Northern Arizona VA Healthcare System Faces Cybersecurity Audit

Cybersecurity is more complex than it seems at first.

By Jeff Wardon, Jr., Assistant Editor


Given the recent influxes of cyberattacks, cybersecurity has risen to the forefront as a major issue for healthcare facilities. These attacks can be costly, even well beyond their intended targets. Cybersecurity is key to preventing these attacks, however, there is much more to prevention than one might think.  

Many think that a cybersecurity program is just some antivirus software. While that is partially true, there are more moving parts and components to the operation. This was brought to light in a recent audit by the US Department of Veterans Affairs Office of Inspector General (OIG) conducted on the information security at the Northern Arizona VA Healthcare System.   

The OIG found deficiencies in all three areas it uses to inspect cybersecurity: configuration management, security management and access control. 

According to the audit, the areas are defined as: 

  • Configuration management is identifying and managing security features for all hardware and software components of an information system. 
  • Security management sets forth a framework and cycle of activity for assessing risk, developing and implementing effective security measures, and monitoring how well these procedures work. 
  • Access controls refer to the proper restriction of sensitive computer resources to authorized individuals only. Both physical and environmental controls count in this. 

Concerning configuration management, the OIG found four controls to be deficient: vulnerability management, flaw remediation, unsupported components and baseline configurations. Essentially, the VA's vulnerability management program has flaws that must be addressed, such as improving patch management, addressing unsupported systems and ensuring proper baseline configurations for critical infrastructure and databases. 

The OIG only found that one security management control was deficient and in need ofcontinuous monitoring of the inventory. The inspection team found that there was almost twice the number of devices in the network versus the number identified in the VA’s cybersecurity management service, eMASS. According to the inspection team, the VA was aware of how many devices it had but failed to update the number in eMASS.  

Lastly, the inspection team found seven access controls had deficiencies in the following control areas: 

  • Physical access 
  • Video surveillance  
  • Environmental controls 
  • Equipment installation 
  • Emergency power 
  • Fire protection controls 
  • Water detection 

All these controls prove vital to the VA’s information systems and infrastructure working properly, so naturally any weaknesses they have must be addressed.  

While this is one example of a health system’s cybersecurity shortcomings, it need not be taken lightly. Healthcare facilities face a great challenge currently with cybersecurity, as many find themselves plagued by a seemingly endless onslaught of cyberattacks. 

There are many different factors and aspects to cybersecurity. If they were to fail, it could leave a healthcare facility’s information system wide open for exploitation. Maintaining information systems takes a holistic approach, as every part plays a crucial role in preventing attacks and exploits. 

Jeff Wardon, Jr. Is the assistant editor for the facilities market. 



July 26, 2023


Topic Area: Information Technology , Security


Recent Posts

Disinfectant Dispensers in Healthcare Facilities Often Fail to Deliver Safe Concentrations: Study

Study of 10 hospitals finds 90 percent have at least one dispenser delivering disinfectants at incorrect concentrations.


Duke University Health System Receives $50 Million for Proton Beam Therapy Center

The donation is the largest philanthropic gift received by Duke University Health System.


UT Southwestern Experiences Data Breach Through Calendar Tool

The incident occurred in October.


Protecting Patient Data: Strategies and Tactics

As cyber threats and breaches grow, healthcare organizations and facilities need a better approach to cybersecurity.


Duke Health to Acquire Lake Norman Regional Medical Center

The closing is projected for the first quarter of 2025.


 
 


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!

 
 
 


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

 
 
 
 

Healthcare Facilities Today membership includes free email newsletters from our facility-industry brands.

Facebook   Twitter   LinkedIn   Posts

Copyright © 2023 TradePress. All rights reserved.