EHR Modernization Needs Better Cyber and Privacy Collaboration, GAO Says

The Federal Electronic Health Record Modernization (FEHRM) office was created to deliver a single, interoperable EHR platform for the Department of Defense, Veterans Affairs, Coast Guard and NOAA. With more than half a million clinicians expected to log in daily and data for over 18 million beneficiaries, the system’s scale rivals the private sector’s largest health‑IT deployments. GAO’s latest report flags that the office’s collaborative processes fall short of leading cybersecurity practices, lacking clear, shared goals and measurable outcomes across the four agencies.

Effective cyber defense for a federal health enclave hinges on coordinated incident response, unified risk assessments, and transparent performance tracking. GAO highlighted that FEHRM’s Joint Incident Management Framework, slated for an April release, remains stalled without agreed‑upon metrics. Recent ransomware attacks on Change Healthcare, which disrupted VA medication processing for tens of thousands of veterans, illustrate how fragmented security postures can cascade into nationwide care interruptions. By establishing joint performance indicators and a robust communication cadence, the agencies can better allocate resources, anticipate threats, and reduce response times.

Looking ahead, the GAO’s recommendations push DOD and VA leadership to codify common objectives, monitor progress, and publicly report on collaboration outcomes. Successful implementation would not only protect sensitive health data but also restore confidence in the federal EHR rollout, especially as VA resumes phased deployments across additional sites. Policymakers and health‑IT executives should watch how these governance reforms evolve, as they will set a benchmark for large‑scale government digital health initiatives worldwide.