An inspection of information security at Tuscaloosa VA Medical Center in Alabama by the VA Office of Inspector General (OIG) uncovered deficiencies in three of the four assessed security control areas. The OIG inspection covered configuration management, contingency planning, security management, and access controls, with deficiencies identified in configuration management, security management, and access controls.
Configuration management controls are required to identify and manage security features for all hardware and software components of an information system. OIG found deficiencies in vulnerability management, flaw remediation, and database scans. The Office of Information and Technology (OIT) routinely scans for vulnerabilities, and while OIG and OIT used the same vulnerability-scanning tools, OIT failed to identify all vulnerabilities. OIG identified 119 critical-risk vulnerabilities that OIT failed to detect. OIG also identified 301 vulnerabilities that had not been mitigated within the required 30- or 60-day windows, with 134 critical-risk vulnerabilities identified on 14% of devices, and 134 high-risk vulnerabilities found on 46% of devices. One of the high-risk vulnerabilities had remained unpatched for seven years.
Several devices were discovered to be missing important security patches that were available but had not been applied, which placed VA systems at risk of unauthorized access, alteration, or destruction. While database scans are performed every quarter, OIT was only able to provide scans for half of the databases, as it was not possible to reach all databases due to a port-filtering issue. Without those completed scans, OIT would be unaware of security control weaknesses that could impact the security posture of databases.
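The configuration management findings above come down to two measurable checks: whether findings from an independent scan also appear in the operational scanner's output, and whether each finding was remediated inside its severity-based window. The following Python is an added example written for this summary; it is not code from the OIG report, OIT, or HIPAA Journal. The scan findings, device names and `CVE-PLACEHOLDER-*` identifiers are constructed, and the mapping of critical findings to a 30-day window and high findings to a 60-day window is an assumption, since the report cites both windows without stating which severity each applies to.

```python
from datetime import date

# Assumed mapping of severity to remediation window in days. The report
# mentions 30- and 60-day windows but not which severity gets which; this
# assignment is an assumption made for the example.
REMEDIATION_WINDOW_DAYS = {"critical": 30, "high": 60}

# Constructed device inventory (ten devices) used for percentage calculations.
DEVICE_INVENTORY = [f"dev-{i:02d}" for i in range(1, 8)] + ["ws-01", "ws-02", "srv-01"]

# Constructed "independent scan" findings: (device, finding id, severity, first seen).
# Identifiers are placeholders, not real CVEs.
INDEPENDENT_SCAN = [
    ("ws-01", "CVE-PLACEHOLDER-0001", "critical", date(2023, 12, 1)),
    ("ws-02", "CVE-PLACEHOLDER-0002", "critical", date(2024, 1, 5)),
    ("srv-01", "CVE-PLACEHOLDER-0003", "high", date(2023, 10, 1)),
    ("dev-02", "CVE-PLACEHOLDER-0004", "high", date(2023, 12, 20)),
    ("dev-03", "CVE-PLACEHOLDER-0005", "medium", date(2023, 1, 1)),
    ("ws-01", "CVE-PLACEHOLDER-0006", "high", date(2016, 6, 1)),  # years-old, constructed
]

# Constructed "operational scan" output that misses two of the findings above.
OPERATIONAL_SCAN = [
    ("ws-01", "CVE-PLACEHOLDER-0001", "critical", date(2023, 12, 1)),
    ("srv-01", "CVE-PLACEHOLDER-0003", "high", date(2023, 10, 1)),
    ("dev-02", "CVE-PLACEHOLDER-0004", "high", date(2023, 12, 20)),
    ("dev-03", "CVE-PLACEHOLDER-0005", "medium", date(2023, 1, 1)),
]

AS_OF = date(2024, 1, 15)  # constructed review date


def overdue_findings(findings, as_of):
    """Return (device, id, severity, days_past_window) for findings older than their window.

    Severities without a tracked window (e.g. medium) are ignored here.
    """
    overdue = []
    for device, finding_id, severity, first_seen in findings:
        window = REMEDIATION_WINDOW_DAYS.get(severity)
        if window is None:
            continue
        age_days = (as_of - first_seen).days
        if age_days > window:
            overdue.append((device, finding_id, severity, age_days - window))
    return overdue


def affected_device_share(findings, severity, inventory):
    """Percentage of inventoried devices with at least one finding of the given severity."""
    affected = {device for device, _, sev, _ in findings if sev == severity}
    return round(100.0 * len(affected) / len(inventory), 1)


def missed_by_operational_scan(independent, operational):
    """Findings present in the independent scan but absent from the operational scan.

    Findings are matched on (device, finding id), so a re-dated finding still counts as seen.
    """
    seen = {(device, finding_id) for device, finding_id, _, _ in operational}
    return [f for f in independent if (f[0], f[1]) not in seen]


if __name__ == "__main__":
    for device, finding_id, severity, late in overdue_findings(INDEPENDENT_SCAN, AS_OF):
        print(f"OVERDUE {severity:8} {finding_id} on {device}: {late} days past window")
    for sev in REMEDIATION_WINDOW_DAYS:
        print(f"{sev}: {affected_device_share(INDEPENDENT_SCAN, sev, DEVICE_INVENTORY)}% of devices")
    for f in missed_by_operational_scan(INDEPENDENT_SCAN, OPERATIONAL_SCAN):
        print(f"MISSED by operational scan: {f[1]} on {f[0]}")
```

Matching on (device, finding id) rather than on the whole tuple is deliberate: a scanner that re-discovers a finding and restamps its date should not be counted as having missed it, while one that never reports it at all should.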
Security management controls were assessed, and OIG found one deficiency: several plans of action and milestones were discovered to be missing or lacked sufficient detail to be actionable.

Four access control deficiencies were identified related to network segmentation, audit and monitoring controls, environmental controls, and emergency power. Network segmentation is required for medical devices and special-purpose systems, which should be placed on isolated networks for protection. Several network segments that contained medical and special-purpose systems did not have network segmentation controls in place. Nineteen network segments containing 221 medical devices and special-purpose systems did not have access control lists applied, which allowed any user to access those devices. Logs need to be monitored to evaluate the effectiveness of security controls, recognize attacks, and investigate during or after any attacks. Audit logs for half of the databases supporting the Tuscaloosa VAMC were found to be missing. The missing logs were for the databases that had not been subjected to vulnerability scanning.
Several communication rooms were found to lack temperature or humidity controls, which could have a significant adverse impact on the availability of systems, and uninterruptible power supplies were also discovered to be missing, which means infrastructure equipment would cease to function during power fluctuations or outages, resulting in interruption of data flow and disruption of access to network resources.
OIG made 8 recommendations to address the deficiencies, 6 to the assistant secretary for information and technology and chief information officer related to the security issues and 2 to the Tuscaloosa VAMC director, who must ensure communication rooms have adequate environmental controls and uninterruptible power supplies for infrastructure equipment.
The post Vulnerability Management and Remediation Deficiencies Identified at Alabama VA Medical Center appeared first on HIPAA Journal.