The discovery isn't shocking -- consumer adoption of cloud services has in many ways outstripped corporate and government adoption -- but it does raise security concerns, as the services being used haven't necessarily gone through the rigorous certification process required to comply with federal cybersecurity guidelines.
"The government can't keep up with Google, Apple, Yahoo, and others who are creating grey apps for healthcare usage," VA CIO Roger Baker said Thursday on a monthly cybersecurity conference call with reporters. "This is an issue we're going to continue to deal with going forward. These are great tools for patient care, but at the same time we can't use them. If we don't figure out how to embrace them, our users will figure it out without us."
Baker applauded companies like Google for moving forward with government security certifications for "moderate" risk information, but said that the VA requires even higher security standards for personally identifiable information like the type its employees are beginning to store online.
For now, the agency is treating the use of services like these as a security concern, and blocking access to sites as they became known. For example, last month the agency discovered that a few orthopedics department residents at the Jesse Brown VA Medical Center have been keeping a calendar of patient data on Yahoo Calendar for more than three years.
The residents had stored full names, dates, types of surgery, and the last four digits of Social Security numbers for 878 patients on the site, sharing the same user account. When the VA discovered this, it blocked access to the site, deleted all the entries, changed the password (which hadn't been changed once during the three years of use), and began mailing out letters of notification to all affected patients.
Such a scenario has played out numerous times in recent months, Baker said. The most popular use of cloud services was by employees using Google Docs to store shift-change information and residents using it to document what type of role they played in various procedures. "While these are password-protected accounts, the issue is that they leave the VA," Baker said. "We need to figure out how to meet this demand and still meet our requirements from the standpoint of security controls."