Inspection of Information Security at the VA Dublin Healthcare System in Georgia

Report Information

Issue Date:
Report Number: 23-01138-203
VA Office: Veterans Health Administration (VHA)
Report Author: Office of Audits and Evaluations
Report Type: Information Security Inspection
Major Management Challenges: Benefits for Veterans
Recommendations: 7
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the VA Dublin Healthcare System in Georgia because it had not been previously visited as part of the annual FISMA audit. The OIG's information security inspections focus on three security control areas that apply to local facilities and have been selected based on their levels of risk: configuration management, security management, and access controls.

During this inspection, the OIG found deficiencies in all three areas. Deficiencies in configuration management included critical-risk vulnerabilities that VA's Office of Information and Technology did not identify. These security vulnerabilities were not being remediated within VA's established time frames, which could risk unauthorized access to, or the alteration or destruction of, critical systems. The team identified three security management control weaknesses at the healthcare system: several special-purpose systems did not have authorization to operate, two of these systems did not have appropriate security categorizations, and the healthcare system identified but did not remediate unapproved software. The healthcare system also had deficiencies in physical access security, emergency power, and monitoring of physical and environmental controls.

The OIG made four recommendations to the assistant secretary for information and technology and chief information officer to improve controls at the facility because they are related to enterprise-wide information security issues similar to those identified on previous FISMA audits and information security inspections. The OIG also made three recommendations to the Carl Vinson VA Medical Center director.

Recommendation status key: Open; Closed-Implemented; Closed-Not Implemented
No. 1 (Open), to Information and Technology (OIT): Improve vulnerability management processes to ensure system changes occur within organization timelines.

No. 2 (Open), to Information and Technology (OIT): Develop and approve an authorization to operate for the special-purpose systems.

No. 3 (Open), to Information and Technology (OIT): Include system personnel during the security categorization process to ensure that all necessary information types are considered when determining the security categorization for special-purpose systems.

No. 4 (Closed-Implemented), to Information and Technology (OIT): Review the list of unauthorized software and remediate or remove unneeded software at the facility.

No. 5 (Open), to Information and Technology (OIT): Implement the appropriate physical security controls to restrict and monitor access to the facility, its server room, communication closets, and generators.

No. 6 (Closed-Implemented), to Information and Technology (OIT): Implement and monitor emergency power and uninterruptible power supplies that support information technology resources.

No. 7 (Closed-Implemented), to Information and Technology (OIT): Validate that appropriate physical and environmental security measures are implemented and functioning as intended.