
Weak passwords, easy access, and unsupported web applications hamper VA online security

Department of Veterans Affairs building in Washington.

An assessment of the Department of Veterans Affairs’ cybersecurity practices to protect veterans’ medical records and other personal data found an online system with weak passwords, security flaws and a pattern of over-authorizing users on its platforms. (Stars and Stripes)

WASHINGTON. Stronger controls are needed to protect personal information online that the Department of Veterans Affairs collects and stores about millions of veterans enrolled in its health care services and receiving benefits, according to a new report by the agency’s inspector general.

Weak passwords, security flaws and a pattern of over-authorizing users on its platforms are among the weaknesses identified in an evaluation of the VA’s security program to protect veterans’ medical records and financial information and other personal data of beneficiaries, staff and contractors.

“Security flaws can allow any system and database user to gain unauthorized access to critical system information,” said Michael Bowman, director of the Information Technology Security Division of the Office of Audits and Evaluations in the VA Office of the Inspector General.

Bowman testified Wednesday at a House Veterans Affairs Committee hearing about the lack of security controls to support critical operations at the VA’s 1,000 facilities and facilitate payments to veterans and their families.

“Improvements are happening very slowly. VA has known about some of the deficiencies for years, but has been unable or unwilling to fix them,” subcommittee chairman Matt Rosendale, R-Mont., said at the hearing. “Despite some incremental improvements, VA’s approach is inadequate and unfocused.”

According to Bowman, the challenges of securing and protecting online information from hackers are similar to those of other federal agencies.

“With advances in technology, it’s easier for hackers to collect information about people from various data sources and track someone’s activities to further malicious or criminal schemes,” he said. “Storing and managing information securely is a very risky undertaking for government.”

All federal agencies are required to develop, document, and implement an information security and risk management program, and the inspector general provides an annual assessment.

The annual inspections are indicators of the agency’s technology security program, Bowman said. The deficiencies found at the VA are not new, he said, but persist year after year.

“While VA has made some progress in certain areas of its security program, it can best be characterized as incremental improvement in addressing deficiencies repeatedly identified by the audit team,” Bowman said.

The VA should make sure it installs security patches, makes system updates and restricts unsupported web applications to reduce vulnerabilities, he said.

Difficulty hiring and retaining qualified staff to manage and maintain VA computer systems hinders the work of keeping them secure, said Kurt DelBene, VA’s chief information officer in the Office of Information and Technology.

Government agencies and private businesses are competing for the same cybersecurity professionals, which drives up wages.

DelBene said the VA is asking for an increase in the cybersecurity budget from $110 million in fiscal year 2024 to $707 million in fiscal year 2025. A bigger cybersecurity budget would allow the agency to hire more trained staff with the skills to prevent and manage cyberattacks, he said.

“There’s always going to be the odd attack that we don’t expect,” DelBene said. “We want to be in the space of making the right decisions and achieving good results.”

Rep. Tim Kennedy, D-N.Y., said he thinks the investment is reasonable given the VA’s massive operations and the $369 billion spending plan for fiscal year 2025. But he said the VA should define measurable goals it expects to achieve with the increase.

“We are concerned that VA salaries may be too low to be competitive, even when combined with compensatory incentives and benefits,” DelBene said.

Rep. Sheila Cherfilus-McCormick, R-Fla., said the VA “remains unable to adequately address systemic problems. Only by investing in highly qualified staff and consistently following IT standards will the VA be successful.”

David Powner, executive director of data-driven policy at MITRE, a nonprofit that helps government agencies improve security, also testified. In 2024, a team from MITRE assessed the VA’s cybersecurity practices. Powner identified broad areas for improvement that echoed the concerns outlined in the inspector general’s report.

These included applying software patches, maintaining access controls, and using a logging system to log incidents that might indicate suspicious activity and attacks. The team found that the VA’s information security program operated under outdated cybersecurity policies and failed to effectively coordinate security practices across the enterprise. The VA also needs to focus more on identifying security vulnerabilities in medical devices and maintaining devices throughout their lifespan, Powner said.

The inspector general also accused the VA of improperly granting access to users and failing to remove or deactivate old and inactive accounts.

Weak passwords are a well-known vulnerability that allows attackers to gain unauthorized access, yet the IG report found weaknesses in how the VA implemented strong password controls, Bowman said.

DelBene said the VA is moving toward a zero-trust model that requires multifactor authentication, meaning users must provide more than one way to verify their identity before logging in and accessing VA systems.

Rosendale urged the VA to prioritize cybersecurity and implement measures recommended in the reviews.

“No organization is completely protected from cyber attacks. But we expect VA to understand its own vulnerability and maintain its defenses,” he said. “We must identify tomorrow’s risks and address them today. In the world of data leaks, more and more Americans’ personal information is being bought and sold on the dark web. The VA needs to do better.”