An audit conducted at Rapides Parish, La.-based Alexandria VA Medical Center found that the hospital has multiple deficiencies in its information technology systems, including uninstalled security patches and outdated operating systems.
An IT security assessment audit conducted by the VA's Office of Inspector General on Sept. 22 highlighted deficiencies in three of the four security control areas at Alexandria, including configuration management, security management and access controls.
The issues included inaccurate component inventories, a flawed vulnerability management process, devices missing security patches and outdated operating systems.
The audit also identified inconsistencies in the hospital's component inventories that record IT assets at the hospital.
The audit identified 3,874 devices at Alexandria — less than the 4,110 devices identified by VA — but noted that the center "did not account for all network segments and included network segments that were not reported to the team for scanning."
After reviewing the network segments, the OIG identified a total of 872 devices that were not accounted for by VA.
The lack of accurate inventories at the hospital "led to undetected and unaddressed critical and high-risk vulnerabilities," according to the audit.
In addition, several of the critical and high-risk vulnerabilities had security patches available that had not been applied, and some of the vulnerabilities "had been on the network for as long as three years after initial discovery by VA."
Other deficiencies at the hospital included an outdated physical access control system for Alexandria's data center and core switch room, improperly installed network infrastructure equipment, failed power supplies, and identification and authentication controls that did not meet the standards of VA's information security policy.