Inspection of Information Security at the James E. Van Zandt VA Medical Center in Altoona, Pennsylvania

Report Information

Issue Date:
Report Number: 22-02960-70
VA Office: Veterans Health Administration (VHA)
Report Author: Office of Audits and Evaluations
Report Type: Information Security Inspection
Report Topic: Information Technology and Security
Recommendations: 4
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA), or at facilities that previously performed poorly. The OIG selected the James E. Van Zandt VA Medical Center in Altoona, Pennsylvania, because it had not been previously visited as part of the OIG's annual FISMA audit. These inspections focus on four security control areas: configuration management, contingency planning, security management, and access controls. During this inspection, the OIG found deficiencies in configuration management, security management, and access controls. Deficiencies in configuration management included inaccurate component inventories and ineffective vulnerability management, increasing opportunities for exploitation. The security management weakness involved the facility's special-purpose system, which did not have an authorization to operate, leaving it vulnerable to compromise. Weak access controls, such as inadequately restricted access to computer rooms, communication closets, and generators, increased the risk of damage or destruction. The team also found missing environmental controls in the communication closets, which could lead to damage to organizational assets and result in financial loss or harm to veterans. The OIG made four recommendations: one addressed to the medical center director and three addressed to the assistant secretary for information and technology and chief information officer, who did not concur with one of them, to verify and make necessary corrections to the systems' component inventory.
The OIG stands by that recommendation: the review identified about 2,500 devices on the facility's network, compared with only about 1,450 devices listed in the component inventory, and the Office of Information and Technology's (OIT) response did not include additional evidence that would prompt the OIG to reconsider its conclusion.

Recommendation status key: Open; Closed and Implemented; Closed-Not Implemented

Recommendation No. 1 (Closed and Implemented), to Information and Technology (OIT): Verify and make necessary corrections to the systems' component inventory in the VA's Enterprise Mission Assurance Support Service.

Recommendation No. 2 (Open), to Information and Technology (OIT): Improve vulnerability management processes to ensure system changes occur within organization timelines.

Recommendation No. 3 (Open), to Information and Technology (OIT): Develop and approve an authorization to operate for the special-purpose system.

Recommendation No. 4 (Open), to Information and Technology (OIT): Validate that appropriate physical and environmental security measures are implemented and functioning as intended.