The Broadside · News

GAO faults FEHRM’s cyber coordination on federal EHR

The hard part is not naming four owners; it is making one incident playbook work when the record system is shared.


TL;DR

GAO found the Federal Electronic Health Record Modernization office lacks well-defined common goals, outcomes and performance measures for cybersecurity and privacy collaboration, according to NextGov/FCW. The shared EHR spans VA, DoD, the Coast Guard and NOAA, and is expected to support more than 500,000 users caring for over 18 million people. The awkward part is governance: DoD, VA and each participating agency hold different pieces of cyber, network and privacy responsibility.

GAO’s finding is less about whether the federal electronic health record is important, and more about whether its owners have built the machinery to defend it together. NextGov/FCW reports that the watchdog said the Federal Electronic Health Record Modernization office has started collaboration efforts with VA, DoD, the Coast Guard and NOAA, but has not fully followed leading practices because it lacks clear common goals, outcomes and performance measures for cybersecurity and privacy.

That matters because the system is not a single-agency IT project with a tidy owner. DoD is primarily responsible for managing cybersecurity of the EHR software and the network used to access it. VA has responsibility for its own network. Each participating agency manages its own network and must comply with applicable privacy laws for user data. The completed system is expected to have more than 500,000 users providing care to more than 18 million servicemembers, veterans and family members. In that environment, “coordination” cannot just mean meetings and goodwill.

GAO’s more concrete concern is the missing control loop. FEHRM has been working since 2021 on a Joint Incident Management Framework to streamline responses to cyber threats directed at the EHR, with the guidance most recently scheduled for April, according to the report described by NextGov/FCW. GAO warned that without defined goals and outcomes, planned efforts like that framework may be delayed or impeded. FEHRM officials also told GAO in January 2026 that the office was still developing its fiscal 2026 goals.

The recommendations run through DoD and VA leadership, which GAO said should press FEHRM to define common goals, outcomes and performance measures, then monitor, assess and communicate progress. DoD did not concur with the report as written. VA neither agreed nor disagreed, saying it first focused on building a unified culture and trust with partner agencies. Culture helps. It does not substitute for a measurable incident-response framework when four agencies are attached to one of the largest health record systems in the country.


Published · Deep Fathom