Electronic Health Records: Better Goals and Measures Would Improve Interagency Cybersecurity Collaboration

GAO-26-107673 Published: Jun 02, 2026. Publicly Released: Jun 02, 2026.

Fast Facts

Cyberattacks on healthcare systems are increasing. This puts the federal electronic health record system, which supports health care for millions of service members and veterans, at risk.

Four federal agencies, including DOD and VA, use the system to store, share, and analyze patient information. The Federal Electronic Health Record Modernization office—a joint DOD and VA office—facilitates collaboration among these agencies.

We report in this Q&A that the office doesn't fully follow leading practices for collaboration. Doing so would help the office better protect the system and its data.

Our recommendations to DOD and VA address this.

A person holding a tablet showing medical records.

Highlights

What GAO Found

The Department of Defense (DOD) has primary responsibility for ensuring the cybersecurity of the federal electronic health record (EHR). The Federal Electronic Health Record Modernization office (FEHRM) is responsible for providing direction and oversight on joint functions. To that end, the FEHRM works to improve interagency cybersecurity and privacy collaboration by providing opportunities for partner agencies to coordinate and by initiating joint activities to enhance the security of the system. Accordingly, the FEHRM facilitated collaboration among partner agencies; however, the collaboration would be improved by fully addressing leading practices. For example, it has not fully articulated specific or common goals or outcomes related to the cybersecurity of the EHR or the privacy of data within it. Further, the FEHRM reported that it did not have related performance measures for monitoring progress towards these outcomes.

Extent to Which the FEHRM Followed Leading Interagency Collaboration Practices

Addressing the shortfalls in interagency collaboration could provide better understanding of the resources needed to address shared responsibilities and clearer insight into the impacts of joint efforts. As a result, the FEHRM, partner agencies, and Congress could have greater assurance that appropriate actions are being taken to keep the system and its data secure and to prevent its exploitation by adversaries.

Why GAO Did This Study

The federal EHR is a single system used to store, share, and analyze patient care information. The system is housed in a data center, referred to as the federal enclave. The system supports the delivery of healthcare to millions of beneficiaries across four partner agencies: DOD, the Department of Veterans Affairs (VA), the U.S. Coast Guard, and the National Oceanic and Atmospheric Administration. The FEHRM is a joint DOD-VA decision-making authority for the federal EHR with requirements set by Congress.

The Further Consolidated Appropriations Act, 2024 includes a provision for GAO to report on aspects of the federal EHR. This report (1) describes the federal EHR system and its management, (2) identifies the roles and responsibilities for the cybersecurity of the system and protecting the privacy of the data within it, and (3) examines how agencies are collaborating to keep the system and its data secure.

To conduct this work, GAO reviewed interagency agreements regarding the use of the federal EHR and relevant agency cybersecurity and privacy policies, and interviewed agency officials. GAO also compared FEHRM collaboration efforts to leading collaboration practices.

Recommendations

GAO is making one recommendation to DOD and one to VA to direct the FEHRM to define common goals, outcomes, and associated performance measures, and monitor, assess, and communicate progress on collaboration efforts toward ensuring the cybersecurity and privacy of the federal enclave. DOD disagreed with our report and VA neither agreed nor disagreed with the recommendations. GAO maintains its recommendations are valid, as discussed in this report.

Recommendations for Executive Action

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should ensure that the Deputy Secretary of Defense directs the FEHRM to define common goals, outcomes, and associated performance measures, and monitor, assess, and communicate progress on collaboration efforts toward ensuring the cybersecurity and privacy of the federal enclave. (Recommendation 1)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should ensure that the Deputy Secretary of Veterans Affairs directs the FEHRM to define common goals, outcomes, and associated performance measures, and monitor, assess, and communicate progress on collaboration efforts toward ensuring the cybersecurity and privacy of the federal enclave. (Recommendation 2)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

GAO Contacts

Carol C. Harris
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Best practices, Compliance oversight, Cybersecurity, Electronic health records, Health care, Personally identifiable information, Privacy, Veterans affairs, Military interoperability agreements, Performance measurement