Inspection of Information Security at the Health Eligibility Center in Atlanta, Georgia

Report Information

Issue Date:
Report Number: 24-01232-02
VA Office: Information and Technology (OIT); Veterans Health Administration (VHA)
Report Author: Office of Audits and Evaluations
Report Type: Information Security Inspection
Report Topic: Information Technology and Security
Major Management Challenges: Information Systems and Innovation
Recommendations: 5
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General’s information security inspection program assesses whether VA facilities are meeting federal security requirements related to four control areas the OIG determined to be at highest risk. For this inspection, the OIG selected the Health Eligibility Center (HEC) in Atlanta, Georgia. The OIG found deficiencies in three of the four areas inspected.

Configuration management controls, which identify and manage security features for all hardware and software components of an information system, were deficient in vulnerability remediation, system life-cycle management, and remediation of unauthorized software.

There were no deficiencies in contingency planning controls, which include physical and environmental controls.

In the area of security management, about 3.3 million veterans’ records containing sensitive personal information were not encrypted. VA security policy requires the encryption of sensitive information hosted on computer systems.

Access controls provide reasonable assurance that computer resources are restricted to authorized individuals. At the HEC, the OIG found deficiencies with access controls in the inventory of facility keys as well as in logging administrative actions, log retention, and log reviews.

The OIG made five recommendations aimed at correcting the identified deficiencies.
 

No. 1
Status: Open
To: Information and Technology (OIT)

Improve vulnerability management processes to ensure all vulnerabilities are identified and that plans of action and milestones are created for vulnerabilities that cannot be mitigated by VA deadlines.

No. 2
Status: Closed and Implemented
To: Information and Technology (OIT)
Closure Date: 4/7/2025

Implement a more effective system life-cycle process to ensure network devices are running authorized software and operating systems that are configured to approved baselines and free of vulnerabilities.

No. 3
Status: Closed and Implemented
To: Information and Technology (OIT)
Closure Date: 4/7/2025

Ensure all file systems holding veteran information are encrypted in accordance with NIST and VA policy requirements.

No. 4
Status: Closed and Implemented
To: Information and Technology (OIT), Veterans Health Administration (VHA)
Closure Date: 11/13/2024

Maintain an accurate inventory of personnel with key access to the facility.

No. 5
Status: Closed and Implemented
To: Information and Technology (OIT), Veterans Health Administration (VHA)
Closure Date: 4/7/2025

Enable improved audit logging capability to monitor administrator access to sensitive information hosted on the Workload Reporting and Productivity Assessing file server.