Veterans Affairs OIG Finds Cybersecurity Deficiencies at AZ Health System

July 14, 2023 - The US Department of Veterans Affairs (VA) Office of Inspector General (OIG) inspected the information security program at the Northern Arizona VA Healthcare System and discovered significant security deficiencies.

The VA OIG conducts annual audits of the VA’s information security program and practices to determine compliance with the Federal Information Security Modernization Act of 2014 (FISMA). The 2022 FISMA audit discovered significant compliance challenges across the VA network.

In addition to the FISMA audits, the OIG frequently inspects individual VA facilities to assess whether these facilities are meeting federal security requirements pertaining to three control areas: configuration management controls, security management controls, and access controls.

For this audit, the OIG selected the Northern Arizona VA Healthcare System because it was not previously visited as part of the annual FISMA audit. The OIG detected deficiencies in all three control areas.

In the configuration management controls space, the Northern Arizona VA Healthcare System had deficiencies in vulnerability management, flaw remediation, unsupported components, and baseline configurations.

“VA has a vulnerability management program, but it can be improved,” the report noted. “Prior FISMA audits repeatedly found deficiencies in VA’s vulnerability management. Consistent with those findings, the team found operating systems that were no longer supported by the vendor and applications with missing security patches at the healthcare system.”

The OIG noted several devices missing security patches, despite having high-risk vulnerabilities with patches available. Unpatched devices can serve as a network entry point for threat actors, resulting in data breaches and risks to patient safety and operations.

In terms of security management controls, the OIG found the Northern Arizona VA Healthcare System to be deficient in one area: continuous monitoring of inventory. Inspectors found almost twice thenumber of devices on the healthcare system’s network compared to the number tracked in the Enterprise Mission Assurance Support Service (eMASS), VA’s cybersecurity management service for continuous monitoring.

The inspection also revealed physical access deficiencies, video surveillance gaps, and temperature and humidity issues.

As a result of the investigation, the OIG recommended that the healthcare system implement a more effective vulnerability management system, ensure vulnerabilities are properly remediated, and implement a more effective configuration control process to ensure that devices receive vendor support. In addition, the OIG made recommendations to improve the healthcare system’s physical access controls.

The healthcare system concurred with all 11 recommendations and submitted responsive action plans to resolve these issues.

“Although the findings and recommendations in this report are specific to the Northern Arizona VA Healthcare System, other facilities across VA could benefit from reviewing this information and considering these recommendations,” the report noted.