The Department of Veterans Affairs Office of Inspector General has warned of key cybersecurity deficiencies at the agency’s Northern Arizona health system.
In an audit, the watchdog said it had detected previously unidentified critical vulnerabilities, uninstalled patches and network operating systems that are no longer supported by vendors.
According to the IG, the issues could “deprive users of reliable access to information and could risk unauthorized access to, or the alteration or destruction of, critical systems.”
In addition, the VA watchdog said it had identified almost twice as many devices on the health care system’s network than listed in an inventory and also found a range of weak access controls including missing video surveillance at a data center and inadequate fire detection and suppression equipment.
As a result of its investigation, the watchdog made six recommendations to the VA CIO to improve controls at the health care system because they are related to enterprise-wide information security issues similar to those identified through previous FISMA audits and information security inspections. It also made five recommendations to the director of the Northern Arizona VA Health Care System.
VA management agreed with the six recommendations made to the VA CIO.
The watchdog typically carries out such audits at VA facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA).