The Department of Veterans Affairs generally does a good job managing department-issued mobile devices, a recent report by the agency’s inspector general has found.
However, as with most topics in cybersecurity, there’s a bit of an asterisk here — specifically when it comes to overseeing and enforcing a “blacklist” of potentially malicious mobile applications. VA’s Office of Information and Technology told the IG that it had decided not to enforce a blacklist on its roughly 50,000 mobile devices because of the work associated with it. This, the IG says, introduces some potential vulnerability.
“Because OIT has not implemented blacklisting, users can download applications that are not authorized on VA mobile devices, such as cloud-based applications,” the report reads. “Cloud-based applications could allow users to transfer locally stored VA data into uncontrolled storage, increasing the risk of lost VA data.”
The VA does offer mobile security training for device users, but it doesn’t confirm whether users have actually participated in this training.
The IG report makes a total of three recommendations, including that VA OIT figure out how to enforce app blacklisting and make sure that mobile device users participate in security training.
The VA agreed with all of the recommendations and stated that it is already working toward them. For example, a principal deputy assistant secretary said, the VA is “working on” installing the “Lookout” app on all its mobile devices — a service that scans mobile apps on the device for malicious behavior.
Protection of VA data, especially data that involves the personally identifiable information (PII) of veterans, is an important topic. An IG report from earlier this month found that sensitive data from a field office in Milwaukee had been erroneously stored on a shared network drive.
While the IG could not find evidence of a breach in that instance, it did state that the mistake had put veteran data at unnecessary risk. “Until VA officials take steps to guard against user negligence, implement technical controls that prevent users from storing sensitive personal information on shared network drives, and issue oversight procedures to adequately monitor shared network drives, veterans’ sensitive personal information remains at risk,” the report stated.