OIG Seal
Department of Veterans Affairs, Office of Inspector General
Michael J. Missal, Inspector General

OIG Reports

| 18-01455-108 | Summary | Report

Recommendations (8)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Veterans Health Administration (VHA)

The VA Eastern Colorado Health Care System Director confirms that providers who perform patients’ clinical histories complete medication reconciliation to include non-VA medications.

No. 2   to Veterans Health Administration (VHA)

The VA Eastern Colorado Health Care System Director confirms that healthcare providers further evaluate patients when indicators of infection are present, including rising white blood cell counts, and that providers take action as appropriate.

No. 3   to Veterans Health Administration (VHA)

The VA Eastern Colorado Health Care System Director ensures that patient care teams verify that resources needed upon discharge, including family assistance, are available and meets patients’ needs.

No. 4   to Veterans Health Administration (VHA)

The VA Eastern Colorado Health Care System Director strengthens processes and documentation that is consistent with Veterans Health Administration Directive 1140.11 when elderly patients are transitioning in care.

No. 5   to Veterans Health Administration (VHA)

The VA Eastern Colorado Health Care System Director conducts a review of the interdisciplinary discharge planning team notes and patient discharge orders to identify and correct provider to patient communication deficiencies, and if deficiencies are noted, develop action plans to rectify the communication and mitigation issues identified.

No. 6   to Veterans Health Administration (VHA)

The VA Eastern Colorado Health Care System Director verifies that outpatient podiatry scheduling practices align with Veterans Health Administration and VA Eastern Colorado Health Care System podiatry scheduling policies and takes action as necessary.

No. 7   to Veterans Health Administration (VHA)

The VA Eastern Colorado Health Care System Director verifies that Wound Care Clinic practice aligns with VA Eastern Colorado Health Care System policy and takes action as necessary.

No. 8   to Veterans Health Administration (VHA)

The VA Eastern Colorado Health Care System Director ensures that a review is conducted of podiatry resident supervision and develop and implement corrective action plans with timelines and oversight of podiatry residency program as necessary.

Total Monetary Impact of All Recommendations

These recommendations have no monetary value.

| 18-05872-103 | Summary | Report

Recommendations (1)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Veterans Health Administration (VHA)

The Tomah VA Medical Center Director continues efforts to educate providers and improve compliance with risk mitigation strategies.

Total Monetary Impact of All Recommendations

These recommendations have no monetary value.

| 17-05297-85 | Summary | Report

Recommendations (2)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Veterans Health Administration (VHA)

The Under Secretary for Health ensures that patients with confirmed positive chronic hepatitis C infection have provider documentation to address treatment considerations entered in their EHRs.

No. 2   to Veterans Health Administration (VHA)

The Under Secretary for Health ensures that providers obtain posttreatment hepatitis C RNA tests to evaluate patient response to DAA treatment in alignment with VA National Viral Hepatitis Program Guidelines.

Total Monetary Impact of All Recommendations

These recommendations have no monetary value.

Supplemental InformationToggle Content

Companion Podcast

The OIG's David Vibe, Glenn Schubert, and Dr. Patrice Marcarelli discuss the Veterans Health Administration's treatment of hepatitis C and the use of new direct-acting antivirals that can cure hepatitis C.

| 18-02127-64 | Summary | Report

Recommendations (27)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology consistently implement the agency-wide risk management governance structure, along with mechanisms to identify, monitor, and manage risks across the enterprise. (This is a modified repeat recommendation from prior years.)

No. 2   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement mechanisms to ensure sufficient supporting documentation is captured to justify closure of Plans of Action and Milestones. (This is a repeat recommendation from prior years.)

No. 3   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement improved processes to ensure that all identified weaknesses are incorporated into the Governance Risk and Compliance tool in a timely manner, and corresponding Plans of Action and Milestones are developed to track corrective actions and remediation. (This is arepeat recommendation from prior years.)

No. 4   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement clear roles, responsibilities, and accountability for developing, maintaining, completing, and reporting on Plans of Action and Milestones. (This is a repeat recommendation from prioryears.)

No. 5   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, include an accurate status of the implementation of system security controls, and all applicable security controls are properly evaluated. (This is a repeat recommendation from prior years.)

No. 6   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement improved processes for reviewing and updating key security documents such as security plans and security control assessments on an annual basis and ensure the information accurately reflects the current environment. (This is a modified repeat recommendation from prior years.)

No. 7   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement mechanisms to enforce VA password policies and standards on all operating systems, databases, applications, and network devices. (This is a repeat recommendation from prioryears.)

No. 8   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement periodic reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeatrecommendation from prior years.)

No. 9   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology enable system audit logs on all critical systems and platforms and conduct centralized reviews of security violations across the enterprise. (This is a repeat recommendation from prior years.)

No. 10   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology fully implement two-factor authentication to the extent feasible for all user accounts throughout the agency. (This is a modified repeat recommendation from prior years.)

No. 11   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and web application servers. (This is a repeat recommendation from prior years.)

No. 12   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement a more effective patch and vulnerability management program to address security deficiencies identified during our assessments of VA’s web applications, database platforms, network infrastructure, and workstations. (This is a repeat recommendation from prior years.)

No. 13   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology maintain a complete and accurate security baseline configuration for all platforms and ensure all baselines are appropriately implemented for compliance with established VA security standards. (This is a repeat recommendation from prior years.)

No. 14   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement improved network access controls to restrict medical devices from the general network and ensure that databases, file shares, and management devices, are adequately secured prior to connecting to VA’s network. (This is a modified repeat recommendation from prior years.)

No. 15   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology consolidate thesecurity responsibilities for networks not managed by the Office of Information and Technology, under a common control for each site and ensure vulnerabilities are remediated in a timely manner. (This is a repeat recommendation from prior years.)

No. 16   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement improved processes to ensure that all devices and platforms are evaluated using credentialed vulnerability assessments. (This is a repeat recommendation from prior years.)

No. 17   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement improved procedures to enforce a standardized system development and change control framework that integrates information security throughout the life cycle of each system. (Thisis a repeat recommendation from prior years.)

No. 18   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement improved processes for ensuring that backup data is adequately secured in accordance with organizational policy. (This is a repeat recommendation from prior years.)

No. 19   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement improved processes for the review of system outages and disruptions for contingency plan improvements in accordance with defined policy. (This is a modified repeat recommendationfrom prior years.)

No. 20   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology identify all external network interconnections and implement improved processes for monitoring VA networks, systems, and connections for unauthorized activity. (This is a repeatrecommendation from prior years.)

No. 21   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement more effective agency-wide incident response procedures to ensure timely reporting, updating, and resolution of computer security incidents in accordance with VA standards. (This is arepeat recommendation from prior years.)

No. 22   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology ensure that VA’s Cybersecurity Operations Center has full access to all security incident data to facilitate anagency-wide awareness of information security events. (This is a repeat recommendationfrom prior years.)

No. 23   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement improved safeguards to identify and prevent unauthorized vulnerability scans on VA networks. (This is a modified repeat recommendation from prior years.)

No. 24   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology fully develop a comprehensive list of approved and unapproved software and implement continuous monitoring processes to prevent the use of prohibited software on agency devices. (This is amodified repeat recommendation from prior years.)

No. 25   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology develop a comprehensive inventory process to identify connected hardware, software, and firmware used to support VA programs and operations. (This is a modified repeat recommendationfrom prior years.)

No. 26   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement improved procedures for overseeing contractor-managed systems and ensure information security controls adequately protect VA sensitive systems and data. (This is a modified repeat recommendation from prior years.)

No. 27   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology implement mechanisms for updating their systems inventory, including contractor-managed systems and interfaces, and provide this information in accordance with Federal reporting requirements. (This is a repeat recommendation from prior years.)

Total Monetary Impact of All Recommendations

These recommendations have no monetary value.

Filter Options

Use the controls below to filter the list of OIG reports. Click on the headings to view the filter choices.

Current Filter

  • All records

4/22/2019 4:58:49 AM


Date RangeRemove

Limits the list of reports to those published in the date range specified below.

Report LocationRemove

Limits the list of reports to those pertaining to the cities selected below. Hold down the control key to select multiple values or to toggle an individual value on or off.

VA Administration/Staff OfficeRemove

Limits the list of reports to those pertaining to the VA offices selected below. Hold down the control key to select multiple values or to toggle an individual value on or off.

Report TypeRemove

Limits the list of reports to the report types selected below. Hold down the control key to select multiple values or to toggle an individual value on or off. For a description of the types of reports published by the OIG, please visit our Reports and Publications homepage.

OIG Report AuthorRemove

Limits reports to those authored by specific OIG elements.

Report NumbersRemove

Helpful for finding reports if you know the report number. Separate multiple values with semicolons.

Search TermsRemove

Limit the results to reports that match your search terms.

Recommendation StatusRemove

Limits reports to those with open or closed recommendations.

Recommendation Action OfficeRemove

Limits reports to those with recommendations specific to the following VA Offices

Displaying records at a time.