Over Half of Operating Systems at VA Medical Center in Texas are Outdated, Watchdog Finds - Nextgov

2022-10-01 05:57:34 By : Mr. Barton Zhang

An IT security assessment released by the Department of Veterans Affairs’ Office of Inspector General on Tuesday found that more than half of the network switches at the Harlingen VA Health Care Center in Harlingen, Texas, used outdated operating systems and did not meet the department’s baseline configurations. 

The audit was conducted to determine whether Harlingen was complying with information security protections required by the Federal Information Security Management Act, or FISMA. OIG said it selected Harlingen—which is part of the Texas Valley Coastal Bend Healthcare System that receives approximately 300,000 outpatient visits per year—for an assessment because it had not previously been reviewed during the annual FISMA audit.

OIG found deficiencies in three of the four security control areas at Harlingen: configuration management, contingency planning and access controls. OIG’s inspection team did not document any issues with the center’s security management.

The audit reported significant deficiencies in Harlingen’s configuration management controls used to identify and track the center’s hardware and software components, including an inaccurate component inventory list, unaddressed security flaws and an inability to identify all critical and high-risk vulnerabilities across the center’s network. 

Most concerning was OIG’s finding that “almost 53 percent of the Harlingen center’s network switches used operating systems that no longer receive maintenance or vulnerability support from the vendor.” And the outdated devices did not meet the baseline configurations for network equipment mandated by the VA Office of Information and Technology Configuration Control Board, which reflect “agreed-on specifications for systems or configuration items within those systems.”

“Network devices and IT systems are an organization’s most critical infrastructure,” OIG said in its assessment. “Upgrading is not just a defensive strategy but a proactive one that protects network stability.”

The OIG assessment also documented varying tallies of IT components at Harlingen, despite VA’s use of an automated inventory system. VA identified 1,568 devices at the center, while the OIG assessment team identified 1,544 devices on Harlingen’s network. However, VA’s Enterprise Mission Assurance Support Services system, or eMASS—which “allows for FISMA systems inventory tracking and reporting activities,” according to the audit—only identified 942 devices.

“Because VA’s eMASS is used for developing system security and privacy plans, without an accurate inventory of network devices in eMASS, VA has no assurance that these plans implement security controls for all the components within the system,” the audit said. 

OIG’s inspection team also compared on-site vulnerability scans with those conducted remotely by VA’s Office of Information and Technology from Jan. 10 to Jan. 13, 2022, and identified 16 serious vulnerabilities on the Harlingen network that had not been mitigated within VA’s established timeframe for addressing vulnerabilities. These included “five critical vulnerabilities on less than 1% of the computers and 11 high-risk vulnerabilities on 20% of the computers,” including one vulnerability that was first identified on the network in 2013. 

OIG’s inspection team identified other deficiencies at Harlingen: database managers were not adequately maintaining log data; computer rooms and communications closets across the facility lacked fire detection systems; and the computer room housing the center’s police servers did not have a visitor access log. OIG also found that Harlingen’s contingency plan “did not fully address reconstituting all systems to restore IT operations to a fully operational state after a disaster.”

The OIG made four recommendations to VA’s assistant secretary for information and technology and chief information officer “because they are related to enterprise-wide IT security issues similar to those identified during previous FISMA audits and IT security reviews.” OIG also made an additional recommendation to Harlingen’s director to “validate that appropriate physical and environmental security measures are implemented and functioning as intended.” VA concurred with all five recommendations. 

VA has long struggled to comply with FISMA’s requirements, with the Government Accountability Office noting in a November 2019 report that VA was one of the federal agencies with deficient information security protections, including when it came to implementing effective security controls and mitigating vulnerabilities. 

Tuesday’s audit also came after the OIG released a separate IT security assessment of the Alexandria VA Medical Center in Pineville, Louisiana, on Sept. 22 that documented deficiencies in three of the facility’s four security control areas and found “critical and high-risk vulnerabilities on 37% of the devices” at the center.

The fiscal year 2021 FISMA audit of VA’s agencywide compliance, which was released in April, found that the department as a whole “continues to face significant challenges in complying with FISMA due to the nature and maturity of its information security program.” OIG noted in Tuesday’s assessment of Harlingen that the FY2021 FISMA audit made 26 recommendations to VA, and that “all 26 recommendations were repeated from the prior year.”
