All Reports

Implement a more effective vulnerability management program to address security deficiencies identified during the inspection. (This is a repeat recommendation from the prior inspection.)

Ensure vulnerabilities are remediated within OIT’s established time frames. (This is a repeat recommendation from the prior inspection.)

Ensure all servers and databases are part of the automated scanning process.

Implement approved baseline configurations for databases and document justifications and approvals for any deviations.

Implement more effective configuration control processes to ensure network devices maintain vendor support and receive security updates.

Implement an improved inventory process to ensure the accuracy of network ranges managed within the Enterprise Mission Assurance Support Service. (This is a repeat recommendation from the prior inspection.)

Implement an effective audit and monitoring process for all servers and databases. (This is a repeat recommendation from the prior inspection.)

Ensure that physical access logs for the data center and communication rooms are reviewed on a quarterly basis.

Consider taking appropriate steps to implement redundant distribution paths between the uninterruptible power supplies and the information technology equipment at the Hines Information Technology Center.

Implement steps to prevent the inadvertent activation of the main circuit breaker at the Hines Information Technology Center, such as installing a protective covering over the circuit breaker with an explicit warning label indicating the breaker’s function to help prevent power outages at the facility.

Implement steps to prevent the inadvertent activation of circuit breakers at all VA data centers, such as updating the physical security controls policy to require protective covers and explicit warning labels.

Update the Hines Information Technology Center information system contingency plan to help ensure the efficient restoration of data center power and critical applications in the event of a power outage.

Implement annual testing of Hines Information Technology Center contingency and restoration procedures following a power loss to ensure all stakeholders are aware of their responsibilities in accordance with revised information system contingency plan procedures.

Reduce improper and unknown payments to below 10 percent for the Pension Program. This is a repeat recommendation from the OIG’s FY 2022 report.

Reduce improper and unknown payments to below 10 percent for the Purchased Long-Term Services and Supports Program. This is a repeat recommendation from the OIG’s FY 2022 report.

The El Paso VA Health Care System Director ensures Behavioral Health Service policies and guidance are in alignment with federal laws and Texas and New Mexico state laws specific to the system’s emergency detention orders, and educates behavioral health licensed independent practitioners on the policies, as needed.

The Executive Director ensures staff complete root cause analyses for sentinel events.

The Chief of Staff ensures service chiefs initiate Focused Professional Practice Evaluations for newly appointed licensed independent practitioners.

The Chief of Staff ensures service chiefs regularly complete Ongoing Professional Practice Evaluations for licensed independent practitioners.

The Chief of Staff ensures service chiefs consider specialty-specific data during licensed independent practitioners’ Ongoing Professional Practice Evaluations.

The Chief of Staff ensures practitioners with equivalent specialized training and similar privileges complete Ongoing Professional Practice Evaluations.

The Chief of Staff ensures the Healthcare Delivery Council or an appropriately identified executive committee of the medical staff reviews professional practice evaluation results.

The Veterans Integrated Service Network Chief Medical Officer oversees the healthcare system’s privileging processes.

The Executive Director ensures staff follow the manufacturer’s recommendations for testing over-the-door alarms for sleeping rooms in the Acute Psychiatric Unit.

The Executive Director ensures staff test panic alarms in the Acute Psychiatric Unit and document VA police response times.

The Chief of Staff ensures designated staff complete the Comprehensive Suicide Risk Evaluation the same calendar day, when logistically feasible and clinically appropriate, for all ambulatory care patients with a positive suicide risk screen.

The Chief of Staff ensures clinical staff notify the suicide prevention team when patients report suicidal behaviors during the Comprehensive Suicide Risk Evaluation.

The Chief of Staff ensures the suicide prevention coordinators conduct, track, and report a minimum of five suicide prevention outreach activities each month.

We recommended the Assistant Secretary for Information and Technology consistently implement an improved continuous monitoring program in accordance with the NIST Risk Management Framework. Specifically, implement an independent security control assessment process to evaluate the effectiveness of security controls prior to granting authorization decisions. 

We recommended the Assistant Secretary for Information and Technology implement improved mechanisms to ensure system stewards and Information System Security Officers follow procedures for establishing, tracking, and updating Plans of Action and Milestones for all known risks and weaknesses including those identified during security control assessments. 

We recommended the Assistant Secretary for Information and Technology implement controls to ensure that system stewards and responsible officials obtain appropriate documentation prior to closing Plans of Action and Milestones.

We recommended the Assistant Secretary for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, include an accurate status of the implementation of system security controls, and all applicable security controls are properly evaluated.

We recommended the Assistant Secretary for Information and Technology implement improved processes for reviewing and updating key security documentation, including control assessments on a risk-based rotation or as needed. Such updates will ensure all required information is included and accurately reflects the current environment.

We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure compliance with VA password policy and security standards on domain controls, operating systems, databases, applications, and network devices. 

We recommended the Assistant Secretary for Information and Technology implement periodic reviews to minimize accounts and permissions in excess of required functional responsibilities, and to remove unauthorized or unnecessary accounts.

We recommended the Assistant Secretary for Information and Technology enable system audit logs on all critical systems and platforms and conduct centralized reviews of security violations across the enterprise.

We recommended the Office of Personnel Security, Human Resources, and Contract Offices implement improved processes for establishing and maintaining accurate investigation data within VA systems used for background investigations.

We recommended the Office of Personnel Security, Human Resources, and Contract Offices strengthen processes to ensure appropriate levels of background investigations are completed for applicable VA employees and contractors.

We recommended the Assistant Secretary for Information and Technology implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and web application servers.

We recommended the Assistant Secretary for Information and Technology implement improved processes for tracking and resolving vulnerabilities that cannot be addressed within policy timeframes. Implement more effective patch and vulnerability management processes to mitigate identified security deficiencies and reduce applicable security risks.

We recommended the Assistant Secretary for Information and Technology maintain a complete and accurate security baseline configuration for all platforms and ensure all baselines are appropriately monitored for compliance with established VA security standards.

We recommended the Assistant Secretary for Information and Technology implement improved controls that restrict vulnerable medical devices from unnecessary access to the general network.

We recommended the Assistant Secretary for Information and Technology enhance procedures for tracking security responsibilities for networks, devices, and components not managed by the Office of Information and Technology to ensure vulnerabilities are remediated in a timely manner.

We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure that all devices and platforms are evaluated using credentialed vulnerability assessments.

We recommended the Assistant Secretary for Information and Technology implement improved procedures to enforce standardized system development and change control processes that integrates information security throughout the life cycle of each system.

We recommended the Assistant Secretary for Information and Technology implement improved procedures to ensure that system outages and disruptions are tracked to specific system boundaries and that interdependent systems are considered for the purposes of tracking and measuring against stated system recovery time objectives.

We recommended the Assistant Secretary for Information and Technology ensure contingency plans for all systems and applications are updated and tested in accordance with VA requirements.

We recommended the Assistant Secretary for Information and Technology ensure that systems and applications are adequately logged and monitored to facilitate an agency-wide awareness of information security events.

We recommended the Assistant Secretary for Information and Technology implement improved safeguards to identify and prevent unauthorized vulnerability scans on VA networks.

We recommended the Assistant Secretary for Information and Technology implement improved measures to ensure that all security controls are assessed in accordance with VA policy and that identified issues or weaknesses are adequately documented and tracked within POA&Ms.

We recommended the Assistant Secretary for Information and Technology implement improved processes to monitor for unauthorized changes to system components and the installation of prohibited software on all agency devices and platforms.

We recommended the Assistant Secretary for Information and Technology develop a comprehensive inventory process to identify connected hardware, software, and firmware used to support VA applications and operations.

We recommended the Assistant Secretary for Information and Technology implement improved procedures for monitoring contractor-managed systems and services and ensure information security controls adequately protect VA sensitive systems and data.

The Secretary of Veterans Affairs directs the assistant secretary for Human Resources and Administration/Operations, Security, and Preparedness should update Policy Notice 23-03 and Form 10017-A to address the deficiencies noted in this report, including the overly broad definitions of groups, failure to provide adequate support for high-demand skill CSIs, and lack of needs analyses for recruitment and retention.

The Secretary of Veterans Affairs designates a responsible official to review the critical skill incentives that have been paid to any member of the Senior Executive Service (SES), SES-equivalent, or other Senior Leader (including Veterans Health Administration’s medical center directors and Veterans Integrated Service Network directors and the Veterans Benefits Administration’s regional office and district directors) for the deficiencies identified in this report and to ensure compliance with all applicable statutory criteria and VA policy, and take any corrective action needed.

The Secretary of Veterans Affairs designates a responsible official to review any critical skill incentive payments based on a high-demand skills justification made to all nonexecutive groups of employees, if any, to ensure compliance with all applicable statutory criteria and VA policy, and take any corrective action needed.

In consultation with the Office of General Counsel’s Ethics Specialty Team, the Secretary of Veterans Affairs or his designee takes appropriate action to determine whether individuals involved in the decision-making process for awarding CSIs had any actual or apparent conflicts of interest and develop a process to ensure all decision-makers are free from conflicts when awarding future incentives.

The Secretary of Veterans Affairs directs the assistant secretary for Human Resources and Administration/Operations, Security, and Preparedness to revise policies regarding critical skills incentives to ensure that recommending and approving officials are accountable for their determinations that each CSI recipient meets all established criteria, and that the roles and responsibilities of a technical reviewer and human resources reviewer are clearly established.

The Secretary of Veterans Affairs delegates to a responsible official the development of a formal concurrence process to provide reasonable assurance that a senior attorney within the Office of General Counsel (with sufficient experience and expertise to consider all relevant facts and perspectives) is accountable for providing legal advice before and during the implementation of any new authority that carries the potential for significant reputational or financial harm to VA.

The Secretary of Veterans Affairs delegates to a responsible official a review of existing governance board policies to determine whether additional guidance is needed to define their role in reviewing proposals for implementing new pay authorities affecting senior executive compensation.

The Secretary of Veterans Affairs takes whatever administrative actions, if any, he deems appropriate related to personnel involved in the process for granting critical skill incentives for VA central office executives based on the findings in this report.

Formalize the executive director’s intent by requiring the submission to the OIG of a related plan and documentation of progress on implementing VA’s maintenance of an independent and updated list of contract facilities.

Comply with the requirements of the customer satisfaction survey contract to route exam comment cards directly between the survey vendor and veteran.

Develop and implement formal standard operating procedures for the contract exam facility site visits detailing roles, responsibilities, objectives, and monitoring.

Update the Medical Disability Examination Office site visit checklist to include a focus on specific ADA and OSHA criteria required by contracts with exam vendors.

Complete a standardized training plan for staff who conduct site visits at contract exam facilities to include ADA and OSHA compliance.

Ensure the Medical Disability Examination Office is conducting complaint-based contract facility inspections.

Enforce contractual requirements for vendors to conduct inspections and recertify all facilities to ensure ADA and OSHA compliance.

Review and analyze all veteran complaints related to exam facilities received through all entities and perform complaint-based site visits or create action plans, as necessary.

Make certain that the Medical Disability Examination Office develops a plan with the vendors to determine if each veteran seeking an exam requires accessibility arrangements prior to scheduling.

Implement a plan to strengthen the National Work Queue division’s monitoring of claims awaiting decision at its own location to ensure its rules are operating as intended and make adjustments as needed.

Ensure the Office of Field Operations includes the National Work Queue division’s functioning in its annual internal controls assessment and statement of assurance.

Ensure that personal information of veterans who have passed away while waiting for community care consults to be scheduled is only shared with staff who need to know for specific work assignments.

Conduct a strategic business evaluation of the community care department’s workflow processes to determine if there are alternatives that could improve consult processing and scheduling efficiency and timeliness.

Continue to increase specialty provider availability in VA and the community for veterans assigned to the Martinsburg VA medical facility.

Ensure that the performance plan of the chief of community care has standards related to the metrics for community care.

The Chief of Staff ensures service chiefs recommend continued privileges for licensed independent practitioners based on Ongoing Professional Practice Evaluation activities, and the Medical Executive Committee recommends them based on evaluation results.

The Deputy Medical Center Director ensures staff post biohazard signs in applicable areas.

The Associate Director ensures staff keep patient care areas safe and clean.

The Assistant Director ensures staff document VA police response times for panic alarm testing in the inpatient mental health unit.

The Chief of Staff ensures providers complete the Comprehensive Suicide Risk Evaluation on the same day as a patient’s positive suicide risk screen in all ambulatory care settings.

The Chief of Staff ensures service chiefs regularly complete Ongoing Professional Practice Evaluations for licensed independent practitioners.

The Chief of Staff ensures the Clinical Executive Board reviews professional practice evaluation data for licensed independent practitioners.

The Chief of Staff ensures service chiefs include service-specific criteria in the Ongoing Professional Practice Evaluations of licensed independent practitioners.

The Medical Center Director ensures staff follow the manufacturer’s recommendations for testing over-the-door alarms on mental health inpatient unit sleeping room doors.

The Chief of Staff ensures designated staff complete the Comprehensive Suicide Risk Evaluation the same calendar day, when logistically feasible and clinically appropriate, for all ambulatory care patients with a positive suicide risk screen.

The Chief of Staff ensures suicide prevention coordinators conduct, track, and report a minimum of five suicide prevention outreach activities each month.

The Chief of Staff ensures clinical staff notify the suicide prevention team when patients report suicidal behaviors during the Comprehensive Suicide Risk Evaluation.

The VA Desert Pacific Healthcare Network Director strengthens Sterile Processing Service oversight to ensure timely communication of audit findings with action plan expectations to facility leaders.

The VA Desert Pacific Healthcare Network Director ensures entry of audit results into the Sterile Processing Accountability Tool within the required time frame.

The VA Desert Pacific Healthcare Network Director ensures audit results are shared with the Sterile Processing Advisory Board per Veterans Health Administration requirements.

The VA New Mexico Health Care System Director ensures Sterile Processing Service has a process to communicate all instances when high-level disinfection documentation cannot be located to the associated clinical services when the reusable medical devices was used in patient care.

The VA New Mexico Health Care System Director ensures Sterile Processing Service has a formal process in place to sustain daily quality assurance reviews and monitors compliance.

The VA New Mexico Health Care System Director ensures Sterile Processing Service leaders demonstrate clear communication of Sterile Processing Service staff roles and responsibilities in accordance with Veterans Health Administration High Reliability Organization principles and values.

The VA New Mexico Health Care System Director ensures the facility’s Sterile Processing Service identifies and resolves high-level disinfection documentation errors as they occur, prior to use of associated reusable medical devices on patients.

The Chief of Staff ensures practitioners from other facilities with equivalent specialized training and similar privileges complete Ongoing Professional Practice Evaluations for solo licensed independent practitioners.

The Medical Center Director ensures staff conduct environment of care inspections in non-patient care areas at least once per fiscal year.

The Medical Center Director ensures providers complete the Comprehensive Suicide Risk Evaluation the same day as a patient’s positive suicide risk screen in ambulatory care settings.

The Under Secretary for Health considers the need for a national policy establishing the inclusion of social determinants of health/health-related social needs into discharge assessment and planning.

The Under Secretary for Health considers the implementation of a standardized electronic health record template, such as the Assessing Circumstances and Offering Resources for Needs tool, that includes the assessment of social determinants of health/health-related social needs of hospitalized patients.

The Under Secretary for Health evaluates barriers to assessing social determinants of health/health-related social needs when patients are discharged from VA medical centers.

The Under Secretary for Health promotes the use of health equity tools across VA medical centers

The Under Secretary for Health promotes the establishment of partnerships of VA medical centers with community resources to address social determinants of health/health-related social needs.

The Associate Director ensures staff maintain a safe environment by keeping walls in good repair.

The Associate Director ensures staff check over-the-door alarms in the inpatient mental health unit according to the manufacturer’s guidelines.

The Associate Director ensures staff document VA police response times for panic alarm testing in the inpatient mental health unit.

The Medical Center Director ensures leaders conduct institutional disclosures for all applicable sentinel events.

The Medical Center Director ensures staff complete environment of care inspections in patient and non-patient care areas at the required frequency.

The Medical Center Director ensures staff cover electrical receptacles in the Inpatient Mental Health Unit common area with metal plates.

The Medical Center Director ensures providers complete the Comprehensive Suicide Risk Evaluation following a patient’s positive suicide risk screen.

The Medical Center Director ensures clinical staff notify the suicide prevention team when patients report suicidal behaviors during Comprehensive Suicide Risk Evaluations.

The Chief of Staff ensures supervisors communicate the Peer Review Committee’s recommendations for all Level 3 peer reviews to providers and ensure they implement the improvement actions.

The Chief of Staff ensures the Medical Executive Council documents its review of licensed independent practitioners’ professional practice evaluations and recommend privileges based on the results.

The Executive Director ensures staff store reusable medical equipment in temperature- and humidity-controlled storage locations.

The Associate Director ensures staff keep storage rooms and areas used by patients clean and safe.

The Chief of Staff limits medication access to approved staff members.

The Associate Director ensures all toilet rooms within proximity to areas where pelvic examinations are performed, and all women’s, unisex, and family public restrooms have feminine hygiene products available at no cost.

The Under Secretary for Health, in conjunction with the National Oncology Program and Veterans Integrated Service Network directors, ensure facility leaders and staff are aware of the services offered to veterans diagnosed with breast cancer through the Women’s Oncology System of Excellence.

The Under Secretary for Health and National Oncology Program staff offer a range of services for patients diagnosed with breast cancer, including rehabilitative services, through the Women’s Oncology System of Excellence.

The Under Secretary for Health, Veterans Integrated Service Network directors, and facility leaders ensure staff enter data into the local cancer registry database in a timely manner.