EHR modernization effort lacks cyber performance measures, GAO finds
The Federal Electronic Health Record Modernization office, in charge of providing direction and oversight for federal health records across four agencies, needs to boost its interagency collaboration on cybersecurity and privacy protection, the Government Accountability Office said in a report published Tuesday.
After finding that the office had lacked performance measures for its interagency collaboration goals for the past two fiscal years, the report said that Defense Department and Veterans Affairs Department leadership should “ensure that the FEHRM’s efforts to coordinate cybersecurity and privacy protection are fully meeting leading interagency collaboration practices.”
“Without clear goals and outcomes, the FEHRM has limited insight into the specific resources, skills, or time needed to address any shared cybersecurity responsibilities,” the report said. “Ensuring accountability relies on monitoring, assessing, and communicating progress toward the short- and long-term outcomes by using performance measures.”
The report also said FEHRM has not fully articulated specific short- or long-term goals or intended outcomes related to the cybersecurity of the federal EHR or the privacy of health data within it. As of January, goals for fiscal 2026 were “still under development.”
“As a result, the FEHRM may not have critical information needed to assess and communicate progress and may be at risk of failing to achieve shared cybersecurity responsibilities,” it said.
But not everyone agrees. The DOD did not concur with the draft GAO report sent in March, and the VA neither agreed nor disagreed, saying it has taken “essential” first steps.
However, the VA agreed that DOD has the primary responsibility for ensuring the cybersecurity of EHRs. It said there must be concurrence to implement the recommendations to both agencies to define common goals, outcomes and performance measures, as well as to monitor, assess and communicate progress on collaboration efforts.
The GAO report, auditing from June 2024 to June 2026, is in fulfillment of a fiscal 2024 appropriations law provision requiring the office to report on aspects of the federal EHR.
The federal EHR, built on Oracle Health Millennium, is used across the DOD, VA, the U.S. Coast Guard and the National Oceanic and Atmospheric Administration, though each agency is responsible for managing its own networks and complying with federal privacy laws.
Used to share, store and analyze patient care information, the EHR will have more than 500,000 users providing care to over 18 million people when fully deployed, the report said.
VA Secretary Doug Collins recently said in a congressional budget hearing that the formerly beleaguered EHR rollout was now “actually working,” slowly but surely. The VA is currently seeking $4.2 billion to modernize the EHR, an $840 million or nearly 25% increase from last year’s level.
“This is key for them, not only to do their work internally, but also their community care aspects and talking to other VA hospitals,” he said last month.
The FEHRM is succeeding in some aspects, the report said. The DOD and VA signed a charter establishing the office that outlined roles and responsibilities, and the office has “initiated a number of efforts to promote collaboration,” but it could do more.
“Articulating clear and measurable goals would better position the FEHRM to oversee the coordinated cybersecurity of the federal EHR by providing insight into the specific resources, skills, or time needed to address shared responsibilities,” the report said.