Inspection of Information Technology Security at the Harlingen VA Health Care Center in Texas

Report Information

Issue Date:
Report Number: 22-00973-215
VISN:
State:
District:
VA Office: Information and Technology (OIT); Veterans Health Administration (VHA)
Report Author: Office of Audits and Evaluations
Report Type: Information Security Inspection
Report Topic: Information Technology and Security
Major Management Challenges: Information Systems and Innovation
Recommendations: 5
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General (OIG) conducted this inspection to determine whether the Harlingen VA Health Care Center in Texas was meeting federal security guidance. The OIG selected the Harlingen center because it had not been previously visited as part of the OIG’s annual Federal Information Security Modernization Act audit of VA’s information security program and practices.

The OIG team found deficiencies in the center’s component inventory, vulnerability management, and system life-cycle management. Specifically, the center had an inaccurate component inventory; unsupported versions of applications, missing patches, and vulnerable plug-ins; and critical or high-risk vulnerabilities in the network that had gone unidentified. Additionally, the inspection team found the system life cycle did not replace applications before they became unsupported. Without effective configuration management, users do not have adequate assurance that the system and network will perform as intended.

The team also found the Harlingen VA Health Care Center was deficient in contingency planning. The center did not adequately plan for restoring local IT operations. Consequently, after a disaster, the center may not be able to readily restore all operations as they existed before.

Further, the center had deficiencies in three access controls. Database managers did not adequately maintain log data for local databases, computer rooms and communications closets were not equipped with fire detection devices, and the center’s VA police computer room did not have a visitor access log. These deficiencies could impede the center’s ability to respond to incidents. The OIG made five recommendations to address the deficiencies.

No. 1
Closed and Implemented
to Information and Technology (OIT)
Implement a more effective process to maintain consistent inventory information for all network segments.

No. 2
Closed and Implemented
to Information and Technology (OIT)
Implement a vulnerability management program that ensures system changes occur within organization timelines.

No. 3
Closed and Implemented
to Information and Technology (OIT)
Implement effective system life-cycle processes to ensure network devices meet standards mandated by the VA Office of Information and Technology Configuration Control Board.

No. 4
Closed and Implemented
to Information and Technology (OIT)
Develop and implement a process to retain database logs for a period consistent with VA’s record retention policy.

No. 5
Open
to Information and Technology (OIT)
Validate that appropriate physical and environmental security measures are implemented and functioning as intended.