The Veterans Affairs Department runs insecure Web application servers, uses weak or default passwords to protect its hardware and software, and does not comprehensively monitor connections between its systems and the Internet, according to an internal agency watchdog.
These conditions leave department systems vulnerable to penetration or attack, said VA Assistant Inspector General Belinda Finn in testimony before the House Veterans Affairs Committee Wednesday.
The 2002 Federal Information Security Management Act requires federal agencies to develop, document and adhere to detailed information security programs. But Finn said VA continues to have significant information security deficiencies.
She said the IG office found several VA database systems used outdated software that could allow unauthorized users to access mission-critical data and alter databases.
Most of VA's 153 hospitals do not segment access to their medical networks, according to Finn. As a result, IG investigators were able to penetrate the networks -- including those hosting medical diagnostic and imaging systems -- from remote locations.
VA had not identified, managed or monitored a significant number of system connections with external sources, meaning "an attacker could penetrate VA's internal network and systems over an extended period of time without being detected," she said.
The department has made progress improving its IT security during the past several years, Finn told committee members, but still needs to complete the majority of 11,000 action plans to mitigate and eliminate security risks.
Roger Baker, VA's chief information officer, testified that the department monitors its core enterprise network 24 hours a day, has deployed 160 intrusion detection systems nationally, and blocks delivery of 16.4 million e-mails a day viewed as spam or containing malware.
VA has moved to isolate networks that host X-ray machines and other medical devices from other networks, Baker said.
The department's most important ongoing security project is its Visibility to the Desktop program, which Baker said he expects to complete by September. It will allow VA to check the status of all machines in a network from a central location at the enterprise level.
"This is a huge security tool for us," he said, "and it means that VA can review and run reports on any of the 333,000 machines on our network. This also gives VA the ability to apply patches which will greatly improve the security of the network."