House Republicans are urging the Department of Veterans Affairs to improve its IT security system to better protect veterans’ personal data.        

The House Committee on Veterans’Affairs held a hearing Tuesday examining data breaches amid a scandal where VA employees changed electronic records to cover-up long patient wait times that have been linked to veteran deaths.

{mosads}On Friday, VA Chief Information Officer Stephen Warren told the committee the department is working to replace its antiquated scheduling system and develop a new application, which will ultimately allow veterans to schedule their own appointments. 

A proposal request for a commercial scheduling program will launch on Friday, he said. A contract will be awarded in March and the program will be rolled out to facilities over a two-year period.

The hearing follows a Government Accountability Office report released Monday, which found that the VA failed to patch security software vulnerabilities on employee laptops and did not fully implement the appropriate program to test for vulnerabilities.

Rep. Jackie Walorski (R-Ind.) wanted to know how long it would take to patch the VA’s computer security systems.

“We will never be patched,” Warren said Tuesday. “Everyday industry is finding new ways things can be exploited … patching is one piece of protecting the system.”

Reviews of Veterans Affairs’ record-keeping system found that data logging programs had been turned off on certain systems, eliminating an audit trail that would have show when and where patient wait time had been changed.

“We’ve pulled back the ability for folks to change logging locally, specifically for scheduling,” Warren said. “I will go back and confirm for the other modules that we’ve done the same thing.”

Warren addressed employees directly during the hearing, at one point looking into a camera as he told them it’s not their responsibility or right to mess with audit controls. 

“And you’ll lose your job,” Rep. Tim Huelskamp (R-Ks.) suggested Warren add while he addressed the camera. “Though you probably can’t say that.”  

Responding to questions about veteran data breaches, Warren assured members of the committee that the only leaked information has been employee usernames and passwords, which were changed immediately after the system was breached in 2010 and 2012.

Rep. Mark Takano (D-Calif.) asked if the VA had a clear cost estimate for the new scheduling software and the cost to protect veteran information. 

Warren said the agency has budgeted $160 to $180 million in addition to the $300 million it needs to pay employee salaries.