Northern Arizona VA Healthcare System Faces Cybersecurity Audit

Cybersecurity is more complex than it seems at first.

By Jeff Wardon, Jr., Assistant Editor

Given the recent influxes of cyberattacks, cybersecurity has risen to the forefront as a major issue for healthcare facilities. These attacks can be costly, even well beyond their intended targets. Cybersecurity is key to preventing these attacks, however, there is much more to prevention than one might think.  

Many think that a cybersecurity program is just some antivirus software. While that is partially true, there are more moving parts and components to the operation. This was brought to light in a recent audit by the US Department of Veterans Affairs Office of Inspector General (OIG) conducted on the information security at the Northern Arizona VA Healthcare System.   

The OIG found deficiencies in all three areas it uses to inspect cybersecurity: configuration management, security management and access control. 

According to the audit, the areas are defined as: 

  • Configuration management is identifying and managing security features for all hardware and software components of an information system. 
  • Security management sets forth a framework and cycle of activity for assessing risk, developing and implementing effective security measures, and monitoring how well these procedures work. 
  • Access controls refer to the proper restriction of sensitive computer resources to authorized individuals only. Both physical and environmental controls count in this. 

Concerning configuration management, the OIG found four controls to be deficient: vulnerability management, flaw remediation, unsupported components and baseline configurations. Essentially, the VA's vulnerability management program has flaws that must be addressed, such as improving patch management, addressing unsupported systems and ensuring proper baseline configurations for critical infrastructure and databases. 

The OIG only found that one security management control was deficient and in need ofcontinuous monitoring of the inventory. The inspection team found that there was almost twice the number of devices in the network versus the number identified in the VA’s cybersecurity management service, eMASS. According to the inspection team, the VA was aware of how many devices it had but failed to update the number in eMASS.  

Lastly, the inspection team found seven access controls had deficiencies in the following control areas: 

  • Physical access 
  • Video surveillance  
  • Environmental controls 
  • Equipment installation 
  • Emergency power 
  • Fire protection controls 
  • Water detection 

All these controls prove vital to the VA’s information systems and infrastructure working properly, so naturally any weaknesses they have must be addressed.  

While this is one example of a health system’s cybersecurity shortcomings, it need not be taken lightly. Healthcare facilities face a great challenge currently with cybersecurity, as many find themselves plagued by a seemingly endless onslaught of cyberattacks. 

There are many different factors and aspects to cybersecurity. If they were to fail, it could leave a healthcare facility’s information system wide open for exploitation. Maintaining information systems takes a holistic approach, as every part plays a crucial role in preventing attacks and exploits. 

Jeff Wardon, Jr. Is the assistant editor for the facilities market. 

July 26, 2023

Topic Area: Information Technology , Security

Recent Posts

Skills Gap Remains Wide in Facilities Management

Many candidates lack the skills that are needed to be a facilities manager.

Memorial Hermann Cypress Hospital Announces Expansion Project

The project will add 58 beds and 347,000 square feet of new and renovated service areas.

3 Key Roles Doors Play in Healthcare Facilities

From securing areas to reducing infection spread, doors play many parts in a healthcare facility’s operations.

Patient Chokes Out Roommate at Norristown State Hospital

The incident stemmed from a dispute over the roommate throwing the patient’s books.

OhioHealth Announces Expansion of Dublin Methodist Hospital

Construction is expected to begin in winter 2026.


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Healthcare Facilities Today membership includes free email newsletters from our facility-industry brands.

Facebook   Twitter   LinkedIn   Posts

Copyright © 2023 TradePress. All rights reserved.