From: InfoSec News (alertsinfosecnews.org)
Date: Wed Jul 25 2007 - 00:28:47 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.govexec.com/story_page.cfm?articleid=37563

By Ben Evans
Associated Press
July 24, 2007

WASHINGTON (AP) -- More than a quarter of the computer equipment at the
Veterans Affairs Medical Center in Washington could not be found by
investigators, government auditors reported Tuesday.

Three other VA facilities showed slightly better results but still could
not locate between 6 percent and 11 percent of their equipment,
including computers, hard drives, monitors and other devices. In all,
the four facilities audited by the Government Accountability Office
reported more than 2,400 missing items originally worth $6.4 million.

Aside from decrying potentially wasted tax dollars, lawmakers said the
report raises fresh questions about the security of the agency's
information, including sensitive medical records and Social Security
numbers.

The audit follows a series of computer data security breaches at the
agency that exposed millions of veterans and medical providers to
possible identity theft.

"It has a very corrosive effect on trust in the VA in general," said
Rep. Tim Walz, D-Minn. "I think all of us up here are sensing the
frustrations of our constituents and our veterans."

For the audit, the GAO sampled equipment inventories at medical centers
in Washington, San Diego, Indianapolis and at VA headquarters offices.

The auditors said much of the equipment that could be found was not
where inventory records said it should be. Equipment often was moved or
set aside for discard without documentation. As a result, it was
difficult or impossible to determine what had happened to the missing
equipment, the report said.

Equipment slated for disposal -- some containing sensitive records --
often sat unprotected in storage rooms for months or years, the report
said.

"Essentially no one was accountable for IT equipment," it said.

The GAO found similar weaknesses in a survey of six VA facilities in
2004. GAO officials testified at a House hearing Tuesday that the VA has
made some improvements since then but still has not established
effective inventory controls or held users accountable for equipment.

VA officials did not dispute the findings, but said they were making
progress. Since the three-month audit was completed, officials said they
had located much of the missing equipment or had verified that it was
sent to surplus.

Robert Howard, VA's assistant secretary for information and technology,
said he did not believe the agency has enough manpower to keep up with
the problem.

"It is a situation that we are working hard to remedy," he said.

The VA has been under intense scrutiny in the past year over the quality
of its care for veterans and a series of information technology
blunders.

Last year, the VA lost data on 26.5 million veterans when computer
equipment was allegedly stolen in Maryland. In January, a VA hospital in
Birmingham, Ala., lost sensitive data on more than 1.5 million people
when a hard drive went missing. A recent internal review of that
incident found that the medical center repeatedly failed to follow
policies and regulations to protect information -- including in storing
the hard drive.

VA Secretary Jim Nicholson announced his resignation last week.

Copyright 2007 The Associated Press

_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]