Electronic Health Records: Better Goals and Measures Would Improve Interagency Cybersecurity Collaboration

The federal electronic health record (EHR) serves as a single, nationwide platform for storing and sharing patient data across the Department of Defense, Veterans Affairs, the Coast Guard and NOAA. Housing millions of beneficiaries’ health information, the system’s security is a national priority, prompting Congress to task the GAO with evaluating its cyber‑risk posture. The recent GAO review highlights how the Federal Electronic Health Record Modernization office (FEHRM) coordinates agency efforts but falls short of establishing concrete cybersecurity objectives and measurable performance indicators.

A core shortfall identified is the absence of shared, quantifiable goals that span all partner agencies. Without clear targets, agencies cannot accurately gauge progress, allocate resources efficiently, or demonstrate accountability to oversight bodies. This gap obscures the true cost of protecting the EHR enclave and limits the ability to respond swiftly to emerging threats. Moreover, the lack of performance metrics hampers the detection of gaps in privacy safeguards, leaving patient data exposed to potential adversary exploitation.

Adopting leading interagency collaboration practices—such as joint goal‑setting, standardized metrics, and transparent reporting—could transform the federal EHR’s security framework. Defined outcomes would enable real‑time monitoring, foster resource sharing, and provide Congress with concrete evidence of risk mitigation. As cyber threats evolve, a coordinated, metrics‑driven approach will be essential for safeguarding the nation’s health information infrastructure and maintaining public trust.