All Reports

Remediate servers that are not compliant with configuration standards and ensure periodic compliance scanning of servers.

Remediate databases that are not compliant with configuration standards and ensure quarterly compliance and vulnerability scanning of databases.

Remediate vulnerabilities within VA-defined timeframes and document mitigations for vulnerabilities that cannot be remediated on time.

Comprehensively scan all the facility’s local area network segments for vulnerabilities.

Prepare plans of action and milestones for unapproved software still in use. 

Remediate or document mitigations for physical security deficiencies that can affect IT operations and resources. 

Implement required controls on certain privileged accounts and ensure limited access to these account usernames and passwords.

Define intervals for review of database audit logs and vulnerability scan results and ensure regular collection and review of database audit logs in accordance with policy.

Verify and document the identity of vendors or contractors consistently before granting them access to IT resources.

Provide access control list protection for all networked medical devices hosted on the VA Saginaw Healthcare System virtual local area networks.

Implement vulnerability management processes to ensure all vulnerabilities are identified and plans of action and milestones are created for vulnerabilities that cannot be mitigated by VA deadlines.

Implement a more effective baseline configuration process to ensure network devices and databases are running authorized software that is configured to approved baselines and free of vulnerabilities.

Perform a cost-benefit analysis and implement appropriate controls within the federal Electronic Health Record to limit disclosure of veteran personally identifiable information based on job responsibility.

Segregate the duties of maintaining key stock and making keys.

Place network infrastructure equipment in a communications closet or approved enclosure to restrict access to only authorized personnel.

Complete the installation of grounding measures for all telecommunications closets to protect information technology equipment against electromagnetic pulse attack or electrostatic discharge. Ensure the work completed by contractors adheres to the requirements as defined in the work order.

Add anti-ram barriers to protect all sides of a fueling station’s fuel tank.

Implement a plan with the Office of Acquisition and Logistics Project Management Office to ensure system access is more granular and the intent of the principle of least privilege is met.

Ensure all roles and accesses, including those provided by default access, are reviewed and certified periodically as required.

Implement a permanent solution to provide supervisors and information owners with visibility of all roles and accesses, including those provided by default access, granted to users.

The Executive Director ensures staff receive education about badge holders’ responsibilities in preventing unauthorized access to VA facilities and computer systems and safeguarding electronic databases including electronic health care records.

The Executive Director ensures signs are present and accurate throughout the facility.

The Executive Director ensures staff maintain privacy curtains, preventive maintenance on medical equipment, and splash resistant bottom shelves on supply carts.

The Executive Director ensures staff monitor patient care areas for expired, damaged, and contaminated medications and remove them as needed.

The Executive Director ensures staff store medications in pharmaceutical grade refrigerators.

The Executive Director ensures primary care staffing is sufficient for patients to receive appropriate health care.

The Executive Director reviews staffing levels for the Housing and Urban Development–Veterans Affairs Supportive Housing program and takes action as needed.

The Executive Director of Operations for a national cancer testing program ensures the project has met the requirements for Institutional Review Board review for research with human subjects and takes action as needed.

The Executive Director of Operations for a national cancer testing program ensures national cancer prevention, treatment, and research program staff are trained on Institutional Review Board project submission and privacy requirements. 

The National Specialty Care Program Office Chief Officer ensures the national cancer prevention, treatment, and research program staff reviews and provides required approvals before the release of protected health information for research. 

The National Specialty Care Program Office Chief Officer, in conjunction with the Office of Research & Development ensures that VA privacy officers report privacy incidents involving data obtained from or for national cancer prevention, treatment, and research program activities timely and monitors for compliance.

The Office of Research Oversight Executive Director in conjunction with the Chief Research and Development Officer, VHA Office of Research & Development, reviews the national cancer prevention, treatment, and research program final mitigation plan and ensures corrective actions address system-wide issues for determining whether a national cancer prevention, treatment, and research program project constitutes research, safeguarding privacy when data is shared for projects, and ensuring data security requirements are met. 

The National Specialty Care Program Office Chief Officer ensures the national cancer prevention, treatment, and research program has safeguards in place including biostatistician expertise to ensure that data containing sensitive patient information and protected health information is deidentified before sharing outside of VA as required.

Implement vulnerability management processes to ensure all vulnerabilities are identified and plans of action and milestones are created for vulnerabilities that cannot be mitigated by VA deadlines.

Develop and approve an authorization to operate for the special-purpose systems.

Include facility personnel during the security categorization process to ensure all necessary information types are considered when determining the security categorization for special-purpose systems.

Segregate the pharmacy application administrative access from individuals who are custodians of the pharmaceutical inventory.

Ensure a witness observes the destruction of temporary paper files that contain personally identifiable information and protected health information.