Audit Reveals IT Security Gaps at Texas VA Health Center

The Office of Inspector General for the Department of Veterans Affairs has identified some IT security gaps in configuration management, contingency planning and access controls at Harlingen VA Health Care Center in Texas.

To determine compliance with the Federal Information Security Modernization Act of 2014 (FISMA), the VA Office of Inspector General (OIG) conducts an annual audit of the VA’s information security program and practices.

The FY2021 FISMA Audit, conducted by CliftonLarsonAllen LLP, an independent public accounting firm, assessed VA’s information security program through investigation, observation, and performance testing of selected controls supporting 50 core applications and general support systems across 24 VA facilities and the VA Enterprise Cloud, including tests of selected management, technical, and operational controls defined by NIST. CliftonLarsonAllen LLP made 26 recommendations, all of which are repeated from the previous annual audit, indicating that VA continues to face significant challenges in complying with FISMA requirements. These recommendations included addressing gaps in configuration management, contingency planning, security management, and access controls.

The OIG chose to audit the Harlingen VA because it was not part of the recent FISMA audit. In a report released on September 27, 2022, the OIG identified deficiencies in configuration management, contingency planning, and access controls at Harlingen. The inspection team did not identify any shortcomings in security management.

The Harlingen VA Health Care Center had security vulnerabilities in the following configuration management controls:

• Inventory of components is a descriptive record of an organization’s IT assets down to the system level.

• Vulnerability management is the process by which the Office of Information and Technology (OIT) identifies and corrects software defects and often includes system updates, such as security patches.

• System lifecycle is the process of initiating, developing, implementing, maintaining, and replacing or disposing of systems.

The center did not have accurate lists of information systems hardware in VA’s corporate mission assurance support department, despite OIT and VA’s use of automated inventories of its systems. A complete, accurate and up-to-date inventory is necessary to implement an effective security program. Inaccurate component inventories make vulnerability management ineffective.

The OIG determined that the vulnerability identification process and OIT's analyses were effective; however, the process of fixing identified vulnerabilities needs to be improved. OIT scans for vulnerabilities routinely, randomly and when new vulnerabilities are identified and reported.

The inspection team and OIT used the same vulnerability analysis tools. The inspection team identified 16 vulnerabilities (five critical vulnerabilities on less than 1% of computers, which also had unsupported operating systems, and 11 high-risk vulnerabilities on 20% of computers) that had been previously identified by OIT but had not been mitigated within the timelines established by OIT.

VA requires critical vulnerabilities to be patched within 30 days and high-risk vulnerabilities to be patched within 60 days. The oldest vulnerability was identified on the network in 2013. The OIG also found one critical vulnerability on approximately 1% of computers and six high-risk vulnerabilities on 32% of computers that were detectable but not included in OIT's previous scan results.

Despite VA’s extensive patch management measures, the OIG inspection team identified several devices that were missing available patches. Some of these vulnerabilities had been present on the network for nine years after their initial discovery by VA. Without patches, VA can put critical systems at unnecessary risk of unauthorized access, modification, or destruction.

More than half of the center’s network switches were running operating systems beyond their vendor’s support dates, meaning they would not receive maintenance or vulnerability support. In addition, the deficient devices did not comply with VA baseline configurations. These devices should have been refreshed to vendor-supported systems before the vendor ended support. Network devices and computer systems are an organization’s most critical infrastructure. Upgrading is not just a defensive strategy, but a proactive strategy that protects network stability. Baseline configurations for network equipment are mandated by the VA OIT Configuration Control Board.

In addition, the inspection team identified deficiencies in the recording of administrative actions, the retention of logs and the review of logs for databases at the center. For example, administrative access database event logs were overwritten within minutes, in violation of VA policy. The center had not deployed a mechanism to copy database log files to long-term storage or prevent them from being overwritten. Logs often provide value when analyzing security incidents by recording accounts accessed and actions taken. Without this information, an investigation may be limited or fail to determine the unauthorized use or modification of center information.

The inspection team found that the center did not have fire detection systems in its two computer rooms and five communication cabinets. Without these systems, the center may not be able to respond quickly to a fire before the sprinkler systems are activated. This could damage the organization’s assets and result in financial loss or harm to veterans.

The inspection team also noted that one of the computer rooms did not use a visitor access log. As a result, the information security officer and system owner could not verify that appropriate physical security measures were implemented and working as intended. Without visitor access logs, there is no record of visitors entering the computer room. Investigations would therefore be hampered in the event of intentional or unintentional damage to equipment or the room.

Center officials implemented visitor access logs in the computer rooms after the OIG brought this issue to their attention.

The OIG recommended that the Assistant Secretary for Information and Technology and the Chief Information Officer implement (1) a more efficient process to maintain consistent inventory information for all network segments, (2) a vulnerability management program that ensures system changes occur within organizational timelines, (3) an effective system lifecycle process to ensure that network devices meet standards mandated by the VA OIT Configuration Control Board and (4) a process to retain database logs for a period consistent with VA’s records retention policy.

The OIG made these recommendations to the Assistant Secretary as they relate to enterprise-wide IT security issues similar to those identified in previous FISMA audits and IT security reviews. The OIG also recommended that the director of the Harlingen VA Health Care Center confirm that appropriate physical and environmental safety measures are implemented and working as intended.
