
Regulatory authority reports serious incidents in the VA's electronic health data system

The U.S. Department of Veterans Affairs failed to implement necessary controls for its Oracle Cerner electronic health records system to adequately prevent and respond to major incidents, according to a new audit by the agency's Office of the Inspector General.

In another report examining the VA's management of IT systems, the VA OIG found weaknesses in controls, including configuration management, assessment, authorization, and monitoring, which together were responsible for 23 incidents and a total system outage of 80 hours and 20 minutes.

The VA OIG made four recommendations to the Veterans Health Administration and five to the Electronic Health Record Modernization Integration Office (EHRM IO). These include assessing data needs during serious EHR performance incidents and “contractually” requiring real-time data release; developing effective notification and resolution metrics that capture outcomes for all serious performance incidents; identifying the appropriate backup system; and developing a training strategy to ensure physicians can use the system even during outages.

“As the agency responsible for EHR modernization, the VA should implement policies and procedures to prevent or minimize damage and disruption to critical systems,” the report said. “Although the contract specifies that Oracle Health assumes responsibility for the technical system, including monitoring, the VA is ultimately responsible for maintaining a clear view of the system's health to make effective, timely and informed risk management decisions.”

As an example of how a lack of controls in configuration management led to “severe performance degradation,” the OIG noted that in May 2022, “all three sites where the EHR system was deployed were not fully functional for five hours and four minutes.” This outage occurred because an expired certificate disrupted some applications. Oracle had not listed the certificate in its monitoring tool and “therefore it was not automatically identified and marked for renewal before it expired,” the OIG said.

In August 2022, an incident with incomplete functionality occurred that affected five locations for one hour and 38 minutes, according to the report. Oracle pointed to software errors that were due to “data not being captured in a separate application used by VA,” and company officials said the company had no monitoring in place at the time. Oracle later added monitoring that would “make the company more quickly aware of the software errors.”

The VA OIG is not the only part of the agency raising concerns about the EHR: In an August memorandum released Monday, the OIG directed the VHA Under Secretary for Health to address concerns raised by facility managers and staff during inspections of health care facilities.

The memo states that during interviews at medical facilities, staff described the new EHR as a “system shock.”

OIG reported that leaders at the VA Southern Oregon Healthcare System called the implementation of the new EHR “the biggest challenge we have here,” saying it affects “all systems” and is “redefining how the VA operates.” Staff at that center, as well as the Jonathan M. Wainwright Memorial VA Medical Center, expressed concerns about efficiency and productivity loss, staffing, financial impact, and patient safety.


Written by Caroline Nihill

Caroline Nihill is a reporter for FedScoop in Washington, DC, covering federal IT. Her research has included the White House and Congress' pursuit of artificial intelligence and modernization efforts across the federal government. Caroline was previously an editorial staff writer at Scoop News Group and wrote for FedScoop, StateScoop, CyberScoop, EdScoop, and DefenseScoop. She earned her bachelor's degree in media and journalism from the University of North Carolina at Chapel Hill after transferring there from the University of Mississippi.