Several House members expressed concern today over the Department of Veterans Affairs’ (VA) approach to managing cyber risks and the agency’s cybersecurity strategies, while the agency’s chief information security officer countered that VA cyber programs are on par with those at work in other Federal agencies.
“VA prides itself as being the nation’s largest integrated health care provider. In that role, VA should be at the forefront of addressing many of these risks, and should be a leader in healthcare cybersecurity,” said Rep. Frank Mrvan, D-Ind., chairman of the House Veterans Affairs Subcommittee on Technology Modernization, at a subcommittee hearing today.
“As VA continues the process of modernizing its IT systems to deliver health care, adjudicate disability claims, and provide educational benefits, information security management should be a key component from the onset,” Rep. Mrvan said.
“The subcommittee is still concerned that VA has not done enough to assess risks and develop long-term information security strategies,” he said.
Chairman Mrvan cited ongoing challenges within the VA, saying “numerous Inspector General and Government Accountability Office reports continue to cite management failures, and lack of internal oversight. They also repeat recommendations, year after year, seemingly without adequate progress in resolving them.”
Ranking Member Matt Rosendale, R-Mont., also expressed concerns about VA’s IT capabilities, and cited the relatively small budget for the agency’s Office of Information and Technology as cause for concern.
“VA has a crucial mission to provide timely benefits and high-quality health care to our veterans. I know significant information technology requirements go along with that. However, I don’t think the department’s IT capabilities have kept pace with the growth everywhere else,” Rep. Rosendale said.
“I do not measure results in the terms of dollars that are spent, I measure results in terms of outcomes. But that being said, the budget for the Office of Information and Technology has been flat for years, while the rest of VA ballooned,” the congressman said.
However, Paul Cunningham, deputy assistant secretary of VA and the agency’s CISO, said he feels “VA is on par or slightly above par with the rest of the Federal space” when it comes to its cybersecurity program.
“My work with Department of Energy, and my discussions with other CISOs, I find that the challenges that we see [at VA] are equally shared across the Federal space,” Cunningham said. “Although the type of information that we’re protecting is a little bit of a challenge, a little bit different from my counterparts, I do find that we do suffer from the same set of challenges.”
Cunningham said VA has looked to each of the eight elements in the Federal Information Security Modernization Act (FISMA) of 2014 “to improve our understanding of risk from an organization mission and system level. That’s been a standard discussion, again cybersecurity, for the last two years that I’ve been here.”