VA struggles to balance cloud apps, security

Thursday - 12/23/2010, 6:54am EST


By Jason Miller
Executive Editor
Federal News Radio

The Veterans Affairs Department is trying to heed the lessons of its past. If the department doesn't provide its users with the technology they need, the employees will find it anyway.

This was true 35 years ago when a group of employees, calling themselves the Underground Railroad, began developing what is now the VISTA system because VA was too slow to develop a system capable of sharing data.

The department is starting to see a similar uprising around cloud computing.

Roger Baker, VA's assistant secretary in the Office of Information and Technology and chief information officer, said the agency shut down another instance of doctors using a cloud platform outside the VA firewall to share patient data.

"This is an issue we will continue to deal with going forward," he said during his monthly call with members of the press on VA's data breach report to Congress. "The government by itself can't keep up with Yahoo!, Google, Apple and others who are creating great applications for medical usage. We have to figure out how to embrace those and at the same time ensure that we are providing privacy and health information protections that we are committed to doing. These are great tools for patient care, and right now my position as the CIO has to be 'you can't use them.'"

But Baker fully admits that he must find a way to strike the proper balance between use and security because there is a growing call for cloud-based tools such as those from Yahoo! and Google. He added that the Underground Railroad development of VISTA is a reminder of what could happen if he doesn't find a solution fast enough.

"Users said they need the tools to let them do their job and I have that as a cautionary tale in my head whenever I talk about cloud and things going on with these sites," he said. "If we don't figure out how to use these applications, our users will figure it out for us. It is said that those who don't study history are bound to repeat it. I'm not interested in repeating history."

VA said in its data breach report that data on more than 1,000 veterans was stored on a shared Yahoo! calendar tool. Doctors and residents at one VA facility were using the online tool to communicate during shift changeovers, and residents were using it to retain information when they left VA to work at other hospitals.

Baker said no matter the need, the doctors violated VA's data security, privacy and health information policies.

Earlier this year, VA shut down eight facilities using Google Docs to share patient information under similar circumstances. Baker said he expects to shut down other instances of facilities using similar tools in the future, given the tools' popularity and ease of use.

Baker said he is looking into how to make that balance work, but still has not found the right solution to this problem.

"I know that Google has moved forward with FISMA certification of some of the stuff they are doing so that is a possibility," he said. "The issue there is that there are various levels of certification and what they have achieved is medium and for the types of information we store, it would have to be a high certification. But we look at is there a way to embrace the tool as it stands? Is there a way to bring the tool inside the VA firewall and control access to it a bit more and meet our requirements that way?"

Baker added that the last thing he would consider is having VA build a new tool itself, because the government's development time and acquisition processes just can't keep up with technology changes.

In the meantime, Baker said cybersecurity remains a major priority. He said that in 2011 his office will complete its medical device architecture, which will describe how to secure those devices on the network. VA also will expand its visibility of devices on the network beyond laptops and desktop computers to printers and other devices.

All of this will come under tight budget constraints. Baker said he prepared for Congress to cut VA's IT budget by $200 million in 2011. Agencies currently are under a continuing resolution through March 4.

"We had a substantial carry forward from 2010 to 2011 as a result of all the discipline we instituted last year," he said. "The Program Management Accountability System (PMAS) generated $250 million of cost avoidance in 2010 because of the number of projects we held off of until we got them to a point where we thought they could succeed."

He added that VA also carried over $700 million from 2009 to 2010 and about the same amount from 2010 to 2011.

Baker said he doesn't agree that VA needs less money, but understands the rationale and the fact every agency is facing tight budgets.

(Copyright 2010 by FederalNewsRadio.com. All Rights Reserved.)