HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

VA Information Security Weaknesses Will Take Further 22 Months To Remediate

Last week, the VA Office of Inspector General issued a report on a 2015 Department of Veterans Affairs (VA) audit conducted to determine whether the VA’s Security Program complied with Federal Information Security Modernization Act (FISMA) requirements and NIST guidelines.

The audit report indicates progress has been made to improve cybersecurity protections at the VA, but there is still a long way to go before the VA’s InfoSec program raises standards to the level required by FISMA.

Auditors discovered a number of significant security deficiencies in the VA’s identity management and access controls, configuration management controls, contingency planning processes, incident response and monitoring procedures, contractor systems oversight, continuous monitoring, system development/change management controls, and its agency-wide security management program.

While some efforts have been made to improve access and configuration management controls, security control standards had not yet been applied to all servers, databases, and network devices and a number of system security vulnerabilities had yet to be remedied. According to the report, approximately 9,500 separate security risks still need to be addressed by the VA.

The report makes 31 new recommendations for improving the VA’s information security program, and four recommendations from previous audits remain unaddressed, bringing the total to 35.

Progress Is Being Made to Improve VA Cybersecurity Protections

The VA responded to the audit findings at a hearing on March 16, 2016, saying that around 30% of the recommendations would be addressed by the end of the year, but that it would take until the end of 2017 to comply with all of the recommendations detailed in the report.

While the VA views that timescale as realistic, during the hearing of the House Oversight and Government Reform Committee’s subcommittee on IT, subcommittee chair William Hurd, R-Texas, said a time frame of “two years is too long.” He went on to say, “The bad guys are moving at the speed of light, and we’re moving at the speed of bureaucracy.” Hurd believes that more of an effort can be made to speed up the process of addressing the security vulnerabilities, saying “I think we can do better.”

The VA’s task is difficult. A considerable amount of work is required to bring all systems up to date. There are many outdated information systems in use, many of which are written in outdated computer languages, while some software dates back to the 1960s. Medical systems are no longer supported by vendors, many hundreds of custom apps are still in use, and many medical apps still run on the unsupported Windows XP operating system.

Plans are underway to migrate many of the VA’s custom apps to off-the-shelf options, some systems will be moved to the cloud, and email-as-a-service is to be implemented. VA CIO LaVerne Council said at the hearing that the VA “is on track to eliminate our material weaknesses by the end of 2017,” but that would require nearly twice the VA’s current cybersecurity budget. A budget increase to $370 million is planned for 2017.

The full OIG report can be viewed here.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.