- The Veterans Services Adaptable Network (VSAN) at the Orlando Veterans Affairs Medical Center (VAMC) was not fully coordinated with the Office of Information and Technology (OI&T), which included not having a security risk assessment, according to a VA Office of Inspector General (OIG) report.
Along with investigating potential security concerns, OIG reviewed project funding to ensure the money came from medical services appropriations.
However, the agency was unable to substantiate that “the Orlando VAMC inappropriately used $5.2 million in medical appropriations funds to purchase IT hardware, software, and installation services in support of the VSAN system.”
OIG conducted its review from June 2015 through July 2017, and began its investigation in response to a VA Hotline allegation.
“The OIG substantiated that the VSAN deployment was not fully coordinated with OI&T to ensure it met VA security requirements,” the report explained. “Specifically, the Orlando VAMC, in coordination with OI&T, did not perform a system risk assessment or security control testing to ensure implementation of appropriate VSAN security controls and segregation between VSAN and the VA’s internal network.”
Performing a security risk assessment using Federal Information Processing Standards 199 and implementing VA information security controls as specified by the risk impact level were some of the security requirements for VAMC.
The organization told OIG during previous site visits it did not perform a risk assessment and “management did not provide any evidence that VSAN was meeting these security requirements.”
The lack of oversight during VSAN implementation created unnecessary risks to VA’s networks, OIG maintained. Unauthorized access or other types of risk could have occurred because of the lackluster security measures.
“Without a formal security assessment, VA could not confirm implementation of VSAN security controls in accordance with information security requirements or effective protection of other VA systems from unauthorized access, modification, or disclosure,” report authors wrote.
Furthermore, other VA systems could have been put at risk.
“Prior FISMA audits also identified weaknesses associated with system risk assessments and implementation of system security controls,” OIG explained. “It is imperative that VHA coordinate the development and implementation of any future VSAN projects at other medical facilities to ensure adequate protection of veterans’ sensitive data.”
All guest internet access networks, external air-gapped networks, and industrial control systems must be appropriately segregated from VA networks, OIG recommended. The same networks and systems will also need to meet the OIG information security requirements.
“Management stated all Industrial Control Systems were removed from the VSAN in Orlando,” report authors said. “In addition, management stated that there is not a requirement for a full risk assessment because there are no Industrial Control Systems on the VSAN; the system only needs an air gap Memorandum of Understanding.”
Acting Assistant Secretary for OI&T Scott Blackburn explained in a response letter that Orlando VAMC concurred with OIG’s findings. The organization does have security requirements for Network Connected Industrial Control Systems (ICS) and Air-Gapped Networks, he stated.
There are also “security requirements and process guidance specifically for network-connected ICS and other special purpose non-medical systems and devices.”
“Any ICS or other special purpose system or devices that are proposed for installation within a device isolation architecture (DIA) Virtual Local Area Network (VLAN) must be assessed for security risks and receive formal approval through the assessment and authorization process before connection to the VA Network,” Blackburn wrote.
The letter continued to state that the VSAN was never interconnected to the VA network, and that there was only an ICS risk on the VSAN while the investigation was taking place. Blackburn also reiterated that a full risk assessment is not needed because there are no ICS systems on the VSAN.
“[Memorandums of Understanding] are in place for all network-based systems at each facility to ensure they are airgapped from VA OI&T networks and separate from VGIA,” the response letter concluded. “VHA nationally will continue to work with OI&T to ensure the airgap MOU process is used and will continue to ensure no ICS systems are connected to a public internet connection as specified in the memo dated May of 2015 also attached.”