption (and not just a handful, but 578 of them).
Coulda, woulda, shoulda: don’t get caught with your pants down when a data breach hits you. Learn from the mistakes of others. Prepare for a data breach, not only by having a battle plan — who to contact when it happens, who should be contacted, etc. — but by putting up the proper defenses.
Following the six best practices listed above is a pretty good way to get started.