Vulnerability management and remediation deficiencies identified at Alabama VA Medical Center

An information security inspection at Tuscaloosa VA Medical Center in Alabama by the VA Office of Inspector General (OIG) revealed deficiencies in three of the four security control areas assessed. The OIG inspection covered configuration management, contingency planning, security management and access controls, identifying deficiencies in configuration management, security management and access controls.

Configuration management controls are required to identify and manage security features for all hardware and software components of an information system. OIG found deficiencies in vulnerability management, debugging, and database scans. The Office of Information and Technology (OIT) routinely scans for vulnerabilities, and although OIG and OIT used the same vulnerability scanning tools, OIT could not identify all vulnerabilities. OIG identified 119 critical risk vulnerabilities that OIT could not detect. OIG also identified 301 vulnerabilities that were not remediated within the required 30- or 60-day windows, with 134 critical-risk vulnerabilities found on 14% of devices and 134 high-risk vulnerabilities on 46% of devices. One of the high-risk vulnerabilities has not been patched for seven years.

Several devices were found to be missing critical security patches that were available but not yet applied, leaving VA systems at risk of unauthorized access, alteration or destruction. While database scans are performed every quarter, OIT was only able to provide scans for half of the databases because it was unable to reach all databases due to a port filtering issue. Without these completed scans, OIT would not detect security control vulnerabilities that could impact the security posture of databases.

Safety management controls were evaluated, and OIG identified a deficiency: it found that several action plans and milestones were missing or did not contain enough detail to be actionable. Four access control deficiencies were identified in relation to network segmentation, audit and surveillance controls, environmental controls, and power backup. Network segmentation is required for medical equipment and specialty systems that should be placed on isolated networks for protection. Several network segments containing medical and specialty systems did not have network segmentation controls. 19 network segments containing 221 medical devices and specialty systems did not have ACLs applied that allowed any user to access those devices. Logs must be monitored to assess the effectiveness of security controls, detect attacks, and investigate during or after attacks. It was found that half of the databases supporting Tuscaloosa’s VAMC were missing. The missing logs affected the databases that were not subjected to a vulnerability scan.

Compliance Checklist

Free and instant download

Will be delivered by email so make sure you enter your email address correctly.

Your privacy respected

HIPAA Journal Privacy Policy

Several communications rooms were found to lack temperature or humidity controls, which could have a significant adverse impact on system availability, and also found a lack of uninterruptible power supplies, meaning infrastructure equipment would stop working during power fluctuations or outages would. resulting in disruption of data flow and disruption of access to network resources.

The OIG made 8 recommendations to address the deficiencies, 6 to the Assistant Secretary of Information and Technology and the Chief Information Officer regarding security issues, and 2 to the Tuscaloosa VAMC Director, who must ensure that communications spaces have adequate environmental controls and are uninterrupted Power supply for the infrastructure have equipment.