×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Most Veterans Administration Data Breaches From Paper Documents Not PCs

samzenpus posted about 8 months ago | from the turn-on-the-shredder dept.

United States 50

CowboyRobot writes "'Between 96 and 98 percent of our [data breach] incidents — it varies from month to month — deal with physical paper where people are not thinking about the fact that that piece of paper they're carrying around making benefits determinations has sensitive information and they need to protect it,' said Stephen Warren, VA acting assistant secretary for information and technology. 'If you consider the fact the VA has about 440,000 people that we service and that the department over 900,000 devices on the network, [a data breach count relating to IT assets] of somewhere between one and 10 in a month is pretty good,' Warren said. 'And many of those are things disappearing in inventory. Many are found subsequently because they got moved somewhere.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

50 comments

SO STAY AWAY FROM PAPER !! (1)

Anonymous Coward | about 8 months ago | (#44605109)

It is not safe !! BEWARE !!

headline needs an "are" (0)

rossdee (243626) | about 8 months ago | (#44605123)

between breaches and from

Re:headline needs an "are" (1)

Anonymous Coward | about 8 months ago | (#44605141)

No it doesn't. It's called sentence compression, and the media has been doing it for a long time in headlines.

Re:headline needs an "are" (4, Interesting)

wonkey_monkey (2592601) | about 8 months ago | (#44605291)

In this case it was a bad idea, mostly because "breaches" can be both a verb and a noun. Come to think of it the whole headline could use a rewrite, because it's not clear that "Veterans Administration" is a thing by itself and the lack of apostrophe - while quite possibly "correct" - doesn't help. I read it as:

Most Veteran's (Administration Data) Breaches (v.) From Paper Documents Not PCs

Re:headline needs an "are" (0)

Hoangnhan Nguyen (3024019) | about 8 months ago | (#44605511)

In this case it was a bad idea, mostly because "breaches" can be both a verb and a noun. Come to think of it the whole headline could use a rewrite, because it's not clear that "Veterans Administration" is a thing by itself and the lack of apostrophe - while quite possibly "correct" - doesn't help. I read it as:

Most Veteran's (Administration Data) Breaches (v.) From Paper Documents Not PCs

Ph tùng ô tô [quangdenoto.com]

Re:headline needs an "are" (0)

Anonymous Coward | about 8 months ago | (#44605531)

It could use a rewrite, but in a different way... VA is Veterans Affairs, so it should've been VA, or Veterans Affairs. Which would then make sense to Americans, but not people in other countries. But data doesn't breach much of anything by itself, so I don't see what the confusion could be there.

Re:headline needs an "are" (1)

Anonymous Coward | about 8 months ago | (#44605295)

I'd go insane if they stopped using it. Reading the summary (nevermind the article) is already a chore for me, and having to read a few extra words in the title would kill me!

Re:headline needs an "are" (1)

lxs (131946) | about 8 months ago | (#44605407)

While you're at it change breaches to breeches. I'd like to see a pair of breeches made from paper documents.

What on earth are they printing? (4, Interesting)

Hadlock (143607) | about 8 months ago | (#44605209)

It's 2013, they should have finished scanning all of their documents in by 2002, 2005 at the very latest. What on earth are they printing over there? I work in a regulated industry and we shred everything we print. On a bad week I might print all of 10 pages.
 
Papers going to benefits recipients shouldn't receive many, if any documents with their personal information on them - that data goes in the opposite direction, which should be immediately process, or scanned for later processing.
 
Something is fundamentally broken over there.

Re:What on earth are they printing? (5, Informative)

davester666 (731373) | about 8 months ago | (#44605273)

Welcome to gov't bureaucracy. You must be new to this planet.

Re:What on earth are they printing? (1)

peragrin (659227) | about 8 months ago | (#44605797)

the problem is the VA is the best and most efficient run health organization in this county. the va makes everyone else look like idiots.

Re:What on earth are they printing? (4, Interesting)

Penguinisto (415985) | about 8 months ago | (#44607199)

As the spouse of a disabled veteran, I call bullshit to that one.

It has its good points, but the data inefficiency is astronomical. TFA is right about the paper problems - when medication is routinely mailed, and includes a huge wad of paper (required) that lists personal patient info alongside the side effects and etc? When I could literally wander anywhere in the building, and pick up a ton of ID theft-friendly info from papers containing personal patient info sitting around on desks, nurses' stations, and et al?

Little wonder the VA has such a huge data leakage problem from paper... I'm always rather astounded by the amount of paper that even a simple office visit at a VAMC generates.

Re:What on earth are they printing? (0)

Anonymous Coward | about 8 months ago | (#44607445)

penguinisto called bullshit, and so do I. I haven't used VA medical services and I doubt I will unless I have no other choice -- I know a lot of fellow veterans and hear their horror stories. For instance, they won't prescribe Viagra, only Cialis, despite the fact that Cialis doesn't work when you're drinking and doesn't work for a lot of sober people.

Re:What on earth are they printing? (2)

AK Marc (707885) | about 8 months ago | (#44605323)

Try reading TFA. They manage to print beneficiary statements and send them out to the wrong address. How do you work if you don't give receipts, bills, or statements of benefits?

Re:What on earth are they printing? (0)

Anonymous Coward | about 8 months ago | (#44605351)

It's really more widespread than just the government. I've seen a lot of stupid shit like print -> mail/fax -> scan in just about every type of business. It's like these people are so afraid of technology that they can't be bothered to learn how to at least send an email, much less more secure means of electronic file transmission. Not only is it insecure as hell, it makes a process that should take mere seconds take anywhere from hours to weeks.

I really don't understand why we use paper for anything more than jotting down notes and art. There's no reason for it anymore other than pure laziness and willful ignorance.

Re: What on earth are they printing? (0)

Anonymous Coward | about 8 months ago | (#44629053)

Totally agree. What kills me the most is they still print phone books.

Re:What on earth are they printing? (0)

Anonymous Coward | about 8 months ago | (#44605365)

"or scanned for later processing."

Ironically, if you've used a xerox scanner, they're probably in a better position than you are. At least they still have (most of) the originals.
(http://www.businessweek.com/articles/2013-08-12/xeroxs-scanner-problem-just-got-bigger)

Computers aren't good enough yet (3, Insightful)

Sockatume (732728) | about 8 months ago | (#44605949)

Not this case specifically, but in my experience where documents exist and travel in electronic form, you still print them off to do work on them.

Computers are great tools for writing documents. Computers are great tools for looking up and reading out a single datum. Computers are great tools for large-scale data analysis. What they are not good for is sitting down with a modestly-sized group of data - say, twelve letter-sized sheets - and getting something done. You can't get a screen big enough, or an interface lean enough, to replicate the kind of easy access you get from spreading the pages across your desk, or even using fingers and bookmarks to quickly jump between places. The relationships between individual documents are never as obvious as when you pull out a sheaf of records and pore over it.

So, people print documents off while they're working with them, and sometimes they forget that those documents are supposed to be shredded, or meticulously filed away.

Now, this is something that computers should be good at, but it's hard, and it's not in the wheelhouse of most software developers or companies. Look at scientific publications. You have a whole lot of documents encrusted in rich, well-formatted meta-data, being used by organisations that could throw down thousands on records-management software like it was loose change. Yet we only just have Papers and Mendeley. We're only just transitioning away from filing cabinets.

Re:Computers aren't good enough yet (3, Insightful)

Sockatume (732728) | about 8 months ago | (#44605987)

I should add that this is a problem for data security; there seems to be a mistaken belief that we entered a paperless world in 2000 and all our information security problems are now computer security problems.

Re:What on earth are they printing? (0)

Anonymous Coward | about 8 months ago | (#44606155)

Many of the records are barely legible handwritten notes. These cannot be successfully scanned, yet contain information vital to benefits claims.

Re:What on earth are they printing? (1)

sabbede (2678435) | about 8 months ago | (#44606315)

Haven't you heard? The VA is still mostly on paper. Big problem when it comes to processing medical benefits. The VA is literally collapsing under the weight of all the paper.

Paper has a lot of benefits (3, Insightful)

sjbe (173966) | about 8 months ago | (#44606661)

It's 2013, they should have finished scanning all of their documents in by 2002, 2005 at the very latest. What on earth are they printing over there?

Patient medical charts and financial information mostly. Getting all that digital is an incredibly difficult and a FAR more challenging problem than most people realize. In a lot of cases the economic case for paper is actually better because going digital is so difficult and/or expensive.

I work in a regulated industry and we shred everything we print. On a bad week I might print all of 10 pages.

The industry you work in has precisely NOTHING to do with how healthcare can or should be managed. That would be like me saying what works for engineering should be perfectly appropriate for accounting. the argument makes no sense. As it turns out health care is incredibly complex and designing IT systems to do away with paper is difficult, time consuming and frequently not actually the most efficient way to solve many of the problems they face. If there is a more complicated industry than health care I'm not aware of it. Just because theoretically we can solve problems with IT doesn't mean it can be done today or that it is necessarily the correct answer to every problem.

Re:What on earth are they printing? (0)

Anonymous Coward | about 8 months ago | (#44606839)

These types of security problems are wetware problems. Pure and simple--take the wetware out of the medical industry and security breaches will stop!

Obviously people prefer paper in certain types of situations.
I was getting stitches removed after surgery in the outpatient clinic of a city hospital. A list of all the doctors in the clinic was taped to the wall with other notices. Doctor's full name, pager number, office number, home number, cell number were all listed. I took a picture of this and showed to a supervisor. The list was gone the next time I visited. I went to another city hospital for outpatient surgery. The intake person brought a stack of paper--patient intake paperwork. Put it down under a sign giving the patient's rights under HIPPA. She got up, walked away and left all the patient files sitting on top of the desk--in plain view. I brought this to her attention and she profusely apologized and put the other patient's paperwork out of sight.
Obviously these two incidents will be repeated by the same people again and again (consistent with my observations in hundreds of similar situation). Scott McNealy said, "There isn't any privacy [security] with the Internet. Get over it." Regrettably he is correct.

Physical breaches of security (3, Informative)

matria (157464) | about 8 months ago | (#44605249)

Indeed. Some years ago I worked in the medical records (excuse me... Health Information Services) department of a clinic with the University of Miami. More than once I saw a doctor leaving the building on his way home with a bag full of medical records. This was quite illegal. And, of course, our department got blamed when the patient came in and his records could not be found.

Re:Physical breaches of security (2)

sribe (304414) | about 8 months ago | (#44606883)

This was quite illegal.

It most certainly was not. It may well have been against hospital policy, but there is no law restricting a doctor from carrying around his patients' records and studying them where ever he wants to.

paper is still less dangerous (4, Insightful)

someone1234 (830754) | about 8 months ago | (#44605313)

When there is an electronic data breach, there are hundreds or thousands or more records. When it is a paper breach, it is probably less than ten records at once.

Re:paper is still less dangerous (2)

Sockatume (732728) | about 8 months ago | (#44605953)

The issue with paper isn't an outside breach, it's someone throwing a two-inch stack of papers out in the recycling bucket, which might be a few hundred to a thousand records.

https://www.google.co.uk/search?q=records+found+in+bin&oq=records+found+in+bin&aqs=chrome.0.69i57j69i60j69i65l2j0l2.2171j0&sourceid=chrome&ie=UTF-8 [google.co.uk]

Re:paper is still less dangerous (1)

Decker-Mage (782424) | about 8 months ago | (#44606157)

Or every damn one of us is in the electronic breach (12+ million as I recall). And yes, I've been breached several times and the disgusting part is that whenever you even think about looking at anything in my records, you get presented with a restricted access screen with all sorts of extra cautions and steps since I was a VA employee in the past (and my be again, who knows). I do understand what they are driving at here, most of these breach notices are really minimal patient hazard incidents. It's just when they do make a mistake, and invariably it's a piece of lost IT equipment with exactly the wrong stuff that shouldn't even be on it in the first place, that hits the headlines and extra expenses, and overtime everywhere, become required as a result until the heat dies down and everyone can go back to sleep.

OTOH, I do not like the attempt here to conflate electronic with paper breach incidents. Paper has weight and requires rather more energy to transfer information from one place to another. Electronic records do not, not even close. Nor is paper as easy to dispense in terms of speed (records/sec). This is the same sort of misrepresentation we are seeing from all levels of the Executive Branch from the President on down, especially the DNI, NSA, and every damn company out there that's rolled over around the surveillance scandals.. (Prolly where this VA type learned it from) I am not the least bit amused.

And the likelihood of ever being employed by the VA just went to zero ;-).

Re:paper is still less dangerous (0)

Anonymous Coward | about 8 months ago | (#44606489)

Not necessarily. The biggest data breach at my company was when a disgrutled employee walked off with a printed copy of the sales ledger. Only a few hundred sheets of paper, but very high value information.

Re:paper is still less dangerous (0)

Anonymous Coward | about 8 months ago | (#44606857)

You are guessing.

My experience is that "10" is grossly under-guessed.

Slashdot requires javascript enabled now? (-1)

Anonymous Coward | about 8 months ago | (#44605335)

Who is the tard who changed the function of /.'s OLDER news button? Without javascript enabled it does nothing!

You do know this is alienating a large amount of your viewers? For shame /. , for shame!

What's next - Flash plugin to be required to load content?

"That that"? (1)

libtek (902569) | about 8 months ago | (#44605425)

>"...people are not thinking about the fact that that piece of paper they're carrying around..."

*That *the*?
FTFY

Re:"That that"? (4, Funny)

wonkey_monkey (2592601) | about 8 months ago | (#44605625)

That "that that" that you have pointed out is perfectly valid. That that "that that" that that person has chosen to use seems wrong to you is neither here nor there.

900,000 devices? (1)

Anonymous Coward | about 8 months ago | (#44605493)

Why does a department which services 440,000 'customers' and presumably has far less than a tenth of that in staff need 900,000 'devices' on the network?

Re: 900,000 devices? (1)

Anonymous Coward | about 8 months ago | (#44605507)

Because they're honest enough to count every one. Routers, bridges, thermostats, etc...

I think you are misreading the 440,000 (3, Informative)

DigitalReverend (901909) | about 8 months ago | (#44606153)

The 440,000 would be employees and volunteers of the VA. The VA itself actually handles a lot more than that. There's 21.5 million veterans, of that 3.5 million receives disability compensation. Every veteran is eligible for health care in the VA system. So for 444,000 users of the VA information technology, 900,000 devices isn't that far fetched to handle the date for 3.5 million + veterans.

http://www.infoplease.com/spot/veteranscensus1.html [infoplease.com]
http://www.va.gov/opa/publications/factsheets/fs_department_of_veterans_affairs.pdf [va.gov]

In other news (-1)

Anonymous Coward | about 8 months ago | (#44605541)

Most men's anal breaches are from faggots' erect penises.

Can't be a surprise (1)

sabbede (2678435) | about 8 months ago | (#44606303)

Haven't we been hearing about how the VA still has piles of paper records because they haven't digitized their systems yet? Seems to me that there probably isn't all that much digital data to lose.

incidents != severity (0)

Anonymous Coward | about 8 months ago | (#44606331)

The difference in an incident with paper might be single individual. A computer breach compromises tens of thousands at a time.

It is like the difference between dropping a penny on the ground and draining your life savings.

"Data breach"=social security number (0)

Anonymous Coward | about 8 months ago | (#44606909)

Pure and simple.

I have a foolproof system that safeguards my SSN: NO ONE will issue me credit at this point..

Inventory losses (4, Interesting)

BenEnglishAtHome (449670) | about 8 months ago | (#44607785)

The comment on inventory losses hits home. I'm retired from a large government agency. Back in the day, IT understood that it was our job to keep other, more important employees working. To that end, my division bought 110 laptops for every 100 laptop users. It kept the extras in stock as close to the users as possible.

When a user had problems, it was a 30 minute fix to swap hard drives into a new laptop, test, do the paperwork, and send the user back to work. If a drive died, it was about an hour of work to pull a new machine off the shelf, image it, and back up the user data from the local servers.

Unfortunately, most IT techs discovered those 30 minute hard drive swaps could be cut to 15 minutes or less if you neglected the paperwork. Laptops got lost. IT thought they were doing a great job. Our users loved us because we got them back to work asap. The executives, however, didn't like it.

They had to sit in front of a Congressional oversight committee every year and explain why a large number of laptops seemed to be missing. They weren't lost out of the organization, of course. They were temporarily misplaced. They were always found, eventually. There were no data losses.

Neither the executives nor Congress cared about our core mission when they had a juicy headline to bash us with in the press, every year, without fail.

The executives and IT hashed it out. They decided that the core business of the bureau was completely unimportant. The execs decreed that no matter what it took, they should never have to sit in front of a committee and explain things ever again.

Spare equipment was cut to the point of non-existence. All spare equipment was centralized in a half-dozen "depot" sites spread around the country. They were as far from the end users as possible. Getting anything replaced required dealing with a depot and doing overnight shipments.

The minimum time frame to fix a dead hard drive became, at minimum, several days. A highly paid employee who brought in a dead laptop on Monday morning would give it to IT and, in the best possible case, it would get shipped out that day, arrive at the depot on Tuesday who would ship a replacement, arrive back locally on Wednesday where it would be imaged and delivered back to the user later that day. That's 2.5 days AT BEST with a highly paid employee effectively idled.

If a single person (the IT tech, the local inventory specialist, the depot inventory specialist, the depot shipping clerk, and maybe more) was out of place, add a day to that cycle time. Average repair times, when hardware had to be replaced, jumped to ~4 days.

Prior to that, no matter how big the meltdown, an individual user could be back to work inside 2 hours and often in less than a half hour.

The troops were on the verge of mutiny and morale on computer issues went into the toilet.

The executives were insanely happy. They had set up a special IT department for themselves that worked the old way so they never suffered delays. Plus, they didn't have to testify before Congress any more.

I said all that to say this - When you read that some big government agency is losing computers it does NOT mean that data is being lost. It may well mean the IT department is actually doing their jobs instead of sacrificing the efficiency of their entire agency to cover the executive asses.

So when the quoted source says that losing a few laptops is no big deal, cut him some slack. He's right.

Re:Inventory losses (1)

kermidge (2221646) | about 8 months ago | (#44613907)

Thanks, Ben, that explains a number of things; I recall several of the stories that hit the news and a few (very few) follow up pieces that had an explanation; until you ran through one of the common realities I'd be left wondering who was trying to pull what with alternate recountings.

A lot of the Paper comes from the DoD (0)

Anonymous Coward | about 8 months ago | (#44635261)

People complaining about the VA not being able to deal with the Paper load, don't realize that the Department of Defense sends its information to the VA on paper. The VA doesn't have a choice about it, and has to deal with the paper. Its not that the paper is printed out by VA employees that should stay in electronic form. The VA never gets the electronic document from the DoD to begin with.

Incidentally, this is also part of the cause for the Daily Show saying the VA is so slow with granting VA Benefits. The employees don't have the information to make the decision, because they have to funnel paper through their workflow.

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...