Audit Finds IT Security Deficiencies at Texas VA Health Center
A Department of Veterans Affairs Office of Inspector General inspection of the Harlingen VA Health Care Center in Texas identified some IT security deficiencies in configuration management, contingency planning, and access controls.
To determine compliance with the Federal Information Security Modernization Act of 2014 (FISMA), the VA Office of Inspector General (OIG) conducts an annual audit of VA’s information security program and practices.
The fiscal year 2021 FISMA audit, conducted by CliftonLarsonAllen LLP, an independent public accounting firm, assessed VA’s information security program through inquiries, observations, and tests of selected controls supporting 50 major applications and general support systems at 24 VA facilities and on the VA Enterprise Cloud, including the testing of selected management, technical, and operational controls outlined by NIST. CliftonLarsonAllen LLP made 26 recommendations, all of which are repeated from the prior annual audit, indicating that VA continues to face significant challenges in complying with FISMA requirements. These recommendations included addressing deficiencies in configuration management, contingency planning, security management, and access controls.
The OIG chose to audit the Harlingen VA because it was not part of the recent FISMA audit. In a report published Sept. 27, 2022, OIG identified deficiencies with configuration management, contingency planning, and access controls at Harlingen. The inspection team did not identify deficiencies with security management.
The Harlingen VA Health Care Center had security deficiencies in the following configuration management controls:
• Component inventory is a descriptive record of IT assets in an organization down to the system level.
• Vulnerability management is the process by which the Office of Information and Technology (OIT) identifies and corrects software defects and often includes system updates, such as security patches.
• System life cycle is the process of initiating, developing, implementing, maintaining, and replacing or disposing of systems.
The center did not have accurate listings of information systems’ hardware in VA’s Enterprise Mission Assurance Support Service, despite OIT and VA’s use of automated inventories of its systems. A complete, accurate, and up-to-date inventory is required to implement an effective security program. Inaccurate component inventories render vulnerability management ineffective.
The OIG determined that OIT’s vulnerability identification process and scans were effective; however, the process to remediate identified vulnerabilities needs improvement. OIT scans for vulnerabilities routinely, randomly, and when new vulnerabilities are identified and reported.
The inspection team and OIT used the same vulnerability-scanning tools. The inspection team identified 16 vulnerabilities—five critical vulnerabilities on less than 1 percent of the computers, which also had unsupported operating systems, and 11 high-risk vulnerabilities on 20 percent of the computers—that were previously identified by OIT but were not mitigated within OIT’s established time frames.
VA requires that critical vulnerabilities be remediated within 30 days and high-risk vulnerabilities be remediated in 60 days. The oldest vulnerability was identified on the network in 2013. The OIG found one critical vulnerability on about 1 percent of computers and six high-risk vulnerabilities on 32 percent of the computers that were detectable but not included in prior OIT scan results.
Despite VA’s significant patch management measures, the OIG inspection team identified several devices that were missing available patches. Some of these vulnerabilities had been on the network for as long as nine years after initial discovery by VA. Without patches, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction.
Over half of the center’s network switches used operating systems past their vendor support dates, meaning they would not receive maintenance or vulnerability support. Furthermore, the deficient devices did not meet VA baseline configurations. These devices should have been refreshed to vendor-supported systems before the vendor terminated support. Network devices and IT systems are an organization’s most critical infrastructure. Upgrading is not just a defensive strategy but a proactive one that protects the stability of the network. The baseline configurations for network equipment are mandated by the VA OIT Configuration Control Board.
In addition, the inspection team identified deficiencies in logging administrative actions, retaining logs, and reviewing logs for databases at the center. For instance, database event logs of administrative access were overwritten within minutes, in violation of VA policy. The center had not deployed a mechanism to copy the database’s log files to long-term storage or prevent them from being overwritten. Logs frequently provide value during security incident analysis by recording which accounts were accessed and what actions were performed. Without this information, an investigation may be limited or unsuccessful in determining the unauthorized use or modification of center information.
The inspection team found that the center did not have fire detection systems in its two computer rooms and five communication closets. Without these systems, the center may not be able to readily respond to a fire before the activation of sprinkler systems. This could damage organizational assets and result in financial loss or harm to veterans.
The inspection team also noted that one of the computer rooms did not use a visitor access log. As a result, the information security officer and system owner could not verify that appropriate physical security measures were implemented and functioning as intended. Without visitor access logs, there is no record of visitors who enter the computer room. Consequently, research would be impeded in the event of intentional or unintentional damage to equipment or the room.
Center officials implemented visitor access logs in the computer rooms after the OIG brought this issue to their attention.
The OIG recommended that the assistant secretary for information and technology and chief information officer implement (1) a more effective process to maintain consistent inventory information for all network segments, (2) a vulnerability management program that ensures system changes occur within organization timelines, (3) an effective system life-cycle process to ensure network devices meet standards mandated by the VA OIT Configuration Control Board, and (4) a process to retain database logs for a period consistent with VA’s record retention policy.
The OIG made these recommendations to the assistant secretary because they are related to enterprise-wide IT security issues similar to those identified during previous FISMA audits and IT security reviews. The OIG also recommended that the Harlingen VA Health Care Center director validate that appropriate physical and environmental security measures are implemented and functioning as intended.