By Jeff Wardon, Jr., Assistant Editor

Given the recent influxes of cyberattacks, cybersecurity has risen to the forefront as a major issue for healthcare facilities. These attacks can be costly, even well beyond their intended targets. Cybersecurity is key to preventing these attacks, however, there is much more to prevention than one might think.  

Many think that a cybersecurity program is just some antivirus software. While that is partially true, there are more moving parts and components to the operation. This was brought to light in a recent audit by the US Department of Veterans Affairs Office of Inspector General (OIG) conducted on the information security at the Northern Arizona VA Healthcare System.   

The OIG found deficiencies in all three areas it uses to inspect cybersecurity: configuration management, security management and access control. 

According to the audit, the areas are defined as: 

• Configuration management is identifying and managing security features for all hardware and software components of an information system. 
• Security management sets forth a framework and cycle of activity for assessing risk, developing and implementing effective security measures, and monitoring how well these procedures work. 
• Access controls refer to the proper restriction of sensitive computer resources to authorized individuals only. Both physical and environmental controls count in this. 

Concerning configuration management, the OIG found four controls to be deficient: vulnerability management, flaw remediation, unsupported components and baseline configurations. Essentially, the VA's vulnerability management program has flaws that must be addressed, such as improving patch management, addressing unsupported systems and ensuring proper baseline configurations for critical infrastructure and databases. 

The OIG only found that one security management control was deficient and in need ofcontinuous monitoring of the inventory. The inspection team found that there was almost twice the number of devices in the network versus the number identified in the VA’s cybersecurity management service, eMASS. According to the inspection team, the VA was aware of how many devices it had but failed to update the number in eMASS.  

Lastly, the inspection team found seven access controls had deficiencies in the following control areas: 

• Physical access 
• Video surveillance  
• Environmental controls 
• Equipment installation 
• Emergency power 
• Fire protection controls 
• Water detection 

All these controls prove vital to the VA’s information systems and infrastructure working properly, so naturally any weaknesses they have must be addressed.  

While this is one example of a health system’s cybersecurity shortcomings, it need not be taken lightly. Healthcare facilities face a great challenge currently with cybersecurity, as many find themselves plagued by a seemingly endless onslaught of cyberattacks. 

There are many different factors and aspects to cybersecurity. If they were to fail, it could leave a healthcare facility’s information system wide open for exploitation. Maintaining information systems takes a holistic approach, as every part plays a crucial role in preventing attacks and exploits. 

Jeff Wardon, Jr. Is the assistant editor for the facilities market.