GAO Urges Improved Cybersecurity Coordination for DoD and VA EHR Systems

The U.S. Government Accountability Office (GAO) has issued a stark warning about the cybersecurity coordination between the Department of Defense (DoD) and the Department of Veterans Affairs (VA). The joint Federal Electronic Health Record Modernization Office (FEHRM) is failing to fully adhere to leading practices for collaboration, potentially compromising the security of sensitive patient data.

The GAO's report, which covers a performance audit conducted from June 2024 to June 2026, underscores the critical importance of robust cybersecurity measures. The federal EHR system serves millions of service members, veterans, and employees of the U.S. Coast Guard and the National Oceanic and Atmospheric Administration (NOAA). With over 200,000 healthcare provider users and an anticipated 500,000 users once the VA completes its deployment by 2031, the stakes are high.

GAO's Key Findings and Recommendations

The audit revealed that while the DoD completed its implementation of the Oracle Health EHR in 2024, the VA is still in the process of migrating all its medical facilities to the new system. The GAO examined interagency agreements and relevant agency cybersecurity and privacy policies to assess how well the FEHRM is protecting patient data.

One of the primary issues identified is a lack of clear roles and responsibilities within the FEHRM. According to the report, this ambiguity hampers effective collaboration between the DoD and VA. The GAO recommends establishing more defined roles and implementing regular cybersecurity assessments to identify and address vulnerabilities proactively.

Another critical finding is the absence of formal mechanisms for sharing threat intelligence and incident response strategies. This gap could leave the system vulnerable to cyberattacks that could compromise patient privacy and data integrity. The report suggests creating a dedicated task force or committee to facilitate better communication and coordination between the two departments.

The GAO also noted that while both agencies have cybersecurity policies in place, they are not consistently applied across all components of the EHR system. This inconsistency can lead to security gaps that malicious actors could exploit. The watchdog recommends standardizing these policies and ensuring regular compliance checks.

Why It Matters

The implications of inadequate cybersecurity coordination between the DoD and VA extend far beyond technical vulnerabilities. Patient records contain sensitive information, including medical histories, personal identifiers, and treatment details. A breach of this data could have severe consequences for individuals, ranging from identity theft to compromised health outcomes.

The trust that service members and veterans place in these institutions is paramount. Ensuring the security and privacy of their health records is not just a legal obligation but a moral one. The GAO's recommendations are a call to action for both agencies to take immediate steps to strengthen their cybersecurity frameworks.

VA Secretary Doug Collins has already signaled an increased commitment to EHR modernization, with a 25% budget increase proposed for FY 2027 over the current 2027 Military Construction and Veterans Affairs appropriations. This additional funding could be crucial in implementing the GAO's recommendations and enhancing overall system security.

In a world where cyber threats are becoming more sophisticated, it is imperative that government agencies responsible for managing critical health data take proactive measures to protect their systems. The safety and well-being of millions depend on it.