The Department of Veterans Affairs' Office of Inspector General found that the Minnesota-based St. Cloud VA Medical Center failed to meet federal information security guidelines in configuration management, access controls, and contingency planning, passing only in security management controls, FedScoop reports.
Vulnerability management deficiencies identified in previous Federal Information Security Modernization Act audits, including the use of end-of-life operating systems and inadequate remediation of critical and high-risk security flaws, persisted at St. Cloud VA Medical, according to the OIG report. The medical center has not kept an accurate information systems inventory, and it was also found to have nearly 20 systems still running the no-longer-supported Windows XP and no operational video surveillance system in its data center.
The center's assistant secretary for information and technology and chief information officer concurred with most of the VA OIG's recommendations, but the CIO disagreed on the need for an improved network device inventory.