recommended reading

Poor security leaves VA systems open to attack, watchdog says

The Veterans Affairs Department runs unsecure Web application servers, uses weak or default passwords to protect its hardware and software, and does not comprehensively monitor connections between its systems and the Internet, according to an internal agency watchdog.

These conditions leave department systems vulnerable to penetration or attack, said VA Assistant Inspector General Belinda Finn in testimony before the House Veterans Affairs Committee Wednesday.

The 2002 Federal Information Security Management Act requires federal agencies to develop, document and adhere to detailed information security programs. But Finn said VA continues to have significant information security deficiencies.

She said the IG office found several VA database systems used outdated software that could allow unauthorized users to access mission-critical data and alter databases.

Most of VA's 153 hospitals do not segment access to their medical networks, according to Finn. As a result, IG investigators were able to penetrate the networks -- including those hosting medical diagnostic and imaging systems -- from remote locations.

VA had not identified, managed or monitored a significant number of system connections with external sources, meaning "an attacker could penetrate VA's internal network and systems over an extended period of time without being detected," she said.

The department has made progress improving its IT security during the past several years, Finn told committee members, but still needs to complete the majority of 11,000 action plans to mitigate and eliminate security risks.

Roger Baker, VA's chief information officer, testified that the department monitors its core enterprise network 24 hours a day, has deployed 160 intrusion detection systems nationally, and blocks delivery of 16.4 million e-mails a day viewed as spam or containing malware.

VA has moved to isolate networks that host X-ray machines and other medical devices from other networks, Baker said.

The department's most important ongoing security project is its Visibility to the Desktop program, which Baker said he expects to complete by September. It will allow VA to check the status of all machines in a network from a central location at the enterprise level.

"This is a huge security tool for us," he said, "and it means that VA can review and run reports on any of the 333,000 machines on our network. This also gives VA the ability to apply patches which will greatly improve the security of the network."

Threatwatch Alert

Network intrusion / Stolen credentials

85M User Accounts Compromised from Video-sharing Site Dailymotion

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.