All Reports

Date Issued
|
Report Number
25-01781-71
|
Topics:  Information Technology and Security

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
Closure Date: 7/7/2026

Ensure that authorizations are reassessed when a significant change affects the security or privacy posture of an application, consistent with the requirements of VA Handbook 6500.

No. 2
Open Recommendation Image, Square
to Information and Technology (OIT)

Reevaluate the risk determination for the Patient Advocate Tracking System‑Replacement and determine the appropriate security categorization level and system classification based on (1) the sensitive personal information maintained in the system and (2) the System Security Categorization Report.

No. 3
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

Reevaluate whether there is a continued business need to maintain access to veterans’ medical records in the Patient Advocate Tracking System-Replacement.

No. 4
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

Institute a process to ensure user roles are regularly reviewed for continued access and evaluate the effectiveness of the access control principle of least privilege to ensure roles for the Patient Advocate Tracking System-Replacement are correctly configured and allow access only for authorized users.

No. 5
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

Update the Patient Advocate Tracking System-Replacement user guides and training materials.

Date Issued
|
Report Number
25-02402-83
|
Topics:  Information Technology and Security

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Open Recommendation Image, Square
to Information and Technology (OIT)

Improve the existing vulnerability management process to make sure all vulnerabilities are identified, plans of action and milestones are created for vulnerabilities that cannot be mitigated by VA deadlines, and software is updated before vendor support ends.

No. 2
Open Recommendation Image, Square
to Information and Technology (OIT)

Implement a baseline configuration process to make sure network devices and databases are running authorized software that is configured to approved baselines and free of vulnerabilities.

No. 3
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT),Veterans Health Administration (VHA)
Closure Date: 6/25/2026

Implement a process to disable access to the active directory and the electronic health record when temporary staff leave before their expected end date.

No. 4
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT),Veterans Health Administration (VHA)
Closure Date: 6/25/2026

Separate the duties of maintaining physical blank key stock and making keys to improve physical access controls over key inventories.

No. 5
Open Recommendation Image, Square
to Information and Technology (OIT),Veterans Health Administration (VHA)

Secure network infrastructure in accordance with VA environmental protection standards.

No. 6
Open Recommendation Image, Square
to Information and Technology (OIT),Veterans Health Administration (VHA)

Complete the installation of grounding measures for all telecommunication closets to protect information technology equipment.

No. 7
Open Recommendation Image, Square
to Information and Technology (OIT),Veterans Health Administration (VHA)

Routinely monitor and service uninterruptible power supplies that support the network infrastructure.

No. 8
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT),Veterans Health Administration (VHA)
Closure Date: 6/25/2026

Establish a process to make sure a witness observes the destruction of temporary paper files that contain personally identifiable information and protected health information.

Date Issued
|
Report Number
25-04347-110
|
Topics:  Information Technology and Security

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

Update the local inventory procedure to include a process for securing information technology equipment when temporary space is needed and for tracking and distributing this equipment, in accordance with federal and VA requirements.

No. 2
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

Assess the age of all unused information technology inventory to determine what should be used and what should be disposed of based on federal and VA requirements, and take action to address the results.

Total Monetary Impact of All Recommendations
Open: $ 305,607.00
Closed: $ 0.00
Date Issued
|
Report Number
26-00182-140
|
Topics:  Information Technology and Security ● Patient Safety

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Under Secretary for Health reviews the Veterans Health Administration’s current use of generative AI chat tools, defines permissible clinical uses for general-purpose AI chat tools, oversight responsibilities, and risk mitigation, and outlines a plan for implementation.

No. 2
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Under Secretary for Health evaluates whether safeguards applied to other high-impact AI tools, such as Ambient AI Scribe, should be adapted for generative AI chat tools used for clinical care and documentation.

No. 3
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Under Secretary for Health oversees integration of AI-related risk monitoring into existing patient safety programs and ensures staff are trained to identify and report AI-related safety events.

Date Issued
|
Report Number
25-00734-134
|
Topics:  Clinical Care Services Operations ● Information Technology and Security ● Mental Health ● Patient Care Services Operations ● Patient Safety ● Suicide Prevention

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Veterans Integrated Service Network Director conducts a comprehensive review of the care provided to the patient prior to the event, and takes action as indicated.

No. 2
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Robley Rex VA Medical Center Director ensures that the facility has a mechanism in place for how Veterans Health Administration healthcare professionals will provide content of suicide prevention safety plans when completing suicide prevention safety plans with patients over the phone.

No. 3
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Robley Rex VA Medical Center Director reviews facility Primary Care-Mental Health Integration guidance documents and ensures consistency and alignment with Veterans Health Administration requirements.

No. 4
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Robley Rex VA Medical Center Director reconsiders the practice of reauthoring notes in the Computerized Patient Record System by behavioral health technicians in the Primary Care-Mental Health Integration call center, identifies other facility areas that use the reauthoring process, and takes action as indicated.

No. 5
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Under Secretary for Health evaluates ways to mitigate the implications resulting from users’ ability to change authors in an unsigned note in the Computerized Patient Record System to ensure that such practice is limited to those in roles with a need to have that function, and takes action as indicated.

No. 6
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Robley Rex VA Medical Center Director ensures that root cause analyses are completed in accordance with Veterans Health Administration policy, including root cause analysis process steps, timeliness, and team roles.

No. 7
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Robley Rex VA Medical Center Director ensures that patient safety managers receive oversight, training, and support as required by the Veterans Health Administration.

No. 8
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Robley Rex VA Medical Center Director ensures that the chief of quality understands the seriousness and implications of altering documentation without support, and that leaders, whose actions contributed to the deficiencies outlined in this report, receive administrative action, as appropriate.

Date Issued
|
Report Number
25-02113-77
|
Topics:  Information Technology and Security

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Open Recommendation Image, Square
to Information and Technology (OIT)

Remediate servers that are not compliant with configuration standards and ensure periodic compliance scanning of servers.

No. 2
Open Recommendation Image, Square
to Information and Technology (OIT)

Remediate databases that are not compliant with configuration standards and ensure quarterly compliance and vulnerability scanning of databases.

No. 3
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
Closure Date: 5/28/2026

Remediate vulnerabilities within VA-defined timeframes and document mitigations for vulnerabilities that cannot be remediated on time.

No. 4
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
Closure Date: 5/28/2026

Comprehensively scan all the facility’s local area network segments for vulnerabilities.

No. 5
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
Closure Date: 5/28/2026

Prepare plans of action and milestones for unapproved software still in use. 

No. 6
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
Closure Date: 5/28/2026

Remediate or document mitigations for physical security deficiencies that can affect IT operations and resources. 

No. 7
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
Closure Date: 5/28/2026

Implement required controls on certain privileged accounts and ensure limited access to these account usernames and passwords.

No. 8
Open Recommendation Image, Square
to Information and Technology (OIT)

Define intervals for review of database audit logs and vulnerability scan results and ensure regular collection and review of database audit logs in accordance with policy.

No. 9
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
Closure Date: 5/28/2026

Verify and document the identity of vendors or contractors consistently before granting them access to IT resources.

No. 10
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
Closure Date: 5/28/2026

Provide access control list protection for all networked medical devices hosted on the VA Saginaw Healthcare System virtual local area networks.

Date Issued
|
Report Number
25-00975-234
|
Topics:  Information Technology and Security

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
Closure Date: 6/29/2026

Implement vulnerability management processes to ensure all vulnerabilities are identified and plans of action and milestones are created for vulnerabilities that cannot be mitigated by VA deadlines.

No. 2
Open Recommendation Image, Square
to Information and Technology (OIT)

Implement a more effective baseline configuration process to ensure network devices and databases are running authorized software that is configured to approved baselines and free of vulnerabilities.

No. 3
Open Recommendation Image, Square
to Information and Technology (OIT)

Perform a cost-benefit analysis and implement appropriate controls within the federal Electronic Health Record to limit disclosure of veteran personally identifiable information based on job responsibility.

No. 4
Open Recommendation Image, Square
to Information and Technology (OIT),Veterans Health Administration (VHA)

Segregate the duties of maintaining key stock and making keys.

No. 5
Open Recommendation Image, Square
to Information and Technology (OIT),Veterans Health Administration (VHA)

Place network infrastructure equipment in a communications closet or approved enclosure to restrict access to only authorized personnel.

No. 6
Open Recommendation Image, Square
to Information and Technology (OIT),Veterans Health Administration (VHA)

Complete the installation of grounding measures for all telecommunications closets to protect information technology equipment against electromagnetic pulse attack or electrostatic discharge. Ensure the work completed by contractors adheres to the requirements as defined in the work order.

No. 7
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT),Veterans Health Administration (VHA)
Closure Date: 2/18/2026

Add anti-ram barriers to protect all sides of a fueling station’s fuel tank.

Date Issued
|
Report Number
25-00529-219
|
Topics:  Financial Management ● Information Technology and Security

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Open Recommendation Image, Square
to Office of Management (OM)

Implement a plan with the Office of Acquisition and Logistics Project Management Office to ensure system access is more granular and the intent of the principle of least privilege is met.

No. 2
Open Recommendation Image, Square
to Office of Management (OM)

Ensure all roles and accesses, including those provided by default access, are reviewed and certified periodically as required.

No. 3
Open Recommendation Image, Square
to Office of Management (OM)

Implement a permanent solution to provide supervisors and information owners with visibility of all roles and accesses, including those provided by default access, granted to users.

Date Issued
|
Report Number
25-00214-61
|
Topics:  Information Technology and Security ● Patient Care Services Operations ● Staffing ● Supplies and Equipment

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Executive Director ensures staff receive education about badge holders’ responsibilities in preventing unauthorized access to VA facilities and computer systems and safeguarding electronic databases including electronic health care records.

No. 2
Closed and Implemented Recommendation Image, Checkmark
to Veterans Health Administration (VHA)
Closure Date: 2/12/2026

The Executive Director ensures signs are present and accurate throughout the facility.

No. 3
Closed and Implemented Recommendation Image, Checkmark
to Veterans Health Administration (VHA)
Closure Date: 2/12/2026

The Executive Director ensures staff maintain privacy curtains, preventive maintenance on medical equipment, and splash resistant bottom shelves on supply carts.

No. 4
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Executive Director ensures staff monitor patient care areas for expired, damaged, and contaminated medications and remove them as needed.

No. 5
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Executive Director ensures staff store medications in pharmaceutical grade refrigerators.

No. 6
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Executive Director ensures primary care staffing is sufficient for patients to receive appropriate health care.

No. 7
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Executive Director reviews staffing levels for the Housing and Urban Development–Veterans Affairs Supportive Housing program and takes action as needed.

Date Issued
|
Report Number
24-00568-38
|
Topics:  Information Technology and Security

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Executive Director of Operations for a national cancer testing program ensures the project has met the requirements for Institutional Review Board review for research with human subjects and takes action as needed.

No. 2
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Executive Director of Operations for a national cancer testing program ensures national cancer prevention, treatment, and research program staff are trained on Institutional Review Board project submission and privacy requirements. 

No. 3
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The National Specialty Care Program Office Chief Officer ensures the national cancer prevention, treatment, and research program staff reviews and provides required approvals before the release of protected health information for research. 

No. 4
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The National Specialty Care Program Office Chief Officer, in conjunction with the Office of Research & Development ensures that VA privacy officers report privacy incidents involving data obtained from or for national cancer prevention, treatment, and research program activities timely and monitors for compliance.

No. 5
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The Office of Research Oversight Executive Director in conjunction with the Chief Research and Development Officer, VHA Office of Research & Development, reviews the national cancer prevention, treatment, and research program final mitigation plan and ensures corrective actions address system-wide issues for determining whether a national cancer prevention, treatment, and research program project constitutes research, safeguarding privacy when data is shared for projects, and ensuring data security requirements are met. 

No. 6
Open Recommendation Image, Square
to Veterans Health Administration (VHA)

The National Specialty Care Program Office Chief Officer ensures the national cancer prevention, treatment, and research program has safeguards in place including biostatistician expertise to ensure that data containing sensitive patient information and protected health information is deidentified before sharing outside of VA as required.

Date Issued
|
Report Number
24-03708-141
|
Topics:  Information Technology and Security

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
Closure Date: 5/27/2026

Implement vulnerability management processes to ensure all vulnerabilities are identified and plans of action and milestones are created for vulnerabilities that cannot be mitigated by VA deadlines.

No. 2
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
Closure Date: 1/29/2026

Develop and approve an authorization to operate for the special-purpose systems.

No. 3
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
Closure Date: 1/29/2026

Include facility personnel during the security categorization process to ensure all necessary information types are considered when determining the security categorization for special-purpose systems.

No. 4
Closed and Implemented Recommendation Image, Checkmark
to Veterans Health Administration (VHA)
Closure Date: 1/29/2026

Segregate the pharmacy application administrative access from individuals who are custodians of the pharmaceutical inventory.

No. 5
Closed and Implemented Recommendation Image, Checkmark
to Veterans Health Administration (VHA)
Closure Date: 1/29/2026

Ensure a witness observes the destruction of temporary paper files that contain personally identifiable information and protected health information.