A federal office responsible for overseeing electronic health records across four government agencies has been running its interagency cybersecurity coordination without defined performance measures for two straight fiscal years – a gap that a new Government Accountability Office report says leaves the office unable to assess whether its shared security responsibilities are being met at all.

The Federal Electronic Health Record Modernization Office, which provides direction and oversight for federal health records across the Department of Defense, the Department of Veterans Affairs, the U.S. Coast Guard, and the National Oceanic and Atmospheric Administration, has neither articulated specific short- or long-term cybersecurity goals nor established outcomes related to the privacy of health data within the federal EHR system. As of January, goals for fiscal 2026 were described as still under development. For security and health IT leaders evaluating how to protect connected health infrastructure – where the stakes extend from data privacy into the continuity of patient care – the FEHRM’s situation illustrates a governance failure that vendor selection frameworks and structured accountability practices are specifically designed to prevent.

What the GAO Found

The report, covering an audit period from June 2024 to June 2026 and fulfilling a requirement under a fiscal 2024 appropriations law, centers on a specific and measurable failure: the absence of performance measures for interagency collaboration goals across the past two fiscal years.

The GAO’s language on the consequences is direct. “Without clear goals and outcomes, the FEHRM has limited insight into the specific resources, skills, or time needed to address any shared cybersecurity responsibilities,” the report states. “Ensuring accountability relies on monitoring, assessing, and communicating progress toward the short- and long-term outcomes by using performance measures.”

The report recommended that DOD and VA leadership ensure the FEHRM’s cybersecurity and privacy coordination efforts fully meet leading interagency collaboration practices – a standard the office has not demonstrated it is currently hitting. The GAO also flagged that without performance measures, the FEHRM may lack the information needed to assess and communicate progress and risks, failing to deliver on shared cybersecurity responsibilities entirely.

Where the Agencies Disagree

The response from the agencies involved complicates the picture. The DOD did not concur with the draft GAO report submitted in March. The VA neither agreed nor disagreed, saying it has taken what it described as essential first steps, while simultaneously acknowledging that DOD holds primary responsibility for ensuring EHR cybersecurity.

The VA’s position adds a structural wrinkle: it noted that both agencies must concur to implement recommendations directed at both, which introduces a coordination dependency into the very process of fixing a coordination failure. If DOD continues to push back on the GAO’s framing while the VA defers to DOD on cybersecurity primacy, the path to implementing the recommendations runs through the same interagency alignment gap the report identified as the root problem.

The Scale of What Is at Stake

The federal EHR system runs on Oracle Health Millennium and will serve more than 500,000 users, providing care to over 18 million people when fully deployed. Each agency manages its own networks and carries its own responsibility for compliance with federal privacy laws, but the EHR system is the shared surface across which patient care information is stored, shared, and analyzed.

That combination – a shared platform, agency-specific network management, and distributed privacy obligations – makes interagency cybersecurity coordination not an administrative preference but a structural requirement. A breach or privacy failure affecting the federal EHR does not stay contained within one agency’s perimeter.

VA Secretary Doug Collins recently told a congressional budget hearing that the formerly troubled EHR rollout was now working, describing progress as slow but genuine. The VA is requesting $4.2 billion to continue EHR modernization – an increase of roughly $840 million, or nearly 25%, over the prior year’s funding level. Collins framed the system as central not only to internal VA operations but to community care coordination and communication between VA facilities.

That investment trajectory makes the governance gap the GAO identified more consequential, not less. Scaling a system to full deployment across 18 million patients while cybersecurity coordination goals remain undefined creates compounding exposure at exactly the moment when the attack surface is expanding.

What the Report Says the FEHRM Is Doing Right

The GAO report is not a comprehensive indictment. The DOD and VA signed a charter establishing the FEHRM that outlined roles and responsibilities, and the office has initiated efforts to promote collaboration. The report acknowledged those foundations while making clear they are insufficient without measurable goals attached to them.

“Articulating clear and measurable goals would better position the FEHRM to oversee the coordinated cybersecurity of the federal EHR by providing insight into the specific resources, skills, or time needed to address shared responsibilities,” the report concluded.

The gap between having initiated collaboration efforts and being able to demonstrate that those efforts are achieving anything is precisely what performance measures exist to close. Until the FEHRM establishes them – and until DOD and VA find the alignment needed to implement the GAO’s recommendations – the federal government’s largest health record modernization effort will continue advancing its deployment timeline faster than it is advancing the governance framework designed to keep 18 million patients’ data secure.

Research and Intelligence Sources: Government Accountability Office, Federal Electronic Health Record Modernization
