EHR modernization needs better cyber and privacy collaboration, GAO says


The Federal Electronic Health Record Modernization office needs to improve its interagency coordination to address potential privacy and security vulnerabilities in the new system, according to the watchdog.

The Government Accountability Office said on Tuesday that the unit overseeing the federal government’s new electronic health record system is not collaborating enough with its partner agencies to secure the software against digital threats or ensure that patient data is sufficiently protected. 

In a watchdog report, GAO said the Federal Electronic Health Record Modernization office “doesn't fully follow leading practices for collaboration” when it comes to the cybersecurity and privacy of data with the new EHR system. 

The office oversees the government’s effort to deploy one common, interoperable system across the Department of Veterans Affairs, the Defense Department, the U.S. Coast Guard and the National Oceanic and Atmospheric Administration. GAO said the completed system is expected to have “more than 500,000 users providing care to over 18 million servicemembers, veterans, and their families, making it one of the nation’s largest electronic health record systems.”

FEHRM was created through a joint charter signed by DOD and VA in December 2019, with the four participating agencies taking on varying levels of cyber and privacy responsibilities.

DOD is primarily responsible for managing the cybersecurity of the EHR software and the network used to access the system. GAO said VA also has “responsibility for the cybersecurity of its own network.” Each of the four agencies is also responsible for managing their own networks and following applicable privacy laws when it comes to handling users’ data.

While GAO said that FEHRM has “initiated a number of efforts to promote collaboration” with the four agencies, it added that “it has done so without well-defined common goals and outcomes.” The watchdog added that this includes concerns that the office does not “monitor, assess or communicate on performance measures” to hold its partners accountable.

“Articulating clear and measurable goals would better position the FEHRM to oversee the coordinated cybersecurity of the federal EHR by providing insight into the specific resources, skills, or time needed to address shared responsibilities,” the report said. “Further, these goals would help hold the FEHRM accountable for demonstrating how its activities, such as the development of the Joint Incident Management Framework, align with the common outcomes it seeks to achieve.”

FEHRM has been working to create the framework since 2021 to streamline agency responses to EHR-directed cyber threats, with GAO saying the guidance was most recently scheduled to be released in April. 

Without outlining clear goals and outcomes, the watchdog said “progress on planned efforts, such as the Joint Incident Management Framework, may be impeded or further delayed.”

GAO’s concerns about planning extended to the office’s logistical operations, with the report saying that FEHRM “has not fully articulated specific short- or long-term goals or intended outcomes related to the cybersecurity of the federal EHR or the privacy of health data within it.” This included office officials telling GAO in January 2026 that the office was still developing its goals for fiscal year 2026.

The watchdog made two recommendations, including calling for both DOD and VA leaders to press FEHRM “to define common goals, outcomes, and associated performance measures, and monitor, assess, and communicate progress on collaboration efforts toward ensuring the cybersecurity and privacy of the federal enclave.”

DOD did not concur with the report as it was written. VA neither agreed nor disagreed with GAO’s takeaways, but said it initially focused on establishing a unified culture to build trust with partner agencies, which it called “the essential first step.” 

While the joint EHR system has reportedly not been directly targeted by a cyberattack, previous cyber incidents have underscored the impact these types of breaches and digital assaults can have on healthcare delivery. 

A February 2024 ransomware attack on Change Healthcare — a subsidiary of UnitedHealth Group and the largest healthcare payment system in the U.S. — disrupted payments and prescription processing at medical facilities across the U.S. This included VA’s systems, with an agency official saying at the time that it affected just over 40,000 veterans’ medications.

That attack also affected “interface assessments” at the Captain James A. Lovell Federal Health Care Center in North Chicago, Illinois, a joint DOD-VA facility that was in the process of switching over to the new federal EHR system. That rollout, which occurred in March 2024, was the Pentagon’s last site rollout of the new software.

DOD and NOAA have completed their deployments of the new software, and the Coast Guard is reportedly in the final stages of its rollout. VA, however, has faced numerous missteps in its own EHR implementation effort. 

VA paused most rollouts of the EHR system in April 2023 to address a host of safety, technical and usability concerns. The agency and DOD subsequently conducted the Lovell deployment, the sixth VA facility to receive the new software, during the reset period.

The agency recently resumed EHR software rollouts at four Michigan-based medical facilities in April and plans to deploy the system at nine more sites in 2026. VA Secretary Doug Collins told Congress last month that the new rollouts were “phenomenal,” although he said the agency needs to go back and fix issues at the first five sites that received the software.