GAO - Government Accountability Office

06/02/2026 | Press release | Distributed by Public on 06/02/2026 07:32

Electronic Health Records: Better Goals and Measures Would Improve Interagency Cybersecurity Collaboration

What GAO Found

The Department of Defense (DOD) has primary responsibility for ensuring the cybersecurity of the federal electronic health record (EHR). The Federal Electronic Health Record Modernization office (FEHRM) is responsible for providing direction and oversight on joint functions. To that end, the FEHRM works to improve interagency cybersecurity and privacy collaboration by providing opportunities for partner agencies to coordinate and by initiating joint activities to enhance the security of the system. Accordingly, the FEHRM facilitated collaboration among partner agencies; however, the collaboration would be improved by fully addressing leading practices. For example, it has not fully articulated specific or common goals or outcomes related to the cybersecurity of the EHR or the privacy of data within it. Further, the FEHRM reported that it did not have related performance measures for monitoring progress towards these outcomes.

Extent to Which the FEHRM Followed Leading Interagency Collaboration Practices

Addressing the shortfalls in interagency collaboration could provide better understanding of the resources needed to address shared responsibilities and clearer insight into the impacts of joint efforts. As a result, the FEHRM, partner agencies, and Congress could have greater assurance that appropriate actions are being taken to keep the system and its data secure and to prevent its exploitation by adversaries.

Why GAO Did This Study

The federal EHR is a single system used to store, share, and analyze patient care information. The system is housed in a data center, referred to as the federal enclave. The system supports the delivery of healthcare to millions of beneficiaries across four partner agencies: DOD, the Department of Veterans Affairs (VA), the U.S. Coast Guard, and the National Oceanic and Atmospheric Administration. The FEHRM is a joint DOD-VA decision-making authority for the federal EHR with requirements set by Congress.

The Further Consolidated Appropriations Act, 2024 includes a provision for GAO to report on aspects of the federal EHR. This report (1) describes the federal EHR system and its management, (2) identifies the roles and responsibilities for the cybersecurity of the system and protecting the privacy of the data within it, and (3) examines how agencies are collaborating to keep the system and its data secure.

To conduct this work, GAO reviewed interagency agreements regarding the use of the federal EHR and relevant agency cybersecurity and privacy policies, and interviewed agency officials. GAO also compared FEHRM collaboration efforts to leading collaboration practices.

GAO - Government Accountability Office published this content on June 02, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on June 02, 2026 at 13:32 UTC.