Full Report
The Department of Defense (DOD) has primary responsibility for ensuring the cybersecurity of the federal electronic health record (EHR). The Federal Electronic Health Record Modernization office (FEHRM) is responsible for providing direction and oversight on joint functions. To that end, the FEHRM works to improve interagency cybersecurity and privacy collaboration by providing opportunities for partner…
Analysis Summary
# Regulation/Compliance: GAO Cybersecurity Oversight of the Federal EHR
## Overview
This report by the Government Accountability Office (GAO) evaluates the effectiveness of the Federal Electronic Health Record Modernization (FEHRM) office in coordinating cybersecurity and privacy protections for the joint Department of Defense (DOD) and Department of Veterans Affairs (VA) electronic health record system. The GAO highlights critical gaps in interagency collaboration and performance monitoring that may leave Federal EHR data vulnerable to exploitation.
## Key Details
- **Issuing Authority:** Government Accountability Office (GAO) / Department of Defense (DOD)
- **Effective Date:** June 04, 2026 (Report Release)
- **Jurisdiction:** Federal Government (DOD, VA, FEHRM)
- **Status:** Final Audit / Formal Recommendation
## Requirements
### Mandatory Requirements
1. **Goal Articulation:** Use of specific, common goals for EHR cybersecurity and data privacy.
2. **Performance Measurement:** Establishment of metrics to monitor progress toward cybersecurity outcomes.
3. **Interagency Collaboration:** Adherence to "leading practices" for collaboration between the DOD, VA, and FEHRM.
4. **Oversight:** The FEHRM must provide direction and oversight on joint functions to ensure system integrity.
### Recommended Practices
1. **Resource Mapping:** Detailed identification of resources needed to address shared cybersecurity responsibilities.
2. **Impact Analysis:** Regular assessment of the impacts of joint cybersecurity efforts to provide assurance to Congress.
3. **Adversary Prevention:** Proactive enhancement of system security to prevent exploitation by foreign adversaries.
## Affected Organizations
- **Industries:** Government Healthcare, Defense, and Veterans Affairs.
- **Organization Size:** Federal-scale agencies.
- **Geographic Scope:** United States (Federal Government infrastructure).
## Compliance Timeline
- **June 04, 2026:** GAO Report GAO-26-107673 released identifying shortfalls.
- **Immediate:** FEHRM and partner agencies tasked with addressing collaboration gaps.
- **Ongoing:** Periodic reviews by Congress and the GAO to ensure recommendations are implemented.
## Implementation Guidance
### Assessment Phase
- Evaluate existing interagency agreements (MOUs/MOAs) between the DOD and VA regarding EHR security.
- Audit current EHR data privacy controls against "leading practices" for federal collaboration.
### Implementation Phase
- Define "Common Goals" for the joint EHR environment.
- Develop a suite of Key Performance Indicators (KPIs) to measure cybersecurity resilience.
- Formalize the FEHRM’s role in initiating joint security activities.
### Validation Phase
- Report progress on performance measures to Congress.
- Conduct follow-up GAO audits to verify the adoption of leading practices.
## Technical Requirements
- **System Synchronization:** Integration of security protocols across different agency networks.
- **Data Privacy Controls:** Implementation of privacy-enhancing technologies within the EHR system.
- **Interoperability Security:** Ensuring that joint functions do not create security "seams" between agencies.
## Penalties & Enforcement
- **Fines:** Not applicable (Interagency compliance).
- **Other Consequences:** Increased Congressional scrutiny, potential budgetary restrictions, and heightened risk of data breach/adversarial exploitation.
- **Enforcement:** Directed by the GAO and enforced through Congressional oversight and DOD/VA departmental leadership.
## Related Standards
- **NIST SP 800-53:** Security and Privacy Controls for Information Systems and Organizations.
- **HIPAA:** Health Insurance Portability and Accountability Act (Federal healthcare data requirements).
- **FISMA:** Federal Information Security Modernization Act.
## Resources
- **Official Documentation:** <https://www.gao.gov/products/gao-26-107673> (Defanged)
- **Agency Site:** <https://www.fehrm.gov> (Defanged)
## Practical Recommendations
1. **Define Success:** Leadership should immediately finalize a written charter that defines what "secure" looks like for the joint EHR.
2. **Standardize Metrics:** Implement a dashboard that tracks cybersecurity incidents and compliance status across both DOD and VA nodes of the EHR.
3. **Clarify Accountability:** Explicitly document which agency is responsible for specific technical controls to avoid "gray areas" in oversight.