The Department of Veterans Affairs has mostly met a new requirement, in place since March 31, that all of its laptop computers have encrypted hard drives. Currently, 99 percent of laptops used by VA personnel are encrypted, according to CIO Roger Baker.
"We see on a regular basis reports that come in in our morning brief to the secretary that report a laptop that was stolen or a laptop that is missing for some reason," Baker told Federal News Radio (WFED AM-1500) in Washington.
In its most recent monthly report to Congress of data breaches, the VA said that 13 laptops went missing between June 4 and July 1. All had encrypted hard drives. "You can imagine the level of relief that a CIO has when every one of them says, 'But the laptop was encrypted,'" Baker said in the radio interview.
"In our world that means that it's not the CIO's problem anymore. It is a physical security issue for the protection of the device," he added. It also can save the department a lot of money. It costs about $1,000 for a new laptop with an encrypted hard drive, according to Baker. But a breach costs far more.
A 2006 breach involving personal information of more than 26 million veterans cost the VA $20 million in compensation for potential victims of identity theft. That incident prompted the new rule requiring encrypted hard drives.
VA does have methods for verifying that laptops said to be encrypted actually have the security in place. "What it enables us to do is see exactly what software is running and what's going on in every [computer] in our organization," Baker said. "You can make an awful-lot-closer-to-absolute statement when you have visibility to every device than you can by having to do a data call and believe what you get out of 210 organizations," he added.
"There's just no way of making an absolute assertion that nothing has happened to the information unless they're encrypted."
A handful of portable computers still are not encrypted and Baker said the VA is trying to identify the remaining 1 percent of unencrypted laptops and remedy the situation. The encryption rule does have some exceptions, too, such as for computers that are part of FDA-cleared medical equipment because modifying the hard drive might change how a medical device works.
The VA also recently has had what Baker called a "near-miss." It involved a laptop falling out of a VA clinician's car trunk that popped open. Fortunately, according to Baker, a military serviceman was driving immediately behind that car and retrieved the computer. Because the laptop was only in VA and military hands, the incident did not make the monthly security report, Baker said.
In the June report, the department also reported five missing or stolen desktop PCs and 20 lost BlackBerry smartphones, but did not detail how those were dealt with. Enterprise-issued BlackBerrys can be remotely disabled.