Inspection of Information Security at the VA Spokane Healthcare System in Washington

Report Information

Issue Date:
Report Number: 25-00975-234
VISN:
State: Washington
District:
VA Office: Information and Technology (OIT); Veterans Health Administration (VHA)
Report Author: Office of Audits and Evaluations
Report Type: Information Security Inspection
Report Topic: Information Technology and Security
Major Management Challenges: Information Systems and Innovation
Recommendations: 7
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General’s (OIG) information security inspection program assesses whether VA facilities are meeting federal security requirements related to three high-risk control areas: configuration management, security management, and access. For this inspection, the OIG selected the VA Spokane Healthcare System in Washington and found deficiencies in all three areas.

Configuration management controls, which identify and manage security features for all hardware and software components of an information system, were deficient in vulnerability remediation and system baseline configurations.

Security management controls had one deficiency. The OIG identified volunteers and scheduling clerks who were granted unnecessary access to an electronic health record screen that contained unredacted personally identifiable information.

Access controls had four deficiencies. The OIG found deficiencies at the Mann-Grandstaff VA Medical Center related to inventory management of physical keys, unsecured network equipment, electrical grounding, and fuel storage. As a result, the facility risks unauthorized access, disruption, and destruction of critical information technology resources.

To address deficiencies, the OIG made seven recommendations to VA, all of which VA concurred with.

No. 1
Status: Open
To: Information and Technology (OIT)

Implement vulnerability management processes to ensure all vulnerabilities are identified and plans of action and milestones are created for vulnerabilities that cannot be mitigated by VA deadlines.

No. 2
Status: Open
To: Information and Technology (OIT)

Implement a more effective baseline configuration process to ensure network devices and databases are running authorized software that is configured to approved baselines and free of vulnerabilities.

No. 3
Status: Open
To: Information and Technology (OIT)

Perform a cost-benefit analysis and implement appropriate controls within the federal Electronic Health Record to limit disclosure of veteran personally identifiable information based on job responsibility.

No. 4
Status: Open
To: Information and Technology (OIT), Veterans Health Administration (VHA)

Segregate the duties of maintaining key stock and making keys.

No. 5
Status: Open
To: Information and Technology (OIT), Veterans Health Administration (VHA)

Place network infrastructure equipment in a communications closet or approved enclosure to restrict access to only authorized personnel.

No. 6
Status: Open
To: Information and Technology (OIT), Veterans Health Administration (VHA)

Complete the installation of grounding measures for all telecommunications closets to protect information technology equipment against electromagnetic pulse attack or electrostatic discharge. Ensure the work completed by contractors adheres to the requirements as defined in the work order.

No. 7
Status: Closed and Implemented
To: Information and Technology (OIT), Veterans Health Administration (VHA)
Closure Date: 2/18/2026

Add anti-ram barriers to protect all sides of a fueling station’s fuel tank.