Despite a high-profile data breach six years ago at the Department of Veterans Affairs, the agency has installed encryption software on only 16% of its computers, according to a report from the VA Office of Inspector General, InformationWeek reports.
VA's OIG launched an investigation after receiving an anonymous tip on the VA complaint hotline a year ago, alleging that encryption software was installed on only 40,000 computers.
In 2006, an unencrypted external hard drive with personal data on 26 million veterans was stolen from a VA employee's home.
In response to the security breach, James Nicholson, then VA secretary, called for encryption software to be installed on all the agency's laptops and PCs (Wait, InformationWeek, 10/19).
VA purchased 300,000 encryption licenses in 2006 and purchased another 100,000 licenses in 2011, at a total cost of $5.9 million, according to the OIG report (Whiting, FierceGovernmentIT, 10/16).
The report comes after Roger Baker -- VA CIO and assistant secretary for VA's Office of Information and Technology -- in August said VA verified that 99% of agency laptops now are encrypted (iHealthBeat, 8/7).
In the report, which is dated Oct. 11, OIG said VA has installed and activated only 65,000 -- or about 16% -- of the Guardian Edge encryption licenses it purchased since the 2006 breach.
OIG said the figure is based on the number of computers that had logged onto the Guardian Edge/Symantec server over a three-month period earlier this year and could include duplicate counts for computers.
The unused 335,000 licenses have led to "about $5.1 million in questioned costs," and their inactive status means that "veterans' personally identifiable information remains at risk of inadvertent or fraudulent access," according to the report.
Officials from VA's OIT told OIG auditors that the main reason for the lack of encryption was incompatibility issues between different VA computers and the encryption software.
According to OIG, "OIT discontinued installation of the encryption software until OIT could upgrade and standardize VA's computer equipment."
OIG recommended that VA's CIO assess the encryption software project to determine if the software still is compatible with VA systems and meets its needs.
OIT then should create a plan to install and activate the remaining licenses, according to OIG (FierceGovernmentIT, 10/16).