Watchdog Agencies: VA Data at Risk
New Reports Identify Information Security Weaknesses
While the Department of Veterans Affairs, which operates the nation's largest integrated healthcare system, has taken steps to improve information security in recent years, it still has weaknesses that have not been fully addressed, two government watchdog agencies say. And those weaknesses increase veterans' risk of identity theft and make the VA network vulnerable to potential attacks by foreign entities.
Those findings were discussed at a Nov. 18 House Committee on Veterans Affairs hearing on the VA's information security.
The VA has deficiencies in a number of areas, according to the two watchdog agencies, such as configuration management, including software patching; access control, including the use of weak or default passwords; security management, including outdated security management documentation; and contingency planning, including deficiencies in back-up devices.
VA CIO Steph Warren testified at the hearing that the VA is addressing many of the various weaknesses identified by the VA Office of Inspector General and the Government Accountability Office. In fact, the VA has pumped in an additional $60 million this year to tackle information security issues, including configuration management, he says. VA will reassess whether there's a need for even more resources early next year, he added.
The GAO report found the VA had failed to apply 10 critical software patches that had been available for four to 31 months even though VA policy requires critical patches to be applied within 30 days.
Warren testified, however, that some of those patches had not been applied by the time of the GAO review this spring because, for example, some legacy VA financial applications "cannot be patched." Instead, the VA has increased other controls for those systems as part of the VA's multilayered defenses, he says. Some patches pushed out from manufacturers "bring systems down" or don't work as the vendors anticipate with various applications running on those systems, he contends.
And it's virtually impossible for the VA to keep up with all software patches that are issued, Warren testified. "Every day, the industry finds new ways [for systems] to be exploited. Patching is one part of a complex defense of systems. It's part of a spectrum of things that need to be done," he said.
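As an added illustration of the policy discussed above (not code from the GAO, the OIG or the VA), the following Python check measures a constructed patch inventory against the 30-day critical-patch policy cited in the report and separates overdue patches from legacy systems that were declared un-patchable; system names, patch IDs and dates are all constructed, and the rule that an exception counts only when compensating controls are documented is an assumption drawn from Warren's testimony.

```python
from datetime import date

# Policy figure cited in the article: critical patches applied within 30 days.
CRITICAL_PATCH_SLA_DAYS = 30
# Hypothetical audit date used for the sample run.
AUDIT_DATE = date(2014, 4, 1)

# Constructed sample records (hypothetical systems and patch IDs).
# "exception" marks a system the operator declared un-patchable; such a system is
# expected to carry documented compensating controls in place of the patch.
PATCH_RECORDS = [
    {"system": "web-portal-02", "patch": "PATCH-A", "released": date(2014, 3, 1),
     "applied": date(2014, 3, 20), "exception": None, "controls": []},
    {"system": "db-cluster-07", "patch": "PATCH-B", "released": date(2013, 9, 1),
     "applied": None, "exception": None, "controls": []},
    {"system": "fin-legacy-01", "patch": "PATCH-C", "released": date(2011, 10, 1),
     "applied": None, "exception": "legacy financial app cannot be patched",
     "controls": ["network segmentation", "host-based IDS"]},
    {"system": "fin-legacy-03", "patch": "PATCH-D", "released": date(2013, 12, 15),
     "applied": None, "exception": "vendor patch breaks application", "controls": []},
]

def days_outstanding(record, as_of):
    """Days from patch release to application, or to the audit date if still unapplied."""
    end = record["applied"] or as_of
    return (end - record["released"]).days

def classify(record, as_of):
    """Bucket one record against the 30-day policy."""
    if record["exception"]:
        # An un-patchable system is acceptable only with compensating controls on file.
        return "exception-mitigated" if record["controls"] else "exception-unmitigated"
    if days_outstanding(record, as_of) <= CRITICAL_PATCH_SLA_DAYS:
        return "compliant"
    return "overdue"

def sla_report(records, as_of):
    """Return {status: [(system, patch, days_outstanding), ...]}, worst first per bucket."""
    report = {}
    for r in records:
        report.setdefault(classify(r, as_of), []).append(
            (r["system"], r["patch"], days_outstanding(r, as_of)))
    for rows in report.values():
        rows.sort(key=lambda row: -row[2])
    return report

if __name__ == "__main__":
    for status, rows in sla_report(PATCH_RECORDS, AUDIT_DATE).items():
        print(status, rows)
```

The "exception-unmitigated" bucket is the one an auditor would flag first: a system exempted from patching with nothing documented in its place.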
The various vulnerabilities identified by GAO and OIG "are all attack points for foreign attacks ... a pivot point to get into the entire VA network," testified Michael Bowman, director of the IT and security audit office of the VA OIG.
The VA has made improvements in its IT and information security, but more work needs to be done, testified Sondra McCauley, deputy assistant inspector general for audits and evaluations at the VA OIG. Remaining vulnerabilities and weaknesses, however, "make veterans vulnerable to ID theft and fraud," she testified.
As part of efforts to improve information security and address other IT concerns, the VA is also issuing a request for proposal this week for a new patient scheduling system. The VA expects to award the contract in March and roll out the new system over a two-year period beginning in 2015, Warren testified. Some critics claim the VA's legacy scheduling system allowed patient information to be altered, such as appointment dates changed or entered without authorization. The RFP for the new scheduling system includes requirements for a variety of built-in security features, including logging and audit trails, Warren testified.
Greg Wilshusen, the GAO's director of information security issues, testified that its new report has made eight recommendations to the VA to address identified weaknesses in such areas as incident response, Web applications, and patch management. Wilshusen said the VA, in its response to the draft report, concurred with the GAO's recommendations and indicated that it had already begun taking action to comply with six of the recommendations, although the GAO had not yet verified that action.
But unless the various weaknesses are adequately addressed, Wilshusen testified, "data could be manipulated or used for fraud."
The GAO report notes that its findings are consistent with those of the other watchdog agency, the VA OIG, which also identified patch management as an issue in its fiscal year 2013 report on the VA's compliance with the Federal Information Security Management Act.
"Specifically, the report identified significant deficiencies in configuration management controls intended to ensure that VA's critical systems have appropriate security baselines and up-to-date vulnerability patches," the GAO notes about the OIG's findings.
"The OIG found that VA had unsecure Web application servers, excessive permissions on database platforms, a significant number of outdated and vulnerable third-party applications and operating system software, and a lack of common platform security standards across the department. To address these issues, the OIG recommended that VA implement a patch and vulnerability management program."