According to a report first released as part of a monthly cybersecurity report posted on the VA's website, an iPad2 was likely stolen out of one of the VA's IT offices in Washington, D.C., in early September, before the agency ever authorized iPads for broader use. The iPad hadn't been configured for employee use, wasn't storing personally identifiable information, and had its data service canceled as soon as the agency discovered it was missing. However, the device's theft speaks to larger security concerns as iPads become more prevalent on federal agencies' networks.
That day is rapidly approaching. The VA became one of the first agencies to authorize iPads on its networks earlier this month. While Baker estimated on a call with reporters Wednesday that fewer than 500 iOS devices (including iPads and iPhones) currently have access to VA networks, he expects the number of iPads to quickly grow to a thousand and eventually tens of thousands. Other agencies, including the Department of Transportation and the Department of Homeland Security, are also piloting the devices.
"It's very clear from the public demand and the clinician demand that there's a real use for them in areas that would make a clear business case," Baker said.
While Apple devices aren't currently compliant with the key federal encryption standard, Federal Information Processing Standard 140-2, the VA will require encrypted applications, including email, which is one of the first applications supported on iOS devices inside VA. The agency is also developing an iPad version of the VA's Computerized Patient Record application that will support encryption. "Since the device doesn't support encryption, we are enforcing encryption at the application level," Baker said.
The VA is also piloting mobile device management software to manage mobile device security by locking down configuration settings, controlling what apps can be installed on devices, and remotely wiping devices if they go missing or are stolen.
In a request for information issued October 20, the VA indicated that it was looking for mobile device management software that could control up to 100,000 tablets, including iPads, Androids, and Windows devices. The VA is looking for a suite of features, including reporting, automated enforcement of enterprise rules via actions like device locking or wiping, the ability to offer an enterprise application store, the ability to view a device's GPS history, and whitelisting and blacklisting of apps.
Finally, VA will track instances of iTunes installed on laptops and desktops inside VA. "We're going to watch every [computer] where iTunes is loaded and make sure it's specifically approved for an iPad user," he said. In other words, he said, security with tablets isn't just about the tablet itself, but also about the devices that support that tablet, such as a PC loaded with iTunes.
The VA's monthly security report indicated that police are combing through camera footage at the scene of the crime for any clues on the iPad2's theft. The iPad was one of 21 desktops and laptops that went missing or were stolen in September. All of those computers were either encrypted or stored no sensitive or personally identifiable information.