HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Office of Inspector General Releases Results of VA FISMA Audit

The Department of Veterans Affairs’ Office of Inspector General (OIG) has conducted its annual security review of the VA, the largest healthcare provider in the United States. The aim of the review is to assess the VA’s information security program in accordance with the Federal Information Security Modernization Act (FISMA).

The report reveals that many ongoing security vulnerabilities still need to be addressed, although this year’s report adds only three new recommendations. In total, OIG made 33 recommendations on how the VA can address its security weaknesses.

Those 33 recommendations are spread across 8 areas: the security management program, identity management and access controls, configuration management controls, system development and change management controls, contingency planning, incident response and planning, continuous monitoring, and contractor systems oversight.

The three new recommendations in this year’s report are:

  • Weaknesses have been identified in the agencywide information security and risk management program. OIG recommends that processes be implemented to ensure all systems used by the VA are formally Authorized to Operate, and that system security controls be evaluated before systems are connected to the Internet or the VA network.
  • Weaknesses have been identified in the VA’s configuration management controls. OIG recommends that the VA improve and implement processes to ensure all devices and platforms are evaluated using credentialed vulnerability assessments.
  • Weaknesses have been identified in incident response and monitoring. OIG recommends that the VA’s Network Security and Operations Center be given full access to security incident data to improve awareness of information security events.

The OIG report says considerable progress has been made. New policies and procedures have been implemented and great strides are being made to improve agencywide security; however, many vulnerabilities persist, and the VA faces considerable challenges implementing various components of its information security continuous monitoring and risk management program. OIG found significant deficiencies in the VA’s access controls, configuration management controls, continuous monitoring controls, and service continuity practices.

OIG says the VA must concentrate its efforts on four key areas to better achieve FISMA outcomes. These are:

  • Address the security issues that contributed to the information technology material weaknesses detailed in the FY 2016 audit of the VA’s Consolidated Financial Statements.
  • Address process deficiencies to ensure system Authorizations to Operate are conducted in accordance with VA policy.
  • Speed up the deployment of system upgrades, system configurations, and security patches to address known vulnerabilities, and enforce a consistent process across all field offices.
  • Improve performance monitoring to ensure security controls are operating as intended in all facilities. Identified security deficiencies should also be communicated effectively to the appropriate personnel so that action can be taken to mitigate risks.

Many of the deficiencies identified in the report are common across the healthcare industry. While it is not possible to eliminate risk entirely, it is possible to reduce it to an acceptable level. Some of the vulnerabilities are expected to be addressed when the VA transitions from its VistA EHR to the new Cerner EHR.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.