Federal Reports

VA’s Office of Information Technology (OIT) manages more than 50,000 mobile devices that store and transmit veteran information that must be protected. The VA Office of Inspector General (OIG) conducted this audit to determine whether OIT’s policies and procedures provide enough security for that information. The OIG found OIT’s security practices for mobile devices generally minimized security weaknesses within VA’s network. However, the OIG did find vulnerabilities associated with configuration management. OIT did not block the use of applications to prevent malicious, vulnerable, or flawed software (“blacklisting”) as required by VA policy, increasing the risk of lost data. In addition, VA did not ensure mobile device users are completing the required annual information security training and had no way to validate the effectiveness of that training. VA also did not use configuration management tools to control and automate update releases for its mobile devices and applications—the OIG found 12,298 out of 50,618 mobile devices had unapproved operating systems. According to OIT’s director of mobile technology and endpoint security engineering, OIT decided not to use blacklisting or other configuration management tools because of concerns about workload. OIT has now awarded a contract to Lookout for a new application vetting tool, but it was not available for OIG review in time for publication of this report. The OIG recommended the assistant secretary for information and technology either enforce blacklisting or formally assess and document whether training would work to prevent users from downloading and using non-VA-approved applications. The OIG also recommended that the assistant secretary ensure users do not update devices and applications until after testing is conducted by the Mobile Device Management team and ensure mobile device users complete required annual training before accounts are activated.

This audit assessed the extent to which the Smithsonian Institution Office of Contracting and Personal Property Management and Smithsonian Enterprises have effective controls to manage revenue generating contracts.

Joshua Pearson, a marketer from St. George, Utah, pleaded guilty on October 22, 2019, in U.S. District Court, Central District of California, to receipt of illegal kickbacks related to a health care fraud scheme. As part the scheme, Pearson received kickbacks from Sheridan Medical for patient referrals for compounded drugs—drugs that were medically unnecessary. A marketer from Sheridan Medical and the owner of Fusion Rx Compounding Pharmacy, both in Los Angeles, were also charged for their role in the scheme. The Amtrak health insurance plan was fraudulently billed $17,000 as a result of the scheme. Criminal judicial proceedings for all three defendants are pending.

The Office of the Inspector General previously conducted a review of Human Resources (Evaluation Report 2016-15445-05, issued September 26, 2017) to identify operational and cultural strengths and areas for improvement that could impact Human Resources’ organizational effectiveness. Our report identified several operational and cultural areas for improvement and included recommendations for addressing those areas. In response, we received Human Resources’ management decision on December 4, 2017. The objective of this follow-up review was to assess actions taken to address concerns identified in the initial organizational effectiveness evaluation. In summary, we determined actions taken by Human Resources appear to have addressed the areas for improvement identified during our initial organizational effectiveness review.