VA OIG Audit Uncovers Vulnerability Management Weaknesses

Configuration management – especially vulnerability patching – is a significant challenge for many healthcare entities, including some Veterans Affairs medical facilities. A recent watchdog agency security inspection found configuration issues to be a top weakness at a VA healthcare system in Arizona.

See Also: Live Webinar | Reclaim Control over Your Secrets – The Secret Sauce to Secrets Security

The Veterans Affairs Office of Inspector General in a report issued Tuesday said a recent information security inspection of the Northern Arizona VA Health Care System found deficiencies in three security control areas reviewed in accordance with the Federal Information Security Modernization Act of 2014.

Control areas inspected included configuration management, security management and access controls. While the review found issues in each of the three areas examined, configuration management issues – most notably related to vulnerability management – were among the top critical deficiencies found at the Arizona system, according to the VA OIG report.

The Northern Arizona VA Health Care System was chosen for a security inspection because it had not been previously visited as part of a FISMA audit, the VA OIG said. That regional VA healthcare system, which includes the Bob Stump Department of Veterans Affairs Medical Center in Prescott plus 11 clinics, provides medical services to 33,000 veterans throughout a 65,000-square mile region in northern Arizona.

Inspection Findings

Comparisons of vulnerability scans by the VA OIG inspectors showed that the VA Office of IT handling the Northern Arizona system did not identify all critical or high-risk vulnerabilities in the network or remediate flaws, the report said.

For instance, despite the VA’s patch management protocol, the OIG inspection team found several devices missing security patches. “Several devices with critical and high-risk vulnerabilities had patches available that were not applied. Without these controls, critical systems may be at unnecessary risk of unauthorized access, alteration or destruction,” the watchdog agency wrote.

The OIG said it also found that 71 of 80 healthcare system network switches used operating systems that did not meet VA Office of IT baseline requirements and were no longer supported by the vendor.

“Consequently, these devices will not receive maintenance or vulnerability support, which can result in an opportunity for adversaries to exploit weaknesses in components. Additionally, noncurrent software may be vulnerable to malicious code,” the VA OIG wrote.

“Network devices and IT systems are critical infrastructure to an organization. Upgrading is not just a defensive strategy but a practical one that protects network stability.”

Persistent Challenges

The review of the Northern Arizona system is not the first time the OIG VA has found vulnerability management issues at various VA medical facilities. For instance, in January, a similar VA OIG audit report on the Tuscaloosa VA Medical Center in Alabama also found unpatched flaws, including a “high-risk vulnerability” first identified in 2015 that had gone unmitigated for years (see: VA Hospital ‘High-Risk’ Vulnerability Unaddressed for Years).

But whether it is a VA or private sector medical entity, the overall healthcare sector seems to struggle significantly with vulnerability management, some experts say.

“Several factors make patch management particularly difficult for healthcare organizations. For many, the first problem is resource constraints. They don’t have the resources to keep up with demand for patching,” said Jon Moore, chief risk officer at privacy and security consultancy Clearwater.

The complexity of IT environments in healthcare adds to the problem. “The diversity of systems and devices and the vendors who supply and support them can make it particularly challenging to drive vulnerability and patch management efficiently,” he said.

Also, importantly, downtime to patch is a major concern, Moore said. “Taking systems offline or disrupting system availability for maintenance purposes can be life-threatening for patients receiving treatment from these organizations.”

On top of that, interoperability is a big consideration, he said. “Patching a system may break its ability to share critical patient health information with other systems, and therefore significant testing may be necessary before applying a patch.”

Other Control Weaknesses

Besides configuration management, the OIG also found some deficiencies in the two other main security areas inspected at the VA’s Northern Arizona healthcare system – security management and access controls.

Among the security management findings, the OIG said it had identified almost twice as many devices on the network than the inventory listed. “By not routinely updating the hardware inventory, management is making risk decisions based on inaccurate system information,” the OIG wrote.

Weak access controls identified included physical controls, such as missing video surveillance at a data center, inadequate fire detection and suppression equipment, insufficient water sensors and climate controls, unmounted or stacked network equipment, and communications rooms without backup power supplies.

Some experts say the OIG’s audit not only highlights important security risk management issues at the VA, but also in the healthcare sector overall. “The report rightly called out configuration management and security management,” said Wendell Bobst, senior security consultant at tw-Security.

“There are too many devices to patch individually and computer management software should be installed on each ‘regular’ computer to track the pending patches, and if reboots have occurred,” he said.

“Where the VA likely failed was the lack of network segmentation to isolate the devices that don’t support the computer management software – for example, radiology modalities – or regular patching,” he said. This type of isolation would contain most malicious software in time for IT to address an issue, he added.

The OIG said it made several recommendations to the VA assistant secretary for IT and the CIO to improve security controls at the Northern Arizona healthcare system “because they are related to enterprisewide information security issues similar to those identified on previous FISMA audits and information security inspections.”

The OIG also said that it made five recommendations to the Northern Arizona VA Health Care System director.

These included having the VA implement a more effective vulnerability management program to address the kinds of security deficiencies identified in the Northern Arizona system, including ensuring issues are remediated within established time frames.

The report said VA IT management concurred with the watchdog agency’s recommendations.

The VA did not immediately respond to Information Security Media Group’s request for comment on the OIG’s report.