- GAO has called for stronger cybersecurity oversight of the federal electronic health record system
- The audit found gaps in how agencies define and measure joint cybersecurity and privacy efforts
- The watchdog recommends establishing shared goals and performance metrics to improve accountability
The Government Accountability Office has urged the Departments of War and Veterans Affairs to strengthen cybersecurity coordination for the federal electronic health record system, noting that the office responsible for overseeing interagency collaboration lacks common goals and performance measures for monitoring security efforts.
In a report released Tuesday, GAO said the Federal Electronic Health Record Modernization office, or FEHRM, has facilitated cybersecurity and privacy coordination among partner agencies but has not fully adopted leading practices for interagency collaboration.
Why Did GAO Review the Federal EHR Program?
The federal electronic health record system supports healthcare delivery for millions of beneficiaries across four agencies: DOW, VA, the U.S. Coast Guard and the National Oceanic and Atmospheric Administration. The system stores, shares and analyzes patient information through a common environment known as the federal enclave.
According to GAO, DOW has primary responsibility for securing the system, while FEHRM provides direction and oversight for joint functions supporting the EHR environment.
What Problems Did GAO Identify?
GAO found that FEHRM has created opportunities for agencies to coordinate cybersecurity and privacy activities and has launched joint efforts intended to improve system security. However, auditors said the office has not fully articulated common goals or desired outcomes related to cybersecurity and data privacy.
The watchdog also found that FEHRM lacks associated performance measures to evaluate progress toward those objectives. Without clear goals and metrics, agencies may have a more difficult time understanding resource requirements, assessing the effectiveness of collaborative efforts, and demonstrating progress in securing the system and its data.
GAO said addressing those shortcomings would provide Congress and participating agencies with greater assurance that appropriate actions are being taken to protect the federal EHR environment from cyberthreats.
What Recommendations Did GAO Make?
GAO issued one recommendation to DOW and one to VA, calling on both departments to direct FEHRM to establish common goals, outcomes and performance measures related to cybersecurity and privacy efforts. The recommendations also call for monitoring, assessing and communicating progress toward those objectives.
According to the report, DOW disagreed with GAO’s findings, while VA neither agreed nor disagreed with the recommendations.





