Inspection of Information Security at the Northern Arizona VA Healthcare System

Report Information

Issue Date
Report Number: 22-04104-112
VA Office: Information and Technology (OIT); Veterans Health Administration (VHA)
Report Author: Office of Audits and Evaluations
Report Type: Information Security Inspection
Report Topic: Information Technology and Security
Major Management Challenges: Information Systems and Innovation
Recommendations: 11
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the Northern Arizona VA Healthcare System because it had not been previously visited as part of the annual FISMA audit.

The OIG’s information security inspections focus on three control areas that apply to local facilities and have been selected based on their levels of risk: configuration management, security management, and access controls. During this inspection, the OIG found deficiencies in all three areas. Deficiencies in configuration management included previously unidentified critical vulnerabilities, uninstalled patches, and network operating systems no longer supported by the vendor—all of which could deprive users of reliable access to information and could risk unauthorized access to, or the alteration or destruction of, critical systems. The OIG identified almost twice as many devices on the network as the inventory listed, which constitutes a security management weakness. Weak access controls included missing video surveillance at a data center, inadequate fire-detection and suppression equipment, insufficient water sensors and climate controls, unmounted or stacked network equipment, and communications rooms without backup power supplies.

The OIG made six recommendations to the assistant secretary for information and technology and chief information officer to improve controls at the healthcare system because they are related to enterprise-wide information security issues similar to those identified on previous FISMA audits and information security inspections. The OIG also made five recommendations to the Northern Arizona VA Healthcare System director.

No. 1
Status: Closed and Implemented
to Information and Technology (OIT)
Closure Date: 3/12/2025

Implement a more effective vulnerability management program to address security deficiencies identified during the inspection.

No. 2
Status: Open
to Information and Technology (OIT)
Ensure vulnerabilities are remediated within established time frames.
No. 3
Status: Closed and Implemented
to Information and Technology (OIT)
Closure Date: 7/11/2023
Implement more effective configuration control processes to ensure network devices maintain vendor support.
No. 4
Status: Closed and Implemented
to Information and Technology (OIT)
Closure Date: 7/11/2023
Ensure the unmanaged database completes the transition to the VA Enterprise Cloud where it can be managed and have security baselines applied.
No. 5
Status: Closed and Implemented
to Information and Technology (OIT)
Closure Date: 11/27/2023

Implement an improved inventory process to ensure that all connected devices used to support VA programs and operations are documented in the Enterprise Mission Assurance Support Service.

No. 6
Status: Closed and Implemented
to Information and Technology (OIT)
Closure Date: 5/29/2025

Ensure network infrastructure equipment is properly installed.

No. 7
Status: Closed and Implemented
to Veterans Health Administration (VHA)
Closure Date: 5/29/2024

Ensure physical access controls are implemented for communication rooms.

No. 8
Status: Closed and Implemented
to Veterans Health Administration (VHA)
Closure Date: 9/24/2024

Ensure a video surveillance system is operational and monitored for the data center.

No. 9
Status: Closed and Implemented
to Veterans Health Administration (VHA)
Closure Date: 7/11/2023
Ensure communication rooms with infrastructure equipment have adequate environmental controls.
No. 10
Status: Closed and Implemented
to Veterans Health Administration (VHA)
Closure Date: 1/29/2025

Ensure communication rooms with infrastructure equipment have fire-detection and suppression systems.

No. 11
Status: Closed and Implemented
to Veterans Health Administration (VHA)
Closure Date: 5/29/2024

Ensure water detection sensors are implemented in the data center.