VA OIG identifies security vulnerabilities in Spokane Healthcare system
Abby Grifno
February 24, 2026
The vulnerabilities were discovered following an audit by the Department of Veterans Affairs Office of Inspector General (VA OIG).
What happened
The VA OIG recently released its findings from a 2025 audit of the Mann-Grandstaff VA Medical Center, which is part of the Department of Veterans Affairs Spokane Healthcare System in Washington state.
The audit determined that Spokane had deficiencies in all three areas that were inspected: configuration management, security management, and access controls. The audit included security across the board, from physical to cyber.
Going deeper
The audit, conducted between January 29th and February 6th, 2025, was published on February 18th, 2025. The 32-page report contained 23 recommendations for improvement and noted that 21 of the recommendations had been previously given. The OIG also provided seven specific recommendations for the VA, including:
- Implementing vulnerability management processes to identify vulnerabilities and action plans.
- Implementing a more effective baseline configuration process to make sure that all devices are using approved software.
- Performing a cost-benefit analysis and implementing appropriate controls to limit disclosing personally identifiable information unless necessary.
- Segregating the duties of making and maintaining physical keys to various rooms.
- Placing network infrastructure equipment in a communications closet or approved enclosure.
- Completing the installation of technology to protect against electromagnetic pulse attacks, and
- Adding anti-ram barriers to protect the fueling station.
Why it matters
The VA OIG audits Spokane yearly, and Veterans Affairs systems around the nation are frequently involved in data breach incidents. A June 2025 news report highlighted a massive breach of 26 million veterans’ data in 2006, noting that the incident unveiled a myriad of cybersecurity issues. Yet, despite that breach and others, federal and state-level Veterans Affairs offices often use outdated devices and equipment, making them more prone to accidental disclosures and data breaches.
The big picture
Audits are a great way to keep government organizations accountable and ensure they are taking steps to improve infrastructure and limit vulnerabilities. It’s recommended that healthcare organizations regularly audit their cyber systems or hire an outside organization to do so. One Paubox report found that many organizations operate under a “false sense of security,” because they have solutions, like Microsoft 365 or Google Workspace, that they assume are safe. However, penetration testing and audits can help determine if an organization is truly safe from attacks or accidental disclosure.
FAQs
What are anti-ram barriers and why does that matter?
This part of the audit is not directly related to cybersecurity, but rather a physical fueling system. The audit was designed to uncover any vulnerabilities within Spokane’s Health Facility, whether cyber or physical.
Will the VA actually commit to all of the recommendations?
In the OIG’s finding, the VA did commit to implementing all of the recommendations, with varying estimated dates of completion.
What is penetration testing?
Penetration testing involves planned tests where experts attempt to infiltrate a cybersecurity system, much like how a hacker would. This type of testing provides a realistic scenario for healthcare IT teams.
