GAO urges DoD, VA to improve EHR cybersecurity

The Federal Electronic Health Record Modernization Office (FEHRM), a joint effort of the US departments of Defense and Veterans Affairs, “doesn’t fully follow leading practices for collaboration” on patient privacy and cybersecurity, the US Government Accountability Office says in a new report.

“Doing so would help the office better protect the system and its data,” which is used by millions of service members and veterans, as well as employees of the US Coast Guard and the National Oceanic and Atmospheric Administration, said GAO observers.

The new report details how the DoD and VA collaborate to keep the EHR and its sensitive data secure, and where that collaboration falls short of best practices.

The office is required to review the federal EHR under the Further Consolidated Appropriations Act of 2024; it conducted a performance audit from June 2024 to June 2026.

The federal EHR currently has more than 200,000 healthcare provider users and will have more than 500,000 users when the VA completes its deployment, the GAO said.

The DoD completed its implementation of the Oracle Health EHR in 2024, while the VA is in the process of migrating all of its medical facilities to the new system and anticipates completing the migration by 2031.

The GAO looked at interagency agreements and relevant agency cybersecurity and privacy policies managing the system, and also interviewed agency officials.

It recommended that the DoD and VA “define common goals, outcomes and associated performance measures, and monitor, assess and communicate progress on collaboration efforts toward ensuring the cybersecurity and privacy of the federal enclave.”

Each department’s secretary is tasked with assigning their deputy secretary to act on the recommendation.

While the DoD has primary responsibility for ensuring the EHR’s cybersecurity, it must work with the VA to do so, and some key tasks have been delayed.

For example, the DoD and VA were to establish a Joint Security Operations Center and facilitate cyber incident information sharing. Two years ago, the agencies said that personnel security requirements impeded the creation of a shared physical space.

This past year they said they coordinated on joint agreement reviews and tabletop exercises and established a near real-time data feed from the DoD security operations center to the VA’s security operations center.

However, some efforts – like creating a repository of interagency agreements to improve monitoring – have lagged and remain ongoing, the GAO said.

Of note, a Joint Incident Management Framework, which is considered foundational to the federal EHR’s cybersecurity posture and had undergone multiple revisions since 2021, was not completed as of April, the GAO said.

“When a breach happens, the FEHRM works to bring all parties together through existing mechanisms such as conference calls,” the office noted in the report.

The GAO cited the 2024 Change Healthcare cyberattack to demonstrate the vulnerability of healthcare data. After the enormous claims payments processor was hit with BlackCat ransomware, healthcare was debilitated nationwide.

For months after the outage, the fallout continued and countless healthcare organizations were unable to get their claims paid.

“At DOD, this led to delays in military pharmacies being able to process claims and fill some prescriptions,” the GAO said. “At VA, health information exchange and prescription orders were impacted, resulting in a backlog of about one million prescription claims.”

In December, the GAO also said the VA’s new EHR still had numerous unresolved technical issues, but the department insisted it had made “hundreds of improvements” and was ready to resume its federal EHR rollout in 2026.

In April, four Michigan VA facilities migrated to the new EHR, followed by three in Ohio on Saturday.

“The FEHRM has generally facilitated collaboration among the federal partners; however, the collaboration would be improved by fully addressing leading practices,” the GAO said in the report. “We recommend that DOD and VA leadership ensure that the FEHRM’s efforts to coordinate cybersecurity and privacy protection are fully meeting leading interagency collaboration practices.”

Healthcare IT News

Copyright © 2026 Medical Buyer maintained by Algocept