Monday, July 6, 2026
HomeHealthcareGAO: Federal EHR Cybersecurity Wants Stronger Governance, Clearer Accountability

GAO: Federal EHR Cybersecurity Wants Stronger Governance, Clearer Accountability

As healthcare organizations proceed to face an escalating cyber menace surroundings, a new report from the U.S. Authorities Accountability Workplace (GAO) underscores that expertise alone shouldn’t be sufficient to guard digital well being information. Robust governance, measurable targets, and coordinated management are equally important.

The report examines cybersecurity oversight of the federal digital well being file (EHR)—a shared Oracle Well being Millennium platform utilized by the Division of Protection (DOD), Division of Veterans Affairs (VA), U.S. Coast Guard, and Nationwide Oceanic and Atmospheric Administration. When totally deployed, the system will help greater than 500,000 customers caring for over 18 million beneficiaries, making it one of many nation’s largest EHR environments.

Though GAO discovered that the Federal Digital Well being Document Modernization (FEHRM) workplace has established a collaborative governance construction and helped coordinate cybersecurity efforts amongst collaborating companies, the audit concluded that important administration gaps stay. Particularly, FEHRM has not established widespread cybersecurity targets, measurable outcomes, or efficiency metrics to guage whether or not collaboration is successfully decreasing cyber threat.

The findings come as healthcare cybersecurity continues to obtain heightened consideration following main ransomware assaults which have disrupted care supply nationwide. The report factors to the 2024 cyberattack that disrupted prescription processing throughout the healthcare sector, inflicting delays at army pharmacies and making a backlog of roughly 1 million VA prescription claims.

For well being system executives, the report reinforces a broader lesson that extends past the federal authorities: governance should evolve alongside cybersecurity expertise. Organizations working advanced, multi-entity medical environments can’t rely solely on technical controls. In addition they want clearly outlined management tasks, measurable aims, and ongoing accountability for collaborative safety efforts.

GAO famous that FEHRM has efficiently carried out a number of collaborative actions, together with common interagency cybersecurity conferences, tabletop workout routines, joint governance boards, and coordination round configuration administration and incident response. Nevertheless, a number of deliberate initiatives—together with a Joint Safety Operations Heart and an interagency cyber evaluation—had been both modified or discontinued due to organizational and staffing challenges.

Maybe most regarding, GAO discovered that FEHRM solely totally met 5 of eight main practices for efficient interagency collaboration. It partially met requirements associated to defining widespread outcomes and sustaining management, whereas failing to satisfy the follow of guaranteeing accountability as a result of it lacks efficiency measures to observe cybersecurity collaboration.

GAO’s suggestions

Moderately than recommending new cybersecurity applied sciences, GAO centered on strengthening governance and oversight. It recommends that DOD and VA direct FEHRM to:

  • Set up clear, shared cybersecurity and privateness targets throughout collaborating companies.
  • Outline measurable short- and long-term outcomes for shielding the federal EHR.
  • Develop efficiency measures that observe progress towards these targets.
  • Often monitor, assess, and talk outcomes to company management and Congress.
  • Strengthen accountability by tying collaborative actions to measurable outcomes quite than merely documenting that collaboration occurred.

Why it issues for healthcare leaders

Whereas the report focuses on the federal EHR, its conclusions have implications throughout the healthcare business. Many well being techniques right this moment function more and more interconnected environments involving affiliated hospitals, doctor teams, pharmacies, well being info exchanges, cloud distributors, and third-party expertise companions.

As these ecosystems develop, cybersecurity turns into as a lot a governance problem as a technical one. Healthcare organizations ought to think about whether or not they have:

  • Clearly outlined cybersecurity aims shared throughout all collaborating organizations.
  • Govt-level accountability for cross-organizational cyber threat.
  • Significant efficiency metrics that measure collaboration—not merely compliance.
  • Formal incident response processes that span organizational boundaries.
  • Management succession and governance buildings able to sustaining long-term cybersecurity applications.

The GAO concludes that with out clearly articulated targets and measurable efficiency indicators, organizations threat being unable to display whether or not collaborative cybersecurity efforts are literally enhancing resilience. For healthcare leaders, the message is easy: efficient cyber protection relies upon not solely on stronger expertise, but in addition on stronger governance, shared accountability, and measurable outcomes.

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments