The agency seeks to implement large-scale information security reforms designed to meet White House goals and counter an evolving threat landscape.
The Department of Veterans Affairs is requesting a $107 million increase in its cybersecurity budget for fiscal year 2023, providing increased funding to all areas of its broader information security program with a special focus on implementing zero trust precautions.
The VA has sought to align its overall IT systems with contemporary cybersecurity standards, as part of a broader push across the federal government to implement measures like zero trust and protect against large indirect breaches like the 2021 SolarWinds attack, as well as mitigate the growing threat of ransomware attacks.
The latter is a special priority for VA in particular, as ransomware attackers increasingly focus their efforts on healthcare IT systems and hospital networks, whose closure poses a particular risk to human life and which therefore have a greater incentive to comply with the attackers’ demands.
The Biden White House released its Executive Order to Improve the Nation’s Cybersecurity in May 2021 following the discovery of the SolarWinds hack, in which Russian state-backed malicious actors gained access to a wide range of servers within the US government. The attackers went undetected for months and successfully used various forms of indirect breaches and interconnected access to expand the reach of infiltration.
As a result, there has been a movement across government away from an exclusive focus on perimeter security toward identity and access credential-based protection designed to limit the damage of system breaches and prevent attackers from infiltrating deeper into the network of an organization.
VA officials have discussed the need for revamped zero-trust security both within the agency and across government in general, with director of enterprise security architecture Royce Allen noting that adhering to older cybersecurity models is a liability in today’s threat environment.
“We must focus on a practice of continuity, verifying identity, authorization and authentication on data uses and our devices. This is why we do what we do and why zero trust is critical,” Allen said in previous comments to GovCIO Media & Research.
Much of VA’s cybersecurity approach relies on its rapidly modernizing healthcare IT systems, with newly released budget documents noting that “Modernizing VHA’s medical team, while improving its security, cybersecurity, and compatibility with VA’s electronic health record (EHR), requires deliberate systems engineering and extensive collaboration between VA lines of business and VHA clinical programs.”
This includes measures to protect both medical devices and patient information contained in the agency’s electronic health records modernization system that is currently in its first wave of on-site deployments.
Device security appears to be a particular focus of the new funding allocations, with budget documents revealing that “VA currently uses approximately 1,034,513 discrete medical devices company-wide to provide healthcare to veterans. Approximately 109,028 medical devices/clinical systems communicate on the VA and VHA information technology network – 342 medical services must be specially managed and routinely updated to address known and emerging cybersecurity risks.”
More than 10% of the VA’s requested cyber budget increase, totaling nearly $13 million, would go to privacy and records management. The agency requested a similar $13 million increase for Continuous Readiness in Information Security Protection (CRISP) operations “designed to reduce systemic information security risks in VA programs and systems to comply with federal security and safety regulations.” This represents an increase of nearly 25% over the 2022 CRISP budget, bringing the total proposed funding to $60 million in FY 2023.
The most substantial increase to the VA’s cybersecurity budget, though, was requested for general information security operations: an increase of $43 million that represents almost half of the total increase for fiscal year 2023. It appears that a considerable amount of this will be devoted to zero-trust security reforms, with the VA placing particular emphasis on what the agency has categorized as “Emerging Preparedness Initiatives.”
The agency’s budget documents stated that “adapting and implementing this new security posture provides a robust and strategic approach to address systemic deficiencies for VA (e.g., enterprise security governance, fundamental capacity gaps, data gaps, and identity governance). This stance initiates a paradigm shift in existing VA security resources from the current compliance mindset to a mindset that assumes breach and embraces adopting zero-trust capabilities as a first step.”