Inspection of Information Technology Security at the VA Outpatient Clinic in Austin, Texas

Information technology controls protect VA systems and data from unauthorized access, use, modification, or destruction. The VA Outpatient Clinic in Austin, Texas, is VA’s largest freestanding outpatient clinic— conducting almost 300,000 outpatient visits annually. The OIG inspected this clinic to determine whether it was meeting federal guidance in four security control areas related to configuration management, physical security, security management, and access controls. The team identified security deficiencies in the clinic’s configuration management controls related to component inventory and vulnerability and patch management. Although the inspection team and VA’s Office of Information and Technology (OIT) both used the same vulnerability scanning tools, OIT did not detect 150 of the 246 vulnerabilities the team identified. OIT’s standard vulnerability identification process and scans were ineffective. The poor component inventories and vulnerability management contributed to inadequate patch management. Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction. The team also discovered three hard drives that potentially held personally identifiable information and personal health information that were not labeled or processed for sanitization. Media protection deficiencies like these increase the risk of unauthorized disclosure of veterans’ information. The team did not identify deficiencies with the maintenance, physical, and environmental security controls or security management and access controls. The clinic’s existing policies and procedures addressed these areas, and no recommendations were made for them. The OIG recommended maintaining an accurate inventory, implementing a more effective patch and vulnerability management program, distributing the media protection standard operating procedure, and ensuring compliance with the procedure’s labeling and sanitization provisions.