A Department of Veterans Affairs medical center in Minnesota has multiple information technology deficiencies, including outdated operating systems, missing security patches, and non-operational video surveillance, the agency’s inspector general said.
In a Thursday report, the VA’s Office of Inspector General revealed that the St. Cloud VA Medical Center didn’t meet federal information security guidelines in three of the four areas it investigated: configuration management, contingency planning, and access controls. The only category without deficiencies was security management controls.
The VA has struggled to implement the information security standards in the Federal Information Security Modernization Act of 2014 (FISMA), according to the report. The inspector general found the VA “continues to face significant challenges meeting the law’s requirements” in a fiscal year 2021 audit.
The inspector general made eight recommendations to the assistant secretary for information and technology, who is also the VA's chief information officer, and two to the medical center director in the Thursday report, including implementing more effective processes for vulnerability management, inventorying network devices, and preventing the use of prohibited software.
While the inspection was specific to the St. Cloud center, the report noted “other facilities across VA could benefit from reviewing this information and considering these recommendations.”
Among the issues found in the review were deficiencies in the medical center’s vulnerability management, which the report said “prior FISMA audits have repeatedly found.”
Those issues included operating systems that the vendor no longer supports and missing security patches in applications. While the Office of Information Technology (OIT) routinely scans for vulnerabilities, its scans didn't detect all of the issues the inspection team found using the same vulnerability scanning tools, the report said.
Security patches hadn't been applied on several devices with "critical and high-risk vulnerabilities," the report said. "Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction."
The review also found that the medical center failed to keep an accurate inventory of its information systems and discovered 19 “special-purpose systems” running Windows XP, which the report said “has not been supported in over eight years and is prohibited by OIT.”
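The findings above (scans that miss hosts the inspection team found, an inaccurate system inventory, and devices still running an operating system years past vendor support) are the kind of gaps a reconciliation check between the asset inventory and scanner output would surface. The script below is an added illustration, not code from the OIG report or from VA's OIT; the inventory rows, scan findings, hostnames and plugin names are constructed sample data, and the end-of-support dates are an illustrative table that should be verified against vendor lifecycle pages before use.

```python
"""Reconcile an asset inventory against vulnerability-scan output.

Added example with constructed data; not from the OIG report or VA tooling.
It flags (1) hosts running an OS past vendor end-of-support, (2) hosts with
Critical/High findings for which a patch already exists, and (3) coverage
gaps: hosts the scanner saw that the inventory lacks, and inventory hosts
the scanner never reached.
"""
from dataclasses import dataclass
from datetime import date

# Illustrative end-of-support table (assumption: verify against vendor lifecycle pages).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
    "Windows Server 2019": date(2029, 1, 9),
}

# Constructed reference date for the run (so results are reproducible).
AS_OF = date(2022, 6, 1)


@dataclass(frozen=True)
class Asset:
    hostname: str
    os: str
    special_purpose: bool = False


@dataclass(frozen=True)
class Finding:
    hostname: str
    os: str
    plugin: str
    severity: str        # Critical / High / Medium / Low
    patch_available: bool


# Constructed inventory: three hosts, one a special-purpose XP box.
INVENTORY = [
    Asset("ws-clinic-01", "Windows 10"),
    Asset("srv-pacs-02", "Windows Server 2019"),
    Asset("imaging-xp-07", "Windows XP", special_purpose=True),
]

# Constructed scan output. Note: imaging-xp-07 was never scanned,
# and lab-xp-11 was scanned but is absent from the inventory.
SCAN = [
    Finding("ws-clinic-01", "Windows 10", "browser-rce-fix", "Critical", True),
    Finding("ws-clinic-01", "Windows 10", "tls-weak-cipher", "Medium", False),
    Finding("srv-pacs-02", "Windows Server 2019", "kernel-privesc-fix", "High", True),
    Finding("srv-pacs-02", "Windows Server 2019", "http-banner", "Low", False),
    Finding("lab-xp-11", "Windows XP", "smbv1-enabled", "Critical", False),
]


def known_hosts(inventory, scan):
    """Map hostname -> OS using both sources; the inventory wins on conflict."""
    hosts = {f.hostname: f.os for f in scan}
    hosts.update({a.hostname: a.os for a in inventory})
    return hosts


def unsupported_os(inventory, scan, today):
    """Return (hostname, os, days_past_support) for hosts on an OS past end-of-support."""
    out = []
    for host, os_name in sorted(known_hosts(inventory, scan).items()):
        eos = END_OF_SUPPORT.get(os_name)
        if eos is not None and eos < today:
            out.append((host, os_name, (today - eos).days))
    return out


def unpatched_high_risk(scan):
    """Count Critical/High findings per host where a vendor patch already exists."""
    counts = {}
    for f in scan:
        if f.severity in ("Critical", "High") and f.patch_available:
            counts[f.hostname] = counts.get(f.hostname, 0) + 1
    return counts


def coverage_gaps(inventory, scan):
    """Hosts seen by the scanner but missing from inventory, and vice versa."""
    inv = {a.hostname for a in inventory}
    scanned = {f.hostname for f in scan}
    return {"not_in_inventory": sorted(scanned - inv),
            "not_scanned": sorted(inv - scanned)}


def summarize(inventory, scan, today):
    """One report dict combining the three checks."""
    return {
        "unsupported_os": unsupported_os(inventory, scan, today),
        "unpatched_high_risk": unpatched_high_risk(scan),
        "coverage_gaps": coverage_gaps(inventory, scan),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(INVENTORY, SCAN, AS_OF), indent=2, default=str))
```

The two XP hosts come out more than eight years past support, matching the report's "over eight years" description, and the coverage check is what separates "the scanner found nothing" from "the scanner never saw the host," which is the distinction behind the inventory finding.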
The medical center's data center also didn't have an operational video surveillance system when the inspection team visited the facility, which the report said "minimizes incident response capabilities of the security force in the event of compromised security controls."
In a response included in the report, the assistant secretary for information and technology and chief information officer agreed with most of the recommendations and said he submitted action plans.
The CIO didn't agree with the inspector general's recommendation for a more effective inventory of network devices, arguing that the devices the inspection team found missing from inventories had been improperly identified.