The Department of Veterans Affairs (VA) did not set an adequate level of access controls for its Beneficiary Fiduciary Field System (BFFS), which put personally identifiable information (PII) and personal health information (PHI) at risk, according to a report released September 12 by VA’s Office of the Inspector General (OIG).
The BFFS system manages payments from the Veterans Benefits Administration (VBA) to fiduciaries for veterans who cannot manage their own financial affairs, and served more than 200,000 veterans in 2017.
The report found that a contractor for VA’s Office of Information and Technology (OIT) set the system’s risk level at moderate after completing a questionnaire, but did not properly assess the amount of sensitive information in the system. That resulted in the system’s access controls being set too low, and led the department not to implement real-time alerts for audit processing failures.
“Systems that contain PHI, such as BFFS, should be set at a risk security categorization level of high and include additional system controls,” the report states.
OIG also dinged VBA for not participating in the risk assessment and leaving it to OIT, which goes against agency policy on risk assessments, and led OIT to miss the PHI in the system.
“VBA, including officials from Pension and Fiduciary Service, as the information owner and steward for BFFS, should have performed the categorization process in cooperation with OIT,” OIG states.
As a result, the system did not enforce least-privilege access, allowed access to the audit logs, and granted nationwide access to users based in the regional hubs that administer the program.
The report recommended that VA reclassify the system as a FISMA High system, limit users to accessing records within their regional hub, and apply more data protections to elements within the system. OIT and VBA agreed to implement the recommendations.