Understandably, health systems are reluctant to discuss the results of vulnerability scans of their networks. That is why the information security inspection reports published by the Department of Veterans Affairs (VA) Office of Inspector General (OIG) are so valuable: the deficiencies they identify at VA facilities are likely similar to ones that other health systems are experiencing and could address.
On July 11, the VA OIG published a report detailing an audit of whether the Northern Arizona VA Healthcare System was meeting federal security guidance.
The OIG’s inspections are focused on three security control areas:
1. Configuration management controls identify and manage security features for all hardware and software components of an information system.
2. Security management controls “establish a framework and continuous cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of the procedures.”
3. Access controls provide reasonable assurance that computer resources are restricted to authorized individuals. This area also covers the physical and environmental controls associated with physical security, such as physical access authorizations, visitor access, monitoring of physical access, and delivery and removal of equipment.
The OIG identified deficiencies in all three areas at the Northern Arizona VA Healthcare System.
The OIG noted that 71 of the healthcare system's 80 network switches ran operating systems that did not meet Office of Information Technology (OIT) baseline requirements and were no longer supported by the vendor. Devices in that state receive no further maintenance or vulnerability fixes, so any weakness found after the end of support stays exploitable, and noncurrent software remains exposed to malicious code that patched versions would resist. Network devices and IT systems are critical infrastructure for an organization, and the report noted that upgrading is not just a defensive strategy but a practical one that protects network stability.
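The finding above is the kind of result a routine check against the baseline should surface before an inspector does. The following script is an added example, not code from the OIG report or from VA OIT: it takes a list of discovered switches (as a real run would get from SNMP sysDescr or "show version" output), a minimum-version baseline per model, and a table of vendor end-of-support dates, and flags every device that is below baseline or past vendor support. All device names, models, version strings and dates are constructed for illustration.

```python
from datetime import date


def parse_version(version):
    """Turn '15.2.7' into (15, 2, 7) so versions compare numerically.
    A plain string compare would sort '15.10' before '15.9'."""
    return tuple(int(part) for part in version.split("."))


def train(version):
    """The major.minor 'train' a vendor publishes support dates for."""
    return ".".join(version.split(".")[:2])


# Constructed sample data (not from the report). In practice the baseline comes
# from the organization's configuration standard and the support dates from
# vendor end-of-life bulletins.
BASELINE_MIN_VERSION = {"model-a": "15.2.7", "model-b": "9.3.10"}

VENDOR_END_OF_SUPPORT = {  # (model, train) -> last date the vendor ships fixes
    ("model-a", "12.2"): date(2019, 10, 31),
    ("model-a", "15.2"): date(2027, 1, 31),
    ("model-b", "9.3"): date(2026, 6, 30),
}

DISCOVERED = [  # constructed inventory; hostnames are hypothetical
    {"host": "sw-b1-core-01", "model": "model-a", "os": "15.2.7"},
    {"host": "sw-b1-idf-02", "model": "model-a", "os": "12.2.55"},
    {"host": "sw-b2-idf-01", "model": "model-a", "os": "15.2.4"},
    {"host": "sw-dc-01", "model": "model-b", "os": "9.3.12"},
    {"host": "sw-dc-02", "model": "model-c", "os": "4.1.0"},  # no baseline known
]


def audit(devices, baseline, end_of_support, today):
    """Return one finding per noncompliant device, with every reason it failed.

    A device with no baseline entry or no known support date is reported too:
    'unknown' is a gap in configuration management, not a pass."""
    findings = []
    for dev in devices:
        reasons = []
        minimum = baseline.get(dev["model"])
        if minimum is None:
            reasons.append("no baseline defined for model")
        elif parse_version(dev["os"]) < parse_version(minimum):
            reasons.append(f"below baseline {minimum}")

        ends = end_of_support.get((dev["model"], train(dev["os"])))
        if ends is None:
            reasons.append("vendor support status unknown")
        elif ends < today:
            reasons.append(f"vendor support ended {ends.isoformat()}")

        if reasons:
            findings.append({"host": dev["host"], "os": dev["os"], "reasons": reasons})
    return findings


def summary_line(findings, total):
    """The one-line figure an inspection report leads with."""
    return f"{len(findings)} of {total} network devices do not meet baseline or support requirements"


if __name__ == "__main__":
    results = audit(DISCOVERED, BASELINE_MIN_VERSION, VENDOR_END_OF_SUPPORT, date(2025, 1, 15))
    print(summary_line(results, len(DISCOVERED)))
    for finding in results:
        print(f"  {finding['host']} ({finding['os']}): {'; '.join(finding['reasons'])}")
```

The date is passed in rather than read from the clock so the check is reproducible in a test and can be run "as of" a future date to see which devices fall out of support next quarter.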
The OIG identified a local database with multiple vulnerabilities caused by configurations that deviated from the OIT baseline. After the OIG made the system steward aware of the issue, the steward began moving the application to the VA Enterprise Cloud, where baseline configurations can be applied and managed by the Database Management Service Line. Data stored in databases has become a frequent target for malicious users, and such attacks can result in identity theft, financial loss, loss of privacy, a breach of national security, or other harm that follows from unauthorized access to sensitive data. Without managing and applying a baseline configuration, OIT is unaware of weaknesses that could adversely affect the database.
The OIG identified one security management control weakness: continuous monitoring of the hardware inventory was deficient. The inspection team discovered almost twice as many devices on the network as were recorded in the Enterprise Mission Assurance Support Service (eMASS), VA's cybersecurity management service for workflow automation and continuous monitoring. OIT provided an inventory that was close to what the team identified, leading the team to conclude that OIT is aware of the devices in use but was not routinely updating the inventory in eMASS. Continuous monitoring facilitates ongoing awareness of the system's security and privacy posture to support organizational risk management decisions, and the report stressed that frequent updates to hardware and software inventories are a key component of VA's continuous monitoring program. Continuous monitoring reports and metrics in eMASS give management information about the system and its security posture, which in turn supports risk management and authorization decisions. By not routinely updating the hardware inventory, management is making risk decisions based on inaccurate system information.
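The gap the inspection team found, roughly twice as many devices on the wire as in the system of record, is a set difference, and it is cheap to compute on a schedule. The script below is an added example and not VA or eMASS code: it reconciles a discovered-device export (what a scan or switch MAC-table pull returns) against an inventory export (standing in for an eMASS hardware list), matching on MAC address after normalizing the separator styles different tools emit. It reports devices seen but not documented, documented entries no longer seen, and a coverage ratio that can be tracked as a continuous monitoring metric. Both CSV extracts are constructed; the column names are assumptions, not eMASS's export format.

```python
import csv
import io

# Constructed sample exports (not real VA data). Note the mixed MAC formats,
# which is what real multi-tool inventories look like.
DISCOVERED_CSV = """ip,mac,hostname
10.20.1.10,00:1A:2B:3C:4D:01,sw-b1-core-01
10.20.1.11,00:1a:2b:3c:4d:02,sw-b1-idf-02
10.20.5.40,00-1A-2B-3C-4D-10,printer-rad-3
10.20.5.41,001A.2B3C.4D11,ultrasound-cart-2
10.20.9.7,00:1A:2B:3C:4D:20,
"""

RECORDED_CSV = """asset_id,mac_address,name
A-1001,00:1A:2B:3C:4D:01,sw-b1-core-01
A-1002,00:1A:2B:3C:4D:02,sw-b1-idf-02
A-1003,00:1A:2B:3C:4D:10,printer-rad-3
A-2000,00:1A:2B:3C:4D:99,old-nas-decom
"""


def normalize_mac(raw):
    """Reduce ':'/'-'/'.' separated and mixed-case forms to 12 lowercase hex
    digits so the same interface matches across tools."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def load(csv_text, mac_field):
    """Index an export by normalized MAC, keeping the full row for reporting."""
    return {normalize_mac(row[mac_field]): row
            for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(discovered, recorded):
    """Compare what is on the network with what the inventory says is there."""
    seen, documented = set(discovered), set(recorded)
    matched = seen & documented
    return {
        "unregistered": sorted(seen - documented),   # on the wire, not in inventory
        "stale": sorted(documented - seen),          # in inventory, not observed
        "matched": sorted(matched),
        # Share of live devices the inventory accounts for; the metric to trend.
        "coverage": len(matched) / len(seen) if seen else 1.0,
    }


def unregistered_rows(discovered, recorded):
    """The rows an analyst needs to open tickets: IP, MAC and hostname (if any)."""
    result = reconcile(discovered, recorded)
    return [discovered[mac] for mac in result["unregistered"]]


if __name__ == "__main__":
    discovered = load(DISCOVERED_CSV, "mac")
    recorded = load(RECORDED_CSV, "mac_address")
    result = reconcile(discovered, recorded)
    print(f"inventory coverage: {result['coverage']:.0%} "
          f"({len(result['matched'])} of {len(discovered)} live devices documented)")
    for row in unregistered_rows(discovered, recorded):
        print(f"  UNREGISTERED {row['ip']} {row['mac']} {row['hostname'] or '(no hostname)'}")
    for mac in result["stale"]:
        print(f"  STALE        {recorded[mac]['asset_id']} {recorded[mac]['name']}")
```

Matching on MAC alone has known blind spots (virtual interfaces, randomized MACs on some endpoints, devices behind NAT), so in practice the key is usually MAC plus hostname or a serial number from the scan; the set logic does not change. The "stale" list matters as much as the "unregistered" one, since decommissioned assets left in the inventory also make the risk picture inaccurate.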
During the inspection, the team identified seven deficiencies in access controls. In one example, the OIG found multiple communication rooms where physical access was not effectively controlled. The healthcare system had an automated physical access control system in which staff use badges to enter buildings and rooms, but the system was not fully deployed or operational, and employees routinely used keys instead. Key inventories, which are required every six months, had not been conducted at the facility in more than two years because of locksmith turnover and a failure to accurately track key distribution.
The OIG made six recommendations to the assistant secretary for information and technology and chief information officer:
1. Implement a more effective vulnerability management program to address security deficiencies identified during the inspection.
2. Ensure vulnerabilities are remediated within established time frames.
3. Ensure the unmanaged database completes the transition to the VA Enterprise Cloud where it can be managed and have security baselines applied.
4. Implement more effective configuration control processes to ensure network devices maintain vendor support.
5. Implement an improved inventory process to ensure that all connected devices used to support VA programs and operations are documented in the Enterprise Mission Assurance Support Service.
6. Ensure network infrastructure equipment is properly installed.
The OIG also made five recommendations to the Northern Arizona VA Healthcare System director:
7. Ensure physical access controls are implemented for communication rooms.
8. Ensure a video surveillance system is operational and monitored for the data center.
9. Ensure communication rooms with infrastructure equipment have adequate environmental controls.
10. Ensure communication rooms with infrastructure equipment have fire-detection and suppression systems.
11. Ensure water detection sensors are implemented in the data center.
The OIG said that the assistant secretary for information and technology and chief information officer concurred with all 11 recommendations. Responsive action plans were submitted for all recommendations except one. Although the response to recommendation 9 did not address the recommendation, evidence was provided that allowed the OIG to validate that actions had been taken to meet its intent, and the OIG considers it closed.