The VA Office of the Inspector General (OIG) has recently issued the findings of its administrative examination of into improper web-based collaboration technology by the Department of Veteran Affairs (VA). It found the agency is particularly vulnerable to data exposure from members of staff using social media applications.
Employee’s use of the social media application from Yammer.com could possibly lead to the exposure of sensitive veteran data. The OIG discovered employees have been using the social media app, even though the app had not been approved by the VA. VA policy requires all social media applications to be sanctioned before use, and have usage monitored.
The OIG found that the application “had vulnerable security features, recurring website malfunctions, and users engaged in a misuse of time and resources.” Yammer Notifier, a desktop application, was approved by one Technical Reference Model (TRM) with restrictions; however use of the Yammer social network was not.
The application has a lack of security measures and it was too easy for Protected Health Information (PHI) and Personally Identifiable Information (PII) to be uploaded and shared. Another problem was the lack of an administrator or system to remove contractors and former members of staff, allowing veteran data to possibly be accessed, downloaded and shared even after employment contracts have ended.
The Technology Director of the Veterans Health Administration (VHA), William Cerniuk, was interviewed as part of the review and told the OIG, Yammer was a “social media site which is semi-private, allowing the ability for VA employees who have VA email addresses, contractor [or] permanent, to have discussions that do not involve PII or PHI.”
He also said that “Staff began using Yammer in early 2012 as an “organizational approach” to disseminate product development messaging,” and explained that the app is “essentially, for lack of a better definition, Facebook for your company.”
However, there were security concerns. He said there was no centralized administrator, but “at any given point in time you or I or anyone else in Yammer can hit a button next to my name that says, ‘this person is no longer in the network.’ The system would then disable that person’s login”. That person would then need to confirm by email if they still needed access to that network. If no email is sent, the login remains disabled. However, he went on to say “Now, this is not done by any rigor of any sort. No one is assigned this duty of going through and digging out who belongs. So people will be able to log into Yammer after they leave the VA if their account isn’t disabled either by themself or otherwise.”
The OIG found some employees were routinely breaking VA policy by uploading, downloading and sharing files, and that the activity on Yammer had potential allow malware and viruses to spread quickly from the site. The report added, “users were unable to remove the Online Now instant messaging feature, resulting in every user violating VA policy simply by logging onto the site.”
The security weaknesses introduced by the use of Yammer were not the only issues the OIG had with the use of the app. The OIG report said Yammer was not an appropriate use of employees’ time and resources, and much time was being wasted on non-work related business. In some cases, users were even using the platform to send spam, and the widespread uploading, downloading and sharing of data via the platform could potentially have an adverse effect on the speed of the VA’s network.
The OIG issued three recommendations in its report and gave the VA until October 1, 2015 to adhere.
The use of VA Yammer must be formally reviewed, and its use by the Department of Veteran Affairs must be either approved or disapproved. If the decision is taken to approve use of the social media application, it must first meet the minimum requirements for data security laid down by federal laws, in addition to internal VA policy and guidance. However, should it be disapproved, its use must be strictly forbidden on all VA-equipment and networks. The VA must confer with the Offices OIT, OPIA, and General Counsel (OGC) on this.
The VA Chief of Staff has must consult with the Offices of Human Resources (OHR), Accountability Review (OAR), and the OGC to determine whether it is necessary to move against accountable officials or other contractors or employees who were involved in the matter.
Finally, the VA Chief of Staff must ensure that all members of staff receive instruction on the web-based collaboration technologies that have been authorized for use by workers, as well as those which are prohibited.