This story was updated with new information at 2:02 PM ET on July 17, 2014.
House Veterans Affairs Committee Chairman Rep. Jeff Miller, R-Fla., has called on five senior VA officials, including acting Secretary Sloan Gibson, to testify at next week’s scheduled hearing on “longstanding information security weaknesses” that have enabled “data manipulation” throughout the agency.
Documents obtained exclusively by FedScoop show that in addition to Gibson, the committee plans to question Assistant Secretary for Information Security Stan Lowe, Executive Director for Enterprise Risk Management Tina Burnette and VA’s deputy chief information officer for product development, Lorraine Landfried.
“This hearing will address VA’s inability to provide timely access to quality care while putting patients’ data in jeopardy of being modified, stolen, or deleted,” Miller wrote in letters to each of the witnesses. Lowe “will testify on the ability to manipulate data within VA’s porous network and the overall lack of data integrity.”
A source on Capitol Hill who spoke to FedScoop on background said VA CIO Stephen Warren will not testify because he is on vacation in Europe through July 30.
“Mr. Warren is out of the country on a personal trip which has been planned for several months,” a VA spokesperson said in an email to FedScoop. “VA’s proposed witnesses are ready and able to answer the committee’s questions.”
In addition, Steve Schleissman, the newly-appointed deputy CIO for product development will likely testify in place of Landfried, whose last day at the agency is July 18.
A VA source who spoke on background said the ERM office has conducted numerous studies on vulnerabilities and risks throughout the Office of Information and Technology that have been forward to Warren. Those studies have been collected in what is called the “risk registry,” the source said. “The feeling at VA is that [Burnette’s] being called to testify about the registry, what it contained, and if anything’s been done with this information by Warren,” the source said. “The work that ERM does is more or less stifled and not discussed.”
In May, FedScoop detailed significant security weaknesses in VA’s main electronic health record system that would allow anonymous users to access patient data and other sensitive information in direct violation of existing policies and federal privacy laws.
According to internal briefing documents obtained by FedScoop, VA’s Office of Information Security briefed senior VA managers in April 2013 on threats posed by anonymous user access to the Veterans Integrated System Technology Architecture, the agency’s electronic health record system known as VistA.
A slide from an April 2013 VA Field Security Service Decision Briefing showing the lack of identity management and audit capabilities in VistA.“VistA and external systems/applications have created designs which result in anonymous user access/interaction with VistA applications and patient healthcare data and will extend to other sensitive/confidential areas,” the briefing document states. “Since the end user is anonymous to VistA, there is no roles based authorization restriction imposed on users.”
Lowe took over the Office of Information Security in February 2013 upon the controversial departure of Jerry Davis, who had accused senior officials within VA’s Office of Information Technology of pressuring him to sign and attest to the security of VA information systems. Davis went on to become the CIO of NASA’s Ames Research Center and remains in that position today.
Current and former VA sources, who spoke on condition of anonymity, also expressed concerns about Burnette’s qualifications to serve as the agency’s director for enterprise risk management. An organizational chart dated Jan. 11, 2012, obtained by FedScoop depicts an office of 120 full-time positions, the vast majority of which are listed as risk management analysts or IT compliance experts.
