Watchdog Agency: Many VA Security Weaknesses Persist
Among the Concerns: Making Sure All Devices 'Authorized'
A watchdog agency's annual security review of the Department of Veterans Affairs, the nation's largest healthcare provider, makes 33 recommendations for how the VA can address a variety of continuing vulnerabilities, but only three of them are new.
The report says the VA is making strides in developing policies and procedures, but still faces challenges implementing components of its agencywide information security continuous monitoring and risk management program to meet the requirements of the Federal Information Security Modernization Act.
"While some improvements were noted, this audit identified continuing significant deficiencies related to access controls, configuration management controls, continuous monitoring controls and service continuity practices designed to protect mission-critical systems," the report notes.
The watchdog agency spotlighted three new recommendations in its latest report:
- To address weaknesses in the agencywide information security and risk management program, the VA should implement improved processes to ensure all VA systems and devices are formally "authorized to operate" and system security controls are evaluated before allowing such systems to connect to the VA's network or the internet.
- To address various weaknesses found in configuration management controls, the VA should implement improved processes to ensure that all devices and platforms are evaluated using credentialed vulnerability assessments.
- To address incident response and monitoring weaknesses, the VA's Network Security and Operations Center should have full access to all security incident data to facilitate agencywide awareness of information security events.
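The first two new recommendations amount to a reconciliation problem: every device seen on the network should map to a system with a current authorization to operate, and every device should have a recent credentialed scan. The following is an added example (not code from the OIG report or from the VA) showing how a security team could run that reconciliation over an asset inventory, an ATO register and scan results; the hostnames, system names, dates and the 30-day scan-age threshold are all constructed assumptions.

```python
"""Reconcile observed devices against the ATO register and scan coverage.

Reports devices with no (or a lapsed) authorization to operate, devices
never scanned, devices whose last scan was uncredentialed, and stale scans.
All sample records below are constructed for illustration.
"""
from datetime import date

# Devices actually observed on the network (constructed sample).
INVENTORY = [
    {"host": "ehr-db-01", "system": "EHR", "observed": date(2016, 11, 1)},
    {"host": "kiosk-17", "system": None, "observed": date(2016, 11, 1)},
    {"host": "pacs-srv-03", "system": "PACS", "observed": date(2016, 11, 1)},
]

# System name -> date its authorization to operate expires (constructed).
ATO_REGISTER = {
    "EHR": date(2018, 6, 30),
    "PACS": date(2016, 3, 31),  # lapsed before the as-of date used below
}

# Host -> (date of last vulnerability scan, credentialed?) (constructed).
SCAN_RESULTS = {
    "ehr-db-01": (date(2016, 10, 20), True),
    "pacs-srv-03": (date(2016, 10, 20), False),
}


def reconcile(inventory, ato, scans, as_of, max_scan_age_days=30):
    """Return (host, finding) pairs for every gap found as of `as_of`."""
    findings = []
    for dev in inventory:
        host, system = dev["host"], dev["system"]
        # Authorization check: the device must belong to a system whose ATO
        # exists and has not expired.
        expiry = ato.get(system) if system else None
        if expiry is None:
            findings.append((host, "no_ato"))
        elif expiry < as_of:
            findings.append((host, "ato_expired"))
        # Scan coverage check: credentialed and within the age threshold.
        scan = scans.get(host)
        if scan is None:
            findings.append((host, "never_scanned"))
        else:
            scan_date, credentialed = scan
            if not credentialed:
                findings.append((host, "uncredentialed_scan"))
            if (as_of - scan_date).days > max_scan_age_days:
                findings.append((host, "scan_stale"))
    return findings


if __name__ == "__main__":
    for host, finding in reconcile(INVENTORY, ATO_REGISTER, SCAN_RESULTS, date(2016, 11, 1)):
        print(f"{host}: {finding}")
```

In practice the inventory would come from network discovery rather than a hand-written list, which is the point of the recommendation: the devices that matter are the ones nobody registered.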
Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy, says each of the new recommendations is important for other healthcare organizations to consider.
The recommendation likely to have the biggest impact, she says, is ensuring that all systems and devices are formally authorized. "These are often those personally owned systems and devices that employees are using to perform work activities, in addition to using to remotely connect to the work systems and networks," she says.
The security challenges faced by the VA are common throughout healthcare, says Keith Fricke, principal consultant at tw-Security. "No organization in any industry will ever be 100 percent secure," he says. "To be 100 percent secure is to be 0 percent functional. Security weaknesses will always be present. The rapid evolution of technology will always create new weaknesses that criminals race to exploit before everyone else can protect against the attacks."
The VA Office of Inspector General's report, released on June 21, covers the annual review conducted in 2016 of the VA's compliance with FISMA and applicable National Institute of Standards and Technology guidelines.
The report notes that an independent firm, CliftonLarsonAllen LLP, performed the FISMA audit conducted from April through November 2016.
"Based on our audit procedures, we conclude that VA continues to face significant challenges meeting the requirements of FISMA," OIG writes in its report.
The report makes 33 recommendations for the VA to address weaknesses found by the auditors in eight key areas, including the VA's:
- Agencywide security management program;
- Identity management and access controls;
- Configuration management controls;
- System development/change management controls;
- Contingency planning;
- Incident response and monitoring;
- Continuous monitoring; and
- Contractor systems oversight.
When it comes to the various VA deficiencies identified, the OIG writes, "weaknesses in access and configuration management controls resulted from VA not fully implementing security standards on all servers, databases and network devices. VA also has not effectively implemented procedures to identify and remediate system security vulnerabilities on network devices, databases and server platforms VA-wide."
Many of those security components are also common challenges for other healthcare organizations, Herold says. "All healthcare entities also struggle with getting all eight of these areas properly addressed," she says.
"Size is certainly a contributing factor within the VA, but the fact is no organization will be able to eliminate all security vulnerabilities, and there will always be many security threats to every type of organization," she says. "This is especially true in any environment that mixes employees with a large number of contracted workers, and a wide variety of those who are not part of the organization, such as patients, visitors and the general public."
Fricke says of the deficiencies found at the VA, those most commonly found at private sector healthcare entities involve identity and access management, contingency planning, incident response and monitoring, and continuous monitoring.
"Many healthcare organizations do not have a contingency plan, and if one does exist, it may not be updated frequently," he notes. "Continuous monitoring really requires outsourcing that capability. Employing staff to monitor networks 24x7 is costly and it is hard to retain talent in this area of security operations."
In addition to the new recommendations the OIG makes, the watchdog agency report is again urging the VA to implement 30 previous recommendations made to address findings of prior annual security reviews, some of which were slightly modified. Those include:
- Implement clear roles, responsibilities and accountability for developing, maintaining, completing and reporting on plans of action and milestones;
- Implement periodic reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities and unauthorized accounts;
- Enable system audit logs on all systems and platforms and conduct centralized reviews of security violations;
- Implement a more effective patch and vulnerability management program to address security deficiencies; and
- Implement improved processes for ensuring the encryption of backup data prior to transferring the data offsite for storage.
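The second of the repeated recommendations, periodic reviews for incompatible roles, excess permissions and unauthorized accounts, is concrete enough to automate against an identity export. The following is an added example, not code from the OIG report or from the VA, of such a review: it checks each account against a separation-of-duties matrix, against the permission baseline for its roles, and against an HR roster. The role names, permission strings, user names and the conflict pairs are constructed assumptions.

```python
"""Periodic access review over a constructed identity export.

Flags the three conditions named in the recommendation:
  incompatible_roles   - one person holds a separation-of-duties conflict
  excess_permissions   - permissions beyond the baseline for the user's roles
  unauthorized_account - account with no matching entry in the HR roster
All data below is constructed for illustration.
"""

# Permissions each role is entitled to (constructed baseline).
ROLE_BASELINE = {
    "clinician": {"ehr.read", "ehr.write"},
    "billing": {"claims.read", "claims.submit"},
    "sysadmin": {"server.admin", "ehr.read"},
    "auditor": {"audit.read"},
}

# Role pairs one person should not hold at the same time (constructed SoD matrix).
INCOMPATIBLE_ROLES = {
    frozenset({"sysadmin", "auditor"}),
    frozenset({"billing", "auditor"}),
}

# Identities that HR currently recognizes (constructed).
HR_ROSTER = {"alice", "bob", "carol", "dave"}

# Export from the identity system: roles and effective permissions per account (constructed).
ACCOUNTS = {
    "alice": {"roles": {"clinician"}, "perms": {"ehr.read", "ehr.write"}},
    "bob": {"roles": {"sysadmin", "auditor"},
            "perms": {"server.admin", "ehr.read", "audit.read"}},
    "carol": {"roles": {"billing"}, "perms": {"claims.read", "claims.submit", "ehr.write"}},
    "svc_legacy": {"roles": {"sysadmin"}, "perms": {"server.admin", "ehr.read"}},
}


def review_access(accounts, baseline, incompatible, roster):
    """Return (finding, user, details) tuples, ordered by user name."""
    findings = []
    for user, acct in sorted(accounts.items()):
        roles = acct["roles"]
        # Separation of duties: any conflict pair fully contained in the user's roles.
        for pair in sorted(incompatible, key=sorted):
            if pair <= roles:
                findings.append(("incompatible_roles", user, sorted(pair)))
        # Least privilege: permissions not granted by any held role.
        allowed = set().union(*(baseline.get(r, set()) for r in roles))
        excess = acct["perms"] - allowed
        if excess:
            findings.append(("excess_permissions", user, sorted(excess)))
        # Account hygiene: identities HR does not know about.
        if user not in roster:
            findings.append(("unauthorized_account", user, []))
    return findings


if __name__ == "__main__":
    for finding, user, details in review_access(ACCOUNTS, ROLE_BASELINE,
                                                INCOMPATIBLE_ROLES, HR_ROSTER):
        print(f"{user}: {finding} {details}")
```

Running the review on a schedule and diffing its output against the previous run turns a one-off audit finding into the "periodic review" the recommendation asks for; the service account with no roster entry is the kind of result that only shows up when the HR source is part of the comparison.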
The VA recently announced plans to phase out its old, home-grown VistA electronic health record system and implement a new system based on Cerner Corp.'s Millennium EHR. The Department of Defense also uses an EHR based on the Cerner technology, and government officials have said the VA's planned EHR migration could potentially help improve the security and interoperability of vets' health data (see VA's New EHR System: Weighing Risks, Benefits).