Inspection of Information Security at the VA Beckley Healthcare System in West Virginia

The Office of Inspector General (OIG) conducted this inspection to determine whether the VA Beckley Healthcare System in West Virginia was meeting federal security guidance. The OIG selected the system because it had not previously been visited as part of the annual Federal Information Security Modernization Act of 2014 (FISMA) audit. The OIG identified security deficiencies with configuration management, security management, and access controls. The configuration management deficiencies involved incomplete and inaccurate information system entries on vulnerabilities needing remediation. The lack of accurate information slowed remediation efforts: the OIG team found that those efforts exceeded VA’s required 60-day time frame for 444 high-risk vulnerabilities on about 45 percent of computers. Among the weaknesses in security management, the team found the healthcare system’s special purpose system did not have an authorization to operate because it had not cleared the risk management framework established by the National Institute of Standards and Technology to meet FISMA requirements. The special purpose system comprises mechanisms that monitor the distribution of oxygen throughout the hospital, alert facility police of emergencies via panic buttons, limit access to the control room, and control the facility’s climate. As for access controls, network segments including those containing medical imaging devices were not separately controlled, allowing any network user to access them; not all systems were connected to a functional uninterrupted power supply; the medical center’s computer room and 19 communication closets had problems such as leaks, data lines being intertwined with electrical lines, and closets lacking cameras, dead bolts, and smoke detectors; and unencrypted hard drives were not being sanitized before they were shipped out for destruction. The OIG made 10 recommendations to address the deficiencies.