US gov't agency slow to strengthen IT security

02.03.2007
The U.S. Department of Veterans Affairs still hasn't adequately addressed many of the internal IT security shortcomings cited following the loss last May of a laptop holding data on about 26.5 million veterans and active-duty personnel, according to government and agency auditors.

As a result, sensitive data is still at risk of being accidentally or deliberately misused across the VA, the auditors warned this week at a congressional hearing on the agency's information and security management processes.

In response, VA Deputy Secretary Gordon Mansfield said the agency is working hard to implement a series of recommended changes and has made "substantial progress in a relatively short time frame." He acknowledged, though, that the VA has yet to achieve its overall goal of becoming a security role model for other federal agencies. "We have done a lot of work and come a long way since last May's major incident occurred," Mansfield said. "But we still have an awful long way to go."

The hearing was held by the oversight and investigations subcommittee of the House Committee on Veterans' Affairs. U.S. Rep. Harry Mitchell (D-Ariz.), the subcommittee's chairman, said the panel originally planned to review the VA's information security efforts later this year. But the review was accelerated after the VA disclosed last month that a portable hard drive with information on up to 1.8 million veterans and doctors had gone missing from its medical center in Birmingham, Ala., on Jan. 22.

Gregory Wilshusen, director of information security issues at the U.S. Government Accountability Office, said at the hearing that the VA has taken several "important steps" to improve its IT security practices. That includes an ongoing centralization of security functions and personnel under the CIO's office and the establishment of "a data security corrective plan" to serve as a guideline for some of the planned changes, he said.

But many of those changes have yet to be fully implemented, Wilshusen added. For example, policies for assessing risks and implementing enterprise patch management capabilities haven't been developed. Nor does the VA have a plan for proactively mitigating known vulnerabilities across all of its systems, he said.