Cybersecurity, Interoperability Central to VA’s Current IT Efforts

The Department of Veterans Affairs cannot find any evidence of its networks being hacked by a nation-state, despite the insistence of a member of the House Veterans Affairs Committee that such an intrusion took place.

“I’m a little perplexed because we’ve been going back and forth with the committee,” VA CIO Steph Warren said during his monthly public cybersecurity briefing. “[W]e’ve had conversations with the National Security Council, we’ve had conversations with the Homeland Security Department, we’ve had conversations with the FBI [in] the counter intelligence and cybercrimes area, and we’ve asked specifically ‘Are you aware of’ and they’ve all come back and said, ‘No.’

Rep. Jackie Walorski (R-Ind.) made the allegation March 19 during a committee hearing.

Warren presented statistical data in the VA’s monthly report showing that cybersecurity measures blocked more than 4.3 million intrusion attempts and blocked or contained more than 930 million attempts to insert malware, as well as more than 68 million suspicious or malicious emails.

“The amount of bad stuff out there is not dropping off,” Warren said. “We’re still seeing an increase in the amount of malware blocked [or] contained.”

Also noted in the report, to date – that is, not just in February – nine medical devices infected with malware have been identified and contained, with remediation under way, Warren said.

“We have upward of 65,000 medical devices connected to the network,” he said. “We track and monitor [these] with a particular level of care.”

The department is making headway in establishing interoperability between VA and the Defense Department, Warren said. There are three major elements to an electronic healthcare management system, he explained – the interface on the monitor used by physicians and nurses, the back-end systems needed to run a hospital or medical center, and the connection level that knits those together.

VA is connected to DoD in that third element, called Janus, so the department can “translate” the data sent it by DoD, or DoD can translate VA data.

“On the DoD side they’re getting a new presentation layer and new back-end, but the connection layer is in place,” he said.

VA has a pilot under way for an enterprise-level healthcare management platform (EHMP) that will replace Janus. The pilot is running at two sites now; Warren said VA is looking at expanding the pilot to 30 sites between now and this fall.

“Working with clinicians is the effort, not the software development,” he said.