GAO: EHR modernization office needs to improve cybersecurity collaboration

According to GAO, the Federal EHR Modernization office does not fully follow leading practices for cybersecurity collaboration; the Department of Defense disagreed.

The Government Accountability Office addressed interagency collaboration shortfalls in a new report focused on the Federal Electronic Health Record Modernization office, a joint Department of Defense and Department of Veterans Affairs office that is responsible for providing oversight on joint functions within the federal EHR.

The GAO recommended that the DOD and VA direct the FEHRM office to define common goals and increase collaboration to ensure the cybersecurity and privacy of the federal EHR. The DOD disagreed with the watchdog's report, while the VA neither agreed nor disagreed with the recommendations.

The federal EHR is one of the largest EHR systems in the country, supporting millions of beneficiaries across four agencies: the DOD, the VA, the U.S. Coast Guard and the National Oceanic and Atmospheric Administration.

Thanks to a provision under the Further Consolidated Appropriations Act of 2024, the GAO is entitled to report on aspects of the federal EHR. For this report, GAO interviewed agency officials, compared FEHRM collaboration efforts to leading best practices and reviewed interagency agreements pertaining to the use of the federal EHR.

The FEHRM office was chartered in December 2019, serving as the sole decision-making authority "for DOD and VA to provide unified direction on joint functions to ensure that the departments deliver an interoperable EHR system," the report noted.

The charter charged the FEHRM office with managing the risks and operations of the joint EHR hosting environment, as well as managing cybersecurity, network security, disaster recovery and access management.

Given these responsibilities, the FEHRM office has made efforts to improve interagency cybersecurity and privacy, GAO acknowledged.

For example, the FEHRM office hosts a weekly cybersecurity team meeting, which gives stakeholders a forum to discuss cybersecurity best practices and demonstrate tabletop exercises to prepare for cybersecurity incidents.

Other efforts were started but have not reached their full potential, GAO noted. For example, the DOD and VA have been working to implement a joint security operations center since the FEHRM office was launched in 2019. The planned center was supposed to consist of a shared physical facility and actions to promote information sharing between the DOD and VA. However, FEHRM officials said that differing personnel security requirements between the two agencies hindered their ability to bring the center to life. They also said that the objectives of the joint security operations center had been met via alternative collaboration mechanisms.

Other efforts that achieved varying levels of completeness included an interagency cyber assessment and a joint incident management framework.

GAO compared the FEHRM office's efforts to leading collaboration best practices, such as bridging organizational cultures, leveraging resources and information, developing written guidance and clarifying roles and responsibilities.

While the FEHRM office generally aligned with some leading practices in GAO's view, it faltered in others. GAO said that the FEHRM office was not aligned with leading practices for ensuring accountability and was only partially aligned in the categories of defining common outcomes and identifying and sustaining leadership.

"While the FEHRM has initiated a number of efforts to promote collaboration between DOD, VA, the Coast Guard, and NOAA and secure the network and privacy of health data in the federal enclave, it has done so without well-defined common goals and outcomes," GAO said.

"Further, the FEHRM does not monitor, assess or communicate on performance measures to which it and the partner agencies can be held accountable. Articulating clear and measurable goals would better position the FEHRM to oversee the coordinated cybersecurity of the federal EHR by providing insight into the specific resources, skills, or time needed to address shared responsibilities."

As such, GAO recommended that the DOD and VA direct the FEHRM office to define common goals and to monitor and communicate progress on cybersecurity collaboration efforts.

"We stand by our findings and continue to affirm that our recommendations -- which are intended to strengthen collaboration that already exists among DOD, the FEHRM, and the other partner agencies -- would help the partners and Congress have greater assurance that joint actions taken to secure the system and its data not only operationalize the existing set of agreements but also produce intended results," GAO stated.

"Further, having clear goals and associated performance measures to monitor progress on collaboration efforts will ensure that all agencies that use the common EHR system continue to focus their actions on those efforts that collectively allow them to keep their health data secure."

Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.