Fix The Cyber Security Defect in the Veterans Benefits Management System

0 have signed. Let’s get to 100!

Jamie Fox
Jamie Fox signed this petition

Dear Veteran,

Do you know who is watching you? Anyone who has access to the VA's computer system. Thousands of people can access your information, including contractors, Veterans Service Organizations and more. With a few strokes of the keyboard someone can view decades of information about you (depending on your age), including all of your military records, from anywhere in the country, including from someone's living room. No person, not even a government official should have that much access to so much information about a person's past and present life history, especially VA bureaucrats who are known to be unscrupulous. No manager or former manager or co-worker should have access to so much information about their current or former employees or co-workers. Except at the VA thousands of people can access the private information of basically anyone they choose, because the VA allegedly forgot to build in security measures that would prevent people from unauthorized access. As if that weren't bad enough the VA is not enforcing existing privacy laws. We have other petitions we need people to sign as we break down this enormous elephant in the room that everyone is pretending to not see. It appears the VA bureaucrats either do not want to spend the money to fix this problem or they simply do not want to fix the problem, or both. Anyway you look at it, veterans are being harmed by this major VA defect in it's computer system. 

Consider this:

1) The Department of Veterans Affairs (VA) has a history of veteran medical record and sensitive personal information privacy violations; and 

2) The Office of Inspector General (OIG) released a report April 2016, in which the VBA had not integrated proper audit logs in VBA’s new system called Veterans Benefits Management System (VBMS); and

 3) VA failed to establish satisfactory system requirements in VBMS that would ensure that accurate audit logs were created; and

 4) Veteran medical records and sensitive personal information data sit at the root of all privacy and security user training and access controls not being properly implemented nor adequately monitored.  A clear violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its’ enforcement; and

 5)  OIG discovered VBA cannot detect if an employee without proper access authorization has improperly accessed a veteran’s file, because VBMS is not compliant with audit log procedures per required Federal Information Processing regulations; and

 6) OIG reported that the security vulnerability is due in part because the Office of Business Process Integration did not create system requirements in VBMS to assure audit logs could accurately pinpoint security violations; and

 7) The VA is required by several regulations (e.g., Federal Information Processing Standards Publication) to develop, sustain, and retain audit records to supervise, analyze, and report on inappropriate access of information systems; and

 8) VA’s own VA Handbook states that information systems are required to create detailed audit logs that can help recreate a data security incident and/or breach as well as restrict certain VBMS user’s system wide, to include Tele-Work without the proper authorization access level from accessing certain claim files; and

 9) VA must establish a level of visibility that will provide VBMS system security monitors the ability to detect unusual behavior and the necessary tools to quickly identify and respond to any unauthorized user access, thus ensuring system integrity and user access authorization level is compliant with all regulations and procedures; 

 Veterans need your help with seeking legislation to change applicable regulations that will ensure VA programs containing Veterans’ Electronic Medical Records and Sensitive Personal Information restrictions are in place with appropriate security system monitors to deter any unauthorized users from accessing veterans’ information, have functional and accurate audit logs that can pinpoint security violations, as well as, compliant with existing laws and regulations minimizing any ambiguity and ensures adherence and accountability.