Recommendations
2065
ID | Report Number | Report Title | Type | |
---|---|---|---|---|
19-08980-95 | Deficiencies in Infrastructure Readiness for Deploying VA’s New Electronic Health Record System | Audit | ||
1 Establish an infrastructure-readiness schedule for future deployment sites that incorporates lessons learned from DoD.
Closure Date:
2 Reassess the enterprise-wide deployment schedule to ensure projected milestones are realistic and achievable, considering the time needed for facilities to complete infrastructure upgrades.
Closure Date:
3 Implement tools to comprehensively monitor the status and progress of medical devices at the enterprise level.
Closure Date:
4 Standardize infrastructure requirements in conjunction with VHA and the OIT and ensure those requirements are disseminated to all necessary staff.
Closure Date:
5 Evaluate physical infrastructure for consistency with OEHRM requirements and monitor completion of those evaluations.
Closure Date:
6 Fill infrastructure-readiness team vacancies until optimal staffing levels are attained.
Closure Date:
7 Ensure physical security assessments are completed and addressed at future electronic health record deployment sites.
Closure Date:
8 Ensure all access points to physical infrastructure are secured and inaccessible to unauthorized individuals.
Closure Date:
| ||||
19-06935-96 | Federal Information Security Modernization Act Audit for Fiscal Year 2019 | Audit | ||
1 We recommended the Assistant Secretary for Information and Technology consistently implement an improved continuous monitoring program in accordance with the NIST Risk Management Framework. Specifically, implement an independent security control assessment process to evaluate the effectiveness of security controls prior to granting authorization decisions. (This is a modified repeat recommendation from prior years.)
Closure Date:
2 We recommended the Assistant Secretary for Information and Technology implement improved mechanisms to ensure system stewards and information system security officers follow procedures for establishing, tracking, and updating Plans of Action and Milestones for all known risks and weaknesses including those identified during security control assessments. (This is a modified repeat recommendation from prior years.)
Closure Date:
3 We recommended the Assistant Secretary for Information and Technology implement controls to ensure that system stewards and responsible officials obtain appropriate documentation prior to closing Plans of Action and Milestones. (This is a modified repeat recommendation from prior years.)
Closure Date:
4 We recommended the Assistant Secretary for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, include an accurate status of the implementation of system security controls, and all applicable security controls are properly evaluated. (This is a repeat recommendation from prior years.)
Closure Date:
5 We recommended the Assistant Secretary for Information and Technology implement improved processes for reviewing and updating key security documents such as security plans and interconnection agreements on an annual basis and ensure the information accurately reflects the current environment. (This is a modified repeat recommendation from prior years.)
Closure Date:
6 We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure compliance with VA password policy and security standards on domain controls, operating systems, databases, applications, and network devices. (This is a repeat recommendation from prior years.)
Closure Date:
7 We recommended the Assistant Secretary for Information and Technology implement periodic reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeat recommendation from prior years.)
Closure Date:
8 We recommended the Assistant Secretary for Information and Technology enable system audit logs on all critical systems and platforms and conduct centralized reviews of security violations across the enterprise. (This is a repeat recommendation from prior years.)
Closure Date:
9 We recommended the Assistant Secretary for Information and Technology fully implement two-factor authentication to the extent feasible for all user accounts throughout the agency. (This is a repeat recommendation from prior years.)
Closure Date:
10 We recommended the Assistant Secretary for Information and Technology implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and web application servers. (This is a repeat recommendation from prior years.)
Closure Date:
11 We recommended the Assistant Secretary for Information and Technology implement a more effective patch and vulnerability management program to address security deficiencies identified during our assessments of VA’s web applications, database platforms, network infrastructure, and workstations. (This is a repeat recommendation from prior years.)
Closure Date:
12 We recommended the Assistant Secretary for Information and Technology maintain a complete and accurate security baseline configuration for all platforms and ensure all baselines are appropriately implemented for compliance with established VA security standards. (This is a repeat recommendation from prior years.)
Closure Date:
13 We recommended the Assistant Secretary for Information and Technology implement improved network access controls that restrict medical devices from systems hosted on the general network. (This is a modified repeat recommendation from prior years.)
Closure Date:
14 We recommended the Assistant Secretary for Information and Technology consolidate the security responsibilities for networks not managed by the Office of Information and Technology, under a common control for each site and ensure vulnerabilities are remediated in a timely manner. (This is a repeat recommendation from prior years.)
Closure Date:
15 We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure that all devices and platforms are evaluated using credentialed vulnerability assessments. (This is a repeat recommendation from prior years.)
Closure Date:
16 We recommended the Assistant Secretary for Information and Technology implement improved procedures to enforce standardized system development and change control processes that integrate information security throughout the life cycle of each system. (This is a repeat recommendation from prior years.)
Closure Date:
17 We recommended the Assistant Secretary for Information and Technology review system boundaries, recovery priorities, system components, and system interdependencies and implement appropriate mechanisms to ensure that established system recovery objectives are met. (This is a modified repeat recommendation from prior years.)
Closure Date:
18 We recommended the Assistant Secretary for Information and Technology implement more effective agency-wide incident response procedures to ensure timely notification, reporting, updating, and resolution of computer security incidents in accordance with VA standards. (This is a repeat recommendation from prior years.)
Closure Date:
19 We recommended the Assistant Secretary for Information and Technology ensure that VA’s Cybersecurity Operations Center has full access to all security incident data to facilitate an agency-wide awareness of information security events. (This is a repeat recommendation from prior years.)
Closure Date:
20 We recommended the Assistant Secretary for Information and Technology implement improved safeguards to identify and prevent unauthorized vulnerability scans on VA networks. (This is a repeat recommendation from prior years.)
Closure Date:
21 We recommended the Assistant Secretary for Information and Technology implement improved measures to ensure that security control deficiencies are tracked individually instead of consolidating security deficiencies under one control. (This is a modified repeat recommendation from prior years.)
Closure Date:
22 We recommended the Assistant Secretary for Information and Technology fully develop a comprehensive list of approved and unapproved software and implement continuous monitoring processes to prevent the use of prohibited software on agency devices. (This is a repeat recommendation from prior years.)
Closure Date:
23 We recommended the Assistant Secretary for Information and Technology develop a comprehensive inventory process to identify connected hardware, software, and firmware used to support VA programs and operations. (This is a repeat recommendation from prior years.)
Closure Date:
24 We recommended the Assistant Secretary for Information and Technology implement improved procedures for monitoring contractor-managed systems and services and ensure information security controls adequately protect VA sensitive systems and data. (This is a modified repeat recommendation from prior years.)
Closure Date:
25 We recommended the Executive in Charge for Information and Technology ensure appropriate levels of background investigations be completed for all personnel in a timely manner, implement processes to monitor and ensure timely reinvestigations on all applicable employees and contractors, and monitor the status of the requested investigations.
Closure Date:
| ||||
19-08374-112 | Deficiencies in the Administration of Emergent Mental Health Services at Coatesville VA Medical Center, Pennsylvania | Hotline Healthcare Inspection | ||
1 The Under Secretary for Health ensures the clarification of policy regarding emergent mental health services extension request procedures including expected timeframes and patient notification processes.
Closure Date:
2 The Under Secretary for Health expedites the establishment of policy regarding follow-up of patients identified by the Recovery Engagement and Coordination for Health – Veterans Enhanced Treatment program and no longer receiving Veterans Health Administration services.
Closure Date:
3 The Coatesville VA Medical Center Director ensures compliance with the 90-day emergent mental health services extension request policies and procedures, as required by the Veterans Health Administration.
Closure Date:
4 The Coatesville VA Medical Center Director evaluates the Grant and Per Diem Program medical emergency procedures, seeks consultation with relevant subject matter experts including IntegratedEthics®, and takes action as appropriate.
Closure Date:
| ||||
19-07682-103 | Deficiencies in a Cardiac Research Study at the VA St. Louis Health Care System, Missouri | Hotline Healthcare Inspection | ||
1 The VA St. Louis Health Care System Director makes certain the Chief of Staff ensures research providers take action based on stress-test results to include coordination of care and notification to primary providers as warranted.
Closure Date:
2 The VA St. Louis Health Care System Director ensures that a full retrospective review of patients enrolled, to date, in the Arm Exercise Versus Pharmacologic Stress Testing for Clinical Outcome Prediction study with positive stress tests received communication of their test result and follow-up care if indicated.
Closure Date:
3 The VA St. Louis Health Care System Director ensures that a review of Patient A’s case is completed to determine if disclosure is warranted.
Closure Date:
4 The VA St. Louis Health Care System Director makes certain that the Institutional Review Board ensures adherence to the research study plan related to communication to the primary provider of patient enrollment in the study.
Closure Date:
5 The VA St. Louis Health Care System Director ensures alignment of content for the regadenoson stress test protocols and education provided to staff and healthcare trainees.
Closure Date:
6 The VA St. Louis Health Care System Director ensures the stress test laboratory regadenoson protocol meets VA St. Louis Health Care System Memorandum 00-34 requirements.
Closure Date:
| ||||
19-07096-108 | Deficient Staffing and Competencies in Sterile Processing Services at the VA Black Hills Healthcare System, Fort Meade Campus, South Dakota | Hotline Healthcare Inspection | ||
1 The VA Black Hills Healthcare System Director complies with Veterans Health Administration requirements that Level 1 and 2 facilities have an assistant chief of Sterile Processing Services on staff.
Closure Date:
2 The VA Black Hills Healthcare System Director ensures that Sterile Processing Services leaders track changes to manufacturer’s instructions, updates standard operating procedures, retrains staff as needed, and monitors compliance with Veterans Health Administration policy.
Closure Date:
3 The VA Black Hills Healthcare System Director ensures that Sterile Processing Services leaders maintain up-to-date staff competencies for reprocessing, and monitors compliance with Veterans Health Administration policy.
Closure Date:
| ||||
19-05866-82 | Review of Regional Procurement Office East’s Contract Closeout Compliance | Review | ||
1 The OIG recommended that the executive director of VHA Procurement establish effective and consistent quality assurance reviews, especially for contracts deemed higher risk, to ensure all closeout requirements, such as identifying and deobligating excess funds, closing out contracts timely, and properly completing and uploading closeout documentation, are performed in accordance with the Federal Acquisition Regulation and the Veterans Health Administration procurement manual.
Closure Date:
2 The OIG recommended that the executive director of VHA Procurement ensure all contracting officers receive standardized training regarding the Veterans Health Administration procurement manual closeout procedures, including the correct use of closeout procedures for contracts that are awarded using Federal Acquisition Regulation part 8 and simplified acquisition procedures.
Closure Date:
3 The OIG recommended that the executive director of VHA Procurement ensure the contract files for the 40 sampled contracts have complete closeout documentation in accordance with the Federal Acquisition Regulation and Veterans Health Administration procurement manual.
Closure Date:
| ||||
19-07090-90 | Alleged Issues in the Cardiology Department at the Richard L. Roudebush VA Medical Center, Indianapolis, Indiana | Hotline Healthcare Inspection | ||
1 The Richard L. Roudebush VA Medical Center Director reviews and develops cardiology recruitment and retention processes to reach the approved staffing level.
Closure Date:
2 The Richard L. Roudebush VA Medical Center Director explores the possible reasons for difficulties recruiting and retaining cardiologists and takes action to resolve identified issues.
Closure Date:
3 The Richard L. Roudebush VA Medical Center Director ensures that facility staff understand the Veterans Health Administration policy regarding authorized and unauthorized patient wait lists, and monitors compliance.
Closure Date:
4 The Richard L. Roudebush VA Medical Center Director ensures facility managers train staff regarding the consult process and wait list policies, and monitors compliance.
Closure Date:
| ||||
18-01275-89 | Quality of Care Issues in the Community Living Center and Emergency Department at the Dayton VA Medical Center, Ohio | Hotline Healthcare Inspection | ||
1 The Dayton VA Medical Center Director identifies facility resources and other means for provider education and training to strengthen skills when deficiencies in care are identified during peer reviews.
Closure Date:
2 The Dayton VA Medical Center Director ensures that Peer Review Committee meeting minutes document reasons for changes to peer review levels, and that changes are consistent with its review of relevant aspects of clinical care.
Closure Date:
3 The Dayton VA Medical Center Director ensures review of procedures to make certain gastroenterology staff coordinate care with referring providers and provide staff training on care coordination procedures as needed.
Closure Date:
4 The Dayton VA Medical Center Director makes certain that Community Living Center staff utilize the Situation, Background, Assessment, and Recommendation communication tool and document transfers to the Emergency Department in accordance with Dayton VA Medical Center policy.
Closure Date:
5 The Dayton VA Medical Center Director considers consolidating Medical Center policies related to patient transfers and transports to and from the Emergency Department into one policy to provide clear guidance to staff to effect timely transfers.
Closure Date:
6 The Dayton VA Medical Center Director ensures consistent implementation of standing orders in the Emergency Department.
Closure Date:
7 The Dayton VA Medical Center Director verifies policies and procedures are in place for monitoring of critically ill patients to track deterioration and need for intervention in the Emergency Department and during transport, and monitor compliance.
Closure Date:
8 The Dayton VA Medical Center Director ensures that handoff communication between Emergency Department providers is accurate and documented in the electronic health record during transitions in care in accordance with Dayton VA Medical Center policy, and compliance is monitored.
Closure Date:
9 The Dayton VA Medical Center Director ensures review of results from the revision of the Dayton VA Medical Center policy on threshold for peer review findings to trigger management reviews in order to confirm the revised policy is appropriately sensitive to identify provider practice issues that constitute patient safety concerns, and revise the policy if needed.
Closure Date:
10 The Dayton VA Medical Center Director confirms all code carts in the Emergency Department are processed and secured consistent with Dayton VA Medical Center policy.
Closure Date:
11 The Dayton VA Medical Center Director ensures Emergency Department supplies are secured and maintained consistent with Dayton VA Medical Center policy.
Closure Date:
12 The Dayton VA Medical Center Director ensures continued monitoring and compliance with bar code medication administration policy in the Community Living Center.
Closure Date:
13 The Dayton VA Medical Center Director reviews document management procedures for professional practice evaluations and takes actions as needed to comply with the VA Records Control Schedule.
Closure Date:
| ||||
19-07119-80 | Telehealth Public-Use Questionnaires Were Used Improperly to Determine Disability Benefits | Review | ||
1 Determine whether public-use disability benefits questionnaires continue to be an effective means of gathering evidence to support claims for benefit entitlement and, if necessary, take steps to discontinue their use.
Closure Date:
2 Update the Veterans Benefits Administration’s adjudication procedures manual to assist claims processors in determining whether public-use disability benefits questionnaires were conducted through telehealth and include specific steps on what to do if claims processors suspect that public-use disability benefits questionnaires were completed via telehealth.
Closure Date:
3 Revise public-use disability benefits questionnaire forms to include a mechanism for the private provider to indicate whether the examination was completed in person or through telehealth.
Closure Date:
4 Notify veterans and private providers on public-facing forums and public-use disability benefits questionnaires that telehealth examinations are not acceptable for use in making benefit entitlement determinations.
Closure Date:
| ||||
18-03251-88 | Alleged Improper Locality Pay for Teleworking Employee | Administrative Investigation | ||
1 The Office of General Counsel communicates to its telework-approving supervisors that they lack authority to grant permanent exceptions to the twice-per-pay-period reporting requirement of 5 C.F.R. § 531.605(d)(1), and that in any instance in which an exception is granted pursuant to 5 C.F.R. § 531.605(d)(2) or any other applicable provision, the supervisor is obligated to periodically reassess the employee’s telework arrangement to determine whether a permanent change of official worksite is necessary.
Closure Date: