OIG Finds Vulnerability Management and Remediation Inadequacies at Alabama VA Medical Center

The VA Office of Inspector General (OIG) examined information security at the Tuscaloosa VA Medical Center in Alabama and found deficiencies in three of the four security control areas evaluated. The OIG inspection covered contingency planning, configuration management, security management, and access controls; deficiencies were found in configuration management, access controls, and security management.

Configuration management controls are needed to identify and manage the security features of all hardware and software components of an information system. OIG found deficiencies in database scanning, vulnerability management, and remediation. The Office of Information and Technology (OIT) regularly scans for vulnerabilities, yet when OIG and OIT used similar vulnerability-scanning tools, OIT did not detect all of the vulnerabilities: OIG found 119 critical-risk vulnerabilities that OIT had not identified. OIG also found 301 vulnerabilities that had not been mitigated within the expected 30 or 60 days. There were 134 critical-risk vulnerabilities identified on 14% of devices and 134 high-risk vulnerabilities identified on 46% of devices. One high-risk vulnerability had gone unpatched for 7 years.

A number of devices were missing critical security patches that were available but had not been applied, exposing VA systems to unauthorized access, modification, or disruption. Although database scans are performed each quarter, OIT provided scans for only 50% of the databases because port-filtering problems prevented it from reaching the rest. Without complete scans, OIT would not know about security control weaknesses affecting the security posture of those databases.
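As an added illustration (not part of the OIG report or this article), the following Python reconciles an independent audit scan against the site's own scan results, flags findings that have been open past their remediation window, and computes the share of inventoried devices affected by a given severity. The mapping of the 30- and 60-day windows to critical and high severities, the host names, and the vulnerability identifiers are constructed assumptions.

```python
"""Reconcile two vulnerability scans and flag findings past their remediation window."""
from dataclasses import dataclass
from datetime import date

# Assumed mapping of the 30- and 60-day remediation windows to severities.
WINDOW_DAYS = {"critical": 30, "high": 60}

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str       # scanner plugin or CVE identifier; constructed values below
    severity: str
    first_seen: date   # date the finding was first reported

def missed_by(reference, candidate):
    """Findings in `reference` that `candidate` did not report (matched on host + vuln_id)."""
    seen = {(f.host, f.vuln_id) for f in candidate}
    return [f for f in reference if (f.host, f.vuln_id) not in seen]

def overdue(findings, as_of):
    """Findings still open longer than their severity's remediation window as of `as_of`."""
    return [f for f in findings
            if f.severity in WINDOW_DAYS
            and (as_of - f.first_seen).days > WINDOW_DAYS[f.severity]]

def device_exposure(findings, severity, all_hosts):
    """Percentage of inventoried hosts with at least one open finding of `severity`."""
    affected = {f.host for f in findings if f.severity == severity}
    return 100.0 * len(affected) / len(all_hosts) if all_hosts else 0.0

# Constructed sample data: an independent audit scan versus the site's own scan.
HOSTS = ["ws01", "ws02", "srv01", "db01"]
AUDIT_SCAN = [
    Finding("ws01", "VULN-A", "critical", date(2020, 1, 10)),
    Finding("ws02", "VULN-B", "high", date(2013, 3, 1)),     # open for years
    Finding("srv01", "VULN-C", "critical", date(2020, 2, 15)),
    Finding("db01", "VULN-D", "high", date(2020, 2, 20)),
]
SITE_SCAN = [AUDIT_SCAN[0], AUDIT_SCAN[3]]   # the site scanner missed two findings
AS_OF = date(2020, 3, 1)

if __name__ == "__main__":
    for f in missed_by(AUDIT_SCAN, SITE_SCAN):
        print(f"missed by site scan: {f.host} {f.vuln_id} ({f.severity})")
    for f in overdue(AUDIT_SCAN, AS_OF):
        print(f"overdue: {f.host} {f.vuln_id} open {(AS_OF - f.first_seen).days} days")
    print(f"critical exposure: {device_exposure(AUDIT_SCAN, 'critical', HOSTS):.0f}% of devices")
```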

Security management controls were evaluated, and OIG identified one deficiency: a number of plans of action and milestones were either missing or lacked enough detail to be actionable. Four access control deficiencies were identified, relating to network segmentation, environmental controls, audit and monitoring controls, and emergency power.

Network segmentation is required for medical devices and special-purpose systems, which should be placed on isolated network segments for protection. A number of network segments containing medical and special-purpose systems lacked the required segmentation controls: 19 network segments comprising 221 medical devices and special-purpose systems had no access control lists applied, allowing any user on the network to reach those devices. Logs must be monitored to assess the effectiveness of security controls, detect attacks, and support investigation during or after an attack. Audit records for 50% of the Tuscaloosa VAMC databases were missing; the missing records were for the same databases that had not been vulnerability scanned.

A number of communication rooms lacked temperature or humidity controls, which can significantly reduce system availability, and uninterruptible power supplies were also missing, meaning infrastructure equipment would stop working during power fluctuations or outages, interrupting the flow of information and access to network resources.

OIG made 8 recommendations to address the deficiencies: 6 to the assistant secretary for data and technology and chief data officer, relating to the security issues, and 2 to the Tuscaloosa VAMC director, who must ensure that communication rooms have adequate environmental controls and uninterruptible power supplies for infrastructure equipment.