Poor security leaves VA systems open to attack, watchdog says

The Veterans Affairs Department runs insecure Web application servers, uses weak or default passwords to protect its hardware and software, and does not comprehensively monitor connections between its systems and the Internet, according to an internal agency watchdog.

These conditions leave department systems vulnerable to penetration or attack, said VA Assistant Inspector General Belinda Finn in testimony before the House Veterans Affairs Committee Wednesday.

The 2002 Federal Information Security Management Act requires federal agencies to develop, document and adhere to detailed information security programs. But Finn said VA continues to have significant information security deficiencies.

She said the IG office found several VA database systems used outdated software that could allow unauthorized users to access mission-critical data and alter databases.

Most of VA's 153 hospitals do not segment access to their medical networks, according to Finn. As a result, IG investigators were able to penetrate the networks -- including those hosting medical diagnostic and imaging systems -- from remote locations.

VA had not identified, managed or monitored a significant number of system connections with external sources, meaning "an attacker could penetrate VA's internal network and systems over an extended period of time without being detected," she said.

The department has made progress improving its IT security during the past several years, Finn told committee members, but still needs to complete the majority of 11,000 action plans to mitigate and eliminate security risks.

Roger Baker, VA's chief information officer, testified that the department monitors its core enterprise network 24 hours a day, has deployed 160 intrusion detection systems nationally, and blocks delivery of 16.4 million e-mails a day viewed as spam or containing malware.

VA has moved to isolate networks that host X-ray machines and other medical devices from other networks, Baker said.

The department's most important ongoing security project is its Visibility to the Desktop program, which Baker said he expects to complete by September. It will allow VA to check the status of all machines in a network from a central location at the enterprise level.

"This is a huge security tool for us," he said, "and it means that VA can review and run reports on any of the 333,000 machines on our network. This also gives VA the ability to apply patches which will greatly improve the security of the network."
