Report Summary

Title: Review of Alleged Funding Security Issues of the Veterans Services Adaptable Network at VA Medical Center Orlando, FL
Report Number: 15-03059-384 Download
Report
Issue Date: 1/31/2018
City/State: Orlando, FL
VA Office: Veterans Health Administration (VHA)
Office of Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Release Type: Unrestricted
Summary:

In March 2015, the VA Office of Inspector General received a Hotline complaint about development of the Veterans Services Adaptable Network (VSAN) at the Orlando Veterans Affairs Medical Center (VAMC). The complaint stated that VSAN development efforts were not coordinated with the Office of Information and Technology (OI&T) and that project funding was inappropriately coming from medical services appropriations rather than information technology (IT) funding. The OIG substantiated that the VSAN deployment was not fully coordinated with OI&T to ensure it met VA security requirements. Specifically, the Orlando VAMC and OI&T did not perform a security risk assessment or implement security controls to segregate VSAN from VA’s network. The OIG did not substantiate that the Orlando VAMC inappropriately used $5.2 million in medical appropriations funds to purchase IT hardware, software, and installation services in support of the VSAN system. In 2010, the Office of General Counsel (OGC) reviewed the initial $1.7 million procurement and determined that use of the medical services appropriation was proper for the initial VSAN deployment. In July 2017, the OGC reviewed the subsequent $3.5 million procurements to determine whether other medical appropriations could be used to fund additional VSAN IT enhancements beyond the original scope of the project, which was patient Wi-Fi access. The OGC concluded that because the additional $3.5 million of IT procurements were used solely for the patient Wi-Fi network, the expenditure was justified. The OIG accepts OGC’s rationale supporting the use of medical appropriations for these procurements. The OIG recommended that the Executive in Charge for the Office of the Under Secretary for Health, in conjunction with the Executive in Charge for the Office of Information Technology, ensure that all guest Wi-Fi access networks are appropriately secured in accordance with VA policy.