Inspection of Information Technology Security at the Consolidated Mail Outpatient Pharmacy in Tucson, Arizona

Report Information

Issue Date:
Report Number: 21-02453-99
VA Office: Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Information Security Inspection
Report Topic: Information Technology and Security
Major Management Challenges: Leadership and Governance
Recommendations: 6
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary
The VA Office of Inspector General (OIG) conducted this inspection to determine whether the Tucson Consolidated Mail Outpatient Pharmacy (CMOP) was meeting federal security guidance. The inspection team selected the Tucson CMOP because it is home to the CMOP Local Area Network, which establishes an interface for electronically transferring information between all Veterans Health Administration medical centers and the CMOP host systems located at each of the seven CMOPs. Together, the seven CMOPs form an integrated and highly automated outpatient prescription dispensing system.

The OIG team found deficiencies in configuration management, contingency planning, and access controls. Specifically, the Tucson CMOP had inaccurate component inventories, ineffective vulnerability management, and inadequate flaw remediation, and had not implemented the configuration management plan; it lacked a disaster recovery plan; and it had not changed the default username and password for the security camera system and did not consistently generate or forward audit records to the Cybersecurity Operations Center. Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction.

The OIG made six recommendations to the Tucson CMOP director: implement effective inventory management tools, an effective vulnerability and flaw remediation program, and a disaster recovery plan; ensure CMOP staff understand their assigned roles and responsibilities; task the facility manager to change the default username and password for the security camera system; and request the Office of Information and Technology to configure audit logging on the misconfigured devices in accordance with established baselines, policy, and procedures.

No. 1
Status: Closed and Implemented
to Information and Technology (OIT)
Implement more effective inventory management tools for all network segments.
No. 2
Status: Closed and Implemented
to Information and Technology (OIT)
Implement a more effective vulnerability and flaw remediation program that can accurately identify vulnerabilities and enforce flaw remediation.
No. 3
Status: Closed and Implemented
to Information and Technology (OIT)
Develop and implement methods to ensure delivery, receipt, and understanding of assigned roles and responsibilities for Consolidated Mail Outpatient Pharmacy activities to ensure full implementation of approved policy.
No. 4
Status: Closed and Implemented
to Information and Technology (OIT)
Develop and implement a disaster recovery plan and capability that will restore operations in the event of a disruption to critical operations.
No. 5
Status: Closed and Implemented
to Information and Technology (OIT)
Task the facility manager to change the default username and password for the security camera system.
No. 6
Status: Closed and Implemented
to Information and Technology (OIT)
Request the Office of Information and Technology to configure audit logging on the misconfigured devices in accordance with established baselines, policy, and procedures.