"Watchdog Identifies Multiple Security Deficiencies at VA Medical Center in Louisiana"
An audit performed by the Department of Veterans Affairs' Office of Inspector General (OIG) discovered several flaws in the IT systems used by the Alexandria VA Medical Center in Pineville, Louisiana, including uninstalled security patches and outdated operating systems, which could expose critical systems to unauthorized access, alteration, or destruction. OIG conducted the IT security assessment to find out whether Alexandria was in compliance with federal guidelines under the Federal Information Security Modernization Act (FISMA) of 2014, which requires federal agencies to implement information security programs. Alexandria, which has more than 37,000 active patients, was chosen for an audit because it had not previously been assessed as part of the annual FISMA review. The audit identified weaknesses in three of Alexandria's four security control areas: configuration management, security management, and access controls. The assessment found no flaws in the center's contingency planning controls. The most serious flaws were found in Alexandria's configuration management controls, which identify and manage security features for all hardware and software components of an information system. Inaccurate component inventories, a flawed vulnerability management process, devices lacking security patches, and outdated operating systems were among the issues. According to the audit, the lack of accurate inventories at Alexandria resulted in undetected and unaddressed critical and high-risk vulnerabilities. The inspection team compared on-site vulnerability scans to those performed remotely by the VA's Office of Information and Technology and discovered five critical vulnerabilities and three high-risk vulnerabilities that had not been detected.
The assessment also discovered 33 vulnerabilities that were not addressed within the VA's mandated remediation timeframe: 17 critical flaws on 8 percent of the devices and 16 high-risk flaws on 29 percent of the devices. This article continues to discuss findings from the IT security assessment of the Louisiana-based medical center.