Follow-Up Inspection of Information Security at the Beckley Healthcare System in West Virginia

Report Information

Issue Date:
Report Number: 24-03708-141
VISN:
State: West Virginia
District:
VA Office: Information and Technology (OIT); Veterans Health Administration (VHA)
Report Author: Office of Audits and Evaluations
Report Type: Information Security Inspection
Report Topic: Information Technology and Security
Major Management Challenges: Information Systems and Innovation
Recommendations: 5
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA OIG conducts information security inspections to assess whether VA facilities meet federal security requirements. The OIG followed up on an inspection it conducted at the VA Beckley Healthcare System in West Virginia in 2023.

During this follow-up inspection, the OIG identified substantial progress in addressing prior recommendations but also some continued deficiencies in configuration management, security management, and access controls.

For configuration management, the team identified one deficiency in vulnerability remediation: the healthcare system did not meet required timelines for addressing critical vulnerabilities and lacked necessary remediation plans, leaving outdated software on numerous systems. Additionally, the OIG identified several unique high and critical vulnerabilities within the network that were not reflected in the agency’s standard vulnerability reports.

The healthcare system had deficiencies in three security management controls: a special-purpose system lacked authorization to operate; a special-purpose system had inappropriate security categorizations; and staff had administrative access for managing a pharmacy inventory system without separation of duties.

Finally, the healthcare system had deficiencies in physical controls restricting access to computer rooms, although the facility was addressing these deficiencies. The team also found that the facility was not monitoring the destruction of temporary records as required.

The OIG made three recommendations to the assistant secretary of information and technology, who also serves as the chief information officer, and two recommendations to the Beckley VA Medical Center director. VA concurred with four recommendations and did not concur with one. Nevertheless, the OIG noted VA provided sufficient evidence of implementation for four of the recommendations (including the one VA did not concur with) and considers those recommendations closed. The OIG will monitor implementation of the remaining recommendation.

No. 1
Status: Open
to Information and Technology (OIT)

Implement vulnerability management processes to ensure all vulnerabilities are identified and plans of action and milestones are created for vulnerabilities that cannot be mitigated by VA deadlines.

No. 2
Status: Closed-Implemented
to Information and Technology (OIT)
Closure Date: 1/29/2026

Develop and approve an authorization to operate for the special-purpose systems.

No. 3
Status: Closed-Implemented
to Information and Technology (OIT)
Closure Date: 1/29/2026

Include facility personnel during the security categorization process to ensure all necessary information types are considered when determining the security categorization for special-purpose systems.

No. 4
Status: Closed-Implemented
to Veterans Health Administration (VHA)
Closure Date: 1/29/2026

Segregate the pharmacy application administrative access from individuals who are custodians of the pharmaceutical inventory.

No. 5
Status: Closed-Implemented
to Veterans Health Administration (VHA)
Closure Date: 1/29/2026

Ensure a witness observes the destruction of temporary paper files that contain personally identifiable information and protected health information.