A Florida Veterans Affairs Medical Center set up a Wi-Fi network without coordinating with the VA’s Office of Information & Technology (OI&T). Doing so introduced vulnerabilities that could have led to unauthorized access to VA systems. The VA Office of Inspector General (VA OIG) received a complaint that the Veterans Services Adaptable Network (VSAN) was being developed without OI&T’s knowledge and without project funding obtained through proper channels. In response, VA OIG audited the Orlando Veterans Affairs Medical Center at Lake Nona, FL.
The audit found no evidence of funding irregularities. It did, however, confirm that the patient Wi-Fi network had been set up without OI&T coordination. The network lacked the security controls required by VA policy, no risk assessment was performed after it was set up, and there was no segregation between the VSAN and the VA network. The lack of oversight by local OI&T staff introduced unnecessary risk that could have led to the compromise of other VA systems. Fortunately, the vulnerabilities were not exploited.
The VA OIG report attributed the shortfall in security controls to differing priorities and resources: management did not allocate the resources the project required, so no security risk assessment was performed. The report therefore recommends that the executives in charge of the Office of the Under Secretary for Health and the Office of Information and Technology ensure that all industrial control systems, guest Internet networks and external air-gapped networks are correctly segregated and satisfy VA security requirements.
The report highlighted two problems with the network set-up. First, the software and hardware installed had not been authorized by the IT department, which means the IT department had no opportunity to find and correct any vulnerabilities they introduced. Second, the IT department did not supervise the set-up, so there was no assurance that the software was kept up to date; outdated software can introduce vulnerabilities that allow easy access to healthcare networks.
Under the Health IT department’s requirements, employees are not allowed to install software or use devices without proper authorization from the department. The IT department also needs to scan the network regularly to check whether rogue devices have been connected. Network access control tools can further restrict network access to authorized devices and enforce security controls, including AV software.
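The rogue-device scan and segregation check described above can be reduced to reconciling what is observed on the network against an authorized asset inventory. The following is an added example, not code from the OIG report or the VA; the inventory, VLAN names and lease records are constructed, and it assumes a simple export of observed hosts as `mac ip vlan` lines (as a DHCP lease or ARP export could be reduced to).

```python
"""Reconcile observed hosts against an authorized inventory, flagging rogue
devices and devices that appear on the wrong network segment.
Added example; all data below is constructed."""
from dataclasses import dataclass

# Constructed authorized inventory: MAC -> (asset tag, segment it belongs on).
# "clinical" stands for the VA network, "guest" for the patient Wi-Fi (VSAN).
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": ("workstation-rad-01", "clinical"),
    "00:1a:2b:3c:4d:02": ("infusion-pump-07", "clinical"),
    "00:1a:2b:3c:4d:10": ("guest-ap-lobby", "guest"),
}

@dataclass(frozen=True)
class Observation:
    mac: str
    ip: str
    vlan: str

def parse_observations(lines):
    """Parse constructed 'mac ip vlan' lines; MACs are normalised to lowercase."""
    obs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, ip, vlan = line.split()
        obs.append(Observation(mac.lower(), ip, vlan))
    return obs

def audit(observations, inventory=AUTHORIZED):
    """Return findings: ("rogue", mac, ip, vlan) for unknown devices and
    ("segmentation", asset, seen_vlan, expected_vlan) for misplaced ones."""
    findings = []
    for o in observations:
        entry = inventory.get(o.mac)
        if entry is None:
            findings.append(("rogue", o.mac, o.ip, o.vlan))
        elif entry[1] != o.vlan:
            findings.append(("segmentation", entry[0], o.vlan, entry[1]))
    return findings

# Constructed export: one unknown device on the clinical segment, and a
# clinical device that has shown up on the guest Wi-Fi.
SAMPLE = """
# mac ip vlan
00:1A:2B:3C:4D:01 10.10.1.5 clinical
00:1a:2b:3c:4d:10 10.20.0.2 guest
aa:bb:cc:dd:ee:ff 10.10.1.99 clinical
00:1a:2b:3c:4d:02 10.20.0.33 guest
""".splitlines()

if __name__ == "__main__":
    for finding in audit(parse_observations(SAMPLE)):
        print(finding)
```

Running it reports the unknown MAC on the clinical segment and the infusion pump seen on the guest segment, which is the kind of finding a periodic scan should raise before an unsegregated network is exploited.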