Follow-Up Inspection of Information Security at the VA Southern Oregon Healthcare System

The VA Office of Inspector General (OIG) conducted a follow-up information security inspection of the Southern Oregon Healthcare System to assess three high-risk control areas: configuration management, security management, and access controls. The site was selected again due to its recent launch of the federal Electronic Health Record (EHR) system. The OIG reported VA made progress on recommendations from the 2022 inspection but found deficiencies in all three areas in this follow-up.

Configuration management controls had two deficiencies. Critical vulnerabilities persisted beyond VA’s deadline without required action plans, and servers were improperly configured against baseline security standards. These weaknesses exposed outdated, exploitable software, creating immediate risks to system security.

Security management controls had two deficiencies. The OIG identified temporary staff accounts that were not promptly disabled, and some volunteers and clerks had broad access to information in the EHR system, increasing the likelihood of data breaches.

Access controls had five critical deficiencies at the White City VA Medical Center: inadequate controls over physical key creation, unsecured network infrastructure, improperly grounded spaces and rooms, lack of backup power in multiple spaces, and improper oversight of a contractor destroying sensitive paper records. These issues threaten operations, data integrity, and VA’s reputation.

To address deficiencies, the OIG made eight recommendations to VA, four of which are similar to recommendations from the 2022 inspection. By February 2026, the Office of Information and Technology had fully addressed three recommendations, which the OIG considers closed. VA concurred with all eight recommendations.