Summary: In September 1998, GAO reported that computer security weaknesses at the Department of Veterans Affairs (VA) placed critical operations, including health care delivery, at risk of misuse and disruption. Although two VA health care systems have corrected most of the computer security weaknesses identified in 1998, serious computer security problems persist throughout the Veterans Health Administration (VHA) and the Department. These problems persist because VA had not yet fully implemented an integrated security management program and VHA had not devoted adequate resources to effectively manage computer security at its medical facilities. Consequently, financial transaction data and personal information continue to face increased risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction. GAO recommends that VA: (1) ensure that remaining computer security weaknesses at each health care system are corrected in accordance with action plans developed by each of the medical facilities; and (2) provide security oversight resources as prescribed in VHA policy to effectively implement and oversee VA's computer security management program through assessing risk, implementing policies and controls, promoting awareness, and evaluating the effectiveness of information system controls at VHA facilities.
