Inspection of Information Security at the VA Saginaw Healthcare System in Michigan
Report Information
Summary
The VA OIG’s information security inspection program assesses whether VA facilities are meeting federal security requirements related to three high-risk control areas: configuration management, security management, and access. For this inspection, the OIG selected the VA Saginaw Healthcare System in Michigan and found deficiencies in all three areas.
Configuration management controls, which identify and manage the security features of all hardware and software components of an information system, were deficient in three respects: system baseline configurations were not met, vulnerability scanning and remediation were incomplete, and unauthorized software was hosted on the network.
Security management controls had one deficiency. Although a physical security issue had been previously identified, VA Office of Information and Technology (OIT) staff had not developed a plan of action to address it.
Access controls had five deficiencies. The OIG found that healthcare system staff did not implement required controls for privileged accounts, did not maintain audit logs for local databases, did not consistently verify and document the identity of vendors or contractors before granting them access to systems, and did not ensure that all networked medical devices were protected by access control lists on their virtual local area networks. The team also identified fire hazards in two telecommunications rooms. As a result, the facility risks unauthorized access to, disruption of, and destruction of critical information technology resources.
In response to the OIG’s findings, healthcare system staff eliminated the identified fire hazards. To address the other deficiencies, the OIG made 10 recommendations to VA, all of which VA concurred with. Based on evidence the healthcare system provided, the OIG considers recommendations 3 through 7, as well as 9 and 10, closed.
Recommendations
1. Remediate servers that are not compliant with configuration standards and ensure periodic compliance scanning of servers.
2. Remediate databases that are not compliant with configuration standards and ensure quarterly compliance and vulnerability scanning of databases.
3. Remediate vulnerabilities within VA-defined timeframes and document mitigations for vulnerabilities that cannot be remediated on time.
4. Comprehensively scan all the facility’s local area network segments for vulnerabilities.
5. Prepare plans of action and milestones for unapproved software still in use.
6. Remediate or document mitigations for physical security deficiencies that can affect IT operations and resources.
7. Implement required controls on certain privileged accounts and ensure limited access to these account usernames and passwords.
8. Define intervals for review of database audit logs and vulnerability scan results and ensure regular collection and review of database audit logs in accordance with policy.
9. Verify and document the identity of vendors or contractors consistently before granting them access to IT resources.
10. Provide access control list protection for all networked medical devices hosted on the VA Saginaw Healthcare System virtual local area networks.
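The recommendation on remediating vulnerabilities within VA-defined timeframes, and documenting mitigations for those that cannot be fixed on time, is the kind of control a facility can verify mechanically from its own scan data. The script below is an added example, not part of the OIG report or of any VA tooling. It parses a constructed scanner export (CSV; hosts, plugin IDs, dates and the mitigation text are invented) and sorts each open finding into one of three buckets: still within its remediation window, past the deadline but carrying a documented mitigation, or past the deadline with nothing documented. The remediation windows per severity are assumed placeholders, since the page does not state the VA timeframes.

```python
"""Flag vulnerability findings that are past their remediation deadline.

Added example (not from the OIG report). Open findings are bucketed as
in_window, mitigated (overdue but with a documented mitigation), or
overdue (past deadline with no documented mitigation).
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# ASSUMPTION: remediation windows in days by severity. The VA-defined
# timeframes cited in the report are not given on this page; replace with
# the applicable policy values.
REMEDIATION_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}

# Constructed sample export, modelled on a typical scanner CSV.
# Hosts, plugin IDs, dates and POA&M reference are invented.
SAMPLE_EXPORT = """\
host,plugin_id,severity,first_seen,status,mitigation
10.10.110.21,19506,critical,2024-01-05,open,
10.10.110.22,51192,high,2024-02-10,open,"Port blocked at host firewall; POA&M 2024-017"
10.10.120.5,10863,medium,2024-03-01,open,
10.10.200.40,19506,critical,2024-03-20,fixed,
10.10.200.41,42873,low,2024-03-25,open,
"""


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    severity: str
    first_seen: date
    status: str
    mitigation: str

    @property
    def deadline(self) -> date:
        """Date by which the finding must be remediated under the assumed windows."""
        return self.first_seen + timedelta(days=REMEDIATION_DAYS[self.severity])


def parse_export(text: str) -> list[Finding]:
    """Parse a CSV scan export into Finding records."""
    return [
        Finding(
            host=row["host"],
            plugin_id=row["plugin_id"],
            severity=row["severity"].lower(),
            first_seen=date.fromisoformat(row["first_seen"]),
            status=row["status"].lower(),
            mitigation=row["mitigation"].strip(),
        )
        for row in csv.DictReader(io.StringIO(text))
    ]


def triage(findings: list[Finding], as_of: date):
    """Return (overdue, mitigated, in_window) lists of open findings as of a date."""
    overdue, mitigated, in_window = [], [], []
    for f in findings:
        if f.status == "fixed":
            continue  # remediated; nothing to track
        if as_of <= f.deadline:
            in_window.append(f)
        elif f.mitigation:
            mitigated.append(f)  # late, but a compensating control is documented
        else:
            overdue.append(f)  # late with no documented mitigation: the audit finding
    return overdue, mitigated, in_window


def report(as_of_iso: str = "2024-04-30") -> dict[str, list[tuple[str, str]]]:
    """Triage the sample export as of a date; returns (host, plugin_id) per bucket."""
    overdue, mitigated, in_window = triage(
        parse_export(SAMPLE_EXPORT), date.fromisoformat(as_of_iso)
    )
    key = lambda f: (f.host, f.plugin_id)
    return {
        "overdue": [key(f) for f in overdue],
        "mitigated": [key(f) for f in mitigated],
        "in_window": [key(f) for f in in_window],
    }


if __name__ == "__main__":
    for bucket, items in report().items():
        print(f"{bucket}: {items}")
```

Only the `overdue` bucket is an audit finding under recommendation 3; the `mitigated` bucket still needs a plan of action and milestones, but the control (document what cannot be fixed on time) has been met. Running the same export against a later date shows how medium-severity items age into the overdue bucket if nothing is done.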