GAO Urges FEHRM to Improve Cybersecurity Management for Federal EHR System

    The Government Accountability Office calls out gaps in cybersecurity management for the Federal Electronic Health Record Modernization (FEHRM). Increased demand for cybersecurity services is expected as agencies respond to GAO's recommendations for improved interagency collaboration and measurable performance objectives.

    Federal Electronic Health Record Modernization office, Department of Defense, Department of Veterans Affairs, U.S. Coast Guard, National Oceanic and Atmospheric Administration

    Key Signals

    • GAO report signals need for FEHRM to enhance cybersecurity collaboration.
    • Agencies likely to issue new contracts focused on cybersecurity performance metrics.
    • VA seeks $4.2 billion for EHR modernization, focusing on cybersecurity improvements.

    In a recent report, the Government Accountability Office (GAO) identified significant shortcomings in the Federal Electronic Health Record Modernization (FEHRM) office's management of cybersecurity and privacy performance metrics related to the federal Electronic Health Record (EHR) system. Currently, this system serves over 500,000 users and manages data for approximately 18 million patients, highlighting the urgent need for robust cybersecurity oversight and effective interagency collaboration. The GAO's findings underline the necessity for the FEHRM to establish clear and quantifiable objectives while enhancing coordination among its partner agencies, which include the Department of Defense (DoD), Department of Veterans Affairs (VA), U.S. Coast Guard, and the National Oceanic and Atmospheric Administration (NOAA).

    According to the GAO, the lack of sufficiently measurable goals and effective collaboration can leave the FEHRM vulnerable to digital threats and hamper its capacity to ensure patient data protection. The report states that without well-defined goals and measurable outcomes, the FEHRM is at risk of failing to manage shared cybersecurity responsibilities efficiently. This gap in performance management has persisted despite the need for extensive coordination among agencies that are responsible for significant health data management and must operate in compliance with stringent federal privacy laws.

    The GAO has called for urgent action from the FEHRM to improve its ability to monitor, assess, and communicate on performance measures relevant to cybersecurity and privacy protection. The report indicates that articulating clear goals would not only enhance oversight of coordinated cybersecurity for the federal EHR but also provide essential insight into the resources and time commitments required of each agency involved. The FEHRM's inability to fully delineate specific short- and long-term objectives raises concerns about the potential repercussions for the security of sensitive health information.

    This call for improvements arrives as the VA is seeking an additional $4.2 billion to modernize its EHR systems, reflecting a 25% increase over prior budgets. Such financial commitments underline the strategic importance placed on transitioning towards improved health IT infrastructure and robust cybersecurity measures. In assessing the impact of GAO's recommendations, procurement professionals should anticipate an increased demand for services related to cybersecurity, privacy compliance, and health IT modernization, as several federal agencies may issue new solicitations or modify existing contracts focused particularly on these areas. Contractors specializing in federal health IT systems, cybersecurity risk management, and privacy frameworks are well-positioned to engage the FEHRM and its partner agencies in meeting these new directives.

    The strategic emphasis on measurable cybersecurity outcomes and enhanced cooperation across agencies could lead to the development of new procurement requirements and evaluation criteria, influencing the landscape of federal contracting in health IT. The GAO's report marks a turning point for agencies involved in the EHR modernization initiative, one aimed at enhancing the overall security posture of the EHR systems used within the federal health landscape.

    Procurement professionals should be deeply aware of the implications of this GAO report as they prepare to respond to the evolving demands of the federal marketplace. The commitment to enhancing cybersecurity and protecting patient data not only affects direct service procurement but will also alter the metrics against which contractors are assessed in future bidding processes.

    Agencies

    • Federal Electronic Health Record Modernization office
    • Department of Defense
    • Department of Veterans Affairs
    • U.S. Coast Guard
    • National Oceanic and Atmospheric Administration