The Office of Inspector General (OIG) conducted this inspection to determine whether the VA Beckley Healthcare System in West Virginia was meeting federal security guidance. The OIG selected the system because it had not previously been visited as part of the annual Federal Information Security Modernization Act of 2014 (FISMA) audit.The OIG identified security deficiencies with configuration management, security management, and access controls. The configuration management deficiencies involved incomplete and inaccurate information system entries on vulnerabilities needing remediation. The lack of accurate information slowed remediation efforts: the OIG team found that those efforts exceeded VA’s required 60-day time frame for 444 high-risk vulnerabilities on about 45 percent of computers. Among the weaknesses in security management, the team found the healthcare system’s special purpose system did not have an authorization to operate because it had not cleared the risk management framework established by the National Institute of Standards and Technology to meet FISMA requirements. The special purpose system comprises mechanisms that monitor the distribution of oxygen throughout the hospital, alert facility police of emergencies via panic buttons, limit access to the control room, and control the facility’s climate. As for access controls, network segments including those containing medical imaging devices were not separately controlled, allowing any network user to access them; not all systems were connected to a functional uninterrupted power supply; the medical center’s computer room and 19 communication closets had problems such as leaks, data lines being intertwined with electrical lines, and closets lacking cameras, dead bolts, and smoke detectors; and unencrypted hard drives were not being sanitized before they were shipped out for destruction.The OIG made 10 recommendations to address the deficiencies.
| Report Date | Agency Reviewed / Investigated | Report Title | Type | Location | |
|---|---|---|---|---|---|
| Department of Veterans Affairs | Information Security Inspection at the VA Beckley Healthcare System in West Virginia | Inspection / Evaluation |
|
View Report | |
| Federal Housing Finance Agency | DBR Adapted the Scope of Its Federal Home Loan Bank Supervisory Activities in 2023 in Response to Market Disruptions | Inspection / Evaluation | Agency-Wide | View Report | |
| Federal Housing Finance Agency | People Risk at FHFA’s Regulated Entities | Other | Agency-Wide | View Report | |
| Internal Revenue Service | Actions Need to Be Taken to Improve the Cyber Security Assessment and Management Application Security Controls | Audit | Agency-Wide | View Report | |
| Internal Revenue Service | Fiscal Year 2023 Statutory Review of Compliance With Notice of Federal Tax Lien Filing Collection Due Process Procedures | Audit | Agency-Wide | View Report | |
| Export-Import Bank | Audit of EXIM's Domestic and International Non-Sponsored Travel | Audit | Agency-Wide | View Report | |
| Environmental Protection Agency | The EPA Needs to Address Increasing Air Pollution at Ports | Inspection / Evaluation | Agency-Wide | View Report | |
| U.S. Agency for International Development | USAID/Ukraine Mission Staffing - Information Brief | Audit |
|
View Report | |
| U.S. Agency for International Development | Performance Audit of Incurred Costs of Making Cents International for the Fiscal Year Ended December 31, 2020 | Other |
|
View Report | |
| Social Security Administration | Dedicated Accounts for Supplemental Security Income Recipients | Audit | Agency-Wide | View Report | |
