According to an IT security assessment released on Tuesday by the Department of Veterans Affairs’ Office of Inspector General, more than half of the network switches at the Harlingen VA Health Care Center in Harlingen, Texas, were running outdated operating systems and did not meet the department’s baseline configurations.
The audit was conducted to evaluate whether Harlingen was complying with the Federal Information Security Management Act, or FISMA, information security safeguards. The OIG stated that it chose Harlingen for an assessment because it had not previously been reviewed during the annual FISMA audit.
Harlingen is part of the Texas Valley Coastal Bend Healthcare System, which receives approximately 300,000 outpatient visits per year.
The OIG discovered flaws in three of the four security control areas at Harlingen, including configuration management, contingency planning and access controls. OIG’s inspection team did not document any issues with the center’s security management.
OIG discovered flaws in three of Harlingen’s four security control areas, including configuration management, contingency planning, and access controls. The OIG inspection team found no problems with the centre’s security management.
The audit found significant flaws in Harlingen’s configuration management controls, which were used to identify and track the centre’s hardware and software components. These flaws included an inaccurate component inventory list, unaddressed security flaws, and an inability to identify all critical and high-risk vulnerabilities across the centre’s network.
Most concerning was OIG’s finding that “almost 53 per cent of the Harlingen centre’s network switches used operating systems that no longer receive maintenance or vulnerability support from the vendor.” And the outdated devices did not meet the baseline configurations for network equipment mandated by the VA Office of Information and Technology Configuration Control Board, which reflect “agreed-on specifications for systems or configuration items within those systems.”
“Network devices and IT systems are an organization’s most critical infrastructure,” OIG said in its assessment. “Upgrading is not just a defensive strategy but a proactive one that protects network stability.”
Despite VA’s use of an automated inventory system, the OIG assessment revealed varying tallies of IT components at Harlingen. The VA discovered 1,568 devices at the centre, while the OIG assessment team discovered 1,544 devices on the Harlingen network. However, according to the audit, VA’s Enterprise Mission Assurance Support Services system, or eMASS, which “allows for FISMA systems inventory tracking and reporting activities,” only identified 942 devices.
Read the full article here
