VA Hospital 'High-Risk' Vulnerability Unaddressed for YearsOIG Audit Findings Include Weaknesses Familiar to Other Healthcare Entities
Vulnerability management issues are a common problem for many healthcare entities and can become an even bigger concern when unremediated issues are left to linger for years.
See Also: Assessing Cyber Risk for the Defense Industrial Base
Such appears to be the case at an Alabama Veterans Affairs medical center, which auditors in a report released Wednesday say nursed a "high-risk vulnerability" first identified in 2015. Auditors, who began examining the center in March, say it was still active. The report from the Department of Veterans Affairs Office of Inspector General did not describe the nature of that high-risk vulnerability.
Still, "a 'high-risk’ vulnerability identified over seven years ago that has still not yet been remediated: In the IT world, that's a really long time," says Tom Walsh, president of privacy and security consulting firm tw-Security, who reviewed the audit report at Information Security Media Group's request.
The Tuscaloosa VA Medical Center is a level-3 tertiary care facility located near the University of Alabama that serves nearly 15,000 veterans. The facility offers primary care, long-term care, mental health services and specialty care.
Auditors say they didn't uncover evidence suggesting a plan was ever developed to remediate the deficiency after it was first identified by the department's IT workers.
"Regardless of resource constraints, this should have been addressed by now, or at least a valid reason given as to why it has not been resolved," Walsh says.
Departmental officials told auditors they would put together a plan and target date to remediate the vulnerability. In a statement emailed to ISMG the day after this report was initially published, a Tuscaloosa center spokeswoman said the facility personnel are working to implement auditors' recommendations under their control, which are to improve environmental controls in rooms holding data servers and to ensure that servers have uninterruptible power supplies. "Maintaining veterans' trust is central to our mission," the spokeswoman said.*
The Tuscaloosa medical center is not the first VA facility audited by the OIG in which similar long-term vulnerability issues were identified.
A security audit report published in September said a Texas VA outpatient clinic using obsolete equipment also presented security vulnerabilities (see: VA Center's IT Legacy Flaws Common at Other Health Entities).
Auditors made eight recommendations - two for the medical center and six for the department's Office of Information Technology - for addressing the security deficiencies at the Tuscaloosa facility, including those involving vulnerability management. VA IT leadership and the medical center's director concurred with most of them and agreed to take action.
The OIG's recommendations include:
- Implementing a more effective vulnerability management program to address security deficiencies identified during the audit;
- Ensuring vulnerabilities are remediated within established time frames;
- Ensuring all databases at the facility are part of a periodic database scan process;
- Implementing improved mechanisms to ensure system managers are updating plans of action and milestones for all known security risks, including those identified during security control assessments;
- Ensuring segmentation controls are applied to all network segments with medical devices and special-purpose systems;
- Implementing capabilities for generating database audit logs and forwarding audit events for analysis;
- The medical center should ensure communication rooms with infrastructure equipment have adequate environmental controls;
- The medical center should installing uninterruptible power supplies in the communication rooms supporting infrastructure equipment.
*Update Jan. 20, 2023 16:31 UTC: Adds comment from a Department of Veterans Affairs spokeswoman and clarifies that Tuscaloosa personnel are responsible improving the physical conditions of center server infrastructure.