Government & Policy

VA OIG finds cybersecurity flaws at Orlando VA Medical Center

The Florida VA provider set-up its Wi-Fi network without coordinating with the VA’s IT office, introducing security flaws that could have allowed a hacker to gain access to VA systems.
By Jessica Davis
February 09, 2018
04:42 PM

The U.S. Department of Veterans Affairs Office of Inspector General found security at the Orlando Veterans Affairs Medical Center (VAMC) was vulnerable, due to the facility setting up a wireless network without coordinating with the VA Office of Information and Technology.

In doing so, the medical center introduced vulnerabilities that could have been leveraged to gain authorized access to VA systems.

VA OIG audited the Orlando provider after officials received a complaint that VAMC was developing the Veterans Services Adaptable Network on its own and funding for the project wasn’t given through proper channels.

Funding issues weren’t discovered. Instead, VA OIG confirmed the network wasn’t properly coordinated -- and the network lacked security controls in line with VA policies. Further, the hospital’s network wasn’t segmented from the VA Network.

The unnecessary risks introduced into the system were caused by a lack of oversight, VA OIG officials found. And those risks could have resulted in compromising other VA systems. Fortunately, officials said it appears that was not the case.

However, management failed to allocate the necessary resources to perform assessments and make sure the right security controls were put in place, officials said.

VA OIG officials made numerous recommendations to shore up security at Orlando VAMC. The Office of Under Secretary for Health executive and Office of Information and Technology executive must ensure all networks, control systems and external air-gaps are segmented and meet VA security requirements.

Unfortunately, the Orlando provider is not the only organization with these types of failures.

IT must be involved with all network and software projects to ensure proper installation and make sure security mechanisms are in place. Unauthorized installations leave organizations vulnerable to attacks and can expose data and systems to the public.

Organizations should scan systems regularly to ensure there are no open ports or gaps in the system, while also ensuring no rogue software or devices have been installed without authorization.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Topics: 
Government & Policy, Privacy & Security

More regional news

Nurses review a patient record on a digital tablet

All private hospitals in Singapore to connect to national EMR

By
Adam Ang
November 20, 2024
Dr. Mehmet Oz

Trump picks Dr. Mehmet Oz to head CMS

By
Susan Morse
November 20, 2024
Agency cybersecurity infosec illustrated by many colored streams harnessed by a lock

OIG again deems HHS' infosec program ineffective

By
Andrea Fox
November 20, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Agency cybersecurity infosec illustrated by many colored streams harnessed by a lock
OIG again deems HHS' infosec program ineffective

Most Read

What Loper Bright and the end of Chevron deference mean for HHS
Particle Health files antitrust suit against Epic
Choosing a managed IT service for aged care
India to harness ABDM data to develop public AI
South Korea to digitise medical image exchange system
ASTP intros 2024 draft Federal FHIR Action Plan

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

Dr Alice Sutedjo Lisa at SMC Telogorejo Hospital_HIMSS24 APAC
Assisting the elderly in digital care
Dr. Benoit Desjardins of the University of Montreal
Cyberattacks are becoming more widespread, and more disruptive
George Pappas at Intraprise Health_Digital shield and lock Photo by da-kuk/Getty Images
Tighter cyber mandates hold New York providers to higher security standards
Dr. Jay Anders at Medicomp Systems_Computer chip with stethoscope Photo by Just_Super/iStock/Getty Images Plus
Transparency and responsible AI are crucial for medical devices

More Stories

Clinicians look at diagnostic imaging
American College of Radiology launches AI quality registry
A doctor with glasses sits at a desk and speaks during a telehealth visit.
DEA and HHS extend virtual prescribing for controlled substances through 2025
Dr. Jay Anders at Medicomp Systems_Computer chip with stethoscope Photo by Just_Super/iStock/Getty Images Plus
Transparency and responsible AI are crucial for medical devices
George Pappas of Intraprise Health on cybersecurity
How to protect telemedicine from cyberattacks
Doctor talking notes while talking to a tablet
Modernizing acute care: the economic impact of bedside telehealth
A pharmacist reviewing a digital record
Blooms The Chemist integrates Healthengine and more...
Lee Kim at HIMSS_Global Health Equity Week 2024
AI can be leveraged to improve cybersecurity and health equity
HIMSSCast logo
HIMSSCast: Caregiver input needed for allocation of investment dollars