VA OIG Audits Orlando VA Medical Center for Network Vulnerabilities

February 20, 2018 James Keogh HIPAA News

A Florida Veterans Affairs Medical Center set up a Wi-Fi network without coordinating with the VA’s Office of Information & Technology (OI&T). The result of such action was the introduction of vulnerabilities that could lead to unauthorized access to VA systems. The VA Office of Inspector General (VA OIG) received a complaint that the Veterans Services Adaptable Network (VSAN) was being developed without OI&T knowing about it and without obtaining project funding through proper channels. So, VA OIG made an audit of the Orlando Veterans Affairs Medical Center at Lake Nona, FL.

There was no evidence uncovered regarding the funding irregularities. But VA OIG found the Wi-Fi network for patients set up with no OI&T coordination. The network was lacking in appropriate security controls as per VA policies. No risk assessment was performed after the network set-up. There was also no segregation between the VSAN and VA network. The lack of supervision by local OI&T staff introduced unnecessary risks which could have caused the compromise of other VA systems. Fortunately, the vulnerabilities were not exploited.

The VA OIG report mentioned that the security controls adopted were not in accordance with VA’s security requirements because of different priorities and resources. The management did not give the required resources to the project so there was no security risk assessment performed. Hence, the recommended action is to have the executives-in-charge for the Office of the Under Secretary for Health and the Office of Information and Technology to make sure that all industrial control systems, guest Internet networks and external air-gapped networks are correctly segregated and satisfy VA security requirements.

The report highlighted the problems in the network set-up. First, the software or hardware installed was not authorized by the IT department. That can introduce vulnerabilities that the IT departments cannot find and correct. Second, the IT department did not supervise the set-up. Software that is not up-to-date can introduce vulnerabilities that allow easy access to the healthcare networks.

As per the Health IT department’s requirements, employees are not allowed to install software or use devices without proper authorization from the department. The IT departments also need to conduct scans of the network to check if rogue devices have been connected. Network access tools can also be used to restrict network access to authorized devices and implement security controls including AV software.

About James Keogh 144 Articles
James Keogh has been writing about the healthcare sector in the United States for several years. With several years of covering healthcare topics, he has developed expertise in HIPAA-related issues, including compliance, patient privacy, and data breaches. His work is known for its thorough research and accuracy, making complex legal and medical information accessible . James's articles are valuable resources for healthcare professionals and have been featured in reputable publications. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681.
Twitter LinkedIn