VA Systems Security:

Information System Controls at the VA Maryland Health Care System

AIMD-00-117R: Published: Apr 19, 2000. Publicly Released: Apr 19, 2000.

Additional Materials:


Robert F. Dacey
(202) 512-3000


Office of Public Affairs
(202) 512-4800

Pursuant to a legislative requirement, GAO assessed the effectiveness of information system general controls at the Department of Veterans Affairs' Maryland Health Care System (VAMHCS).

GAO noted that: (1) there are significant weaknesses that pose a risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, and destruction of financial and sensitive veteran medical information; (2) specifically, GAO found that VAMHCS had not: (a) established effective access controls to its network and main computer system; (b) adequately managed network user identifications (ID) and passwords; or (c) monitored network system activity; (3) in addition, VAMHCS had not established procedures to control access by powerful user IDs to its main computer systems, nor had it appropriately segregated the access authority of selected procurement staff to request, approve, and receive medical items; (4) moreover, VAMHCS also had not established comprehensive physical security controls or adequately provided for continued processing of its critical financial and sensitive medical system in the event of service interruptions; (5) the lack of a comprehensive computer security management program is the primary reason for VAMHCS' information system general control problems; (6) GAO's May 1998 study of security management best practices found that an effective program would include guidance and procedures for assessing risks, establishing appropriate policies and related controls, raising awareness of prevailing risks and mitigating controls, and monitoring and evaluating the effectiveness of established controls; and (7) while VAMHCS had established an effective security awareness program, it had not yet established a framework for assessing risk, or evaluating the effectiveness of information system general controls, nor had it established comprehensive policies and procedures needed for an effective computer control environment.

Jan 14, 2021

Dec 10, 2020

Dec 9, 2020

Nov 12, 2020

Sep 30, 2020

Sep 28, 2020

Sep 21, 2020

Sep 16, 2020

Sep 9, 2020

Looking for more? Browse all our products here