CYBER CORNER
VA Gets 11 Cybersecurity Recommendations After Arizona Audit
By David Raths

Understandably, health systems are reluctant to discuss the results of vulnerability scans of their data networks. That is why the information security reports published by the Veterans Administration Office of Inspector General (OIG) are so valuable. On July 11, the VA OIG published a report detailing an audit of whether the Northern Arizona VA Healthcare System was meeting federal security guidance.

The OIG’s inspections are focused on three security control areas:

1. Configuration management controls identify and manage security features for all hardware and software components of an information system.
2. Security management controls “establish a framework and continuous cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of the procedures.”
3. Access controls provide reasonable assurance that computer resources are restricted to authorized individuals. Access also includes physical and environmental controls associated with physical security, such as authorization, visitors, monitoring, delivery, and removal.

The OIG identified deficiencies in all
three areas at the Northern Arizona VA Healthcare System.

The OIG noted that 71 out of 80 of the healthcare system’s network switches used operating systems that did not meet Office of Information Technology (OIT) baseline requirements and were no longer supported by the vendor. Consequently, these devices will not receive maintenance or vulnerability support, which can result in an opportunity for adversaries to exploit weaknesses in components. Additionally, noncurrent software may be vulnerable to malicious code. Network devices and IT systems are critical infrastructure to an organization. Upgrading is not just a defensive strategy but a practical one that protects network stability, the report noted.

The OIG identified a local database with multiple vulnerabilities caused by configurations that deviated from the OIT baseline. After the OIG made the system steward aware of this issue, he began the process of moving the application to the VA Enterprise Cloud, where baseline configurations can be applied and managed by the Database Management Service Line. Data stored in a database has become a more frequent target for malicious users. Such attacks can result in identity theft, financial loss, loss of privacy, a breach of national security, or other types of corruption that can result from unauthorized access to sensitive data. Without managing and applying baseline configuration, OIT is unaware of weaknesses that could adversely impact the database.

The OIG identified one security management control weakness: continuous monitoring of the inventory was deficient. The inspection team discovered almost twice the number of devices on the network when compared to those identified in the Enterprise Mission Assurance Support Service (eMASS), VA’s cybersecurity management service for workflow automation and continuous monitoring. OIT provided an inventory that was close to the inventory the team identified, leading the team to determine that OIT is aware of the devices in use but was not routinely updating the inventory in eMASS. Continuous monitoring facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The report stressed that a key component of VA’s continuous monitoring program is frequent updates to hardware and software inventories.

During the inspection, the team identified seven deficiencies in access controls. In one example, the OIG discovered multiple communication rooms where physical access was not effectively controlled. The healthcare system had an automated physical access control system in which staff use badges to enter buildings and rooms. However, the system was not fully deployed or operational. Instead, employees routinely use keys to gain access. Key inventories, which are required every six months, have not been conducted at
the facility in more than two years due to locksmith turnover and a failure to accurately track key distribution.

The OIG made six recommendations to the assistant secretary for information and technology and chief information officer:

1. Implement a more effective vulnerability management program to address security deficiencies identified during the inspection.
2. Ensure vulnerabilities are remediated within established time frames.
3. Ensure the unmanaged database completes the transition to the VA Enterprise Cloud where it can be managed and have security baselines applied.
4. Implement more effective configuration control processes to ensure network devices maintain vendor support.
5. Implement an improved inventory process to ensure that all connected devices used to support VA programs and operations are documented in the Enterprise Mission Assurance Support Service.
6. Ensure network infrastructure equipment is properly installed.

The OIG also made five recommendations to the Northern Arizona VA Healthcare System director:

7. Ensure physical access controls are implemented for communication rooms.
8. Ensure a video surveillance system is operational and monitored for the data center.
9. Ensure communication rooms with infrastructure equipment have adequate environmental controls.
10. Ensure communication rooms with infrastructure equipment have fire-detection and suppression systems.
11. Ensure water detection sensors are implemented in the data center.

The OIG said that the assistant secretary for information and technology and chief information officer concurred with all 11 recommendations. Responsive action plans were submitted for all recommendations except one. While the response to recommendation 9 did not address the recommendation, evidence was provided that allowed the OIG to validate that actions had been taken to meet the intent of the recommendation, and the OIG considers it closed.

hcinnovationgroup.com | SEPTEMBER/OCTOBER 2023