OIG blasts VA over IT security controls, calls standards weak, unsafe
The Office of the Inspector General this week scolded the U.S. Department of Veterans Affairs over its IT security controls during a House Committee on Veterans Affairs’ Financial Management hearing on Wednesday.
OIG found weaknesses in configuration management, access controls, security management and contingency planning. Specifically, officials found VA had untimely patching of security vulnerability mitigation and inconsistent enforcement of password standards.
“This is a repeat finding that our contract auditors have reported since Fiscal Year 2000,” OIG Deputy Assistant Inspector General for Audits and Evaluations Nicholas Dahl said in his opening statement. “Without good information technology security controls, VA’s financial information may not be safe in terms of confidentiality, integrity and availability.”
This isn’t the first time the VA was scorned for its IT oversight. In March, the VA landed on the U.S. Government Accountability Office high-risk list again, for the third year in a row.
It was added to the list in 2015 for the first time due to GAO’s concerns with the “VA’s ability to ensure the timeliness, cost-effectiveness, quality and safety of the care provided to veterans,” GAO Director of Health Care Team Debra Draper said during a U.S. Senate Committee on Veterans’ Affairs meeting in March.
“As I noted at the time of their high-risk designation in 2015, VA had more than 100 open GAO recommendations related to healthcare,” Draper said. “Seventy-four new recommendations have been added since then; currently, there are still more than 100 open recommendations. And about a quarter of these have been open for three to four years.”
During the same meeting, VA Inspector General Michael Missal condemned the VA’s “exceedingly slow pace of progress.”
VA Secretary Shulkin told the House Committee on Veterans Affairs during a Wednesday morning meeting that modernization is a top priority of the agency, which he believes will create a “highly integrated, high-performance system.”