The Broadside · News · incident-response, trade-press · 1 min read

GAO faults FEHRM's federal EHR cyber coordination

A single health record system with four agency owners still needs one accountable incident playbook.


TL;DR

Government Executive reports that GAO found the Federal Electronic Health Record Modernization office does not fully follow leading collaboration practices for cybersecurity and privacy across the Department of Veterans Affairs, Defense Department, Coast Guard and NOAA. The completed EHR is expected to support more than 500,000 users caring for over 18 million servicemembers, veterans and family members. FEHRM’s unresolved goals and measures matter because the joint incident framework has been in development since 2021.

The GAO report, as Government Executive describes it, is a governance story with breach consequences. The Federal Electronic Health Record Modernization office, or FEHRM, oversees the push toward one interoperable electronic health record for the Department of Veterans Affairs, Defense Department, Coast Guard and NOAA. GAO says FEHRM has promoted collaboration but has not set well-defined common cybersecurity and privacy goals, outcomes or performance measures. Without those, four participating agencies produce four partial answers to the same incident.

The split is real by design. DOD is primarily responsible for the EHR software and the network used to access it. VA also has responsibility for cybersecurity of its own network. Each of the four agencies manages its own networks and its privacy-law obligations for user data. The finished system is expected to have more than 500,000 users caring for over 18 million servicemembers, veterans and family members. At that scale, generic collaboration language is too soft to survive contact with a real incident.

GAO’s most concrete warning concerns the Joint Incident Management Framework, which FEHRM has been working on since 2021 and which was most recently scheduled for April, according to Government Executive. GAO recommended that DOD and VA leaders press FEHRM to define goals, outcomes and performance measures, then monitor, assess and communicate progress. DOD did not concur with the report as written. VA neither agreed nor disagreed and said it had first focused on building a unified culture with partner agencies. Culture helps; in incident response, measured handoffs help more. A joint framework with no agreed severity definitions, notification clocks or named decision owners leaves every cross-agency handoff to be negotiated while the incident is under way.


Published ·Deep Fathom