Report File
Date Issued
Submitting OIG
Department of Veterans Affairs OIG
Agencies Reviewed/Investigated
Department of Veterans Affairs
Components
Veterans Health Administration
Report Number
25-00975-234
Report Description

The VA Office of Inspector General’s (OIG) information security inspection program assesses whether VA facilities are meeting federal security requirements related to three high-risk control areas: configuration management, security management, and access. For this inspection, the OIG selected the VA Spokane Healthcare System in Washington and found deficiencies in all three areas.

Configuration management controls, which identify and manage security features for all hardware and software components of an information system, were deficient in vulnerability remediation and system baseline configurations.

Security management controls had one deficiency. The OIG identified volunteers and scheduling clerks who were granted unnecessary access to an electronic health record screen that contained unredacted personally identifiable information.

Access controls had four deficiencies. The OIG found that the Mann-Grandstaff VA Medical Center had deficiencies in inventory management of physical keys, the securing of network equipment, electrical grounding, and fuel storage. As a result, the facility risks unauthorized access, disruption, and destruction of critical information technology resources.

To address deficiencies, the OIG made seven recommendations to VA, all of which VA concurred with.

Report Type
Inspection / Evaluation
Location

Spokane, WA
United States

Number of Recommendations
7
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 6 open recommendations.
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details

01 | No | $0 | $0 |
Implement vulnerability management processes to ensure all vulnerabilities are identified and plans of action and milestones are created for vulnerabilities that cannot be mitigated by VA deadlines.

02 | No | $0 | $0 |
Implement a more effective baseline configuration process to ensure network devices and databases are running authorized software that is configured to approved baselines and free of vulnerabilities.

03 | No | $0 | $0 |
Perform a cost-benefit analysis and implement appropriate controls within the federal Electronic Health Record to limit disclosure of veteran personally identifiable information based on job responsibility.

04 | No | $0 | $0 |
Segregate the duties of maintaining key stock and making keys.

05 | No | $0 | $0 |
Place network infrastructure equipment in a communications closet or approved enclosure to restrict access to only authorized personnel.

06 | No | $0 | $0 |
Complete the installation of grounding measures for all telecommunications closets to protect information technology equipment against electromagnetic pulse attack or electrostatic discharge. Ensure the work completed by contractors adheres to the requirements as defined in the work order.
