VA lacked contractor cybersecurity oversight
A lack of cybersecurity controls at a Veterans Affairs Department contractor points to a lack of oversight by the office of the VA chief information officer, says a VA inspector general report.
The report, dated July 27, examines the actions of an unnamed contractor providing the system permitting veterans to refill prescription orders via telephone, as well as to manage the scheduling of their appointments, check their balance due and receive lab results via a secure connection. The vendor has contracts worth $5.2 million during the current fiscal year and has contracted with the VA since 1992.
Auditors received a hotline complaint earlier that month alleging that unauthorized contractor access had occurred at VA medical facilities in Columbia, Mo., Kansas City, Mo., Huntington, W. Va., and Wilmington, Del.
In fact, improper access had occurred, the audit finds; certain corporate officers improperly used other employees' virtual private network user accounts to gain unauthorized access to VA systems and networks, the audit says. Company officials told auditors they did so to conduct maintenance and monitor contractor systems.
Auditors also found sensitive VA data stored on unencrypted hard drives located at corporate offices. Contractor systems at VA medical facilities didn't always use firewall protections and, because the vendor systems contain unsupported software, those systems lacked adequate anti-virus and malware protection, the report adds.
The office of the VA CIO "has not performed effective oversight of contractor practices to ensure the contractor is meeting VA information security requirements at vendor offices and VA medical facilities," the report states.
For more:
- download the report, 10-03516-229 (.pdf)