Multiple Security Vulnerabilities Identified at Arizona VA Healthcare System
A recent inspection of the Northern Arizona VA Healthcare System by the Department of Veterans Affairs Office of Inspector General (OIG) found deficiencies in all three security control areas that were investigated – configuration management, security management, and access controls.
The Northern Arizona VA Healthcare System includes the Bob Stump Department of Veterans Affairs Medical Center in Prescott and 11 clinics in the state and serves approximately 33,000 veterans. The inspection was performed because the Northern Arizona VA Healthcare System had not previously been visited as part of a Federal Information Security Modernization Act of 2014 (FISMA) audit.
The inspection revealed the Northern Arizona VA Healthcare System had deficiencies in four configuration management controls – vulnerability management, flaw remediation, unsupported components, and baseline configurations. While the VA has a vulnerability management program, the inspectors identified vulnerabilities that the Office of Information and Technology (OIT) had failed to identify, even though the same scanning tools were used. Many of those vulnerabilities were rated critical or high severity.
Several devices were found to be missing security patches. Patches were available to address the critical and high-severity flaws, but they had not been applied, leaving the devices at risk of unauthorized access, alteration, or destruction. Components continued to be used despite reaching end-of-life. For instance, 71 of the 80 healthcare system network switches were using operating systems that were no longer supported by the vendor, which means security patches are no longer issued. Consequently, weaknesses and vulnerabilities would not be addressed and could be exploited by malicious actors. Some configurations were found to deviate from the OIT baseline. For instance, a local database had multiple vulnerabilities as a result of a configuration that deviated from the OIT baseline. If the OIT baseline configuration is not used, OIT would be unaware of any weaknesses impacting the database.
One deficiency was identified in security management – continuous monitoring of the inventory. The inspectors found almost twice as many devices on the network as were identified in the VA’s cybersecurity management service for workflow automation and continuous monitoring (eMASS). While OIT had an inventory of devices that contained most of the networked devices, the inventory was not routinely updated in eMASS. As a result of the failure to update the inventory, management was making risk decisions based on inaccurate system information.
The inspectors also found 7 deficiencies in access controls: physical access, video surveillance, environmental controls, equipment installation, emergency power, fire protection controls, and water detection. For instance, the healthcare system had an automated physical access control system where employees use badges to enter buildings and rooms, but it had not been fully deployed, with staff often using keys for access. While key inventories are required every 6 months, they had not been conducted in more than two years due to locksmith turnover and the failure to accurately track key distribution.
The OIG made 11 recommendations, six to the assistant secretary for information and technology and chief information officer and five to the Northern Arizona VA Healthcare System director. VA IT management and the Northern Arizona VA Healthcare System director concurred with all of the recommendations. The recommendations include implementing an effective vulnerability management program, ensuring vulnerabilities are remediated within established time frames, transitioning unmanaged databases to the VA Enterprise Cloud, ensuring all network devices maintain vendor support, implementing an improved inventory process, ensuring network infrastructure is properly installed, and ensuring physical access controls are implemented.
While the findings of the audit were specific to the Northern Arizona VA Healthcare System, similar vulnerabilities are likely to exist in other VA healthcare systems. The OIG recommends all VA healthcare systems review the findings of the inspection and implement the same recommendations if similar security deficiencies are identified.


