Skip to main content
Report File
Date Issued
Submitting OIG
Department of Veterans Affairs OIG
Other Participating OIGs
Department of Veterans Affairs OIG
Agencies Reviewed/Investigated
Department of Veterans Affairs
Components
Veterans Health Administration
Office of Information and Technology
Report Number
23-01179-204
Report Description

The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the El Paso VA Healthcare System because it had not previously been visited as part of the OIG’s annual FISMA audit.The OIG focused on three control areas it determined to be at highest risk—configuration management, security management, and access controls. The OIG identified two deficiencies in configuration management controls, none in security management controls, and six in access controls. The configuration management deficiencies were in vulnerability management and flaw remediation. The healthcare system’s vulnerability management controls did not identify all network weaknesses, such as unsupported versions of applications, and flaw remediation controls did not ensure comprehensive patch management. Further, some vulnerabilities were not remediated within established time frames. Additionally, the software system used to report vulnerabilities to facilities was not complete and accurate. For example, it did not have host names for 16 percent of the entries.The OIG identified multiple access deficiencies: inventories of keys used by employees to gain access to buildings and rooms were not completed, reviews of physical access logs were not done quarterly as required, temperature and humidity controls were lacking in communications rooms, surveillance cameras were inoperable, water detection controls were not working, and the emergency power shutoff was not tested annually.The OIG made eight recommendations to address the noted deficiencies.

Report Type
Inspection / Evaluation
Agency Wide
Yes
Number of Recommendations
6
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 3 open recommendations.
Recommendation Number Significant Recommendation Recommended Questioned Costs Recommended Funds for Better Use Additional Details
02 No $0 $0

Ensure vulnerabilities are remediated within OIT’s established time frames.

05 No $0 $0

Ensure a video surveillance system is operational and monitored for the data center.

07 No $0 $0

Ensure water detection sensors are implemented in the data center.

Department of Veterans Affairs OIG

United States