All Reports

Inspection of Information Security at the VA Dublin Healthcare System in Georgia

9/28/2023

|

23-01138-203

Open

Closed-Implemented

Closed-Not Implemented

No. 1

to Information and Technology (OIT)

Improve vulnerability management processes to ensure system changes occur within organization timelines.

No. 2

to Information and Technology (OIT)

Develop and approve an authorization to operate for the special-purpose systems.

No. 3

to Information and Technology (OIT)

Include system personnel during the security categorization process to ensure that all necessary information types are considered when determining the security categorization for special-purpose systems.

No. 4

to Information and Technology (OIT)

Review the list of unauthorized software and remediate or remove unneeded software at the facility.

No. 5

to Information and Technology (OIT)

Implement the appropriate physical security controls to restrict and monitor access to the facility, its server room, communication closets, and generators.

No. 6

to Information and Technology (OIT)

Implement and monitor emergency power and uninterruptible power supplies that support information technology resources.

No. 7

to Information and Technology (OIT)

Validate that appropriate physical and environmental security measures are implemented and functioning as intended.

Inspection of Information Security at the VA El Paso Healthcare System in Texas

9/27/2023

|

23-01179-204

Open

Closed-Implemented

Closed-Not Implemented

No. 1

to Information and Technology (OIT)

Implement a more effective vulnerability management program to address security deficiencies identified during the inspection.

No. 2

to Information and Technology (OIT)

Ensure vulnerabilities are remediated within OIT’s established time frames.

No. 3

to Information and Technology (OIT)

Ensure that physical access for the data center and communication rooms are reviewed on a quarterly basis.

No. 4

to Information and Technology (OIT)

Ensure physical access controls are implemented for communication rooms.

No. 5

to Information and Technology (OIT)

Ensure a video surveillance system is operational and monitored for the data center.

No. 6

to Information and Technology (OIT)

Ensure communication rooms with infrastructure equipment have adequate environmental controls.

No. 7

to Information and Technology (OIT)

Ensure water detection sensors are implemented in the data center.

No. 8

to Information and Technology (OIT)

Test the emergency power bypass during annual uninterruptible power supply testing and document results.

Inspection of Information Security at the VA Beckley Healthcare System in West Virginia

9/21/2023

|

23-00089-144

Open

Closed-Implemented

Closed-Not Implemented

No. 1

to Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer implement a process to minimize the Information Central Analytics and Metrics Platform data reliability issues.

No. 2

to Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer improve vulnerability management processes to ensure system changes occur within organization timelines.

No. 3

to Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer develop and approve an authorization to operate for the special-purpose system.

No. 4

to Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer include system personnel during the security categorization process to ensure that all necessary information types are considered when determining the security categorization for special-purpose systems.

No. 5

to Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer implement improved mechanisms to ensure system stewards are creating plans of action and milestones for all controls that have not been implemented or assessed.

No. 6

to Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer ensure network segmentation controls are applied to all network segments with special-purpose systems.

No. 7

to Veterans Health Administration (VHA)

The VA medical center director install uninterruptible power supplies to eliminate single points of electrical failure supporting the facility.

No. 8

to Veterans Health Administration (VHA)

The VA medical center director ensure that hot and cold aisles in computer rooms, and electric and data cables are installed in accordance with VA standards.

No. 9

to Veterans Health Administration (VHA)

The VA medical center director validate that appropriate physical and environmental security measures are implemented and functioning as intended.

No. 10

to Veterans Health Administration (VHA)

The VA medical center director implement media sanitization methods in accordance with VA policy requirements.

Inspection of Information Security at the Northern Arizona VA Healthcare System

7/11/2023

|

22-04104-112

Open

Closed-Implemented

Closed-Not Implemented

No. 1

to Information and Technology (OIT)

Implement a more effective vulnerability management program to address security deficiencies identified during the inspection.

No. 2

to Information and Technology (OIT)

Ensure vulnerabilities are remediated within established time frames.

No. 3

to Information and Technology (OIT)

Implement more effective configuration control processes to ensure network devices maintain vendor support.

No. 4

to Information and Technology (OIT)

Ensure the unmanaged database completes the transition to the VA Enterprise Cloud where it can be managed and have security baselines applied.

No. 5

to Information and Technology (OIT)

Implement an improved inventory process to ensure that all connected devices used to support VA programs and operations are documented in the Enterprise Mission Assurance Support Service.

No. 6

to Information and Technology (OIT)

Ensure network infrastructure equipment is properly installed.

No. 7

to Veterans Health Administration (VHA)

Ensure physical access controls are implemented for communication rooms.

No. 8

to Veterans Health Administration (VHA)

Ensure a video surveillance system is operational and monitored for the data center.

No. 9

to Veterans Health Administration (VHA)

Ensure communication rooms with infrastructure equipment have adequate environmental controls.

No. 10

to Veterans Health Administration (VHA)

Ensure communication rooms with infrastructure equipment have fire-detection and suppression systems.

No. 11

to Veterans Health Administration (VHA)

Ensure water detection sensors are implemented in the data center.

Inspection of Information Security at the St. Cloud VA Medical Center in Minnesota

6/8/2023

|

22-02961-71

|

Topics: Information Technology and Security

Open

Closed-Implemented

Closed-Not Implemented

No. 1

to Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer implement a more effective vulnerability management program to identify all critical security deficiencies on the network and to remediate vulnerabilities within policy timelines.

No. 2

to Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer implement a more effective inventory process to identify network devices.

No. 3

to Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer implement processes to prevent the use of prohibited software on agency devices.

No. 4

to Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer test the emergency power bypass during annual uninterruptible power supply testing and document results.

No. 5

to Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer ensure network segmentation controls are applied to all network segments with medical devices and special-purpose systems.

No. 6

to Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer ensure access authorization memorandums are present in all communication rooms.

No. 7

to Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer ensure that physical access for the data center and communication rooms are reviewed on a quarterly basis.

No. 8

to Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer ensure visitor access records are available and reviewed on a quarterly basis.

No. 9

to Veterans Health Administration (VHA)

The St. Cloud VA Medical Center director ensure video surveillance systems are operational and monitored for the data center.

No. 10

to Veterans Health Administration (VHA)

The St. Cloud VA Medical Center director ensure communication rooms with infrastructure equipment have adequate environmental controls.

Inspection of Information Security at the James E. Van Zandt VA Medical Center in Altoona, Pennsylvania

6/7/2023

|

22-02960-70

|

Topics: Information Technology and Security

Open

Closed-Implemented

Closed-Not Implemented

No. 1

to Information and Technology (OIT)

Verify and make necessary corrections to the systems’ component inventory in the VA’s Enterprise Mission Assurance Support Service.

No. 2

to Information and Technology (OIT)

Improve vulnerability management processes to ensure system changes occur within organization timelines.

No. 3

to Information and Technology (OIT)

Develop and approve an authorization to operate for the special-purpose system.

No. 4

to Information and Technology (OIT)

Validate that appropriate physical and environmental security measures are implemented and functioning as intended.

Inspection of Information Security at the Tuscaloosa VA Medical Center in Alabama

1/18/2023

|

22-01854-13

|

Topics: Information Technology and Security

Open

Closed-Implemented

Closed-Not Implemented

No. 1

to Information and Technology (OIT)

Implement a more effective vulnerability management program to address security deficiencies identified during the inspection.

No. 2

to Information and Technology (OIT)

Ensure vulnerabilities are remediated within established time frames.

No. 3

to Information and Technology (OIT)

Ensure all databases at the Tuscaloosa VA Medical Center are part of the periodic database scan process.

No. 4

to Information and Technology (OIT)

Implement improved mechanisms to ensure system stewards are updating plans of actions and milestones for all known risks and weaknesses, including those identified during security control assessments.

No. 5

to Information and Technology (OIT)

Ensure network segmentation controls are applied to all network segments with medical devices and special-purpose systems.

No. 6

to Information and Technology (OIT)

Implement capabilities for generating database audit logs and forwarding audit events for review, analysis, and reporting.

No. 7

to Veterans Health Administration (VHA)

Ensure communication rooms with infrastructure equipment have adequate environmental controls.

No. 8

to Veterans Health Administration (VHA)

Install uninterruptible power supplies in the communication rooms supporting infrastructure equipment.

Inspection of Information Security at the Southern Oregon Rehabilitation Center and Clinics

1/18/2023

|

22-01836-12

|

Topics: Information Technology and Security

Open

Closed-Implemented

Closed-Not Implemented

No. 1

to Information and Technology (OIT)

Implement a vulnerability management program that ensures system changes within established deadlines.

No. 2

to Information and Technology (OIT)

Develop and approve a system security plan and an authorization to operate for the special-purpose system.

No. 3

to Information and Technology (OIT)

Include language for contractors to follow federal and VA information technology security requirements in contracts that have an information technology component.

No. 4

to Information and Technology (OIT)

Verify that access control lists have been applied to network segments that contain medical systems.

No. 5

to Information and Technology (OIT)

Develop and implement a process to retain database logs for a period consistent with VA’s record retention policy.

No. 6

to Veterans Health Administration (VHA)

Develop and implement controls to remove an individual’s access rights to computer rooms when access is no longer necessary.

No. 7

to Veterans Health Administration (VHA)

Implement a process to regularly review applicable reports to ensure that only authorized individuals have computer room access and update the system access authorization memo to include only those individuals necessary to perform job functions.

No. 8

to Veterans Health Administration (VHA)

Validate that appropriate physical and environmental security measures are implemented and functioning as intended.

No. 9

to Veterans Health Administration (VHA)

Inventory and verify that records containing personally identifiable information and personal health information are adequately secured.

Inspection of Information Technology Security at the Harlingen VA Health Care Center in Texas

9/27/2022

|

22-00973-215

|

Topics: Information Technology and Security

Open

Closed-Implemented

Closed-Not Implemented

No. 1

to Information and Technology (OIT)

Implement a more effective process to maintain consistent inventory information for all network segments.

No. 2

to Information and Technology (OIT)

Implement a vulnerability management program that ensures system changes occur within organization timelines.

No. 3

to Information and Technology (OIT)

Implement effective system life-cycle processes to ensure network devices meet standards mandated by the VA Office of Information and Technology Configuration Control Board.

No. 4

to Information and Technology (OIT)

Develop and implement a process to retain database logs for a period consistent with VA’s record retention policy.

No. 5

to Information and Technology (OIT)

Validate that appropriate physical and environmental security measures are implemented and functioning as intended.

Inspection of Information Technology Security at the Alexandria VA Medical Center in Louisiana

9/22/2022

|

22-00971-217

|

Topics: Information Technology and Security

Open

Closed-Implemented

Closed-Not Implemented

No. 1

to Information and Technology (OIT)

Implement a more effective process to maintain consistent inventory information for all network segments.

No. 2

to Information and Technology (OIT)

Improve the vulnerability and flaw remediation program to accurately identify vulnerabilities and enforce flaw remediation.

No. 3

to Information and Technology (OIT)

Implement effective configuration control processes that ensure network devices maintain vendor support.

No. 4

to Information and Technology (OIT)

Perform security control assessments of the video surveillance system and obtain an authorization to operate in accordance with set policy.

No. 5

to Information and Technology (OIT)

Ensure installation of distributed network infrastructure equipment that meets VA installation standards, to include proper equipment mounting and clearance.

No. 6

to Information and Technology (OIT)

Ensure routine maintenance is conducted on uninterruptible power supplies.

No. 7

to Information and Technology (OIT)

Implement database authentication processes that comply with VA security requirements.

No. 8

to Information and Technology (OIT)

Implement a physical access control system for the data center and core switch room that is supportable and can meet VA logging requirements.

Inspection of Information Technology Security at the Consolidated Mail Outpatient Pharmacy in Tucson, Arizona

6/1/2022

|

21-02453-99

|

Topics: Information Technology and Security

Open

Closed-Implemented

Closed-Not Implemented

No. 1

to Information and Technology (OIT)

Implement more effective inventory management tools for all network segments.

No. 2

to Information and Technology (OIT)

Implement a more effective vulnerability and flaw remediation program that can accurately identify vulnerabilities and enforce flaw remediation.

No. 3

to Information and Technology (OIT)

Develop and implement methods to ensure delivery, receipt, and understanding of assigned roles and responsibilities for Consolidated Mail Outpatient Pharmacy activities to ensure full implementation of approved policy.

No. 4

to Information and Technology (OIT)

Develop and implement a disaster recovery plan and capability that will restore operations in the event of a disruption to critical operations.

No. 5

to Information and Technology (OIT)

Task the facility manager to change the default username and password for the security camera system.

No. 6

to Information and Technology (OIT)

Request the Office of Information and Technology to configure audit logging on the misconfigured devices in accordance with established baselines, policy, and procedures.

Inspection of Information Technology Security at the Consolidated Mail Outpatient Pharmacy in Dallas, Texas

6/1/2022

|

21-03305-139

|

Topics: Information Technology and Security

Open

Closed-Implemented

Closed-Not Implemented

No. 1

to Information and Technology (OIT)

Implement an effective inventory management system for all network segments.

No. 2

to Information and Technology (OIT)

Implement an effective vulnerability and flaw remediation program that can accurately identify vulnerabilities and enforce flaw remediation

No. 3

to Information and Technology (OIT)

Develop and implement methods to ensure delivery, receipt, and understanding of assigned roles and responsibilities for local activities to ensure full implementation of approved policy.

No. 4

to Information and Technology (OIT)

Implement effective configuration control processes that ensure network devices maintain standards mandated by the VA Office of Information and Technology Configuration Control Board.

No. 5

to Information and Technology (OIT)

Remove or disable group accounts to comply with established requirements and criteria.

No. 6

to Information and Technology (OIT)

Ensure employees lock devices when they are unattended.

No. 7

to Information and Technology (OIT)

Implement database authentication processes that comply with National Institute of Standards and Technology standards and VA security requirements.

No. 8

to Information and Technology (OIT)

Implement a process to retain database logs for a period consistent with VA’s record retention policy.

No. 9

to Information and Technology (OIT)

Establish a process for validating and logging the sanitization of hard drives.

No. 10

to Information and Technology (OIT)

Implement parking barriers that meet VA Physical Security & Resiliency Design Manual requirements.

Inspection of Information Technology Security at the VA Financial Services Center

3/31/2022

|

21-01221-24

|

Topics: Information Technology and Security

Open

Closed-Implemented

Closed-Not Implemented

No. 1

to Information and Technology (OIT)

The Financial Services Center director implements measures to maintain an accurate system inventory.

No. 2

to Information and Technology (OIT)

The Financial Services Center director implements a more effective patch and vulnerability management program that can accurately identify vulnerabilities and enforce patch application.

No. 3

to Information and Technology (OIT)

The Financial Services Center director implements systems and information integrity procedures that detail how policies are applied to local systems, and create a mechanism for informing employees of new or updated policies and procedures.

No. 4

to Information and Technology (OIT)

The Financial Services Center director, in conjunction with the system owner, develops and implements capabilities for all systems to generate audit logs and collect and forward audit events to the Cybersecurity Operations Center for review, analysis, and reporting.

No. 5

to Information and Technology (OIT)

The Financial Services Center director continues to upgrade the video surveillance system and ensure new capabilities provide full surveillance and video retention to improve monitoring and incident response.

Inspection of Information Technology Security at the VA Outpatient Clinic in Austin, Texas

6/22/2021

|

20-01485-114

|

Topics: Information Technology and Security

Open

Closed-Implemented

Closed-Not Implemented

No. 1

to Veterans Health Administration (VHA)

The OIG recommended the area manager for the Central Texas Veterans Health Care System implement more effective automated inventory management tools.

No. 2

to Veterans Health Administration (VHA)

The OIG recommended the area manager for the Central Texas Veterans Health Care System implement a more effective patch and vulnerability management program that can accurately identify vulnerabilities and enforce patch application.

No. 3

to Veterans Health Administration (VHA)

The OIG recommended the area manager for the Central Texas Veterans Health Care System ensure compliance with the media protection standard operating procedure for all employees who work with media storage and ensure compliance with marking and sanitization provisions.

Appointment Scheduling and Wait Times
Care Coordination
Claims and Appeals
Claims and Fiduciary
Claims and Medical Exams
Clinical Care Services Operations
Community Care
Contract Integrity
COVID-19
Education and Loan Guaranty
Electronic Health Records Modernization (EHRM)
Financial Management
FISMA
Healthcare Infrastructure
Information Technology and Security
Leases and Major Contracts
Maintenance and Construction
Medical Staff Privileging Credentialing
Mental Health
Military Sexual Trauma
PACT Act
Patient Care Services Operations
Patient Safety
Purchase Cards
Staffing
Suicide Prevention
Supplies and Equipment
System Development and Implementation
VA Police
Women’s Health

Accountability and Whistleblower Protection (OAWP)
Acquisitions, Logistics, and Construction (OALC)
Advisory Committee Management
Asset Enterprise Management (OAEM)
Board of Veterans’ Appeals (BVA)
Center for Faith-Based and Neighborhood Partnerships
Center for Minority Veterans
Center for Women Veterans
Congressional and Legislative Affairs (OCLA)
Electronic Health Record Modernization Integration Office (EHRM IO)
Employment Discrimination Complaint Adjudication
Federal Recovery Coordination
General Counsel (OGC)
Human Resources and Administration Office/Operations, Security, and Preparedness (HRA/OSP)
Information and Technology (OIT)
National Cemetery Administration (NCA)
Non-Governmental Organization Gateway Initiative
Office of Enterprise Integration (OEI)
Office of Management (OM)
Office of the Secretary (SVA)
Policy and Planning
Public and Intergovernmental Affairs (OPIA)
Small & Disadvantaged Business Utilization (OSDBU)
Survivors Assistance
Veterans Benefits Administration (VBA)
Veterans Health Administration (VHA)
Veterans Service Organizations Liaison

Alabama
Alaska
Arizona
Arkansas
California
Colorado
Connecticut
Delaware
District of Columbia
Florida
Georgia
Hawaii
Idaho
Illinois
Indiana
Iowa
Kansas
Kentucky
Louisiana
Maine
Maryland
Massachusetts
Michigan
Minnesota
Mississippi
Missouri
Montana
Nebraska
Nevada
New Hampshire
New Jersey
New Mexico
New York
North Carolina
North Dakota
Ohio
Oklahoma
Oregon
Pennsylvania
Rhode Island
South Carolina
South Dakota
Tennessee
Texas
Utah
Vermont
Virginia
Washington
West Virginia
Wisconsin
Wyoming
American Samoa
Federated States of Micronesia
Guam
Marshall Islands
Northern Mariana Islands
Palau
Puerto Rico
Virgin Islands
Armed Forces Africa
Armed Forces Americas
Armed Forces Canada
Armed Forces Europe
Armed Forces Middle East
Armed Forces Pacific

Recommendations (7)

Recommendations (8)

Recommendations (10)

Recommendations (11)

Recommendations (10)

Recommendations (4)

Recommendations (8)

Recommendations (9)

Recommendations (5)

Recommendations (8)

Recommendations (6)

Recommendations (10)

Recommendations (5)

Recommendations (3)