Cloud
News
12/23/2010
10:37 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

VA Employees Using Unauthorized Cloud Services

Department of Veterans Affairs staff have been using Google and Yahoo tools without the agency's knowledge, raising privacy, security concerns.

Top 10 Government Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Government Stories Of 2010
The Obama administration might be pushing federal agencies to adopt cloud computing, but federal workers are already ahead of the curve, as the Department of Veterans Affairs recently discovered when it found out hospital employees were using Web-based tools from companies like Google and Yahoo on the job.

The discovery isn't shocking -- consumer adoption of cloud services has in many ways outstripped corporate and government adoption -- but it does raise security concerns, as the services being used haven't necessarily gone through the rigorous certification process required to comply with federal cybersecurity guidelines.

"The government can't keep up with Google, Apple, Yahoo, and others who are creating grey apps for healthcare usage," VA CIO Roger Baker said Thursday on a monthly cybersecurity conference call with reporters. "This is an issue we're going to continue to deal with going forward. These are great tools for patient care, but at the same time we can't use them. If we don't figure out how to embrace them, our users will figure it out without us."

Baker applauded companies like Google for moving forward with government security certifications for "moderate" risk information, but said that the VA requires even higher security standards for personally identifiable information like the type its employees are beginning to store online.

For now, the agency is treating the use of services like these as a security concern, and blocking access to sites as they became known. For example, last month the agency discovered that a few orthopedics department residents at the Jesse Brown VA Medical Center have been keeping a calendar of patient data on Yahoo Calendar for more than three years.

The residents had stored full names, dates, types of surgery, and the last four digits of Social Security numbers for 878 patients on the site, sharing the same user account. When the VA discovered this, it blocked access to the site, deleted all the entries, changed the password (which hadn't been changed once during the three years of use), and began mailing out letters of notification to all affected patients.

Such a scenario has played out numerous times in recent months, Baker said. The most popular use of cloud services was by employees using Google Docs to store shift-change information and residents using it to document what type of role they played in various procedures. "While these are password-protected accounts, the issue is that they leave the VA," Baker said. "We need to figure out how to meet this demand and still meet our requirements from the standpoint of security controls."

Comment  | 
Print  | 
More Insights
2014 Next-Gen WAN Survey
2014 Next-Gen WAN Survey
While 68% say demand for WAN bandwidth will increase, just 15% are in the process of bringing new services or more capacity online now. For 26%, cost is the problem. Enter vendors from Aryaka to Cisco to Pertino, all looking to use cloud to transform how IT delivers wide-area connectivity.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.