iPhones, iPads on the way, VA confirms

Monday - 7/25/2011, 7:43pm EDT

Jared Serbu, Reporter, Federal News Radio

Download mp3

By Jared Serbu
Federal News Radio

The Department of Veterans Affairs has confirmed what many people suspected: The "popular devices" VA will soon allow on its network will be Apple's iPhones and iPads.

VA had previously announced October 1 as the date it would allow a new generation of consumer tablets and smartphones to connect and access department data. But until now, VA has been declining to say precisely which ones. VA chief information officer Roger Baker told reporters on a Monday conference call that the department start with devices based on Apple's iOS.

The next questions to answer are how VA will buy those tablets and smartphones, and whether employees will be allowed to use their own personal devices to access VA networks.

"We haven't settled on exactly how we'll acquire the devices," Baker said. "These devices move so fast, you have to be worried about the fact that the moment you let an acquisition for a lot of them you're going to end up buying one or two generations back, and we certainly don't want to be doing that."

He said he had not yet decided whether employee-owned iPhones and iPads should be allowed on VA's network in October. But if VA does establish a bring-your-own-device policy, employees will have to agree to let the department enforce the same mobile device management procedures on their personal devices as it does on government-owned equipment.

"We've got to make certain that the applications we allow on the device are broad enough that we aren't going to be draconian, but on the other hand, users are going to have to realize there could be apps on there that could cause security issues," Baker said. "If we haven't checked it out, our primary concern is going to be the security of any information on that device."

He said using government-furnished mobile devices could help reduce VA's IT costs, since they are generally cheaper than laptops. He envisions employees being given a choice between a department-issued laptop and a tablet.

VA's new mobile pilot projects are focused in two areas. One is using mobile devices as information viewers that let authenticated users access data in VA systems, but not download it or store it. That generic approach will allow the department to easily extend support to other smartphones and tablets down the road, Baker said.

A second track is more device-specific. Apps would be able to store VA data on the device, but the department would have to make sure the software can encrypt and store data securely on an app-by-app basis. An example is an iPhone and iPad version of VA's clinician interface, the Computerized Patient Record System.

"It would reside on the device and actually store information device in an encrypted fashion. It would allow clinicians to use it as their native interface for seeing patients," he said.

One hurdle the VA needs to overcome before mobile devices become ubiquitous work tools, however, is the quality of the internal Wi-Fi networks in its facilities. Baker said most of the larger VA hospitals now have WiFi networks deployed.

"But the issue has been that it's not 100 percent coverage," he said. "We're about a third of the way through renovating the facilities for Wi-Fi signal so that they achieve pretty close to 100 percent coverage throughout the campus. We unfortunately had to go back and are going through the process of reawarding that contract, so we're kind of set back in getting it done. There tends to be Wi-Fi signal, but it's not the kind of coverage that you'd like to see if you're going to use it for the sorts of things we'd like to use it for long-term."

Baker said the department's security procedures would also let email be downloaded and stored, since VA already has encryption protocols to secure sensitive data in its email system.

But encryption on iPhones and iPads won't necessarily mean compliance with Federal Information Processing Standard 140-2, the government benchmark for cryptography published by the National Institute of Standards and Technology.

"FIPS 140-2 certification is not instantaneous," he said. "One of the things we actually had a study done on was the advisability of accepting the risk of encryption that is not FIPS 140-2 certified for the types of information we're putting on the device. Our expectation with the pilot is that we'll determine the encryption that's being done on the device is sufficient to be adequate for our purposes, and that I will accept the risk for our organization that that encryption is sufficiently strong and doesn't create and undue risk of information breach."