Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Agency Reviewed / Investigated: Department of Veterans Affairs
Report Title: Inspection of Information Technology Security at the Consolidated Mail Outpatient Pharmacy in Tucson, Arizona
The VA Office of Inspector General (OIG) conducted this inspection to determine whether the Tucson Consolidated Mail Outpatient Pharmacy (CMOP) was meeting federal security guidance. The inspection team selected the Tucson CMOP because it is home to the CMOP Local Area Network, which establishes an interface for electronically transferring information between all Veterans Health Administration medical centers and the CMOP host systems located at each of the seven CMOPs, which together form an integrated and highly automated outpatient prescription dispensing system.

The OIG team found deficiencies in configuration management, contingency planning, and access controls. Specifically, the Tucson CMOP had inaccurate component inventories, ineffective vulnerability management, and inadequate flaw remediation, and had not implemented its configuration management plan; it lacked a disaster recovery plan; and it had not changed the default username and password for the security camera system and did not consistently generate or forward audit records to the Cybersecurity Operations Center. Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction.

The OIG made six recommendations to the Tucson CMOP director: implement effective inventory management tools, an effective vulnerability and flaw remediation program, and a disaster recovery plan; ensure CMOP staff understand their assigned roles and responsibilities; task the facility manager to change the default username and password for the security camera system; and request the Office of Information and Technology to configure audit logging on the misconfigured devices in accordance with established baselines, policy, and procedures.
As part of our annual audit plan, we performed an audit of the Tennessee Valley Authority's (TVA) non-power dam control system cybersecurity. Our objective was to determine if the cybersecurity controls of TVA's non-power dam control system were operating effectively.

In summary, we found (1) no clear ownership of the non-power dam control system, (2) vulnerable versions of operating systems and control system software, (3) inappropriate logical and physical access, and (4) internal information technology controls that were not operating effectively or had not been designed and implemented. Prior to completion of our audit, TVA clarified the ownership of the control system and took actions to address the inappropriate logical and physical access. We recommend the Senior Vice President, Resource Management and Operations Services, update the non-power dam control system to address the identified vulnerabilities and information technology control weaknesses. TVA management agreed with our recommendation and provided information on planned actions.
The VA Office of Inspector General (OIG) conducts information technology (IT) inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the Dallas Consolidated Mail Outpatient Pharmacy (CMOP) because it had not been previously visited as part of the annual FISMA audit.

The OIG inspections are focused on four security control areas that apply to local facilities and have been selected based on their level of risk: configuration management controls, contingency planning controls, security management controls, and access controls. The OIG found deficiencies in configuration management and access controls at the Dallas CMOP, but none in contingency planning or security management controls.

Without effective configuration management, users do not have adequate assurance that the system and network will perform as intended and to the extent needed to support the CMOP's missions. The access control deficiencies create risks of unauthorized access to critical network resources, inability to respond effectively to incidents, loss of personally identifiable information, or loss of life.

The OIG made 10 recommendations to the Dallas CMOP director aimed at fixing the control deficiencies. The assistant secretary for information and technology provided comments for the Dallas CMOP. The assistant secretary concurred with nine recommendations and did not concur with one recommendation. The OIG disagrees with the nonconcurrence.
The objective of the audit was to determine whether the Office of Postsecondary Education (OPE) has an adequate process in place to ensure that institutions of higher education (schools) use Higher Education Emergency Relief Fund (HEERF) grant funds appropriately and that performance goals are met. OPE needs to strengthen its oversight processes to ensure that schools use HEERF grant funds appropriately and that performance goals are met. OPE established and implemented several controls to promote transparency and accountability in program administration, including providing guidance and other technical assistance to schools on the appropriate uses of HEERF grant funds, requiring that schools post to their websites or submit to OPE various reports on their uses of funds as well as other information (HEERF reports), and taking steps to expand independent audit coverage for schools. However, OPE did not perform or document several key activities that are essential to effective program oversight.
The Veterans Data Integration and Federation Enterprise Platform (VDIF) allows VA to share sensitive health information with the Department of Defense and community care providers. VA is required by law to ensure the safe sharing of veterans' sensitive personal information. Linking information across an extremely diverse and highly fragmented healthcare system can create technical challenges and increase vulnerabilities. Therefore, establishing the appropriate security categorization for VDIF is essential. Moreover, veterans who do not trust VA to protect their information may be more reluctant to seek treatment.

The Office of Inspector General (OIG) audited whether VA's Office of Information and Technology (OIT) developed and implemented sufficient security controls for VDIF to ensure confidentiality, data integrity, and the safeguarding of veterans' sensitive health information in accordance with federal standards.

The OIG found OIT allowed VDIF to become operational without effectively executing all the risk management framework steps developed by the National Institute of Standards and Technology (NIST). While OIT followed the steps, it inappropriately categorized the confidentiality and availability security objectives. This resulted in 22 important security controls not being applied, increasing the risk to personal health information within more than 10 million veteran records. Furthermore, OIT did not adequately determine whether the implemented controls were executed correctly and produced the desired security outcome. OIT did not properly follow NIST and VA policy requirements because of ineffective oversight. Consequently, VDIF became operational with inadequate security controls.

The assistant secretary for information and technology did not concur with two OIG recommendations to ensure VDIF's security objectives are set at high and to reestablish VDIF, instead proposing a privacy overlay as sufficient. The OIG disagrees and also recommended OIT develop appropriate oversight for following proper program management processes and protocols when establishing and monitoring security controls. VA concurred with this recommendation.
The Office of Inspector General (OIG) evaluated the availability and utilization of metrics more than a year after the Mann-Grandstaff VA Medical Center became the first facility to implement the new Electronic Health Record (EHR) system. The OIG determined that, one year after go-live, gaps existed between required and available metrics using new EHR data.

The OIG learned that many quality, patient safety, and organizational performance metrics were unavailable, including metrics needed for hospital accreditation. Additionally, the OIG found that access metrics were largely unavailable. The OIG remains concerned that deficits in new EHR metrics may negatively affect organizational performance, quality and patient safety, and access to care.

Challenges with the new EHR's metrics included the following: Cerner failed to deliver metrics reports, the new EHR's metrics could not be assessed prior to go-live, utility was impaired, and training was deficient. VHA-generated metrics using new EHR data also created challenges: VHA resources were insufficient for generating new EHR metrics, VHA metrics using new EHR data were not validated and were unavailable, and VHA changed the metrics required from the facility.

The OIG determined that deficiencies related to the new EHR's metrics and challenges with VHA-generated metrics using new EHR data impaired the facility's access to and utilization of metrics.

The OIG is concerned that further deployment of the new EHR in VHA without addressing the gap in metrics available to the facility will affect the facility's and future sites' ability to utilize metrics effectively. Accordingly, to address the gaps in metrics available to the facility and future sites, VA must resolve the factors identified by the OIG that affect the availability of metrics.

The OIG made two recommendations to the Deputy Secretary regarding evaluating gaps in new EHR metrics and the factors affecting the availability of metrics and taking action as warranted.