According to an IT security assessment released on Tuesday by the Department of Veterans Affairs' Office of Inspector General, more than half of the network switches at the Harlingen VA Health Care Center in Harlingen, Texas, were running outdated operating systems and did not meet the department's baseline configurations.
The audit was conducted to evaluate whether Harlingen was complying with the Federal Information Security Management Act, or FISMA, information security safeguards. The OIG stated that it chose Harlingen for an assessment because it had not previously been reviewed during the annual FISMA audit.
Harlingen is part of the Texas Valley Coastal Bend Healthcare System, which receives approximately 300,000 outpatient visits per year.
The OIG discovered flaws in three of the four security control areas at Harlingen, including configuration management, contingency planning and access controls. OIG’s inspection team did not document any issues with the center’s security management.
The audit found significant flaws in Harlingen's configuration management controls, which are used to identify and track the center's hardware and software components. These flaws included an inaccurate component inventory list, unaddressed security flaws, and an inability to identify all critical and high-risk vulnerabilities across the center's network.
Most concerning was OIG’s finding that “almost 53 percent of the Harlingen center’s network switches used operating systems that no longer receive maintenance or vulnerability support from the vendor.” The outdated devices also did not meet the baseline configurations for network equipment mandated by the VA Office of Information and Technology Configuration Control Board, which reflect “agreed-on specifications for systems or configuration items within those systems.”
“Network devices and IT systems are an organization’s most critical infrastructure,” OIG said in its assessment. “Upgrading is not just a defensive strategy but a proactive one that protects network stability.”
Despite VA's use of an automated inventory system, the OIG assessment revealed varying tallies of IT components at Harlingen. VA's automated system counted 1,568 devices at the center, while the OIG assessment team found 1,544 devices on the Harlingen network. However, according to the audit, VA's Enterprise Mission Assurance Support Services system, or eMASS, which "allows for FISMA systems inventory tracking and reporting activities," identified only 942 devices.
“Because VA’s eMASS is used for developing system security and privacy plans, without an accurate inventory of network devices in eMASS, VA has no assurance that these plans implement security controls for all the components within the system,” the audit said.
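The inventory gap the audit describes (an automated discovery tool, an on-site scan and the eMASS system plan each reporting a different device count) is the kind of discrepancy a defender can surface mechanically by reconciling the three sources. The script below is an added example and is not from the OIG report or any VA tool; the device records are constructed, and the hostname key and record layout are assumptions.

```python
"""Reconcile device inventories from three sources and report coverage gaps.

Added example, not from the OIG report or any VA system. The records below are
constructed; keying on hostname and the (ip, kind) layout are assumptions.
"""

# Constructed sample data. Each source maps hostname -> (ip, device kind).
AUTOMATED_INVENTORY = {          # what the automated discovery tool reports
    "sw-core-01": ("10.1.0.2", "switch"),
    "sw-edge-07": ("10.1.4.7", "switch"),
    "db-police-01": ("10.1.9.10", "server"),
    "ws-0421": ("10.1.22.41", "workstation"),
    "old-printer-3": ("10.1.30.3", "printer"),   # stale record: no longer on the wire
}
NETWORK_SCAN = {                 # what an on-site scan actually observed
    "sw-core-01": ("10.1.0.2", "switch"),
    "sw-edge-07": ("10.1.4.7", "switch"),
    "db-police-01": ("10.1.9.10", "server"),
    "ws-0421": ("10.1.22.41", "workstation"),
    "iot-hvac-02": ("10.1.40.2", "embedded"),    # live, but never inventoried
}
SYSTEM_PLAN_INVENTORY = {        # components listed in the system security plan (eMASS role)
    "sw-core-01": ("10.1.0.2", "switch"),
    "db-police-01": ("10.1.9.10", "server"),
    "old-printer-3": ("10.1.30.3", "printer"),
}


def normalize(name: str) -> str:
    """Hostnames from different tools differ in case and whitespace; normalize before matching."""
    return name.strip().lower()


def reconcile(automated: dict, scan: dict, plan: dict) -> dict:
    """Compare the three sources and return the gaps that matter for security planning.

    uncovered_by_plan: devices seen by any tool but absent from the system plan,
        so no security control is documented for them.
    stale_in_plan: devices in the plan that the live scan did not find.
    unmanaged_on_wire: devices the scan found that the inventory tool does not know.
    plan_coverage: fraction of all observed devices that the plan accounts for.
    """
    a = {normalize(k) for k in automated}
    s = {normalize(k) for k in scan}
    p = {normalize(k) for k in plan}
    observed = a | s
    return {
        "uncovered_by_plan": sorted(observed - p),
        "stale_in_plan": sorted(p - s),
        "unmanaged_on_wire": sorted(s - a),
        "plan_coverage": round(len(observed & p) / len(observed), 3) if observed else 1.0,
        "counts": {"automated": len(a), "scan": len(s), "plan": len(p)},
    }


if __name__ == "__main__":
    report = reconcile(AUTOMATED_INVENTORY, NETWORK_SCAN, SYSTEM_PLAN_INVENTORY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Matching on hostname alone is the simplest case; in practice the same reconciliation is usually run on a stable identifier such as MAC address or serial number, since hostnames and addresses change. The `uncovered_by_plan` list is the one the audit's point is about: every device on it is a component with no documented security controls.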
OIG's inspection team also compared on-site vulnerability scans from Jan. 10 to Jan. 13, 2022, with those conducted remotely by VA's Office of Information and Technology, and discovered 16 serious vulnerabilities on the Harlingen network that had not been mitigated within VA's established timeframe for addressing vulnerabilities. These included "five critical vulnerabilities on less than 1% of the computers and 11 high-risk vulnerabilities."
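The comparison OIG performed, on-site scan results set against remote scan results and both checked against a remediation deadline, can be expressed as a small aging check. The script below is an added example and not part of the audit or any VA tooling: the findings, scan dates and the remediation windows per severity are constructed placeholders (the article does not state VA's actual timeframes), and the finding identifiers are labelled placeholders rather than real CVEs.

```python
"""Flag vulnerability findings that are past their remediation deadline, and
show which findings a remote scan missed relative to an on-site scan.

Added example, not from the OIG report. REMEDIATION_DAYS is an assumed
placeholder policy, not VA's timeframe; findings and dates are constructed.
"""
from datetime import date, timedelta

# Assumed remediation windows (days allowed after first detection), per severity.
REMEDIATION_DAYS = {"critical": 30, "high": 60, "medium": 90}

# Constructed findings: (host, finding id, severity, first_seen).
# Ids are placeholders, not real vulnerability identifiers.
ONSITE_SCAN = [
    ("ws-0421", "PLACEHOLDER-VULN-A", "critical", date(2021, 10, 1)),
    ("db-police-01", "PLACEHOLDER-VULN-B", "high", date(2021, 12, 20)),
    ("sw-edge-07", "PLACEHOLDER-VULN-C", "high", date(2021, 9, 15)),
    ("ws-0199", "PLACEHOLDER-VULN-D", "medium", date(2022, 1, 5)),
]
REMOTE_SCAN = [
    ("ws-0421", "PLACEHOLDER-VULN-A", "critical", date(2021, 10, 1)),
    ("ws-0199", "PLACEHOLDER-VULN-D", "medium", date(2022, 1, 5)),
]


def overdue(findings, as_of: date, policy=REMEDIATION_DAYS):
    """Return (host, id, severity, days_overdue) for findings past their deadline."""
    late = []
    for host, vid, sev, first_seen in findings:
        deadline = first_seen + timedelta(days=policy[sev])
        if as_of > deadline:
            late.append((host, vid, sev, (as_of - deadline).days))
    return late


def missed_by_remote(onsite, remote):
    """Findings the on-site scan reported that the remote scan did not; these are
    the ones central remediation tracking would never have seen."""
    remote_keys = {(host, vid) for host, vid, _, _ in remote}
    return [f for f in onsite if (f[0], f[1]) not in remote_keys]


def summarize(as_of: date, onsite=ONSITE_SCAN, remote=REMOTE_SCAN) -> dict:
    """Combine both checks: what is overdue, and how much of it the remote scan missed."""
    late = overdue(onsite, as_of)
    missed = missed_by_remote(onsite, remote)
    missed_keys = {(f[0], f[1]) for f in missed}
    return {
        "overdue": late,
        "overdue_missed_by_remote": [f for f in late if (f[0], f[1]) in missed_keys],
        "by_severity": {
            sev: sum(1 for f in late if f[2] == sev) for sev in policy_severities(late)
        },
    }


def policy_severities(late):
    return sorted({f[2] for f in late})


if __name__ == "__main__":
    # Jan. 13, 2022 is the last day of the on-site scan window in the article.
    for key, value in summarize(date(2022, 1, 13)).items():
        print(f"{key}: {value}")
```

The `overdue_missed_by_remote` list is the useful one for a defender: a finding that is both past its deadline and invisible to the remote scanner will not age out of any central queue, so it stays unmitigated until someone scans from inside the network.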
The OIG's inspection team also discovered that database managers were not adequately maintaining log data; that computer rooms and communications closets throughout the facility lacked fire detection systems; and that the computer room housing the center's police servers lacked a visitor access log. Furthermore, the OIG discovered that Harlingen's contingency plan "did not fully address reconstituting all systems to restore IT operations to a fully operational state following a disaster."
The OIG made four recommendations to the VA's assistant secretary for information and technology and chief information officer "due to enterprise-wide IT security issues similar to those identified during previous FISMA audits and IT security reviews." The OIG also made another recommendation to Harlingen's director to “validate that appropriate physical and environmental security measures are implemented and functioning as intended.” VA concurred with all five recommendations.
VA has long struggled to meet FISMA requirements, with the Government Accountability Office stating in a November 2019 report that VA was one of the federal agencies with inadequate information security protections, including when it came to implementing effective security controls and mitigating vulnerabilities.
On Sept. 22, the OIG released a separate IT security assessment of the Alexandria VA Medical Center in Pineville, Louisiana, documenting deficiencies in three of the facility's four security control areas and discovering "critical and high-risk vulnerabilities on 37% of the devices."
The FISMA audit of VA's agencywide compliance for fiscal year 2021, released in April, found that the department as a whole "continues to face significant challenges in complying with FISMA due to the nature and maturity of its information security program.” OIG noted in Tuesday’s assessment of Harlingen that the FY2021 FISMA audit made 26 recommendations to VA, and that “all 26 recommendations were repeated from the prior year.”