VA OIG finds cybersecurity flaws at Orlando VA Medical Center

The Florida VA provider set-up its Wi-Fi network without coordinating with the VA’s IT office, introducing security flaws that could have allowed a hacker to gain access to VA systems.
By Jessica Davis
04:42 PM
Share
veterans affairs health

Orlando Veterans Affairs Medical Center in Florida. Credit: Google Maps

The U.S. Department of Veterans Affairs Office of Inspector General found security at the Orlando Veterans Affairs Medical Center (VAMC) was vulnerable, due to the facility setting up a wireless network without coordinating with the VA Office of Information and Technology.

In doing so, the medical center introduced vulnerabilities that could have been leveraged to gain authorized access to VA systems.

VA OIG audited the Orlando provider after officials received a complaint that VAMC was developing the Veterans Services Adaptable Network on its own and funding for the project wasn’t given through proper channels.

Funding issues weren’t discovered. Instead, VA OIG confirmed the network wasn’t properly coordinated -- and the network lacked security controls in line with VA policies. Further, the hospital’s network wasn’t segmented from the VA Network.

The unnecessary risks introduced into the system were caused by a lack of oversight, VA OIG officials found. And those risks could have resulted in compromising other VA systems. Fortunately, officials said it appears that was not the case.

However, management failed to allocate the necessary resources to perform assessments and make sure the right security controls were put in place, officials said.

VA OIG officials made numerous recommendations to shore up security at Orlando VAMC. The Office of Under Secretary for Health executive and Office of Information and Technology executive must ensure all networks, control systems and external air-gaps are segmented and meet VA security requirements.

Unfortunately, the Orlando provider is not the only organization with these types of failures.

IT must be involved with all network and software projects to ensure proper installation and make sure security mechanisms are in place. Unauthorized installations leave organizations vulnerable to attacks and can expose data and systems to the public.

Organizations should scan systems regularly to ensure there are no open ports or gaps in the system, while also ensuring no rogue software or devices have been installed without authorization.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com