VA OIG Discovers Security Vulnerabilities Introduced at Orlando VA Medical Center
The VA Office of Inspector General has discovered a Wi-Fi network was set up at a Florida VA medical center without being coordinated with the VA’s Office of Information & Technology (OI&T). As a result, vulnerabilities were introduced that could have been exploited to gain unauthorized access to VA systems.
The VA Office of Inspector General conducted an audit of the Orlando Veterans Affairs Medical Center (VAMC) at Lake Nona, FL after receiving a complaint that the Veterans Services Adaptable Network (VSAN) was being developed without coordination with the Office of Information & Technology (OI&T), and that appropriate funding for the project had not been obtained through proper channels.
While evidence of funding irregularities was not uncovered, the VA OIG did confirm that a Wi-Fi network for patients had been set up without coordination with OI&T, and that the network did not have the appropriate security controls applied in accordance with VA policies.
After the network had been set up, a risk assessment was not performed and there was no segregation between the VSAN and VA network. The VA OIG explained in its report that the lack of oversight by local OI&T staff resulted in unnecessary risks being introduced that could have resulted in other VA systems being compromised. No evidence was uncovered to suggest any vulnerabilities had been exploited.
The VA OIG reports that staff did not ensure security controls were applied in accordance with the VA’s security requirements due to competing priorities and resources. A security risk assessment was not performed because management did not allocate the necessary resources to the task.
The VA OIG has recommended the executive in charge for the Office of the Under Secretary for Health and the executive in charge for the Office of Information and Technology ensure that all guest Internet networks, industrial control systems, and external air-gapped networks are properly segregated and meet VA security requirements.
The report highlights a common problem: the installation of software, or the use of hardware, that has not been authorized by the IT department. Referred to as shadow IT, such unauthorized hardware and software can introduce vulnerabilities that the IT department never learns about and therefore cannot correct.
Without the oversight of the IT department, software may not be kept up to date and vulnerabilities could easily be exploited to gain access to healthcare networks.
Health IT departments can implement controls that prevent employees from installing software. Employees should also be instructed, in no uncertain terms, that installing software or connecting devices without first obtaining authorization from the IT department is strictly prohibited.
IT departments should also consider scanning the network to identify rogue devices that have been connected, although that only works if the IT department also maintains an accurate inventory of all authorized devices against which scan results can be compared.
Network access control (NAC) tools can also be deployed to further protect healthcare networks. These tools restrict network access to authorized devices that have the appropriate security controls, antivirus software, and the latest versions of software installed.
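The rogue-device scanning and accurate-inventory point above, together with the segregation failure the report describes, can be turned into a simple reconciliation check. The following is an added example written for this article, not code from the VA OIG, the medical center, or any NAC product. It assumes a hypothetical scan dump in the form "ip mac segment" (one address per line, as a switch or ARP export might be post-processed into) and an inventory keyed by MAC address with the network segment each asset is authorized for; both the inventory and the scan lines are constructed sample data. It flags devices not in the inventory, inventoried devices seen on a segment they are not authorized for (the guest/clinical boundary the report cares about), and inventory entries that were never seen, which is the signal that the inventory itself has gone stale.

```python
"""Reconcile observed network devices against an authorized-device inventory.

Added example (hypothetical data and format); not from the article or the VA OIG.
"""
import re
from dataclasses import dataclass

# Constructed inventory of authorized devices: MAC -> (asset tag, authorized segment).
INVENTORY = {
    "00:11:22:33:44:01": ("WS-CLINICAL-0042", "clinical"),
    "00:11:22:33:44:02": ("PRINTER-RADIOLOGY-3", "clinical"),
    "00:11:22:33:44:03": ("GUEST-AP-LOBBY-1", "guest"),
    "00:11:22:33:44:04": ("INFUSION-PUMP-17", "clinical"),  # never seen in the scan below
}

# Constructed scan output in the assumed "ip mac segment" form.
SCAN_OUTPUT = """\
# ip           mac                segment
10.10.1.15     00:11:22:33:44:01  clinical
10.10.1.16     00:11:22:33:44:02  clinical
10.20.5.7      00:11:22:33:44:03  guest
10.10.1.99     aa:bb:cc:dd:ee:ff  clinical
10.20.5.8      00:11:22:33:44:03  clinical
"""

SCAN_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<segment>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    segment: str
    reason: str  # "unknown_device" or "segment_mismatch"


def parse_scan(text):
    """Parse scan lines into (ip, mac, segment) tuples; blank and '#' lines are skipped.

    A malformed line raises rather than being silently dropped, because a scan
    that quietly loses entries is exactly the kind of gap a rogue device hides in.
    """
    devices = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SCAN_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognized scan line: {line!r}")
        devices.append((m["ip"], m["mac"].lower(), m["segment"].lower()))
    return devices


def reconcile(scan_text, inventory):
    """Return findings for devices that are unknown or on an unauthorized segment."""
    findings = []
    for ip, mac, segment in parse_scan(scan_text):
        entry = inventory.get(mac)
        if entry is None:
            findings.append(Finding(ip, mac, segment, "unknown_device"))
        elif entry[1] != segment:
            findings.append(Finding(ip, mac, segment, "segment_mismatch"))
    return findings


def stale_inventory(scan_text, inventory):
    """Return inventoried MACs that the scan never observed (possible stale records)."""
    seen = {mac for _, mac, _ in parse_scan(scan_text)}
    return sorted(mac for mac in inventory if mac not in seen)


if __name__ == "__main__":
    for f in reconcile(SCAN_OUTPUT, INVENTORY):
        tag = INVENTORY.get(f.mac, ("<not in inventory>",))[0]
        print(f"{f.reason:17} {f.ip:14} {f.mac}  seen on '{f.segment}'  asset={tag}")
    for mac in stale_inventory(SCAN_OUTPUT, INVENTORY):
        print(f"not_seen          {mac}  asset={INVENTORY[mac][0]}")
```

The two reasons map onto the two failures in the report: an unknown MAC on a clinical segment is the shadow-IT case, and an inventoried guest device answering on the clinical segment is the missing segregation case. The stale-inventory list is what keeps the first check honest; a scan compared against an inventory nobody maintains produces either a flood of false "rogue" hits or, worse, silence.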