Inspection of Information Security at the VA Bedford Healthcare System in Massachusetts

The OIG conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the VA Bedford Healthcare System because it had not been recently visited as part of the annual FISMA audit.

The OIG’s information security inspection focused on three security control areas: configuration management, security management, and access controls. During this inspection, the OIG found deficiencies with all three areas.

Configuration management deficiencies included databases hosting personally identifiable information not monitored with quarterly compliance scans, thereby increasing the risk of an undetected data breach. The team also found that devices not meeting VA baseline security configurations should have been updated with vendor-supported systems software during the standard system development life-cycle process.

Within security management, the OIG determined that special-purpose systems did not have an authorization to operate and the special-purpose systems at Bedford included one that warranted higher security levels. The OIG also identified deficiencies with the continuous monitoring of the Lynx Duress panic button system.

Finally, restricting physical access, monitoring of physical access, and implementing appropriate physical and environmental controls were also deficient. At the Edith Nourse Rogers Memorial Veterans’ Hospital, concerns were identified with badge and key access, hospital video surveillance of the server room and communications closet, and emergency power controls and proper grounding.

The OIG made five recommendations to the assistant secretary for information and technology and chief information officer and four recommendations to the VA Bedford Healthcare System director in conjunction with the assistant secretary for information technology.