Previously, this blog has examined the audits conducted by the Office of the Inspector General into branches of the Department of Health and Human Services. Another audit concerning cybersecurity was outlined in a report earlier this month, focusing on the Department of Veterans Affairs (VA).
For more than a decade, the VA has notably lagged in terms of cyber-readiness, and the latest information shows it still falls short of the Federal Information Security Management Act's requirements, although it has made some improvements.
According to the report, the VA currently has thousands of system security risks it needs to address, as well as multiple vulnerabilities on devices and servers. One of the areas of concern is the identity management and access controls used by the organization, which showed deficiencies related to password and access management, among other categories.
In response to the findings, the report recommends that the Executive in Charge for Information and Technology take a series of actions, such as updating information system contingency plans, to improve the VA's approach to cybersecurity.
The CIO of the Department, Stephen Warren, recently spoke to Federal News Radio about the results of the audit, in an interview quoted by FierceHealthIT. He said that the organization is committed to improvement.
"In spite of the work that we had done, there were areas where the intensity wasn't where it needed to be," he said. "I think too often folks count on technical controls and other controls to do what they need to do," he added. "It's why we have such [a] strong education program."
Government entities should turn to healthcare IT consulting firms for help with audits of their own agencies, which will add to future IT readiness in areas like cybersecurity. The assessments can be targeted and implemented with specific goals in mind.