Submitting OIG:
Report Description:
The OIG conducted this follow-up inspection to determine whether information systems at the Southwest Consolidated Mail Order Pharmacy in Tucson, Arizona, were meeting federal security guidance. The OIG inspected the facility in 2021 and made six recommendations to correct security weaknesses.
During this inspection, the team identified continuing deficiencies related to configuration management, security management, and access controls designed to protect systems from unauthorized access, alteration, and destruction. Regarding configuration management, the OIG found that the facility did not create plans for remediating vulnerabilities that had not been resolved within established time frames, and that network devices were running software that no longer met security requirements. Security management controls were deficient in that an administrator account was still active five months after the user’s employment was terminated, contrary to policy. Access controls were deficient in two respects: they did not isolate special-purpose system segments from the rest of the network, giving any user access to systems that run 50 potentially vulnerable special-purpose devices; and database audit logs used to assess the effectiveness of other security controls, recognize an attack, and investigate during or after an attack were not properly retained.
Unless the facility takes corrective actions, it risks unauthorized access to critical network resources, loss of personally identifiable information, and inability to respond effectively to incidents. To correct the deficiencies, the OIG made five new recommendations.
Although the findings and recommendations in this report are specific to the Southwest Consolidated Mail Order Pharmacy, the OIG noted that other VA facilities could benefit from reviewing this information and considering these recommendations.
Date Issued:
Thursday, September 5, 2024
Agency Reviewed / Investigated:
Submitting OIG-Specific Report Number:
23-03721-180
Component, if applicable:
Office of Information and Technology
Veterans Health Administration
Location(s):
Agency-Wide
Type of Report:
Inspection / Evaluation
Questioned Costs:
$0
Funds for Better Use:
$0
Number of Recommendations:
5
Report updated under NDAA 5274:
No
