Sorry, you need to enable JavaScript to visit this website.
Skip to main content
Report File
Title Full
Follow-Up Inspection of Information Security at the VA Beckley Healthcare System in West Virginia
Date Issued
Submitting OIG
Department of Veterans Affairs OIG
Agencies Reviewed/Investigated
Department of Veterans Affairs
Report Number
24-03708-141
Report Description

The VA OIG conducts information security inspections to assess whether VA facilities meet federal security requirements. The OIG followed up on an inspection it conducted at the VA Beckley Healthcare System in West Virginia in 2023.
During this follow-up inspection, the OIG identified substantial progress in addressing prior recommendations, and some continued deficiencies in configuration management, security management, and access controls.

For configuration management, the team identified one deficiency over vulnerability remediation: the healthcare system did not meet required timelines for addressing critical vulnerabilities and lacked necessary remediation plans, leaving outdated software on numerous systems. Additionally, the OIG identified several unique high and critical vulnerabilities within the network that were not reflected in the agency’s standard vulnerability reports.

The healthcare system had deficiencies in three security management controls: a special-purpose system lacked authorization to operate; a special-purpose system had inappropriate security categorizations; and staff had administrative access and a lack of separation of duties for managing a pharmacy inventory system.

Finally, the healthcare system had deficiencies in physical controls restricting access to computer rooms, although the facility was addressing these deficiencies. The team also found that the facility was not monitoring the destruction of temporary records as required.

The OIG made three recommendations to the assistant secretary of information and technology, who also serves as the chief information officer, and two recommendations to the Beckley VA Medical Center director. VA concurred with four recommendations and did not concur with one. Nevertheless, the OIG noted VA provided sufficient evidence of implementation for four of the recommendations (including the one VA did not concur with) and considers those recommendations closed. The OIG will monitor implementation of the remaining recommendation.

Report Type
Inspection / Evaluation
Location

Beckley, WV
United States

Number of Recommendations
5
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No
External Link
https://www.vaoig.gov/reports/information-security-inspection/follow-inspection…

Open Recommendations

This report has 1 open recommendations.
Recommendation Number Significant Recommendation Recommended Questioned Costs Recommended Funds for Better Use Additional Details
01 No $0 $0

Implement vulnerability management processes to ensure all vulnerabilities are identified and plans of action and milestones are created for vulnerabilities that cannot be mitigated by VA deadlines.

Department of Veterans Affairs OIG

United States