Watchdog says VA failed to protect its Veterans Benefits Management System (VBMS) against fraud using a standard audit log feature.
The VBMS system was supposed to be the silver bullet fixing the backlog of benefits claims back in 2013. Former Under Secretary Allison Hickey repeatedly told Congress this system would fix all problems. That fix cost taxpayers over $1 billion.
For that kind of money, is it too much to ask for that VA would ensure the system had a standard audit log to prevent fraud? Don’t veterans deserve protections against fraudulent or careless VA employees?
Last year, VA OIG received an anonymous complaint that alleged the Veterans Benefits Administration failed to integrate audit logs into its VBMS system. OIG confirmed the allegations publicly yesterday.
That system was designed to replace paper claims, but some were skeptical of the agency’s ability to protect veterans against fraudulent intentions of dishonest VA employees. Historically, VA employees have shown a tendency to shred or alter veterans claims files. The move to electronic claims would lend itself to employees merely hitting the “delete” button.
The new report shows VBA failed to protect veterans against such fraudulent intentions. The standard audit log would track who accessed the file when. This audit is required for information security officers to protect against fraud.
During the investigation, VA employees were able to access veterans files without being tracked, and even OIG was unable to tell exactly how the employees were untrackable.
Does this surprise anyone?
VETERAN BENEFITS MANAGEMENT SYSTEM AUDIT
The OIG report summary says:
“In April 2015, the Office of Inspector General (OIG) received an anonymous allegation that the Veterans Benefits Administration (VBA) failed to integrate suitable audit logs into the Veterans Benefits Management System (VBMS). We substantiated the allegation that VBA failed to integrate suitable audit logs that clearly reported all security violations occurring in VBMS. We tested the existence and accuracy of audit logs by having 17 employees at 3 VA Regional Offices (VAROs) attempt to access same station veteran employee compensation claims in VBMS. Although audit logs identified security violations for 15 of the 17 employees, the logs did not show that the security violations occurred within VBMS. Instead, the audit logs indicated that the violations occurred in the Share application used by VARO employees or an unknown system. The other two employees did not appear on the audit logs. We could not determine why the two employees did not appear on the audit logs. This occurred because VBA officials did not develop sufficient system requirements to ensure that audit logs exist and are accessible to Information Security Officers (ISO). As a result, ISOs were unable to effectively detect, report, and respond to security violations occurring within VBMS. Until VBA resolves this issue, its VAROs will be more susceptible to fraudulent compensation claims processing. We recommended the Acting Under Secretary for Benefits develop system requirements for integrating audit logs into VBMS. We also recommended the Assistant Secretary for Information and Technology integrate audit logs into VBMS based on the requirements provided by the Acting Under Secretary for Benefits. Finally, we recommended the Acting Under Secretary for Benefits test the audit logs to ensure the logs capture all potential security violations. The Acting Under Secretary for Benefits and the Assistant Secretary for Information and Technology concurred with our recommendations and provided acceptable corrective action plans. We will monitor their implementation. The Acting Under Secretary also provided technical comments, which we took into consideration.”