Security Vulnerabilities Identified in VA-OIG Audit of Bedford VA Healthcare System
An audit of the Bedford VA Healthcare System in Massachusetts by the Department of Veterans Affairs Office of Inspector General (VA-OIG) identified several security failures that put systems and veterans’ data at risk. The Federal Information Security Modernization Act of 2014 (FISMA) requires the VA-OIG to conduct annual security audits to determine whether facilities are meeting federal security requirements. The Bedford VA Healthcare System was selected because it had not previously been visited as part of the annual FISMA audit. The inspection focused on three security control areas: configuration management, security management, and access controls. Deficiencies were identified in each of them.
VA-OIG determined that 87% of network devices ran operating systems that did not meet federal minimum security requirements. That figure includes 4% of devices that had reached end of life, were no longer supported by the vendor, and no longer received security patches. Those devices carried 12 unpatched vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog, meaning CISA has evidence they are being exploited in the wild. Under CISA’s Binding Operational Directive 22-01, every vulnerability added to the KEV Catalog must be remediated by all federal civilian executive branch agencies by the due date listed in the catalog entry.
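Checking scanner output against the KEV Catalog is mechanical and worth automating so that findings like the 12 above do not sit unnoticed past their due dates. The following is an added example, not code from the VA-OIG report or from the VA: it indexes a catalog in the same JSON shape CISA publishes (field names `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse` match the real feed) and cross-references constructed scanner findings against it. The catalog excerpt, CVE identifiers and hostnames are placeholders invented for the example.

```python
"""
Cross-reference vulnerability scan findings against a CISA KEV-format catalog
and flag anything that is past its remediation due date.

Added example; not code from the VA-OIG report. The catalog excerpt below is
constructed with fictional CVE identifiers. The real feed lives at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and uses the same field names, so load_kev() works unchanged on it.
"""
import json
from datetime import date

# Constructed catalog excerpt in the shape of the real KEV JSON feed.
# CVE IDs are placeholders, not real vulnerabilities.
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "example",
  "vulnerabilities": [
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "EdgeRouter",
     "vulnerabilityName": "Example command injection", "dateAdded": "2024-01-10",
     "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "CoreSwitch OS",
     "vulnerabilityName": "Example auth bypass", "dateAdded": "2024-03-05",
     "dueDate": "2024-03-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-1900-0003", "vendorProject": "ExampleVendor", "product": "DB Appliance",
     "vulnerabilityName": "Example deserialization", "dateAdded": "2024-03-25",
     "dueDate": "2024-04-15", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner output: one row per (host, CVE) finding. Hostnames are fictional.
SCAN_FINDINGS = [
    {"host": "switch-01.example.local", "cve": "CVE-1900-0002", "cvss": 9.8},
    {"host": "router-07.example.local", "cve": "CVE-1900-0001", "cvss": 9.1},
    {"host": "router-07.example.local", "cve": "CVE-1900-9999", "cvss": 5.3},  # not in KEV
    {"host": "db-03.example.local", "cve": "CVE-1900-0003", "cvss": 8.1},
]


def load_kev(raw_json):
    """Index the KEV catalog by CVE ID so each finding is a single dict lookup."""
    catalog = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def kev_report(kev_index, findings, today_iso):
    """Return the KEV-listed findings, each tagged with days past its due date.

    Findings not in the catalog are dropped here; triage those by CVSS/EPSS instead.
    today_iso is an ISO date string so callers (and tests) need no datetime import.
    """
    today = date.fromisoformat(today_iso)
    report = []
    for f in findings:
        entry = kev_index.get(f["cve"])
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        report.append({
            "host": f["host"],
            "cve": f["cve"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due_date": due.isoformat(),
            "days_overdue": max(0, (today - due).days),
            "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
        })
    # Most overdue first; among equal lateness, ransomware-linked entries first.
    report.sort(key=lambda r: (-r["days_overdue"], not r["ransomware_use"]))
    return report


def summarize(findings, report):
    """The three counts an auditor asks for: total findings, KEV-listed, overdue."""
    return {
        "findings": len(findings),
        "kev_listed": len(report),
        "overdue": sum(1 for r in report if r["days_overdue"] > 0),
    }


if __name__ == "__main__":
    idx = load_kev(KEV_JSON)
    rep = kev_report(idx, SCAN_FINDINGS, "2024-04-01")
    for r in rep:
        print(f"{r['host']:26} {r['cve']:14} due {r['due_date']} "
              f"overdue {r['days_overdue']:>3}d ransomware={r['ransomware_use']}")
    print(summarize(SCAN_FINDINGS, rep))
```

Run against real scanner exports, the only change needed is loading the live catalog JSON and the scanner's CSV in place of the two constructed inputs; the overdue count is the number an inspector general will ask about first.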
Devices that do not meet VA baseline security requirements must be updated with vendor-supported system software as part of the system development life-cycle process. Bedford VA Healthcare System said the VA had allowed the outdated software to remain in use; VA policy, however, prohibits the use of unsupported end-of-life software. Other configuration management deficiencies included 10 databases holding personally identifiable information that were not included in the quarterly vulnerability scans. The servers hosting those databases had been reimaged within the previous 6 months, which limits the window for a pre-existing compromise, but because the databases were neither scanned nor monitored, Bedford VA Healthcare System would be unlikely to detect a breach of them.
Omitting the databases from the quarterly scans also meant Bedford VA Healthcare System could not confirm they complied with VA configuration security baselines. VA-OIG determined that 66% of the databases did not meet minimum security standards: they were not scanned for vulnerabilities and had not been configured to capture audit logs. Without audit logs there is no record to review for unauthorized access.
Three deficiencies were identified in security management, which requires a framework for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of those procedures. The deficiencies concerned the authorization to operate, the security categorization, and the continuous monitoring of the Lynx Duress panic button system, which should verify that the system holds complete and accurate user location information.
Four deficiencies were identified in access controls. Physical access to the facility and to IT resources was not effectively controlled. For instance, 39 individuals who should not have been permitted to enter the server room held badges that granted access to it, including 10 former employees. Card readers on communications closets did not function correctly and therefore neither restricted nor recorded physical access. A compensating control (key access) had been implemented, but the process controls over the key inventory were inadequate. Six percent of communications closets had no uninterruptible power supply, and 78% had uninterruptible power supplies plugged into outlets that were not on emergency power. Environmental controls were also lacking: equipment in 93% of the communications closets was not grounded.
VA-OIG made nine recommendations to correct the deficiencies, including obtaining an up-to-date inventory of locally managed databases and performing compliance scans on them; implementing a process to verify that system owners review user account access to locally managed databases; implementing effective system life-cycle management processes; implementing controls to ensure the accuracy of the user location data supporting the Lynx Duress system; implementing effective physical security controls; implementing and monitoring emergency power and uninterruptible power supplies in communications closets; and grounding all equipment in communications closets.

