VA vendors warned to meet certification requirements

There is a small chance that a recent warning letter sent to vendors who handle personal medical data at the Veterans Affairs Department could lead to higher costs for the VA, the department’s assistant secretary for information and technology said.

“It could come back in the cost rates,” Roger Baker, who also is the department's chief information officer, told reporters Nov. 17.

Baker sent a letter to the CEOs of the VA vendor firms Oct. 21, reminding them of their legal obligation to certify that they meet VA information security requirements for handling veterans’ sensitive medical data.

The certification requirements apply to VA vendors that have access to personal medical data, which Baker previously estimated was the case for approximately one-third of the department’s 22,000 vendors.

The letter states that sensitive personal records for 644 veterans recently were put at risk due to a VA vendor’s loss of an unencrypted laptop computer.

“The vendor had certified that it was complying with VA security policies, but was not,” Baker’s letter to the vendors states. “As a result of this, all of their contracts with VA are currently under review.”

The letter said VA teams are auditing all affected contracts, including visiting vendor facilities when necessary, and if the auditors determine that a current certification is not in compliance with VA policies, then “appropriate contractual remedies” will be applied, Baker said.

The letter applies to current contracts, he said.

Asked about the costs to vendors of conducting the reviews and certifying the compliance, Baker said the costs were minimal. But he said there is a small chance that vendors might raise their costs in future contracts as a result of additional work performed after the letter.

“I don’t have the view that this is costing a lot" for the vendors, Baker said. On the other hand, “it could come back in the cost rates.” In any case, the certifications of information security are a common practice and should be expected as a usual cost of doing business, he added.

Baker previously said he initiated the vendor audits because a survey found that 10 to 25 percent of vendors at some VA facilities were not in compliance with the certification requirement.