Slashdot Mirror

← Back to Stories (view on slashdot.org)

Most Veterans Administration Data Breaches From Paper Documents Not PCs

Posted by samzenpus on from the turn-on-the-shredder dept.

CowboyRobot writes "'Between 96 and 98 percent of our [data breach] incidents — it varies from month to month — deal with physical paper where people are not thinking about the fact that that piece of paper they're carrying around making benefits determinations has sensitive information and they need to protect it,' said Stephen Warren, VA acting assistant secretary for information and technology. 'If you consider the fact the VA has about 440,000 people that we service and that the department over 900,000 devices on the network, [a data breach count relating to IT assets] of somewhere between one and 10 in a month is pretty good,' Warren said. 'And many of those are things disappearing in inventory. Many are found subsequently because they got moved somewhere.'"

50 comments

  1. SO STAY AWAY FROM PAPER !! by Anonymous Coward · · Score: 1

    It is not safe !! BEWARE !!

  2. headline needs an "are" by rossdee · · Score: 0

    between breaches and from

    1. Re:headline needs an "are" by Anonymous Coward · · Score: 1

      No it doesn't. It's called sentence compression, and the media has been doing it for a long time in headlines.

    2. Re:headline needs an "are" by wonkey_monkey · · Score: 4, Interesting
      In this case it was a bad idea, mostly because "breaches" can be both a verb and a noun. Come to think of it the whole headline could use a rewrite, because it's not clear that "Veterans Administration" is a thing by itself and the lack of apostrophe - while quite possibly "correct" - doesn't help. I read it as:

      Most Veteran's (Administration Data) Breaches (v.) From Paper Documents Not PCs

      --
      systemd is Roko's Basilisk.
    3. Re:headline needs an "are" by Anonymous Coward · · Score: 1

      I'd go insane if they stopped using it. Reading the summary (nevermind the article) is already a chore for me, and having to read a few extra words in the title would kill me!

    4. Re:headline needs an "are" by lxs · · Score: 1

      While you're at it change breaches to breeches. I'd like to see a pair of breeches made from paper documents.

    5. Re:headline needs an "are" by HoangnhanNguyen · · Score: 0

      In this case it was a bad idea, mostly because "breaches" can be both a verb and a noun. Come to think of it the whole headline could use a rewrite, because it's not clear that "Veterans Administration" is a thing by itself and the lack of apostrophe - while quite possibly "correct" - doesn't help. I read it as:

      Most Veteran's (Administration Data) Breaches (v.) From Paper Documents Not PCs

      Ph tùng ô tô

    6. Re:headline needs an "are" by Anonymous Coward · · Score: 0

      It could use a rewrite, but in a different way... VA is Veterans Affairs, so it should've been VA, or Veterans Affairs. Which would then make sense to Americans, but not people in other countries. But data doesn't breach much of anything by itself, so I don't see what the confusion could be there.

    7. Re:headline needs an "are" by chill · · Score: 1

      Hasn't Lady Gaga done that already?

      --
      Learning HOW to think is more important than learning WHAT to think.
  3. Burn after reading? by crafty.munchkin · · Score: 1

    Well, it'll prevent further breaches... as long as the whole piece of paper burns!

    --
    ... wait, what?
  4. What on earth are they printing? by Hadlock · · Score: 4, Interesting

    It's 2013, they should have finished scanning all of their documents in by 2002, 2005 at the very latest. What on earth are they printing over there? I work in a regulated industry and we shred everything we print. On a bad week I might print all of 10 pages.
     
    Papers going to benefits recipients shouldn't receive many, if any documents with their personal information on them - that data goes in the opposite direction, which should be immediately process, or scanned for later processing.
     
    Something is fundamentally broken over there.

    --
    moox. for a new generation.
    1. Re:What on earth are they printing? by davester666 · · Score: 5, Informative

      Welcome to gov't bureaucracy. You must be new to this planet.

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:What on earth are they printing? by AK+Marc · · Score: 2

      Try reading TFA. They manage to print beneficiary statements and send them out to the wrong address. How do you work if you don't give receipts, bills, or statements of benefits?

      --
      Learn to love Alaska
    3. Re:What on earth are they printing? by Anonymous Coward · · Score: 0

      It's really more widespread than just the government. I've seen a lot of stupid shit like print -> mail/fax -> scan in just about every type of business. It's like these people are so afraid of technology that they can't be bothered to learn how to at least send an email, much less more secure means of electronic file transmission. Not only is it insecure as hell, it makes a process that should take mere seconds take anywhere from hours to weeks.

      I really don't understand why we use paper for anything more than jotting down notes and art. There's no reason for it anymore other than pure laziness and willful ignorance.

    4. Re:What on earth are they printing? by Anonymous Coward · · Score: 0

      "or scanned for later processing."

      Ironically, if you've used a xerox scanner, they're probably in a better position than you are. At least they still have (most of) the originals.
      (http://www.businessweek.com/articles/2013-08-12/xeroxs-scanner-problem-just-got-bigger)

    5. Re:What on earth are they printing? by peragrin · · Score: 1

      the problem is the VA is the best and most efficient run health organization in this county. the va makes everyone else look like idiots.

      --
      i thought once I was found, but it was only a dream.
    6. Re:What on earth are they printing? by Anonymous Coward · · Score: 0

      Many of the records are barely legible handwritten notes. These cannot be successfully scanned, yet contain information vital to benefits claims.

    7. Re:What on earth are they printing? by sabbede · · Score: 0

      Haven't you heard? The VA is still mostly on paper. Big problem when it comes to processing medical benefits. The VA is literally collapsing under the weight of all the paper.

    8. Re:What on earth are they printing? by Anonymous Coward · · Score: 0

      These types of security problems are wetware problems. Pure and simple--take the wetware out of the medical industry and security breaches will stop!

      Obviously people prefer paper in certain types of situations.
      I was getting stitches removed after surgery in the outpatient clinic of a city hospital. A list of all the doctors in the clinic was taped to the wall with other notices. Doctor's full name, pager number, office number, home number, cell number were all listed. I took a picture of this and showed to a supervisor. The list was gone the next time I visited. I went to another city hospital for outpatient surgery. The intake person brought a stack of paper--patient intake paperwork. Put it down under a sign giving the patient's rights under HIPPA. She got up, walked away and left all the patient files sitting on top of the desk--in plain view. I brought this to her attention and she profusely apologized and put the other patient's paperwork out of sight.
      Obviously these two incidents will be repeated by the same people again and again (consistent with my observations in hundreds of similar situation). Scott McNealy said, "There isn't any privacy [security] with the Internet. Get over it." Regrettably he is correct.

    9. Re:What on earth are they printing? by Penguinisto · · Score: 4, Interesting

      As the spouse of a disabled veteran, I call bullshit to that one.

      It has its good points, but the data inefficiency is astronomical. TFA is right about the paper problems - when medication is routinely mailed, and includes a huge wad of paper (required) that lists personal patient info alongside the side effects and etc? When I could literally wander anywhere in the building, and pick up a ton of ID theft-friendly info from papers containing personal patient info sitting around on desks, nurses' stations, and et al?

      Little wonder the VA has such a huge data leakage problem from paper... I'm always rather astounded by the amount of paper that even a simple office visit at a VAMC generates.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    10. Re:What on earth are they printing? by Anonymous Coward · · Score: 0

      penguinisto called bullshit, and so do I. I haven't used VA medical services and I doubt I will unless I have no other choice -- I know a lot of fellow veterans and hear their horror stories. For instance, they won't prescribe Viagra, only Cialis, despite the fact that Cialis doesn't work when you're drinking and doesn't work for a lot of sober people.

    11. Re: What on earth are they printing? by Anonymous Coward · · Score: 0

      Totally agree. What kills me the most is they still print phone books.

  5. Physical breaches of security by matria · · Score: 3, Informative

    Indeed. Some years ago I worked in the medical records (excuse me... Health Information Services) department of a clinic with the University of Miami. More than once I saw a doctor leaving the building on his way home with a bag full of medical records. This was quite illegal. And, of course, our department got blamed when the patient came in and his records could not be found.

    1. Re:Physical breaches of security by sribe · · Score: 2

      This was quite illegal.

      It most certainly was not. It may well have been against hospital policy, but there is no law restricting a doctor from carrying around his patients' records and studying them where ever he wants to.

  6. paper is still less dangerous by someone1234 · · Score: 4, Insightful

    When there is an electronic data breach, there are hundreds or thousands or more records. When it is a paper breach, it is probably less than ten records at once.

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
    1. Re:paper is still less dangerous by Sockatume · · Score: 2

      The issue with paper isn't an outside breach, it's someone throwing a two-inch stack of papers out in the recycling bucket, which might be a few hundred to a thousand records.

      https://www.google.co.uk/search?q=records+found+in+bin&oq=records+found+in+bin&aqs=chrome.0.69i57j69i60j69i65l2j0l2.2171j0&sourceid=chrome&ie=UTF-8

      --
      No kidding!!! What do you say at this point?
    2. Re:paper is still less dangerous by Overzeetop · · Score: 2

      Which is still less than losing or recycling a hard drive.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    3. Re:paper is still less dangerous by Decker-Mage · · Score: 1

      Or every damn one of us is in the electronic breach (12+ million as I recall). And yes, I've been breached several times and the disgusting part is that whenever you even think about looking at anything in my records, you get presented with a restricted access screen with all sorts of extra cautions and steps since I was a VA employee in the past (and my be again, who knows). I do understand what they are driving at here, most of these breach notices are really minimal patient hazard incidents. It's just when they do make a mistake, and invariably it's a piece of lost IT equipment with exactly the wrong stuff that shouldn't even be on it in the first place, that hits the headlines and extra expenses, and overtime everywhere, become required as a result until the heat dies down and everyone can go back to sleep.

      OTOH, I do not like the attempt here to conflate electronic with paper breach incidents. Paper has weight and requires rather more energy to transfer information from one place to another. Electronic records do not, not even close. Nor is paper as easy to dispense in terms of speed (records/sec). This is the same sort of misrepresentation we are seeing from all levels of the Executive Branch from the President on down, especially the DNI, NSA, and every damn company out there that's rolled over around the surveillance scandals.. (Prolly where this VA type learned it from) I am not the least bit amused.

      And the likelihood of ever being employed by the VA just went to zero ;-).

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    4. Re:paper is still less dangerous by Anonymous Coward · · Score: 0

      Not necessarily. The biggest data breach at my company was when a disgrutled employee walked off with a printed copy of the sales ledger. Only a few hundred sheets of paper, but very high value information.

    5. Re:paper is still less dangerous by Anonymous Coward · · Score: 0

      You are guessing.

      My experience is that "10" is grossly under-guessed.

  7. "That that"? by libtek · · Score: 1

    >"...people are not thinking about the fact that that piece of paper they're carrying around..."

    *That *the*?
    FTFY

    --
    Unequivocally the realest of the realz...
    1. Re:"That that"? by wonkey_monkey · · Score: 4, Funny

      That "that that" that you have pointed out is perfectly valid. That that "that that" that that person has chosen to use seems wrong to you is neither here nor there.

      --
      systemd is Roko's Basilisk.
  8. nt by shentino · · Score: 1

    Now that's what I call a paper cut.

  9. 900,000 devices? by Anonymous Coward · · Score: 1

    Why does a department which services 440,000 'customers' and presumably has far less than a tenth of that in staff need 900,000 'devices' on the network?

    1. Re: 900,000 devices? by Anonymous Coward · · Score: 1

      Because they're honest enough to count every one. Routers, bridges, thermostats, etc...

  10. Computers aren't good enough yet by Sockatume · · Score: 3, Insightful

    Not this case specifically, but in my experience where documents exist and travel in electronic form, you still print them off to do work on them.

    Computers are great tools for writing documents. Computers are great tools for looking up and reading out a single datum. Computers are great tools for large-scale data analysis. What they are not good for is sitting down with a modestly-sized group of data - say, twelve letter-sized sheets - and getting something done. You can't get a screen big enough, or an interface lean enough, to replicate the kind of easy access you get from spreading the pages across your desk, or even using fingers and bookmarks to quickly jump between places. The relationships between individual documents are never as obvious as when you pull out a sheaf of records and pore over it.

    So, people print documents off while they're working with them, and sometimes they forget that those documents are supposed to be shredded, or meticulously filed away.

    Now, this is something that computers should be good at, but it's hard, and it's not in the wheelhouse of most software developers or companies. Look at scientific publications. You have a whole lot of documents encrusted in rich, well-formatted meta-data, being used by organisations that could throw down thousands on records-management software like it was loose change. Yet we only just have Papers and Mendeley. We're only just transitioning away from filing cabinets.

    --
    No kidding!!! What do you say at this point?
    1. Re:Computers aren't good enough yet by Sockatume · · Score: 3, Insightful

      I should add that this is a problem for data security; there seems to be a mistaken belief that we entered a paperless world in 2000 and all our information security problems are now computer security problems.

      --
      No kidding!!! What do you say at this point?
  11. I think you are misreading the 440,000 by DigitalReverend · · Score: 3, Informative

    The 440,000 would be employees and volunteers of the VA. The VA itself actually handles a lot more than that. There's 21.5 million veterans, of that 3.5 million receives disability compensation. Every veteran is eligible for health care in the VA system. So for 444,000 users of the VA information technology, 900,000 devices isn't that far fetched to handle the date for 3.5 million + veterans.

    http://www.infoplease.com/spot/veteranscensus1.html
    http://www.va.gov/opa/publications/factsheets/fs_department_of_veterans_affairs.pdf

    --
    I read Slashdot for the headlines, because the headlines, unlike the articles, are usually original and never duplicated
  12. Can't be a surprise by sabbede · · Score: 0

    Haven't we been hearing about how the VA still has piles of paper records because they haven't digitized their systems yet? Seems to me that there probably isn't all that much digital data to lose.

  13. incidents != severity by Anonymous Coward · · Score: 0

    The difference in an incident with paper might be single individual. A computer breach compromises tens of thousands at a time.

    It is like the difference between dropping a penny on the ground and draining your life savings.

  14. Paper has a lot of benefits by sjbe · · Score: 3, Insightful

    It's 2013, they should have finished scanning all of their documents in by 2002, 2005 at the very latest. What on earth are they printing over there?

    Patient medical charts and financial information mostly. Getting all that digital is an incredibly difficult and a FAR more challenging problem than most people realize. In a lot of cases the economic case for paper is actually better because going digital is so difficult and/or expensive.

    I work in a regulated industry and we shred everything we print. On a bad week I might print all of 10 pages.

    The industry you work in has precisely NOTHING to do with how healthcare can or should be managed. That would be like me saying what works for engineering should be perfectly appropriate for accounting. the argument makes no sense. As it turns out health care is incredibly complex and designing IT systems to do away with paper is difficult, time consuming and frequently not actually the most efficient way to solve many of the problems they face. If there is a more complicated industry than health care I'm not aware of it. Just because theoretically we can solve problems with IT doesn't mean it can be done today or that it is necessarily the correct answer to every problem.

  15. "Data breach"=social security number by Anonymous Coward · · Score: 0

    Pure and simple.

    I have a foolproof system that safeguards my SSN: NO ONE will issue me credit at this point..

  16. MOD PARENT UP by BenEnglishAtHome · · Score: 1

    Please. People who understand proper English are becoming rare and should be rewarded.

    1. Re:MOD PARENT UP by libtek · · Score: 1

      Thanks for that, ;p

      And wonkey_monkey: Tomayto/Potahto, Apples and Oranges, really.

      --
      Unequivocally the realest of the realz...
  17. they never learn by Pedestrianwolf · · Score: 1

    I guess Kevin Mitnick and his ilk have taught them nothing.

  18. Inventory losses by BenEnglishAtHome · · Score: 4, Interesting

    The comment on inventory losses hits home. I'm retired from a large government agency. Back in the day, IT understood that it was our job to keep other, more important employees working. To that end, my division bought 110 laptops for every 100 laptop users. It kept the extras in stock as close to the users as possible.

    When a user had problems, it was a 30 minute fix to swap hard drives into a new laptop, test, do the paperwork, and send the user back to work. If a drive died, it was about an hour of work to pull a new machine off the shelf, image it, and back up the user data from the local servers.

    Unfortunately, most IT techs discovered those 30 minute hard drive swaps could be cut to 15 minutes or less if you neglected the paperwork. Laptops got lost. IT thought they were doing a great job. Our users loved us because we got them back to work asap. The executives, however, didn't like it.

    They had to sit in front of a Congressional oversight committee every year and explain why a large number of laptops seemed to be missing. They weren't lost out of the organization, of course. They were temporarily misplaced. They were always found, eventually. There were no data losses.

    Neither the executives nor Congress cared about our core mission when they had a juicy headline to bash us with in the press, every year, without fail.

    The executives and IT hashed it out. They decided that the core business of the bureau was completely unimportant. The execs decreed that no matter what it took, they should never have to sit in front of a committee and explain things ever again.

    Spare equipment was cut to the point of non-existence. All spare equipment was centralized in a half-dozen "depot" sites spread around the country. They were as far from the end users as possible. Getting anything replaced required dealing with a depot and doing overnight shipments.

    The minimum time frame to fix a dead hard drive became, at minimum, several days. A highly paid employee who brought in a dead laptop on Monday morning would give it to IT and, in the best possible case, it would get shipped out that day, arrive at the depot on Tuesday who would ship a replacement, arrive back locally on Wednesday where it would be imaged and delivered back to the user later that day. That's 2.5 days AT BEST with a highly paid employee effectively idled.

    If a single person (the IT tech, the local inventory specialist, the depot inventory specialist, the depot shipping clerk, and maybe more) was out of place, add a day to that cycle time. Average repair times, when hardware had to be replaced, jumped to ~4 days.

    Prior to that, no matter how big the meltdown, an individual user could be back to work inside 2 hours and often in less than a half hour.

    The troops were on the verge of mutiny and morale on computer issues went into the toilet.

    The executives were insanely happy. They had set up a special IT department for themselves that worked the old way so they never suffered delays. Plus, they didn't have to testify before Congress any more.

    I said all that to say this - When you read that some big government agency is losing computers it does NOT mean that data is being lost. It may well mean the IT department is actually doing their jobs instead of sacrificing the efficiency of their entire agency to cover the executive asses.

    So when the quoted source says that losing a few laptops is no big deal, cut him some slack. He's right.

    1. Re:Inventory losses by kermidge · · Score: 1

      Thanks, Ben, that explains a number of things; I recall several of the stories that hit the news and a few (very few) follow up pieces that had an explanation; until you ran through one of the common realities I'd be left wondering who was trying to pull what with alternate recountings.

  19. A lot of the Paper comes from the DoD by Anonymous Coward · · Score: 0

    People complaining about the VA not being able to deal with the Paper load, don't realize that the Department of Defense sends its information to the VA on paper. The VA doesn't have a choice about it, and has to deal with the paper. Its not that the paper is printed out by VA employees that should stay in electronic form. The VA never gets the electronic document from the DoD to begin with.

    Incidentally, this is also part of the cause for the Daily Show saying the VA is so slow with granting VA Benefits. The employees don't have the information to make the decision, because they have to funnel paper through their workflow.