OIG Security Audit of Texas VA Facility Found Familiar Problems
A Texas outpatient clinic belonging to the Department of Veterans Affairs has the all-too-common problem of obsolete equipment leading to security vulnerabilities, a watchdog report concludes.
An audit by the department’s inspector general of a clinic serving the Harlingen region of south Texas found that the VA center did not replace applications before their vendor support ended.
“Without effective configuration management, users do not have adequate assurance that the system and network will perform as intended,” the report says.
More than half of the center’s network switches ran operating systems past their vendor support dates, meaning they no longer receive vendor maintenance or fixes for newly discovered vulnerabilities.
“Network devices and IT systems are an organization’s most critical infrastructure. Upgrading is not just a defensive strategy but a proactive one that protects the stability of the network,” auditors say.
The legacy issues at the Harlingen facility are similar to what is found in many other healthcare organizations.
“Every hospital and health system we encounter has some degree of hardware/software legacy, end-of-life, or unsupported system that is in use,” says Dave Bailey, vice president of security services at CynergisTek.
“The primary drivers are the vendors are not keeping up, poor system life cycle practices by the organization, and cost to replace/upgrade the asset,” he wrote in an email to Information Security Media Group.
Most major upgrades take years to implement enterprise-wide because of cost and the disruption that downtime causes in a clinical setting, he adds. “In many cases, the system may already be at or nearing end of life before the migration is completed. An operating system upgrade may require the replacement of the hardware, which can consume entire capital budgets.”
There are other reasons why many healthcare entities continue to keep legacy IT systems and equipment running long after they are no longer supported by vendors, says senior privacy and security consultant Susan Lucci of tw-Security.
Risks associated with obsolescence are “not generally top of mind, particularly when there is a routine that ‘appears’ to be working fine,” she says.
Not all outdated IT poses the same risk. “From a safety perspective, attention should be given to healthcare devices for patients,” Lucci says. “These have been identified as posing serious risk to the patients they were designed to help and when old, unpatched, unsupported legacy systems are running these devices, this poses the most serious risk to human life.”
Legacy IT does not have to be a permanent burden, especially when an informed risk analysis can make the business case for replacing it.
That analysis can include bringing in a third party to perform an objective evaluation of the entire IT department, combined with penetration testing. “Most audits of this type will identify a number of areas that need attention,” she says. “Once you have the evaluation, put the action items into a project plan and systematically work the plan resolving the issues on a priority basis.”
Bailey suggests that entities conduct a risk analysis to inform the business of the potential life-safety and financial impacts of a crippling cyberattack in which the entity cannot patch the vulnerability, stop the attack or restore the environment because the platform is unsupported.
“Include total cost of ownership analysis during the procurement process. Ensure to include the appropriate operational and capital multiyear outlay to support system upgrades and migrations with the buying decision,” he says.