
Inspection of Information Security at the Tuscaloosa VA Medical Center in Alabama

Report Information

Issue Date:
Report Number: 22-01854-13
VISN:
State: Alabama
District:
VA Office: Veterans Health Administration (VHA)
Report Author: Office of Audits and Evaluations
Report Type: Information Security Inspection
Report Topic: Information Technology and Security
Major Management Challenges: Information Systems and Innovation
Recommendations: 8
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that were not assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the Tuscaloosa VA Medical Center in Alabama because it had not been previously visited as part of the annual FISMA audit. The OIG's information security inspections focus on four security control areas that apply to local facilities and were selected based on their levels of risk: configuration management, contingency planning, security management, and access controls. During this inspection, the OIG found deficiencies in configuration management, security management, and access controls. Deficiencies in configuration management included critical-risk vulnerabilities that VA's Office of Information and Technology did not identify, uninstalled patches, and unscannable database servers, all of which deprive users of reliable access to information and could risk unauthorized access to, or the alteration or destruction of, critical systems. The team identified a security management weakness concerning missing or insufficiently detailed action plans to address identified vulnerabilities. Weak access controls, such as missing logs, insufficient climate controls for communications equipment, and uninstalled backup power supplies, compromised the security and maintenance of the information system and its ability to withstand power disruptions.
The OIG made six recommendations to the assistant secretary for information and technology and chief information officer to improve controls at the facility because they are related to enterprise-wide information security issues similar to those identified on previous FISMA audits and information security inspections. The OIG also made two recommendations to the Tuscaloosa VA Medical Center director.

Recommendation status legend: Open; Closed-Implemented; Closed-Not Implemented

No. 1 (Closed-Implemented), to Information and Technology (OIT): Implement a more effective vulnerability management program to address security deficiencies identified during the inspection.

No. 2 (Closed-Implemented), to Information and Technology (OIT): Ensure vulnerabilities are remediated within established time frames.

No. 3 (Closed-Implemented), to Information and Technology (OIT): Ensure all databases at the Tuscaloosa VA Medical Center are part of the periodic database scan process.

No. 4 (Closed-Implemented), to Information and Technology (OIT): Implement improved mechanisms to ensure system stewards are updating plans of action and milestones for all known risks and weaknesses, including those identified during security control assessments.

No. 5 (Closed-Implemented), to Information and Technology (OIT): Ensure network segmentation controls are applied to all network segments with medical devices and special-purpose systems.

No. 6 (Closed-Implemented), to Information and Technology (OIT): Implement capabilities for generating database audit logs and forwarding audit events for review, analysis, and reporting.

No. 7 (Open), to Veterans Health Administration (VHA): Ensure communication rooms with infrastructure equipment have adequate environmental controls.

No. 8 (Closed-Implemented), to Veterans Health Administration (VHA): Install uninterruptible power supplies in the communication rooms supporting infrastructure equipment.