VA Cyber Attacks Still An Issue Until Major Weaknesses Are Fixed


Benjamin Krause

One government watchdog reported major weaknesses still exist in VA Information Technology systems and that VA cyber attacks will continue while they persist.

The Government Accountability Office (GAO) report indicated VA failed to address underlying security vulnerabilities that allowed multiple high-profile breaches recently. These breaches resulted in exposure of personal information of thousands of veterans.

The report warns, “Until VA fully addresses previously identified security weaknesses, its information is at heightened risk of unauthorized access, modification, and disclosure, and its systems at risk of disruption.”

During the investigation, GAO learned VA would not produce its forensic analysis or digital evidence to help evaluators assess whether the corrective measures it implemented following the breaches were effective. Federal guidance indicates agencies are required to keep all evidence, but VA policy deviates from this.

The report continued:

“The NSOC identified vulnerabilities in these applications through testing conducted as part of the system authorization process, but VA did not develop plans of action and milestones for correcting the vulnerabilities, resulting in less assurance that these weaknesses would be corrected in a timely and effective manner,” according to the GAO.

These are not the only security failures taking place at the VA.

Security weaknesses were found in VA’s workstations, which include laptop computers. These issues “had not been corrected” at the time of the GAO’s investigation, despite solutions being available in some cases.

“Specifically, 10 critical software patches had been available for periods ranging from 4 to 31 months without being applied to workstations, even though VA policy requires critical patches to be applied within 30 days,” according to the GAO.

“There were multiple occurrences of each missing patch, ranging from about 9,200 to 286,700, and each patch was to address an average of 30 security vulnerabilities,” the report found. “VA decided not to apply 3 of the 10 patches until it could test their impact on its applications; however, it did not document compensating controls or plans to migrate to systems that support up-to-date security features.”



  1. The MIS dept. at the VA is a total mess, I read. Key people have left, others don’t care about fixing anything, people are coming in to work and doing absolutely nothing, others are leaving for some other place, others are being fired, others are screwing around with the systems for their own entertainment, there is no management at all these days there, and, probably, others are selling your records and data to whoever wants to buy it. Just read the hits about VA IT on Google. But don’t worry, it will all be straightened out lickety-split thanks to Santa’s elves.
    I’ve never heard of an organization as poorly run as the VA in my life. I never knew an organization could exist as fucked up as the VA is. What anyone is going to do about it is a mystery to me.

  2. And the ACA only makes things worse. Despite the HIPAA law (1996) which allows for the sharing of certain health information, the VHA will not share data, and giving them PHI is difficult at best. My Tricare primary care manager is also my VHA physician, but he cannot use Tricare tests, provider visits, etc. and put them in the VHA system. So each hospital wants you to open individual apps (MyHealtheVet, MyTricare, MyMedicare, Myetc., etc.) which opens the door for even further security violations. Baylor and United Regional (hospitals I use regularly) also want me to open their applications, but the transfer of information mandated under HIPAA has not happened in almost 20 years. I’ve refused to participate until this is fixed.

    1. Kurt, you are “spot on.” HIPAA was designed for the LEGAL transfer of medical information, but if you are MEDICARE or Medicaid entitled, think of all that information that can be dumped in the wrong hands. Social Security numbers were never meant to be used in the capacity they are today; in fact, it was considered illegal to ask a person for such. The VA has WAY more issues that I saw and thought, “Fraud, Waste and Abuse,” but heck, what would I know, I have always worked in some capacity in the medical field. That included temp agency work for Blue Cross/Blue Shield FEP department till they moved that department. (Which of those two insurance companies was the first?) Just a bit of trivia! That concerns me. I had a really strange holy crapola moment watching my bank being drained! Two sites I get as an email (this I already read a time back): FierceGovernment and FierceGovernmentIT. Sadly, many Veterans can be the target to cyber crimes, so my thoughts were “what would they do to correct it?” Just in my case, closing an account, waiting for the ATM card and the headaches, how will the government respond if what happened to me could happen to thousands or millions of individuals, and it is not fun when you watch it, it doesn’t kick off your week right!
