More than six years after the Veterans Administration (VA) suffered one of the worst data breaches in history, it is still a long way from closing off the vulnerability that made the breach possible: lack of encryption.
It was on May 3, 2006, that a laptop and external hard drive containing an unencrypted national database with names, Social Security numbers, dates of births, and some disability ratings for 26.5 million veterans, active-duty military personnel and spouses was stolen from a VA analyst's Maryland home
The laptop was returned almost two months later by an unknown person, but the VA still spent about $20 million to notify those whose information had been compromised and for credit monitoring.
Three months later, in August, the VA secretary ordered the agency's Office of Information Technology (OIT) to upgrade all VA lap and desktop computers with enhanced data security encryption software.
But today, more than 80% of the VA's computers are unencrypted, even though the agency spent $5.9 million for 300,000 Guardian Edge (now owned by Symantec) encryption software licenses in 2006, and another 100,000 licenses in 2011.
The VA, in a statement, contends that 99% of its laptops now carry the encryption software.
But a report issued last month by the VA's Office of the Inspector General (OIG) found that as of this past July, the VA had, "installed and activated only a small portion, about 65,000 (16%), of the total 400,000 licenses procured, [even though]our annual Federal Information Security Management Act reviews have repeatedly identified the need for VA to address information security weaknesses, including inadequate implementation and enforcement of oversight controls over access to information systems."
The number could be even less than 65,000. The report said it could include duplicate counts "when computers are turned off, reimaged, then turned on again or when computers are upgraded and not scrubbed."
"[The 65,000 is] the number of computers that had logged into the Guardian Edge/Symantec server within the previous 90 days," the report said.
This, the report said, was due to inadequate planning and management of the project, which included the fact that the VA bought the software without knowing if it was compatible with their computers, and failed to allow time to test the software to ensure compatibility.
Not surprisingly, the report's conclusion was not reassuring. "Veterans' personally identifiable information remains at risk of inadvertent or fraudulent access or use," it said.
"[The VA] has successfully encrypted over 99% of our laptop computers. We have begun deploying Windows 7 with Symantec Full Disk Encryption across the VA enterprise," a statement provided by spokeswoman Josephine Schuda said. "The rate of deployment will be approximately 2% per week, with expected completion of September 30, 2013. We are committed to installing and activating all of the purchased encryption licenses."
The statement said there was an issue with using encryption on desktop computers. "The encryption software had a significantly detrimental effect on computers used by clinicians in their care of patients," it said. "However, improvements in software and hardware since that time have reduced much of that impact, and we have begun rolling out encryption to all of VA's desktops."
But some security experts say that since 2006, a much better option has come on the market. Lark Allen, executive vice president of Wave Systems, said all the major computer manufacturers have been offering self-encrypting drives (SEDs) as an option for about five years. For about the same price as software, he said, they make encryption vastly easier for both IT departments and end users.
"Software encryption is very complex to install," Allen said. "It's almost like the encryption has to hack the OS to get it to work correctly. When you start it up, the software must come up first so you can authenticate yourself, and then it unlocks the rest of the system. It has to make sure it takes control before the OS boots. It almost operates like malware put into the system."
Installation is very slow as well, he said -- somewhere between three and 48 hours for a 500G hard drive. He said an automotive company found it was taking a week to install it on a single laptop. "And if you're doing things like running antivirus or copying large files, the performance degrades dramatically," he said.
He said a user frustrated by the slow pace could disable it to get the computer to work faster, but that means the information is no longer encrypted.
A self-encrypting drive "encrypts as you image the drive," he said. "The OS has no knowledge that it's been encrypted, and the user doesn't notice anything either. And it's always on -- a user can't disable it."
While it makes the most financial sense to buy the self-encrypting drive with a new computer, the turnover rate is usually about three years, so Allen said the VA could have solved the problem by now simply by including self-encrypting drives with every new computer it bought.
The VA said it has considered and rejected that option. While self-encrypting drives are "excellent for consumer use, [they are] very difficult to manage in an enterprise environment, especially one centered around patient care and safety."
"Encryption software gives the VA better control over its IT devices than encrypted drives would," the statement said.