Case Study:

IT Security Engineering Support

The U.S. Department of Veterans Affairs (VA) provides patient care and federal benefits to Veterans and their dependents. VA operates the nation’s largest integrated health care system, administers benefits and services for Service members, Veterans, their dependents and survivors, and provides burial and memorial benefits. In terms of healthcare alone, VA serves 9 million enrolled Veterans each year.

The Challenge

Enhancing the Department of Veterans Affairs’ (VA) cybersecurity posture across the enterprise is one of the most difficult operational challenges. As the VA continues to buy, build, and enhance its departmental infrastructure and Veteran-facing capabilities including mobile apps, cloud computing, and implementation of the Cerner EHR to replace VistA, it inevitably creates a hybrid of legacy and new systems, interfaces and networks that must be properly managed and controlled. It also further deepens its vulnerability to the material weaknesses identified by the IG and by FISMA and FISCAM audits.

With tens of millions of individuals accessing healthcare and other VA services, it is vital to protect every individual’s Personally Identifiable Information (PII) and Protected Health Information (PHI). PII is any information that can be used alone or in combination with other information to distinguish or trace an individual’s identity. For PHI, the U.S. Department of Health and Human Services states: “HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.”

The Solution

AbleVets is an acknowledged expert in provisioning IT security strategies, engineering support and cloud solutions to federal agencies. Our security engineers are developing and implementing consistent and repeatable security engineering processes and procedures aligned with the Risk Management Framework to build security into applications, systems and networks, thus improving VA’s security posture and reducing its risk profile in accordance with Federal mandates such as FISMA, Executive Orders, and National Institute of Standards and Technology (NIST) computer security standards. We provide security engineering expertise to ensure VA security requirements, design patterns and standards are implemented throughout the VA Enterprise. Our services include, but are not limited to:

  • Security Assessment for acquisition type solutions and emerging technologies
  • Incorporate system security engineering guidance into data center, cloud, and mobile environments
  • Support assessment and authorization process to ensure security controls are implemented and test results are properly reviewed and documented
  • Conduct system impact analysis and risk assessments for compliance and threat-based analysis
  • Create system security engineering training modules to enhance the workforce

Our risk assessments and security impact analyses dependably provide VA leadership with the information they need for informed decisions.

The Benefits

VA has enhanced its security posture and reduced its risk profile through engineering processes and tasks that are repeatable and achievable. Veterans, Active Duty and their family members can access VA healthcare and other services through secure connections and applications that protect their PII and PHI. At the same time, the VA and its important systems and data are properly protected from emerging cyber attacks.

Next Steps

AbleVets will continue to provide strategy and vision support for VA. We will offer security engineering and analytical support to projects and apply Risk Management Framework steps and activities to build security into the system development lifecycle and ensure the security posture is maintained throughout operations.

Learn More

To learn more about how the AbleVets approach is addressing complex security issues in federal IT systems, please visit We are proud of the tangible impact our efforts continue to have on the health, security and welfare of American citizens.

Cathy O’Hagan

Author, Information Security Manager

Cathy O’Hagan is a certified information security manager with 20 years of experience in helping government agencies develop secure information systems, reduce risk profile and improve security posture.