
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

VA OIG Identifies Security Deficiencies in Audit of VA Spokane Healthcare System

An audit of the Department of Veterans Affairs Spokane Healthcare System in Washington state by the Department of Veterans Affairs Office of Inspector General (VA OIG) identified deficiencies in all three control areas inspected: configuration management, security management, and access controls. The audit was conducted between January 29 and February 6, 2025, at the Mann-Grandstaff VA Medical Center, which has approximately 1,300 employees and provided care to 27,000 patients in fiscal year 2024.

There were several instances where staff failed to remediate critical and high-severity vulnerabilities within the 60-day time frame stipulated by the VA, and in some cases had failed to develop the required action plans to remediate those vulnerabilities within that time frame. VA OIG also identified systems that were running unsupported software, and several devices were identified that had not been configured to VA-approved security baselines. These deficiencies increased the risk of unauthorized access and operational disruption, especially the failure to meet the security baselines on databases and core network devices.

One deficiency was identified in security management regarding the protection of personally identifiable information (PII). A screen with unredacted PII in the federal electronic health record (EHR) could be viewed by volunteers and scheduling clerks, who did not require access to that information. The failure to restrict access puts PII at risk of misuse, which could potentially cause harm to veterans.

Four access control deficiencies were identified related to physical and logical access to IT resources. There was a lack of proper segregation of duties for key distribution, unsecured network equipment was identified in two locations, eleven communications sockets did not have proper electrical grounding, and perimeter protection measures for fuel storage did not meet VA guidelines.

VA OIG made 7 recommendations in the areas of configuration management, security management, and access controls, which VA OIG said are also applicable to other VA facilities. The VA has already implemented some of the recommendations and has planned to address the remaining issues.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com.
