The Department of Veterans Affairs is looking to use emerging technologies in ways that also meet its broader goals of adopting zero trust security, which is driving a more unified approach to technology adoption across the agency.
This is a special concern for VA due to its exceptional scope of responsibility and size of the agency as well as the variable security concerns these produce. This drive to modernize an enterprise of VA’s breadth has spurred a corresponding focus on ensuring this process is managed in a way that protects critical data and information systems.
Recently, this has driven VA to focus on anticipating and meeting the rate of technological change rather than being purely reactive.
“There are 170-plus VA hospitals out there that we're constantly figuring out how to adjust policy for. So we're constantly having to look into where health care is going, where technology is going, so that we can enact some change. We’re staring pilots to collaborate with vendors so we can get some provisions in place, so we can see where both the health care and technology are going in the future in the hopes of improving health care for veterans,” said Joseph Ronzio, deputy CTO at the Veterans Health Administration, at ATARC's Zero Trust Summit Tuesday.
A key component of VA’s health care modernization has been using mobile devices and remote capacities that provide a new speed and access to care while presenting distinct security vulnerabilities. Reconciling these as part of a cohesive process has quickly become one of VA’s major IT security goals.
“We're constantly trying to push the envelope of how we get further out there and have more mobile devices for both patients and providers with more data coming from different edge devices," Ronzio said. "It gets to be very difficult to govern because the type of data being provided could potentially be making a life-or-death decision for a patient. So how do you balance your security with your functionality in the long run, and then how do you afford to secure all those devices?”
Meeting these goals will require a consolidation of security protocol, especially in providing a singular kind of evaluation for determining whether a device or piece of software adopted from the private sector is up to the broader security standards of an organization of VA’s size.
“We're not always getting a holistic look at security from a device or even from an application perspective. So we do have problems where different systems, especially within medical technologies, will go through a HIPAA audit and say, 'Well we're HIPAA-compliant.’ Well, that's great, but how about FISMA? And we have that split between what the government requires versus the general population. And I really think that we need more people to understand how truly everything needs to be secured,” Ronzio said.
The general divide in security protocol between individual organizations, and between the government and private sector more broadly, is another challenge that VA technologists are attempting to address while implementing these new capacities. This has become a particular concern with the greater data and device dispersal that comes with a modernizing network.
“We do have that problem where it's split. Either you're doing industry business or you're doing government business. And if you're in the government business, especially in health care, you have to have a high level of security,” Ronzio said.
Ronzio has found that sustaining internal discussion between separate departments — particularly those responsible for enterprise security and end-user operations — has been a useful means of fostering a stronger culture of security that reconciles their separate priorities around unified zero trust standards.
“You do need the end user to participate in that discussion and evaluate how valuable their data is and what’s at risk,” Ronzio said.
VA tech leadership ultimately ties these concerns directly back to applied data and interoperability, with the development of capacities like a modernized health record system providing both a greater continuity of care and greater information vulnerabilities that the agency seeks to address in tandem.
“If you're a veteran, when you first come into the service your first record might be done when you're 16 or 17. And now you're going to have that transition to the VA, we're going to have to keep it for the rest of their life," Ronzio said. "Everyone wants to talk about data modernization, but I don't think they have a grasp of how that reflects within the mission as much as I think they should."