An audit conducted by the VA’s Office of Inspector General found unaddressed security vulnerabilities and deficient devices at the Harlingen VA Health Care Center.
An IT security assessment released by the Department of Veterans Affairs’ Office of Inspector General on Tuesday found that more than half of the network switches at the Harlingen VA Health Care Center in Harlingen, Texas, used outdated operating systems and did not meet the department’s baseline configurations.
The audit was conducted to determine whether Harlingen was complying with the information security protections required by the Federal Information Security Management Act, or FISMA. OIG said it selected Harlingen—which is part of the Texas Valley Coastal Bend Healthcare System that receives approximately 300,000 outpatient visits per year—for an assessment because it had not previously been reviewed during the annual FISMA audit.
OIG found deficiencies in three of the four security control areas at Harlingen, including with configuration management, contingency planning and access controls. OIG’s inspection team did not document any issues with the center’s security management.
The audit reported significant deficiencies in Harlingen’s configuration management controls used to identify and track the center’s hardware and software components, including an inaccurate component inventory list, unaddressed security flaws and an inability to identify all critical and high-risk vulnerabilities across the center’s network.
Most concerning was OIG’s finding that “almost 53 percent of the Harlingen center’s network switches used operating systems that no longer receive maintenance or vulnerability support from the vendor.” The outdated devices also did not meet the baseline configurations for network equipment mandated by the VA Office of Information and Technology Configuration Control Board, which reflect “agreed-on specifications for systems or configuration items within those systems.”
“Network devices and IT systems are an organization’s most critical infrastructure,” OIG said in its assessment. “Upgrading is not just a defensive strategy but a proactive one that protects network stability.”
The OIG assessment also documented varying tallies of IT components at Harlingen, despite VA’s use of an automated inventory system. VA identified 1,568 devices at the center, while the OIG assessment team identified 1,544 devices on Harlingen’s network. However, VA’s Enterprise Mission Assurance Support Services system, or eMASS—which “allows for FISMA systems inventory tracking and reporting activities,” according to the audit—only identified 942 devices.
“Because VA’s eMASS is used for developing system security and privacy plans, without an accurate inventory of network devices in eMASS, VA has no assurance that these plans implement security controls for all the components within the system,” the audit said.
OIG’s inspection team also compared on-site vulnerability scans with those conducted remotely by VA’s Office of Information and Technology from Jan. 10 to Jan. 13, 2022, and identified 16 serious vulnerabilities on the Harlingen network that had not been mitigated within VA’s established timeframe for addressing vulnerabilities. These included “five critical vulnerabilities on less than 1% of the computers and 11 high-risk vulnerabilities on 20% of the computers,” including one vulnerability that was first identified on the network in 2013.
Other deficiencies identified by OIG’s inspection team at Harlingen included database managers not adequately maintaining log data; computer rooms and communications closets across the facility lacking fire detection systems; and the computer room housing the center’s police servers lacking a visitor access log. OIG also found that Harlingen’s contingency plan “did not fully address reconstituting all systems to restore IT operations to a fully operational state after a disaster.”
The OIG made four recommendations to VA’s assistant secretary for information and technology and chief information officer “because they are related to enterprise-wide IT security issues similar to those identified during previous FISMA audits and IT security reviews.” OIG also made an additional recommendation to Harlingen’s director to “validate that appropriate physical and environmental security measures are implemented and functioning as intended.” VA concurred with all five recommendations.
VA has long struggled to comply with FISMA’s requirements, with the Government Accountability Office noting in a November 2019 report that VA was one of the federal agencies with deficient information security protections, including when it came to implementing effective security controls and mitigating vulnerabilities.
Tuesday’s audit also came after the OIG released a separate IT security assessment of the Alexandria VA Medical Center in Pineville, Louisiana, on Sept. 22 that documented deficiencies in three of the facility’s four security control areas and found “critical and high-risk vulnerabilities on 37% of the devices” at the center.
The fiscal year 2021 FISMA audit of VA’s agencywide compliance, which was released in April, found that the department as a whole “continues to face significant challenges in complying with FISMA due to the nature and maturity of its information security program.” OIG noted in Tuesday’s assessment of Harlingen that the FY2021 FISMA audit made 26 recommendations to VA, and that “all 26 recommendations were repeated from the prior year.”