VA issues report on security for mobile devices

The U.S. Department of Veterans Affairs (VA) Office of Inspector General has published the findings of its investigation into allegations made in 2011 that the organization was circumventing security requirements for Apple mobile devices.

The May 23 report exonerated the agency, stating that the VA's approach of allowing only applications that comply with the FIPS 140-2 standard to access or store sensitive encrypted data on the mobile device met the Federal Information Security Management Act of 2002 (FISMA) requirements for data protection. FIPS 140-2 refers to the Federal Information Processing Standards Security Requirements for Cryptographic Modules.

That said, the VA could improve security controls and systems management by ensuring an accurate inventory and consistent configuration for the mobile devices that are deployed throughout the system, according to Linda Halliday, the assistant inspector general for audits and evaluations.

The number of Apple mobile devices in use is currently limited to about 200 in a pilot program being tested by physicians using the VAi2 iHealth application to access patient data in the Veterans Health Information Systems and Technology Architecture (VISTA) system. But Halliday noted that the VA's infrastructure is currently being expanded to support a wide variety of mobile devices.

The report stated that the VA had performed appropriate testing and added additional encryption functionality. However, the agency did not have an accurate inventory of the mobile devices being used. Because it had not fully implemented minimum baseline security standards for all mobile devices, it did not ensure a consistent security configuration. Different geographic regions were configuring different security standards, resulting in inconsistent security profiles and risks.

This situation was not acceptable, according to the report, and a security baseline standard for mobile devices that will be updated regularly has been developed by the Office of Information Technology; it is the responsibility of VA offices deploying mobile devices to use it.

Page 1 of 603
Next Page