VA Medical Facility Security: Actions Needed to Address Longstanding Risks

What GAO Found

The Department of Veterans Affairs (VA) is responsible for securing its facilities. GAO has identified security challenges at VA medical facilities and made recommendations to help manage related risks.

In January 2018, for example, GAO found limitations with VA's risk assessment methodology and recommended VA review and revise its risk management policies to reflect interagency standards, and develop an oversight strategy to assess its facilities' risk management programs. VA has not yet fully implemented these recommendations as of April 2026.

In April 2026, GAO reported that its 2025 covert testing found security vulnerabilities at selected VA facilities. In some cases, VA security measures were not effective. Specifically, VA failed to detect most of GAO's covert tests related to security vulnerabilities it had previously identified in its risk assessments of its medical facilities. For example:

• In all 30 tests, VA staff did not detect a prohibited weapon that GAO investigators carried into the VA facilities, including two that had metal detectors.
• In 25 of 26 tests, VA staff did not confront an investigator drinking in plain view from a bottle labeled vodka-which is generally prohibited at VA facilities.

Undercover GAO Investigator Appearing to Drink Alcohol in a VA Medical Facility

Taking actions to address GAO recommendations would better provide VA with information it needs to make informed decisions, allocate resources effectively, and prioritize security efforts to create a safe environment for veterans and VA staff.

Why GAO Did This Study

VA oversees the largest integrated health care system in the U.S., serving 9 million enrolled veterans at over 1,300 facilities. VA employees, veteran patients, and medical facilities have been the targets of violence, threats, and other security-related incidents in recent years, including nonviolent crimes such as disorderly conduct and theft.

The Interagency Security Committee (ISC)-which VA is a member of- developed a risk management standard that federal agencies must follow to identify and address the types of security vulnerabilities impacting their facilities.

GAO has conducted work related to the ISC's risk management standard and security at VA medical facilities. This statement, based primarily on three reports published from January 2013 to April 2026, discusses challenges VA faces related to the security of its facilities and actions that could help address those challenges, among other issues.