VA detects data-leak prevention vulnerability
Contributed by Roumiana Deltcheva (Tuesday, December 28, 2010) | Category: Email security
The Department of Veterans Affairs recently uncovered a vulnerability in its data-leak prevention when it was found that hospital employees were accessing unauthorized cloud services, such as hosted email, while on the job.
President Obama has pushed for federal agencies to embrace cloud computing, but only in a secure and highly regulated manner. In this instance, employees accessed the services without the department's knowledge.
"While these are password-protected accounts, the issue is that they leave the VA," department chief information officer Roger Baker said. "We need to figure out how to meet this demand and still meet our requirements from the standpoint of security controls."
In one case, VA hospital resident doctors were storing confidential patient information in a Yahoo web service. Full names, dates and types of surgery, and the last four digits of Social Security numbers for 878 patients were stored on the site using a shared username and password.
Such unauthorized web service use is a growing concern for companies. A recent survey from network management firm Ipswitch revealed 40 percent of IT executives send business data through personal email to avoid detection by their company's audit trail and data-leak prevention.