OIG Seal
Department of Veterans Affairs, Office of Inspector General
Michael J. Missal, Inspector General

OIG Reports

| 21-01898-152 | Summary | Report

Recommendations (2)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Veterans Health Administration (VHA)

Direct the assistant under secretary for health operations to reinforce to medical facility directors the importance of establishing a process to ensure facility managers include pharmaceutical refrigerators and freezers in the facility’s routine maintenance schedules and develop and implement a procedure to make sure medical facilities follow VHA Notice 2021-16.

No. 2   to Veterans Health Administration (VHA)

Require the assistant under secretary for patient care services to coordinate with the assistant under secretary for health operations to update the 10N Guide to VHA Issue Briefs and clarify that medical facilities must report all refrigerated pharmaceutical loss via the issue brief tracker.

Total Monetary Impact of All Recommendations

Open: $ 5,100,000.00
Closed: $ 0.00

| 21-01123-97 | Summary | Report

Recommendations (3)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Office of Information and Technology (OIT)

The assistant secretary for information and technology and chief information officer will ensure the Veterans Data Integration and Federation Enterprise Platform security objectives are all set at a categorization level of high based upon both the sensitive personal information maintained in the system and the approved risk assessment.

No. 2   to Office of Information and Technology (OIT); Veterans Health Administration (VHA)

The assistant secretary for information and technology and chief information officer will act to reestablish the Veterans Data Integration and Federation Enterprise Platform in the Enterprise Mission Assurance Support Service to ensure appropriate security controls are implemented and the system is assessed at the high risk level.

No. 3   to Office of Information and Technology (OIT); Veterans Health Administration (VHA)

The assistant secretary for information and technology and chief information officer will ensure the Office of Information Technology provides appropriate oversight and follows proper program management processes and protocols when establishing and monitoring security controls for IT systems.

| 21-00846-104 | Summary | Report

Recommendations (3)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Veterans Health Administration (VHA)

Maximize opportunities to bill veterans’ private health insurers for recoverable claims by developing procedures that align and prioritize the processing of such claims to insurers’ filing deadlines.

No. 2   to Veterans Health Administration (VHA)

Strengthen information system controls to make certain that complete and accurate claims information is transferred between applicable current and future Community Care payment systems and the Consolidated Patient Account Centers’ workflow tool and VistA patient treatment files.

No. 3   to Veterans Health Administration (VHA)

Conduct an assessment to determine if staffing resources and workload are sufficiently aligned to process the anticipated volume of claims to be billed to veterans’ private health insurers and make adjustments as needed.

Total Monetary Impact of All Recommendations

Open: $ 805,200,000.00
Closed: $ 0.00

| 21-02437-120 | Summary | Report

Recommendations (5)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Veterans Benefits Administration (VBA)

The acting under secretary for benefits updates the School Certifying Official Handbook and considers other training aids to ensure how to calculate and report vacation breaks is clearly detailed.

No. 2   to Veterans Benefits Administration (VBA)

The acting under secretary for benefits develops and implements procedures for claims examiners to verify that all consecutive days are included in enrollments flagged for manual processing containing reported vacation breaks in the remarks section.

No. 3   to Veterans Benefits Administration (VBA)

The acting under secretary for benefits obtains amended enrollments from school certifying officials to correct vacation break reporting errors identified during this review and take remedial action when appropriate.

No. 4   to Veterans Benefits Administration (VBA)

The acting under secretary for benefits applies data analysis and record matching to identify enrollments with possible vacation break reporting errors made by school certifying officials, or processing errors by claims examiners.

No. 5   to Veterans Benefits Administration (VBA)

The acting under secretary for benefits includes in the development of the new automated system fields for vacation breaks to eliminate the need for manual processing.

Total Monetary Impact of All Recommendations

Open: $ 624,000.00
Closed: $ 0.00

| 21-02889-134 | Summary | Report

Recommendations (6)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Electronic Health Record Modernization Integration Office

The executive director of the Electronic Health Record Modernization Program Management Office complies with internal guidance and ensures the development of an integrated master schedule for the Electronic Health Record Modernization program that complies with standards adopted from GAO for scheduling.

No. 2   to Electronic Health Record Modernization Integration Office

The executive director of the Electronic Health Record Modernization Program Management Office takes action to improve stakeholder coordination in the development of the program schedules to ensure activities from all relevant VA entities are included.

No. 3   to Electronic Health Record Modernization Integration Office

The executive director of the Electronic Health Record Modernization Program Management Office develops procedures for when and how staff should perform an initial schedule risk analysis for the program and conduct periodic updates as needed.

No. 4   to Electronic Health Record Modernization Integration Office

The executive director of the Electronic Health Record Modernization Program Management Office ensures consistency between contract language and program office plans or other guidance identifying the entity or individuals responsible for developing and maintaining the program’s work breakdown structure and integrated master schedule.

No. 5   to Electronic Health Record Modernization Integration Office

The executive director of the Electronic Health Record Modernization Program Management Office evaluates the contract requirements for schedule management and modifies as needed to ensure clear roles and expectations for further development and maintenance of the program’s integrated master schedule.

No. 6   to Electronic Health Record Modernization Integration Office

The executive director of the Electronic Health Record Modernization Program Management Office complies with the Federal Acquisition Regulation and issue guidance to accept deliverables not separately priced before invoice payment.

| 21-01309-74 | Summary | Report

Recommendations (26)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology consistently implement an improved continuous monitoring program in accordance with the NIST Risk Management Framework. Specifically, implement an independent security control assessment process to evaluate the effectiveness of security controls prior to granting authorization decisions. (This is a repeat recommendation from prior years.)

No. 2   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved mechanisms to ensure system stewards and Information System Security Officers follow procedures for establishing, tracking, and updating Plans of Action and Milestones for all known risks and weaknesses including those identified during security control assessments. (This is a repeat recommendation from prior years.)

No. 3   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement controls to ensure that system stewards and responsible officials obtain appropriate documentation prior to closing Plans of Action and Milestones. (This is a repeat recommendation from prior years.)

No. 4   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, include an accurate status of the implementation of system security controls, and all applicable security controls are properly evaluated. (This is a repeat recommendation from prior years.)

No. 5   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved processes for reviewing and updating key security documents such as security plans, risk assessments, and interconnection agreements on an annual basis and ensure the information accurately reflects the current environment. (This is a repeat recommendation from prior years.)

No. 6   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure compliance with VA password policy and security standards on domain controls, operating systems, databases, applications, and network devices. (This is a repeat recommendation from prior years.)

No. 7   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement periodic reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeat recommendation from prior years.)

No. 8   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology enable system audit logs on all critical systems and platforms and conduct centralized reviews of security violations across the enterprise. (This is a repeat recommendation from prior years.)

No. 9   to Office of Information and Technology (OIT)

We recommended the Office of Personnel Security, Human Resources, and Contract Offices implement improved processes for establishing and maintaining accurate data within VA’s authoritative system of record for background investigations. (This is a modified repeat recommendation from prior years.)

No. 10   to Office of Information and Technology (OIT)

We recommended the Office of Personnel Security, Human Resources, and Contract Offices strengthen processes to ensure appropriate levels of background investigations are completed for applicable VA employees and contractors. (This is a modified repeat recommendation from prior years.)

No. 11   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and web application servers. (This is a repeat recommendation from prior years.)

No. 12   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement a more effective patch and vulnerability management program to address security deficiencies identified during our assessments of VA’s web applications, database platforms, network infrastructure, and workstations. (This is a repeat recommendation from prior years.)

No. 13   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology maintain a complete and accurate security baseline configuration for all platforms and ensure all baselines are appropriately monitored for compliance with established VA security standards. (This is a repeat recommendation from prior years.)

No. 14   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved network access controls that restrict medical devices from systems hosted on the general network. (This is a repeat recommendation from prior years.)

No. 15   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology consolidate the security responsibilities for networks not managed by the Office of Information and Technology, under a common control for each site and ensure vulnerabilities are remediated in a timely manner. (This is a repeat recommendation from prior years.)

No. 16   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure that all devices and platforms are evaluated using credentialed vulnerability assessments. (This is a repeat recommendation from prior years.)

No. 17   to Office of Information and Technology (OIT)

We recommended the Acting Assistant Secretary for Information and Technology implement improved procedures to enforce standardized system development and change control processes that integrates information security throughout the life cycle of each system. (This is a repeat recommendation from prior years.)

No. 18   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology review system boundaries, recovery priorities, system components, and system interdependencies and implement appropriate mechanisms to ensure that established system recovery objectives can be measured and met. (This is a modified repeat recommendation from prior years.)

No. 19   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology ensure that contingency plans for all systems are updated to include critical inventory components and are tested in accordance with VA requirements. (This is a repeat recommendation from prior years.)

No. 20   to Office of Information and Technology (OIT)

20. We recommended the Assistant Secretary for Information and Technology implement more effective agency-wide incident response procedures to ensure timely notification, reporting, updating, and resolution of computer security incidents in accordance with VA standards. (This is a repeat recommendation from prior years.)

No. 21   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology ensure that VA’s Cybersecurity Operations Center has full access to all security incident data to facilitate an agency-wide awareness of information security events. (This is a repeat recommendation from prior years.)

No. 22   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved safeguards to identify and prevent unauthorized vulnerability scans on VA networks. (This is a repeat recommendation from prior years.)

No. 23   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved measures to ensure that all security controls are assessed in accordance with VA policy and that identified issues or weaknesses are adequately documented and tracked within POA&Ms. (This is a repeat recommendation from prior years.)

No. 24   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology fully develop a comprehensive list of approved and unapproved software and implement continuous monitoring processes to prevent the use of prohibited software on agency devices. (This is a repeat recommendation from prior years.)

No. 25   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology develop a comprehensive inventory process to identify connected hardware, software, and firmware used to support VA programs and operations. (This is a repeat recommendation from prior years.)

No. 26   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved procedures for monitoring contractor-managed systems and services and ensure information security controls adequately protect VA sensitive systems and data. (This is a repeat recommendation from prior years.)

| 21-00510-105 | Summary | Report

Recommendations (3)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Veterans Health Administration (VHA)

Review and update, as appropriate, program policy to formally align with the Office of Patient Advocacy’s program expectations, including when complaints must be entered into a patient advocate tracking system and the responsibilities of patient advocate supervisors.

No. 2   to Veterans Health Administration (VHA)

Implement controls that require facility patient advocate supervisors and Veterans Integrated Service Network patient advocate coordinators to perform regular, documented reviews of records in the patient advocate tracking system to monitor that the required information is entered properly.

No. 3   to Veterans Health Administration (VHA)

Provide guidance to medical facility directors to ensure they fulfill their required Patient Advocacy Program management duties, including timely complaint resolution and trending complaint data.

| 21-00497-46 | Summary | Report

Recommendations (3)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Veterans Health Administration (VHA)

Develop guidelines requiring supervisors to use VHA systems to monitor documentation of efforts to contact patients to schedule an appointment and to take corrective action as appropriate.

No. 2   to Veterans Health Administration (VHA)

Establish a tool to monitor whether clinicians are properly indicating the appropriateness of alternative forms of care and whether staff offered them to patients when clinically appropriate.

No. 3   to Veterans Health Administration (VHA)

Reassess the frequency of and approach to its training for scheduling community care consults to VHA facilities as revisions are made to the various tools.

| 20-03351-08 | Summary | Report

Recommendations (1)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Veterans Health Administration (VHA)

The OIG recommended that the acting under secretary for health perform additional analyses to ensure materially accurate specialty care workload data are used to implement the Asset and Infrastructure Review Commission recommendations.

Filter Options

Use the controls below to filter the list of OIG reports. Click on the headings to view the filter choices.

Current Filter

  • Report Type: Audit

Records 1 - 10 of 760 oversight reports that match your filter criteria.

8/10/2022 9:36:42 PM


Date RangeRemove

Limits the list of reports to those published in the date range specified below.

Report LocationRemove

Limits the list of reports to those pertaining to the cities selected below. Hold down the control key to select multiple values or to toggle an individual value on or off.

VA Administration/Staff OfficeRemove

Limits the list of reports to those pertaining to the VA offices selected below. Hold down the control key to select multiple values or to toggle an individual value on or off.

Report TypeRemove

Limits the list of reports to the report types selected below. Hold down the control key to select multiple values or to toggle an individual value on or off. For a description of the types of reports published by the OIG, please visit our Reports and Publications homepage.

OIG Report AuthorRemove

Limits reports to those authored by specific OIG elements.

Report NumbersRemove

Helpful for finding reports if you know the report number. Separate multiple values with semicolons.

Search TermsRemove

Limit the results to reports that match your search terms.

Recommendation StatusRemove

Limits reports to those with open or closed recommendations.

Recommendation Action OfficeRemove

Limits reports to those with recommendations specific to the following VA Offices

COVID-RelatedRemove

Check to return only COVID-related reports.

Displaying records at a time.