Recommendations
| ID | Report Number | Report Title | Type | |
|---|---|---|---|---|
| 13-01391-72 | VA's Federal Information Security Management Act Audit for Fiscal Year 2013 | Audit | ||
1 We recommend the Executive in Charge for Information and Technology fully develop and implement an agency-wide risk management governance structure, along with mechanisms to identify, monitor, and manage risks across the enterprise. (This is a repeat recommendation from last year.)
2 We recommend the Executive in Charge for Information and Technology implement mechanisms to ensure sufficient supporting documentation is captured in the central database to justify closure of Plans of Action and Milestones. (This is a repeat recommendation from last year.)
3 We recommend the Executive in Charge for Information and Technology define and implement clear roles and responsibilities for developing, maintaining, completing, and reporting Plans of Action and Milestones. (This is a repeat recommendation from last year.)
4 We recommend the Executive in Charge for Information and Technology implement mechanisms to ensure Plans of Action and Milestones are updated to accurately reflect current status information. (This is a repeat recommendation from last year.)
5 We recommend the Executive in Charge for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, including accurate system interconnection and ownership information. (This is a repeat recommendation from last year.)
6 We recommend the Executive in Charge for Information and Technology implement improved processes for updating key security documents such as risk assessments, security impact analyses, and security self-assessments on at least an annual basis and ensure all required information accurately reflects the current environment and new risks in accordance with Federal standards. (This is a new recommendation.)
7 We recommend the Executive in Charge for Information and Technology implement mechanisms to enforce VA password policies and standards on all operating systems, databases, applications, and network devices. (This is a repeat recommendation from last year.)
8 We recommend the Executive in Charge for Information and Technology implement periodic access reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeat recommendation from last year.)
9 We recommend the Executive in Charge for Information and Technology enable system audit logs and conduct centralized reviews of security violations on mission-critical systems. (This is a repeat recommendation from last year.)
10 We recommend the Executive in Charge for Information and Technology implement mechanisms to ensure all remote access computers have updated security patches and antivirus definitions prior to connecting to VA information systems. (This is a repeat recommendation from last year.)
11 We recommend the Executive in Charge for Information and Technology implement two-factor authentication for remote access throughout the agency. (This is a repeat recommendation from last year.)
12 We recommend the Executive in Charge for Information and Technology develop and implement policies and procedures for restricting privileged remote access from foreign countries that may pose a significant security risk to VA systems. (This is a new recommendation.)
13 We recommend the Executive in Charge for Information and Technology implement effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and Web application servers. (This is a repeat recommendation from last year.)
14 We recommend the Executive in Charge for Information and Technology implement a patch and vulnerability management program to address security deficiencies identified during our assessments of VA’s Web applications, database platforms, network infrastructure, and work stations. (This is a modified repeat recommendation from last year.)
15 We recommend the Executive in Charge for Information and Technology implement standard security configuration baselines for all VA operating systems, databases, applications, and network devices. (This is a repeat recommendation from last year.)
16 We recommend the Executive in Charge for Information and Technology implement procedures to enforce a system development and change control framework that integrates information security throughout the life cycle of each system. (This is a repeat recommendation from last year.)
17 We recommend the Executive in Charge for Information and Technology implement processes to ensure information system contingency plans are updated with the required information and lessons learned are communicated to senior management. (This is a repeat recommendation from last year.)
18 We recommend the Executive in Charge for Information and Technology develop and implement a process for ensuring the encryption of backup data prior to transferring the data offsite. (This is a new recommendation.)
19 We recommend the Executive in Charge for Information and Technology ensure that agreements for alternate processing sites have been established that define the roles and responsibilities for alternate locations in the event of a disaster. (This is a new recommendation.)
20 We recommend the Executive in Charge for Information and Technology review change management procedures to ensure that any changes to system procedures are appropriately tested, validated, documented and approved. (This is a repeat recommendation from last year.)
21 We recommend the Executive in Charge for Information and Technology fully implement an automated 24-hour security event and incident correlation solution to monitor security for all systems interconnections, database security events, and mission-critical platforms supporting VA programs and operations. (This is a repeat recommendation from last year.)
22 We recommend the Executive in Charge for Information and Technology identify all external network interconnections and ensure appropriate Interconnection Security Agreements and Memoranda of Understanding are in place to govern them. (This is a repeat recommendation from last year.)
23 We recommend the Executive in Charge for Information and Technology implement more effective agency-wide incident response procedures to ensure timely resolution of computer security incidents in accordance with VA set standards. (This is a repeat recommendation from last year.)
24 We recommend the Executive in Charge for Information and Technology provide the OIG with timely and formal notifications of network intrusions and system compromises in accordance with FISMA. (This is a new recommendation.)
25 We recommend the Executive in Charge for Information and Technology develop a listing of approved software and implement continuous monitoring processes to identify and prevent the use of unauthorized application software, hardware and system configurations on its networks. (This is a modified repeat recommendation from last year.)
26 We recommend the Executive in Charge for Information and Technology develop a comprehensive software inventory process to identify major and minor software applications used to support VA programs and operations. (This is a modified repeat recommendation from last year.)
27 We recommend the Acting Assistant Secretary for Information and Technology develop procedures to integrate information security costs into the capital planning process while ensuring traceability of Plans of Action and Milestones remediation costs to appropriate capital planning budget documents. (This is a repeat recommendation from last year.)
28 We recommend the Executive in Charge for Information and Technology implement procedures for overseeing contractor-managed cloud-based systems, ensuring OIG access to those systems, and ensuring information security controls adequately protect VA sensitive systems and data. (This is a modified repeat recommendation from last year.)
29 We recommend the Executive in Charge for Information and Technology implement mechanisms for updating the Federal Information Security Management Act systems inventory, including contractor-managed systems and interfaces, and annually review the systems inventory for accuracy. (This is a repeat recommendation from last year.)
30 We recommend the Executive in Charge for Information and Technology implement mechanisms to ensure all users with VA network access participate in and complete required VA-sponsored security awareness training. (This is a repeat recommendation from last year.)
| ||||
| 14-01119-168 | Healthcare Inspection – Community Living Center Patient Care, Gulf Coast Veterans Health Care System, Biloxi, Mississippi | Hotline Healthcare Inspection | ||
1 We recommended that the System Director actively recruits and fills approved physician vacancies within the Extended Care Service.
Closure Date:
| ||||
| 13-03018-159 | Review of Alleged Mismanagement of VBA's Eastern Area Fiduciary Hub | Audit | ||
1 We recommended the Under Secretary for Benefits require the Eastern Area Fiduciary Hub to implement controls to monitor misuse determinations to ensure reviews meet timeliness standards.
Closure Date:
2 We recommended the Under Secretary for Benefits require the Director of Pension and Fiduciary Service to implement controls to monitor negligence reviews.
Closure Date:
3 We recommended the Under Secretary for Benefits implement controls to ensure the reissuance of misused funds to beneficiaries and repayment from former fiduciaries occurs timely.
Closure Date:
4 We recommended the Under Secretary for Benefits require the Director of Pension and Fiduciary Services to conduct a negligence review of the 12 identified cases of misuse of beneficiary funds and determine if misused funds are required to be reissued to affected beneficiaries.
Closure Date:
5 We recommended the Under Secretary for Benefits ensures the Eastern Area Fiduciary Hub implements a plan to expedite completion of their backlog of field examinations to meet performance standards.
Closure Date:
6 We recommended the Under Secretary for Benefits require the Director of the Indianapolis VA Regional Office to implement a plan to ensure the Eastern Area Fiduciary Hub eliminates its backlog of Fiduciary Program mail during FY 2014.
Closure Date:
Total Monetary Impact of All Recommendations
Open: $0
Closed: $944,000
Total: $944,000
| ||||
| 14-02603-178 | Interim Report: Review of VHA's Patient Wait Times, Scheduling Practices, and Alleged Patient Deaths at the Phoenix Health Care System | Audit | ||
1 We recommend the VA Secretary take immediate action to review and provide appropriate health care to the 1,700 veterans we identified as not being on any existing wait list.
Closure Date:
2 We recommend the VA Secretary review all existing wait lists at the Phoenix Health Care System to identify veterans who may be at greatest risk because of a delay in the delivery of health care (for example, those veterans who would be new patients to a specialty clinic) and provide the appropriate medical care.
Closure Date:
3 We recommend the VA Secretary initiate a nationwide review of veterans on wait lists to ensure that veterans are seen in an appropriate time, given their clinical condition.
Closure Date:
4 We recommend the VA Secretary direct the Health Eligibility Center to run a nationwide New Enrollee Appointment Request report by facility of all newly enrolled veterans and direct facility leadership to ensure all veterans have received appropriate care or are shown on the facility's electronic waiting list.
Closure Date:
| ||||
| 14-00686-166 | Combined Assessment Program Review of the Aleda E. Lutz VA Medical Center, Saginaw, Michigan | Comprehensive Healthcare Inspection Program | ||
1 We recommended that nursing managers fully implement the plan approved in March 2014.
Closure Date:
2 We recommended that the annual staffing plan reassessment process ensures that the facility expert panel includes all required members.
Closure Date:
3 We recommended that the annual staffing plan reassessment process ensures that the acute care unit-based expert panel includes all required members.
Closure Date:
4 We recommended that processes be strengthened to ensure that acute care staff accurately document the risk scale score for all patients with pressure ulcers and that compliance be monitored.
Closure Date:
5 We recommended that the facility establish staff pressure ulcer education requirements and that compliance be monitored.
Closure Date:
6 We recommended that processes be strengthened to ensure that wound care specialist consults are initiated and completed for all patients with pressure ulcers and that compliance be monitored.
Closure Date:
7 We recommended that processes be strengthened to ensure that staff complete and document restorative nursing services according to residents' care plans and that compliance be monitored.
Closure Date:
8 We recommended that processes be strengthened to ensure that staff document residents' progress toward restorative nursing goals and that compliance be monitored.
Closure Date:
9 We recommended that processes be strengthened to ensure that staff document residents' restorative progress bi-weekly and that compliance be monitored.
Closure Date:
10 We recommended that processes be strengthened to ensure that all required participants or their designees attend weekly EOC rounds and that compliance be monitored.
Closure Date:
11 We recommended that processes be strengthened to ensure that all required participants or their designees attend weekly EOC rounds and that compliance be monitored.
Closure Date:
| ||||
| 14-00242-160 | Community Based Outpatient Clinic and Primary Care Clinic Reviews at W.G. (Bill) Hefner VA Medical Center, Salisbury, North Carolina | Comprehensive Healthcare Inspection Program | ||
1 We recommended that CBOC/Primary Care Clinic staff consistently complete diagnostic assessments for patients with a positive alcohol screen.
Closure Date:
2 We recommended that CBOC/Primary Care Clinic Registered Nurse Care Managers receive motivational interviewing and health coaching training within 12 months of appointment to Patient Aligned Care Teams.
Closure Date:
3 We recommended that staff document that medication reconciliation was completed at each episode of care where the newly prescribed fluoroquinolone was administered, prescribed, or modified.
Closure Date:
4 We recommended that staff consistently provide written medication information that includes the fluoroquinolone.
Closure Date:
5 We recommended that staff provide medication counseling/education as required.
Closure Date:
| ||||
| 14-00231-158 | Community Based Outpatient Clinic and Primary Care Clinic Reviews at Aleda E. Lutz VA Medical Center, Saginaw, Michigan | Comprehensive Healthcare Inspection Program | ||
1 We recommended that the sink faucet control in the handicap accessible restroom at the Alpena CBOC meets Americans with Disabilities Act Guidelines and is accessible during regular clinic hours.
2 We recommended that processes are improved to ensure review of the hazardous materials inventory occurs twice within a 12-month period at the Alpena and Bad Axe CBOCs.
3 We recommended processes are strengthened to ensure women veterans can access gender-specific restrooms without entering public areas at the Bad Axe CBOC.
4 We recommended that the parent facility includes staff at the Alpena and Bad Axe CBOCs in required education, training, planning, and participation in annual disaster exercise.
5 We recommended that CBOC/PCC staff consistently document the offer of further treatment to patients diagnosed with alcohol dependence.
| ||||
| 14-00244-147 | Community Based Outpatient Clinic and Primary Care Clinic Reviews at Canandaigua VA Medical Center, Canandaigua, New York | Comprehensive Healthcare Inspection Program | ||
1 We recommended that processes are improved to ensure review of the hazardous materials inventory occurs twice within a 12-month period at the Rochester CBOC.
Closure Date:
2 We recommended that all identified EOC deficiencies at the Rochester CBOC are tracked by the parent facility EOC Committee until resolution.
Closure Date:
3 We recommended that CBOC/PCC staff consistently complete diagnostic assessments for patients with a positive alcohol screen.
Closure Date:
4 We recommended that CBOC/PCC staff provide education and counseling for patients with positive alcohol screens and drinking levels above NIAAA limits.
Closure Date:
5 We recommended that CBOC/PCC staff consistently document the offer of further treatment to patients diagnosed with alcohol dependence.
Closure Date:
| ||||
| 13-00991-154 | Review of Alleged Unauthorized Commitments Within VA | Audit | ||
1 We recommended the Executive in Charge, Office of Management and Chief Financial Officer, review FYs 2012 and 2013 purchase card transactions above the micro-purchase threshold and submit identified unauthorized commitments to Heads of Contracting Activities for ratification actions.
Closure Date:
2 We recommended the Executive in Charge, Office of Management and Chief Financial Officer, establish policies and procedures to perform recurring reviews of purchase card transactions above the micro-purchase threshold to identify transactions made by cardholders without appropriate warrant authority.
Closure Date:
3 We recommended the Executive in Charge, Office of Management and Chief Financial Officer, revise policies and procedures to verify that purchase card spending limits do not exceed warrant authority limits before issuing individuals purchase cards with spending limits above the micro-purchase threshold.
Closure Date:
4 We recommended the Executive in Charge, Office of Management and Chief Financial Officer, require recurring unauthorized commitment training for purchase cardholders and their approving officials.
Closure Date:
5 We recommended the Executive in Charge, Office of Management and Chief Financial Officer, ensure the Management Quality Assurance Service follow up on the status of ratification of identified unauthorized commitments.
Closure Date:
6 We recommended the Principal Executive Director, Office of Acquisition, Logistics, and Construction, direct Heads of Contracting Activities to perform individual ratification actions for unauthorized commitments identified by the Executive in Charge, Office of Management and Chief Financial Officer’s review of FYs 2012 and 2013 purchase card transactions above the micro-purchase threshold.
Closure Date:
7 We recommended the Principal Executive Director, Office of Acquisition, Logistics, and Construction, create and maintain an accurate database of warranted VA contracting officers that includes warrant effective and expiration dates, and specific warrant authority limitations.
Closure Date:
8 We recommended the Principal Executive Director, Office of Acquisition, Logistics, and Construction, establish policies and procedures requiring Heads of Contracting Activities to complete ratification actions within a specified time period after the identification of unauthorized commitments.
Closure Date:
9 We recommended the Principal Executive Director, Office of Acquisition, Logistics, and Construction, limit institutional ratifications by ensuring every unauthorized commitment meets the ratification review requirements.
Closure Date:
Total Monetary Impact of All Recommendations
Open: $0
Closed: $85,600,000
Total: $85,600,000
| ||||
| 13-04243-151 | Combined Assessment Program Review of the Wilmington VA Medical Center, Wilmington, Delaware | Comprehensive Healthcare Inspection Program | ||
1 We recommended that the facility establish a policy for scanning health records and that compliance with the newly established policy be monitored.
Closure Date:
2 We recommended that the dialysis patient care area have an emergency eyewash station.
Closure Date:
3 We recommended that processes be strengthened to ensure that the dialysis unit's chemical storage room is locked when unattended and that compliance be monitored.
Closure Date:
4 We recommended that the clinical laboratory urinalysis section ceiling leak be repaired and that ceiling tiles in the clinical laboratory urinalysis section and blood bank and in the ambulatory surgery medication room be replaced.
Closure Date:
5 We recommended that the facility establish a policy addressing radiation equipment inspection, testing, and maintenance and fluoroscopy quality control and that compliance with the newly established policy be monitored.
Closure Date:
6 We recommended that processes be strengthened to ensure that designated x-ray and fluoroscopy employees have radiation exposure monitoring completed annually and that compliance be monitored.
Closure Date:
7 We recommended that signs be posted in waiting and procedure rooms within radiology asking female patients to notify staff if they may be pregnant.
Closure Date:
8 We recommended that processes be strengthened to ensure that clinicians conducting medication education accommodate identified learning barriers and document the accommodations made to address those barriers and that compliance be monitored.
Closure Date:
9 We recommended that processes be strengthened to ensure that patients/caregivers are provided medication lists at discharge and that compliance be monitored.
Closure Date:
10 We recommended that processes be strengthened to ensure that patients/caregivers are provided with discharge instructions and that compliance be monitored.
Closure Date:
11 We recommended that nursing managers monitor the staffing methodology that was implemented in August 2013.
Closure Date:
12 We recommended that nurse managers reassess the target nursing hours per patient day for unit 4 East to more accurately plan for staffing and evaluate the actual staffing provided.
Closure Date:
13 We recommended that the facility establish an interprofessional pressure ulcer committee.
Closure Date:
14 We recommended that processes be strengthened to ensure that acute care staff accurately document location, stage, risk scale score, and date pressure ulcer acquired for all patients with pressure ulcers and that compliance be monitored.
Closure Date:
15 We recommended that processes be strengthened to ensure that acute care staff provide and document recommended pressure ulcer interventions and that compliance be monitored.
Closure Date:
16 We recommended that processes be strengthened to ensure that acute care staff provide and document pressure ulcer education for patients at risk for and with pressure ulcers and/or their caregivers and that compliance be monitored.
Closure Date:
17 We recommended that processes be strengthened to ensure that designated employees receive training on how to administer the pressure ulcer risk scale and how to accurately document findings and that compliance be monitored.
Closure Date:
18 We recommended that processes be strengthened to ensure that patient care areas are clean, that clean and dirty items are stored separately, and that medications are secured at all times and that compliance be monitored.
Closure Date:
19 We recommended that processes be strengthened to ensure that staff document resident progress towards restorative nursing goals, modify restorative nursing interventions as needed, and document the modifications and that compliance be monitored.
Closure Date:
20 We recommended that processes be strengthened to ensure that employees who perform restorative nursing services receive training on and competency assessment for resident transfers.
Closure Date:
21 We recommended that processes be strengthened to ensure that staff do not provide medical treatment to residents during meals in the common dining area.
Closure Date:
| ||||