House lawmakers warn VA officials about data privacy risks for veterans posed by AI
Stars and Stripes January 31, 2024
WASHINGTON — House lawmakers on Monday grilled officials from the Department of Veterans Affairs over how they plan to protect millions of veterans’ medical records from data breaches as the VA increasingly uses artificial intelligence in health care.
Rep. Keith Self, R-Texas, questioned the VA’s ability to safeguard patient privacy as AI systems require a massive amount of data for decision-making processes to perform clinical and administrative tasks at the VA.
“How will you protect against the cascading release [of patient data] across the commercial sector?” Self, a member of the technology modernization subpanel of the House Committee on Veterans’ Affairs, asked at a hearing that looked at the rise of AI at the VA and steps underway to secure data.
Rep. Matt Rosendale, R-Mont., who is the chairman of the subcommittee, said the VA has a history of problems keeping the health, financial and personal information of veterans secure.
“Data breaches happen every few months, and they have taken many different forms,” he said, noting private patient information has been disclosed from errors in mass postal mailings and employee error and theft.
But those data breaches “represent the Stone Age compared to the privacy risks posed by artificial intelligence,” Rosendale said. “The VA has thousands of contractors and partner companies that access veterans’ health and personal data today. Controlling how they apply AI will be extremely difficult.”
Gil Alterovitz, director of the VA’s National Artificial Intelligence Institute, responded the VA can cancel contracts with commercial vendors that improperly share or “release” private patient data to individuals or parties that do not have the legal right to see or use the information.
The Office of Inspector General is notified to investigate cases of “egregious activity” that involve major breaches of “sensitive patient information” improperly accessed, viewed or extracted by a contractor in the course of performing work for the VA.
The VA prioritizes patient privacy when developing and analyzing AI programs internally and when contracting with vendors for AI services, said Charles Worthington, the VA’s chief technology officer.
Worthington described the VA’s processes for continually monitoring, detecting and responding to online intrusions and cyber threats. They include “identity management” with a tiered system for user permissions to access data resources.
He said the VA has implemented what is known as the National Institute of Standards and Technology risk management framework. The process enables the VA to manage privacy and security.
The VA also is organizing a governance council to provide strategic direction in the development and deployment of AI in the health care setting, Worthington said. The committee is being formed at the request of the Office of Management and Budget.
Oversight committees also are being piloted at VA hospitals, he said.
“You’ve got to have sanctions in place that are fairly severe, and they’ve got to be clarified in policies upfront,” Self said.
The VA employs AI to scan patients for cancer and to identify words associated with suicidal behavioral risks in patients’ medical records, Rosendale said. AI is used to “extract signals of suicide risk from clinical progress notes and other medical records.”
Rosendale warned about the accuracy of computer software and the potential impacts of wrongly identifying a veteran as a suicide risk.
“We need to do whatever we can to prevent veteran suicide,” he said. “But I’m concerned that this could lead to violation of veterans rights, limiting personal freedoms and gun ownership.”
Rosendale asked whether veterans know that the VA is using the AI technology.
“Shouldn’t this be disclosed to the patients so they understand who is performing this analysis?” he asked.
Alterovitz acknowledged there is not a consistent policy across the VA for informing veterans about the use of AI in their health care.
“That has to be elevated to a top priority,” Rosendale said.