The Department of Veterans Affairs has confirmed what many people suspected: The “popular devices” VA will soon allow on its network will be Apple’s iPhones and iPads.
VA had previously announced October 1 as the date it would allow a new generation of consumer tablets and smartphones to connect and access department data. But until now, VA has been declining to say precisely which ones. VA chief information officer Roger Baker told reporters on a Monday conference call that the department would start with devices based on Apple’s iOS.
The next questions to answer are how VA will buy those tablets and smartphones, and whether employees will be allowed to use their own personal devices to access VA networks.
“We haven’t settled on exactly how we’ll acquire the devices,” Baker said. “These devices move so fast, you have to be worried about the fact that the moment you let an acquisition for a lot of them you’re going to end up buying one or two generations back, and we certainly don’t want to be doing that.”
He said he had not yet decided whether employee-owned iPhones and iPads should be allowed on VA’s network in October. But if VA does establish a bring-your-own-device policy, employees will have to agree to let the department enforce the same mobile device management procedures on their personal devices as it does on government-owned equipment.
“We’ve got to make certain that the applications we allow on the device are broad enough that we aren’t going to be draconian, but on the other hand, users are going to have to realize there could be apps on there that could cause security issues,” Baker said. “If we haven’t checked it out, our primary concern is going to be the security of any information on that device.”
He said using government-furnished mobile devices could help reduce VA’s IT costs, since they are generally cheaper than laptops. He envisions employees being given a choice between a department-issued laptop and a tablet.
VA’s new mobile pilot projects are focused in two areas. One is using mobile devices as information viewers that let authenticated users access data in VA systems, but not download it or store it. That generic approach will allow the department to easily extend support to other smartphones and tablets down the road, Baker said.
A second track is more device-specific. Apps would be able to store VA data on the device, but the department would have to make sure the software can encrypt and store data securely on an app-by-app basis. An example is an iPhone and iPad version of VA’s clinician interface, the Computerized Patient Record System.
“It would reside on the device and actually store information on the device in an encrypted fashion. It would allow clinicians to use it as their native interface for seeing patients,” he said.
One hurdle the VA needs to overcome before mobile devices become ubiquitous work tools, however, is the quality of the internal Wi-Fi networks in its facilities. Baker said most of the larger VA hospitals now have Wi-Fi networks deployed.
“But the issue has been that it’s not 100 percent coverage,” he said. “We’re about a third of the way through renovating the facilities for Wi-Fi signal so that they achieve pretty close to 100 percent coverage throughout the campus. We unfortunately had to go back and are going through the process of reawarding that contract, so we’re kind of set back in getting it done. There tends to be Wi-Fi signal, but it’s not the kind of coverage that you’d like to see if you’re going to use it for the sorts of things we’d like to use it for long-term.”
Baker said the department’s security procedures would also let email be downloaded and stored, since VA already has encryption protocols to secure sensitive data in its email system.
But encryption on iPhones and iPads won’t necessarily mean compliance with Federal Information Processing Standard 140-2, the government benchmark for cryptography published by the National Institute of Standards and Technology.
“FIPS 140-2 certification is not instantaneous,” he said. “One of the things we actually had a study done on was the advisability of accepting the risk of encryption that is not FIPS 140-2 certified for the types of information we’re putting on the device. Our expectation with the pilot is that we’ll determine the encryption that’s being done on the device is sufficient to be adequate for our purposes, and that I will accept the risk for our organization that that encryption is sufficiently strong and doesn’t create an undue risk of information breach.”
Baker said he doubts that NIST would take a dim view of VA proceeding on iPhones and iPads without FIPS certification. For one reason, many of the encryption technologies being used on iOS devices have already been submitted to NIST for certification. For another, he said, not finding a way to let employees use the devices in a way that VA policy can accommodate creates risks of its own.
“I’ve got 330,000 users out there. They’re using these devices,” he said. “Would I like them to use them the way that I’ve defined so I feel like there’s a high degree of security, or would I like the users to define how they’re going to use them? IT is a pragmatic science. Users will tend to do what users tend to do, and as a CIO, if I’m the chief ‘no’ officer, my users are going to find a way to have yes be the answer.”
Another way Baker said VA is trying to say yes is in the area of commercial cloud-based information sharing services like Google Docs and Microsoft’s Office 365. VA has experienced data breaches in the past when employees used public sites to collaborate on VA documents. So Baker said the department is working with one major provider to create a secure, walled-off portion of their public cloud that’s accessible only to VA users.
“Our clinicians, in looking for tools to better do their job, have found ways of doing things like shift handoff that are easier to use and more broadly available from cloud service providers than the things VA has available,” he said. “What we determined was that rather than try to replicate what the cloud service providers clearly were already doing very well, we explored with a number of them the possibility of having a VA-dedicated area for information storage. The only way into that area is through a direct link from the VA and authentication from the VA.”
Baker declined to name the cloud vendor VA is working with, but he said that if everything works well, the department wants to expand the idea to cloud-based information sharing products from multiple companies.