The Tuscaloosa VA Medical Center in Alabama. (Veterans Health Administration)

Department of Veterans Affairs’ Office of Inspector General audits of the security programs of the Southern Oregon Rehabilitation Center and Clinics and Tuscaloosa VA Medical Center revealed serious flaws, including insufficient plans to address identified vulnerabilities.

One of the most concerning findings was detected at the Tuscaloosa VA Medical Center in Alabama. The care site only created plans of actions and milestones “for a very small percentage of the hosts” operating with critical-risk vulnerabilities.

As a result, a high-risk vulnerability identified by its Office of Information Technology in 2015 was left unpatched and without any evidence to suggest the tech team “acted or developed a plan to remediate the deficiency.” Without such plans, vulnerability risks can’t be effectively managed.

“Although the findings and recommendations in this report are specific to the Tuscaloosa VAMC, other facilities across VA could benefit from reviewing this information and considering these recommendations,” according to the OIG audit report.

Tuscaloosa and SORCC were chosen for separate audits as the sites had not been previously visited as part of the VA OIG’s annual Federal Information Security Modernization Act of 2014 (FISMA) review. The conducted inspections of information security programs aim to assess whether VA facilities are meeting federal security requirements. 

The audits look at controls used for configuration management, contingency planning, security management, and access. The audit reports should serve as a tool for other healthcare providers looking to improve the state of their own security programs.

The audit confirms the VA’s struggles: “The fiscal year 2021 FISMA audit indicated that VA continues to face significant challenges meeting the law’s requirements. The audit resulted in 26 recommendations made to VA. Repeat recommendations included addressing deficiencies in configuration management, contingency planning, security management, and access controls.”

The OIG report for both Tuscaloosa and SORCC shows similar security issues with the infrastructure security programs and also mirrors past audit findings of the Department of Health and Human Services.

The findings reflect the overall difficulty in securing healthcare and government networks.

Tuscaloosa audit findings reveal patch management struggles

The audit of Tuscaloosa VA Medical Center found deficiencies with configuration management, security management, and access controls. In short, the care site does have “a vulnerability management program but it can be improved.”

The most concerning findings were tied to configuration management: unidentified critical-risk vulnerabilities, uninstalled patches, and unscannable database servers. OIG stressed that all of these gaps “deprive users of reliable access to information” and increase the risk of unauthorized access to, deletion, or alteration of critical systems.”

The security management issues stem from missing or insufficiently detailed action plans for addressing known vulnerabilities, as well as flaw remediation, weak access controls, and deficiencies in its database scans used to identify vulnerabilities in database applications.

For example, the OIG used the same vulnerability scanning tools as its OIT, but didn’t detect all the vulnerabilities found by OIG. The auditors found 119 critical-risk vulnerabilities, undetected by OIT. OIG also identified 301 vulnerabilities: 167 of which were found on 14% of the devices.

A whopping 134 high-risk vulnerabilities were found on 46% of all devices. These serious gaps were not mitigated by the Tuscaloosa team within the required 30- or 60-day windows. OIT is aware of many of the vulnerabilities, but the “plans of actions and milestones did not always list remediations.”

OIG identified several devices that were missing security patches: “For instance, several devices with critical- and high-risk vulnerabilities had patches available that were not applied. Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction.”

In addition, plans of actions and milestones didn’t necessarily “list remediation actions or resource constraints for remediation not yet implemented,” and “plans of actions and milestones were created for a very small percentage of the hosts with critical-risk vulnerabilities.”

OIG also identified weaknesses in its network segmentation controls and audit and monitoring, along with physical security weaknesses, such as insufficient climate controls for communications equipment and uninstalled backup power supplies.

OIG finds fault in Southern Oregon Rehabilitation Center' and Clinic's vulnerability management

The audit did not find any deficiencies with SORCC’s contingency planning controls, but identified gaps with its configuration management, security management, and access controls.

The most serious deficiencies were found in its network segmentation, physical access, environmental, audit and monitoring, and records management controls. The audit found SORCC didn’t have segmentation controls for eight network segments, including medical systems.

Eight network segments held 26 medical computers or devices, which failed to use access control lists that OIG stressed are needed for protection.

“Without effective network segmentation controls in place, any user can access these potentially vulnerable medical systems. A breach could have a negative impact on the functionality and safety of the medical system,” according to the report.

The configuration management and security management controls each had one deficiency: the vulnerability management process to identify, classify, and remediate weaknesses, and the lack of an approved security plan for its special-purpose system.

The tech team “scans for vulnerabilities routinely, randomly, and when new vulnerabilities are identified and reported.” Using the same tools as OIT, the audit team found 92 vulnerabilities, and 24 of those were critical flaws on fewer than 1% of the computers. Another 68 high-risk vulnerabilities were found in more than 9%of the computers.

Some of the security flaws existed in software and operating systems not supported by the vendor. 

The oldest vulnerability was identified on the network in 2017. What’s more, OIT had previously identified these vulnerabilities but the gaps were not mitigated within the required 30- or 60-day windows.

A November 2022 follow-up on these security gaps showed “48% of the critical- and high-risk vulnerabilities had remediation actions completed, while the remaining vulnerabilities were awaiting updates or had corresponding plans of actions and milestones.”

“Without an effective vulnerability management program, vulnerabilities such as security and functionality problems in software and firmware might not be mitigated, increasing opportunities for exploitation,” according to the report.

Meanwhile, the management control deficiency was found in the system security planning. The special-purpose system had segments containing vulnerable devices, but weren’t authorized to operate as it hadn’t “cleared the NIST risk management framework process, nor did it have an approved system security plan.”

As a result, OIG found four devices within the care site’s climate control system that were connected to the special-purpose system “using a vulnerable unsupported operating system and were owned and maintained by a contractor.” The contract language didn’t include requirements to adhere to federal and VA security requirements.

Without required controls for contractors, OIG stressed that there’s no way to ensure the security measure will be implemented as required. The exploit of even a “climate control system could cause a loss of air-conditioning or heating and threaten the safety of patients, staff members, and visitors.”

The HHS OIG audit of the agency found similar supply chain issues last year.

The findings reaffirm that even one deficient control can create a possible weakness for threat actors to target.

OIG made nine recommendations, which were largely agreed upon by the SORCC director. However, the assistant secretary didn’t concur with the recommendation to verify access control lists are applied to network segments tied to medical systems. The concern for OIG is that segmentation gaps involve vulnerable tech, including imaging, telehealth, and medical devices.