Social App Security Vulnerabilities Leave VA Vulnerable to Cyberattacks

The Department of Veterans Affairs (VA) has been warned that social app security vulnerabilities have the potential to expose the data of veterans, according to a recent audit conducted by the VA Office of Inspector General (OIG).

The warning came after the OIG discovered that a number of VA employees had been using the social media app Yammer. The app was found to contain security vulnerabilities that could potentially be exploited by hackers seeking access to Social Security numbers and other protected data of veterans.

VA Policy Violations Aplenty

The main security issue with Yammer is that the website lacked an administrator who could remove former VA employees from the site. There was also no automated system in place to ensure contractor employees were removed when their access rights should have been terminated, in accordance with VA policies and HIPAA Rules. Numerous other security vulnerabilities were discovered to exist.
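The control the OIG found missing is an account lifecycle check: reconciling the app's member list against the authoritative staff roster so that separated employees, expired contractors and outside accounts are flagged for removal. The following is an added example written for this article, not code from the VA or the OIG; the roster fields, sample accounts and review date are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumption, not from the OIG report). In practice the
# roster would come from HR/identity management and the member list from the
# collaboration app's admin export or API.
ACTIVE_ROSTER = {
    "alice@va.gov": {"type": "employee", "active": True},
    "bob@va.gov": {"type": "contractor", "active": True, "contract_end": "2015-12-31"},
    "carol@va.gov": {"type": "employee", "active": False},   # separated from VA
    "dave@va.gov": {"type": "contractor", "active": True, "contract_end": "2015-06-30"},
}
APP_MEMBERS = [
    "alice@va.gov", "carol@va.gov", "dave@va.gov",
    "eve@gmail.com", "frank@va.gov", "bob@va.gov",
]


def accounts_to_remove(roster, members, today_iso, allowed_domain="va.gov"):
    """Return {email: reason} for every app account that should no longer exist.

    Reasons, checked in order: external_domain (not an agency address),
    not_in_roster (no HR record at all), separated (record marked inactive),
    contract_expired (contractor whose end date is before today_iso).
    """
    today = date.fromisoformat(today_iso)
    flagged = {}
    for member in members:
        email = member.strip().lower()
        if not email.endswith("@" + allowed_domain):
            flagged[email] = "external_domain"
            continue
        record = roster.get(email)
        if record is None:
            flagged[email] = "not_in_roster"
        elif not record.get("active", False):
            flagged[email] = "separated"
        elif record["type"] == "contractor" and \
                date.fromisoformat(record["contract_end"]) < today:
            flagged[email] = "contract_expired"
    return flagged


if __name__ == "__main__":
    # Run the reconciliation as of a constructed review date.
    for email, reason in sorted(accounts_to_remove(ACTIVE_ROSTER, APP_MEMBERS, "2015-09-01").items()):
        print(f"remove {email}: {reason}")
```

Scheduling this reconciliation (daily, against a live roster export) is the automated removal step the report says was absent.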

Other social app security vulnerabilities discovered included a lack of control over the information employees could post and share via the website. As such, a registered user could easily upload Protected Health Information (PHI) or Personally Identifiable Information (PII), even by accident.

The website frequently suffered malfunctions, and the OIG also determined that the app was not a productive use of employees’ time, which could be better spent on work duties.

The report also pointed out “One VA Technical Reference Model (TRM) approved, with constraints, the installation of Yammer’s Notifier, a Windows desktop application, [however] use of the Yammer social network was not VA-approved for employee use.”

Employees Believed Yammer had been Approved for Use

Employees from many business sectors use social media apps against the recommendations of their employers; however, the OIG found that in the case of the VA, the use of the app appeared to have been sanctioned by the VA. Mr. Stephen W. Warren, the former Executive in Charge of Information Technology (IT) and Chief Information Officer (CIO), showcased use of the app in June 2013, and according to the report, used the social app “for an open chat forum.” He again referred to it “in a June 2014 CIO Message reminding employees to comply with VA Directive 6515 when using Yammer, giving the false impression that VA approved the use of Yammer.com.”

As a result of this, and a lack of communication with the staff, “VA employees believed Yammer was an approved tool for downloading, uploading, and sharing files, which it was not.”

William Cerniuk, Veterans Health Administration (VHA) Technology Director, was interviewed by the OIG, along with other VA employees, as part of its investigation. Cerniuk told the investigators that Yammer was a “social media site which is semi-private, allowing the ability for VA employees who have VA email addresses, contractor [or] permanent, to have discussions that do not involve PII or PHI.” He also told investigators that he was one of the first three VA employees to sign up for Yammer.

Cerniuk said that while the app was in use, it was evaluated and deemed not to be cost effective. He confirmed that Yammer had considerable benefits and value, but that it would only be a viable option if the cost of using the service could be negotiated. He also pointed out that security controls were in place and said the app would allow the VA to be “able to actually moderate conversations.”

If it were possible to monitor data uploaded or downloaded via the app, it had the potential to be useful, although the social app security vulnerabilities are a serious issue. It would be all too easy for an individual to upload PHI by accident, for example by sharing a PowerPoint presentation that contained PHI or PII of veterans. That was a major security risk.

He said uploads were actually monitored by him, “but obviously that’s not part of my overall job. So it’s very difficult for me to take that on as a full responsibility.”

VA OIG Makes Recommendations on Social Media App Use by the VA

After conducting its investigation, the VA OIG made a number of recommendations covering the use of the social media app.

The OIG said VA Yammer must be formally evaluated, resulting in official approval or disapproval being issued for its use by the VA. If that process resulted in the app being approved for use, it would have to satisfy federal regulations on data privacy and security as well as meet VA security policies. If it was not approved, the social app should be blocked to prevent its use by employees.

The OIG also said the VA must “determine appropriate administrative action, if any, to take against accountable officials, as well as other VA and contractor employees.” The staff would need to be trained and made aware of the permitted use of social media applications and other web-based collaboration technologies, including being provided with a list of those which had been approved as well as those which were expressly prohibited.

Robert Nabors, Chief of Staff for the VA, agreed with the recommendations and will ensure they are implemented by October 1, 2015.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news