VA OIG just reported that Palo Alto VA Health Care System unlawfully gave patient data to a private IT company despite employees not having cleared background checks.
The watchdog investigated allegations that the Palo Alto VA informatics chief entered into an illegal agreement with a health care company called Kyron.
VA OIG confirmed allegations that the patient data was given to Kyron prior to its employees getting background checks. It also confirmed that patient data was loaded into the Kyron’s extraction software prior to receiving approval from VA information security officers.
VA OIG does claim all identifiable information was removed prior to it being shared with Kyron. OIG further indicated the allegations that the contract was illegal was unconfirmed.
I pasted the executive summary below. When you read it, I suggest reading it from the bottom up. The reason is because VA OIG almost always diminishes allegations by making negative comments at the beginning but then admitting all the failures later. When you read these reports starting from the recommendations, you do not get pulled into the semantic games… and believe me, there are many games going on with these reports.
The VA OIG Palo Alto VA report summary reads:
Review of Alleged Data Sharing Violations at the Palo Alto VA Health Care System
In October 2014, the House Committee on Veterans’ Affairs provided the VA Office of Inspector General (OIG) a complainant’s allegation that the VA Palo Alto Health Care System (PAHCS) Chief of Informatics entered into an illegal agreement with Kyron, a health technology company, to allow data sharing of sensitive VA patient information. This allegation involved veterans’ personally identifiable information (PII), protected health information (PHI), and other sensitive information being vulnerable to increased risks of compromised confidentiality. Allegedly, sensitive VA patient information was transmitted outside of VA’s firewall. The complainant also alleged Kyron personnel received access to VA patient information through VA systems and networks without appropriate background investigations.
We did not substantiate the allegations that the Chief of Informatics formed an illegal agreement with Kyron or that sensitive patient information was transmitted outside of VA’s firewall. However, we substantiated the allegation that Kyron personnel received access to VA patient information without appropriate background investigations. We determined there was a signed agreement between PAHCS and Kyron and its personnel received access to de-identified VA patient information within VA’s information technology enterprise. The agreement allowed Kyron, as part of a pilot program, to test technical implementation of its extraction software on a VA server by transforming de-identified VA patient information into structured patient profiles. The profiles allowed search and query of patient interventions and outcomes in more timely and cost-effective ways and facilitated data mining that could potentially assist VA in improving the delivery of healthcare.
Based on our interviews, review of available documentation and relevant criteria, and our judgment, we determined the Chief of Informatics, who was also the local program manager for the pilot program, failed to ensure Kyron personnel met the appropriate background investigation requirements before granting access to VA patient information. The Chief of Informatics also failed to ensure Kyron personnel completed VA’s security and privacy awareness training. Further, the Information Security Officers (ISOs) failed to execute their required responsibilities in accordance with VA Handbook 6500, Information Security Program, by not providing PAHCS management and staff guidance on information security matters. More specifically, the ISOs did not coordinate, advise, and participate in the development and maintenance of system security documentation and system risk analysis prior to Kyron placing its software on a VA server. As a result, Kyron did not have formal authorization to operate its software on a VA server.
We concluded the lack of coordination between the Chief of Informatics and ISOs in executing the Kyron agreement potentially jeopardized the confidentiality of veteran’s PII, PHI, and other sensitive information. The Chief of Informatics admitted to proceeding with the pilot before obtaining documented support from the local ISOs. In addition, the PAHCS and regional ISOs failed to execute their required responsibilities in accordance with VA Handbook 6500. After the OIG informed PAHCS officials of the initial results in November 2014, they discontinued Kyron’s personnel access to VA de-identified patient information until Kyron’s personnel received VA completed background investigations, appropriate security, and privacy training.
However, given the nature and seriousness of sensitive veteran data being vulnerable to increased risks of compromised confidentiality, we recommended the VA Assistant Secretary for Information and Technology take immediate action to ensure the local and regional ISOs determine the appropriate security level for Kyron’s software and pilot program. We also recommended the VA Assistant Secretary for Information and Technology implement appropriate controls to ensure that unauthorized software is not procured or installed on VA networks without a formal risk assessment and approval to operate. We recommended the PAHCS management, in conjunction with VA’s Assistant Secretary for Information and Technology, ensure Kyron personnel receive commensurate background investigations and obtain the required information security documentation that authorizes Kyron’s software to operate.
Further, we recommended the PAHCS management, in conjunction with VA’s Assistant Secretary for Information and Technology, require Kyron personnel complete security awareness training and sign the Contractor Rules of Behavior to ensure full awareness of VA information security requirements when accessing VA systems and networks. The Assistant Secretary for Information and Technology concurred with our findings and recommendations and provided an appropriate action plan. We will follow up on the implementation of the corrective actions.