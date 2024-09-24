The Department of Veterans Affairs has neglected to put in the proper controls for its Oracle Cerner electronic health record system to adequately prevent and respond to major incidents, according to a new audit from the agency’s Office of Inspector General.

In another report scrutinizing the VA’s management of IT systems, VA OIG found a weakness in controls including configuration management, assessment, authorization and monitoring, which collectively accounted for 23 incidents and a total of 80 hours and 20 minutes of disruption for the system.

VA OIG offered four recommendations to the Veterans Health Administration and five to the Electronic Health Record Modernization Integration Office (EHRM IO), which include assessing EHR major performance incident data needs and “contractually” committing to data sharing in real time; developing effective notification and resolution metrics that capture results for all major performance incidents; identifying the appropriate backup system; and developing a training strategy to ensure clinicians can use the system when it’s down.

“As the agency responsible for modernizing the EHR, VA should implement policies and procedures to prevent or minimize damage and interruption to critical systems,” the report states. “Although the contract specifies that Oracle Health takes responsibility for the technical system, including monitoring, VA is ultimately responsible for maintaining situational awareness of the system to make effective, timely and informed risk management decisions.”

In an example of how the lack of controls within configuration management caused “major performance incidents,” OIG said that in May 2022, “all three sites where the EHR system had been deployed experienced incomplete functionality for five hours and four minutes.” That failure occurred because an expired certificate disrupted some applications. Oracle had not listed the certificate in its monitoring tool and “therefore was not identified automatically and flagged for renewal before it expired,” the OIG said.

In August 2022, an incomplete functionality incident occurred that affected five sites for one hour and 38 minutes, per the report. Oracle pointed to software errors happening as a result of “data failing to populate in a separate application used by VA,” and company representatives said that the company did not have the monitoring in place at the time. Oracle later added monitoring that would “alert it to the software errors more quickly.”

Meanwhile, in a separate memorandum from August published Monday, the IG directed the VHA undersecretary for health to address concerns that facility leaders and staff have expressed during health care facility inspections.

The memo said that during interviews at medical facilities, staff described the new EHR as a “system shock.”

OIG reported that leaders at the VA Southern Oregon Healthcare System described the implementation of the new EHR as “the single largest challenge that we have here” and said it has impacted “every system,” thereby “rewriting the way VA does business.” Staff at this center, as well as at the Jonathan M. Wainwright Memorial VA Medical Center, raised concerns about the efficiency and loss of productivity, staffing, financial impacts and patient safety.