Inspection of Information Technology Security at the VA Outpatient Clinic in Austin, Texas

Report Information

Issue Date:
Report Number: 20-01485-114
VISN: 17
State: Texas
District:
VA Office: Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Information Security Inspection
Report Topic: Information Technology and Security
Recommendations: 3
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

Information technology controls protect VA systems and data from unauthorized access, use, modification, or destruction. The VA Outpatient Clinic in Austin, Texas, is VA’s largest freestanding outpatient clinic, conducting almost 300,000 outpatient visits annually. The OIG inspected this clinic to determine whether it was meeting federal guidance in four security control areas related to configuration management, physical security, security management, and access controls.

The team identified security deficiencies in the clinic’s configuration management controls related to component inventory and vulnerability and patch management. Although the inspection team and VA’s Office of Information and Technology (OIT) both used the same vulnerability scanning tools, OIT did not detect 150 of the 246 vulnerabilities the team identified. OIT’s standard vulnerability identification process and scans were ineffective. The poor component inventories and vulnerability management contributed to inadequate patch management. Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction.

The team also discovered three hard drives that potentially held personally identifiable information and personal health information that were not labeled or processed for sanitization. Media protection deficiencies like these increase the risk of unauthorized disclosure of veterans’ information. The team did not identify deficiencies with the maintenance, physical, and environmental security controls or security management and access controls. The clinic’s existing policies and procedures addressed these areas, and no recommendations were made for them.

The OIG recommended maintaining an accurate inventory, implementing a more effective patch and vulnerability management program, distributing the media protection standard operating procedure, and ensuring compliance with the procedure’s labeling and sanitization provisions.

No. 1
Closed and Implemented
to Veterans Health Administration (VHA)
The OIG recommended the area manager for the Central Texas Veterans Health Care System implement more effective automated inventory management tools.
No. 2
Closed and Implemented
to Veterans Health Administration (VHA)
The OIG recommended the area manager for the Central Texas Veterans Health Care System implement a more effective patch and vulnerability management program that can accurately identify vulnerabilities and enforce patch application.
No. 3
Closed and Implemented
to Veterans Health Administration (VHA)
The OIG recommended the area manager for the Central Texas Veterans Health Care System ensure compliance with the media protection standard operating procedure for all employees who work with media storage and ensure compliance with marking and sanitization provisions.