Date Issued
Submitting OIG
Department of Veterans Affairs OIG
Agencies Reviewed/Investigated
Department of Veterans Affairs
Components
Office of Information and Technology
Veterans Health Administration
Report Number
24-02575-50
Report Description

The VA Office of Inspector General’s information security inspection program assesses whether VA facilities are meeting federal security requirements related to three control areas the OIG determined to be at highest risk: configuration management controls, security management controls, and access controls. For this inspection, the OIG selected the Battle Creek Healthcare System in Michigan. The OIG found deficiencies in all three areas inspected.

Configuration management controls, which identify and manage security features for all hardware and software components of an information system, were deficient in vulnerability remediation, system baseline configurations, and unauthorized software remediation.

Security management controls had one deficiency. The OIG found biomedical staff relied on incomplete security remediation reports to manage vulnerabilities on medical devices. The inspection team identified 25 vulnerabilities on seven biomedical devices that were not tracked in security remediation reports used by biomedical staff.

Access controls had three deficiencies. The OIG found the Battle Creek facility was deficient in physical access, environmental controls, and network segmentation. As a result, the facility risks unauthorized access, disruption, and destruction of critical information technology resources.

The OIG made three recommendations to the assistant secretary for information and technology and chief information officer to improve vulnerability management processes, implement a more effective baseline configuration process, and improve the remediations reporting process for the Continuous Readiness in Information Security Program. The OIG also made three recommendations to the healthcare system’s director, in conjunction with the assistant secretary for information and technology and chief information officer, to implement improved physical access controls, ensure network segmentation controls are applied as appropriate, and implement improved, consistent environmental controls for network communications closets.

Report Type
Inspection / Evaluation
Location

MI
United States

Number of Recommendations
6
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 2 open recommendations.
Recommendation Number: 01
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Improve vulnerability management processes to ensure all vulnerabilities are identified and plans of action and milestones are created for vulnerabilities that cannot be mitigated by VA deadlines.

Recommendation Number: 02
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Implement a more effective baseline configuration process to ensure network devices are running authorized software that is configured to approved baselines and free of vulnerabilities.
