Recommendations
514
| ID | Report Number | Report Title | Type | |
|---|---|---|---|---|
| 23-01397-126 | Ineffective Use and Oversight of Medical/Surgical Prime Vendor Program Led to Increased Spending | Audit | ||
1 Ensure facility staff place all orders for eligible items through the Medical/Surgical Prime Vendor program, including those that are identified as on back order.
Closure Date:
2 Implement tracking mechanisms for back orders to assist the facilities in not obtaining excess supplies.
3 Ensure that logistics staff receive training and use the Prime Vendor Conversion and Recommendation Tool to identify commonly purchased open market items and convert those items to Medical/Surgical Prime Vendor purchases.
Closure Date:
4 Identify and implement an efficient way to transfer product list updates to the inventory ordering system.
Closure Date:
5 In collaboration with the Strategic Acquisition Center, identify a VA-owned system for staff to check product information, such as availability and pricing, and ensure applicable facility staff are aware of this location.
Closure Date:
6 Implement a standardized, routine review of open market purchases.
Closure Date:
7 Ensure that reporting tools are effective and consistently applied, and that reported issues are resolved.
Closure Date:
8 Ensure that logistics staff receive relevant Medical/Surgical Prime Vendor program guidance and training.
Closure Date:
9 Ensure the product list includes items that facilities need and regularly purchase so the Veterans Health Administration can expand the savings and benefits the Medical/Surgical Prime Vendor program offers.
| ||||
| 23-02181-98 | Financial Efficiency Inspection of the VA North Texas Health Care System | Financial Inspection | ||
1 Establish a plan to use VA’s cost accounting system information to identify alternative ways to reduce costs, enhance efficiency, and inform business decisions as identified by VA financial policy.
Closure Date:
2 Ensure healthcare system staff responsible for labor cost and workload mapping are responding in a timely manner to the results of managerial cost accounting audits and correcting all identified issues.
Closure Date:
3 Consider a plan to align VA North Texas Health Care System financial management practices with federal financial accounting standard practices. This could include using cost information for performance measurement, budgeting, and cost control, and making economic choices.
Closure Date:
4 Ensure that healthcare system staff are made aware of policy requirements and the responsible finance office conducts monthly reviews and reconciliations on all open obligations for financial validity and take appropriate actions as required by VA Financial Policy, vol. 2, chap. 5, “Obligations” (2020), updated May 2023.
Closure Date:
5 Consult with Office of General Counsel and Office of Acquisitions, Logistics and Construction to determine if any further actions are necessary, including contract modifications, to remedy and prevent future purpose statute and bona fide needs rule violations.
Closure Date:
6 Establish controls to ensure cardholders comply with record retention requirements, confirm approving officials and cardholders review purchases for VA policy compliance, and ensure contracting is used when it is in the best interest of the government.
Closure Date:
7 Require cardholders to submit a request for ratification for any unauthorized commitments identified.
Closure Date:
8 Develop and implement a plan to ensure data accuracy and reliability in the Generic Inventory Package in accordance with Veterans Health Administration policy.
Closure Date:
9 Continue to develop and implement processes to ensure all necessary reports are monitored routinely and appropriate steps are taken to ensure all supply chain performance measures are maintained in compliance with policy.
Closure Date:
| ||||
| 23-02330-127 | Inspection of Information Security at the VA Bedford Healthcare System in Massachusetts | Information Security Inspection | ||
1 Obtain an inventory of locally managed databases, perform configuration compliance scans, provide the facility with a copy of the scan results, and monitor the facility’s remediation efforts.
Closure Date:
2 Implement a process to verify system owners review user account access to locally managed databases.
Closure Date:
3 Implement effective system life-cycle processes to ensure network devices meet standards mandated by the VA Office of Information and Technology Configuration Control Board.
Closure Date:
4 Develop and approve an authorization to operate for the special-purpose systems.
Closure Date:
5 Include system personnel during the security categorization process to ensure that all necessary information types are considered when determining the security categorization for special-purpose systems.
Closure Date:
6 Implement controls to ensure the accuracy of user locations supporting the Lynx Duress system.
Closure Date:
7 Implement the appropriate physical security controls to restrict and monitor access to the facility, its server room, and communication closets.
Closure Date:
8 Implement and monitor emergency power and uninterruptible power supplies in all communication closets.
Closure Date:
9 Implement grounding equipment in all communication closets.
| ||||
| 23-02186-97 | Follow-Up Information Security Inspection at the VA Financial Services Center in Austin, Texas | Information Security Inspection | ||
1 Implement a more effective vulnerability management program to address security deficiencies identified during the inspection. (This is a repeat recommendation from the prior inspection.)
Closure Date:
2 Ensure vulnerabilities are remediated within OIT’s established time frames. (This is a repeat recommendation from the prior inspection.)
3 Ensure all servers and databases are part of the automated scanning process.
Closure Date:
4 Implement approved baseline configurations for databases and document justifications and approvals for any deviations.
Closure Date:
5 Implement more effective configuration control processes to ensure network devices maintain vendor support and receive security updates.
Closure Date:
6 Implement an improved inventory process to ensure the accuracy of network ranges managed within the Enterprise Mission Assurance Support Service. (This is a repeat recommendation from the prior inspection.)
Closure Date:
7 Implement an effective audit and monitoring process for all servers and databases. (This is a repeat recommendation from the prior inspection.)
Closure Date:
8 Ensure that physical access logs for the data center and communication rooms are reviewed on a quarterly basis.
Closure Date:
| ||||
| 23-03063-164 | Evaluation of the May 2023 Power Outage at the Hines Information Technology Center in Illinois | Review | ||
1 Consider taking appropriate steps to implement redundant distribution paths between the uninterruptible power supplies and the information technology equipment at the Hines Information Technology Center.
Closure Date:
2 Implement steps to prevent the inadvertent activation of the main circuit breaker at the Hines Information Technology Center, such as installing a protective covering over the circuit breaker with an explicit warning label indicating the breaker’s function to help prevent power outages at the facility.
Closure Date:
3 Implement steps to prevent the inadvertent activation of circuit breakers at all VA data centers, such as updating the physical security controls policy to require protective covers and explicit warning labels.
Closure Date:
4 Update the Hines Information Technology Center information system contingency plan to help ensure the efficient restoration of data center power and critical applications in the event of a power outage.
Closure Date:
5 Implement annual testing of Hines Information Technology Center contingency and restoration procedures following a power loss to ensure all stakeholders are aware of their responsibilities in accordance with revised information system contingency plan procedures.
Closure Date:
| ||||
| 24-00510-167 | Review of VA’s Compliance with the Payment Integrity Information Act for Fiscal Year 2023 | Review | ||
1 Reduce improper and unknown payments to below 10 percent for the Pension Program. This is a repeat recommendation from the OIG’s FY 2022 report.
Closure Date:
2 Reduce improper and unknown payments to below 10 percent for the Purchased Long-Term Services and Supports Program. This is a repeat recommendation from the OIG’s FY 2022 report.
Closure Date:
| ||||
| 23-03167-173 | System Leaders’ Response to Allegations Related to Access to Behavioral Health Care at the El Paso VA Health Care System in Texas | Hotline Healthcare Inspection | ||
1 The El Paso VA Health Care System Director ensures Behavioral Health Service policies and guidance are in alignment with federal laws and Texas and New Mexico state laws specific to the system’s emergency detention orders, and educates behavioral health licensed independent practitioners on the policies, as needed.
Closure Date:
| ||||
| 23-00110-168 | Comprehensive Healthcare Inspection of the Roseburg VA Health Care System in Oregon | Comprehensive Healthcare Inspection Program | ||
1 The Executive Director ensures staff complete root cause analyses for sentinel events.
Closure Date:
2 The Chief of Staff ensures service chiefs initiate Focused Professional Practice Evaluations for newly appointed licensed independent practitioners.
Closure Date:
3 The Chief of Staff ensures service chiefs regularly complete Ongoing Professional Practice Evaluations for licensed independent practitioners.
Closure Date:
4 The Chief of Staff ensures service chiefs consider specialty-specific data during licensed independent practitioners’ Ongoing Professional Practice Evaluations.
Closure Date:
5 The Chief of Staff ensures practitioners with equivalent specialized training and similar privileges complete Ongoing Professional Practice Evaluations.
Closure Date:
6 The Chief of Staff ensures the Healthcare Delivery Council or an appropriately identified executive committee of the medical staff reviews professional practice evaluation results.
Closure Date:
7 The Veterans Integrated Service Network Chief Medical Officer oversees the healthcare system’s privileging processes.
Closure Date:
8 The Executive Director ensures staff follow the manufacturer’s recommendations for testing over-the-door alarms for sleeping rooms in the Acute Psychiatric Unit.
Closure Date:
9 The Executive Director ensures staff test panic alarms in the Acute Psychiatric Unit and document VA police response times.
Closure Date:
10 The Chief of Staff ensures designated staff complete the Comprehensive Suicide Risk Evaluation the same calendar day, when logistically feasible and clinically appropriate, for all ambulatory care patients with a positive suicide risk screen.
11 The Chief of Staff ensures clinical staff notify the suicide prevention team when patients report suicidal behaviors during the Comprehensive Suicide Risk Evaluation.
12 The Chief of Staff ensures the suicide prevention coordinators conduct, track, and report a minimum of five suicide prevention outreach activities each month.
Closure Date:
| ||||
| 23-01105-69 | Federal Information Security Modernization Act Audit for Fiscal Year 2023 | Audit | ||
1 We recommended the Assistant Secretary for Information and Technology consistently implement an improved continuous monitoring program in accordance with the NIST Risk Management Framework. Specifically, implement an independent security control assessment process to evaluate the effectiveness of security controls prior to granting authorization decisions.
Closure Date:
2 We recommended the Assistant Secretary for Information and Technology implement improved mechanisms to ensure system stewards and Information System Security Officers follow procedures for establishing, tracking, and updating Plans of Action and Milestones for all known risks and weaknesses including those identified during security control assessments.
Closure Date:
3 We recommended the Assistant Secretary for Information and Technology implement controls to ensure that system stewards and responsible officials obtain appropriate documentation prior to closing Plans of Action and Milestones.
Closure Date:
4 We recommended the Assistant Secretary for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, include an accurate status of the implementation of system security controls, and all applicable security controls are properly evaluated.
Closure Date:
5 We recommended the Assistant Secretary for Information and Technology implement improved processes for reviewing and updating key security documentation, including control assessments on a risk-based rotation or as needed. Such updates will ensure all required information is included and accurately reflects the current environment.
Closure Date:
6 We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure compliance with VA password policy and security standards on domain controls, operating systems, databases, applications, and network devices.
Closure Date:
7 We recommended the Assistant Secretary for Information and Technology implement periodic reviews to minimize accounts and permissions in excess of required functional responsibilities, and to remove unauthorized or unnecessary accounts.
Closure Date:
8 We recommended the Assistant Secretary for Information and Technology enable system audit logs on all critical systems and platforms and conduct centralized reviews of security violations across the enterprise.
Closure Date:
9 We recommended the Office of Personnel Security, Human Resources, and Contract Offices implement improved processes for establishing and maintaining accurate investigation data within VA systems used for background investigations.
Closure Date:
10 We recommended the Office of Personnel Security, Human Resources, and Contract Offices strengthen processes to ensure appropriate levels of background investigations are completed for applicable VA employees and contractors.
Closure Date:
11 We recommended the Assistant Secretary for Information and Technology implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and web application servers.
Closure Date:
12 We recommended the Assistant Secretary for Information and Technology implement improved processes for tracking and resolving vulnerabilities that cannot be addressed within policy timeframes. Implement more effective patch and vulnerability management processes to mitigate identified security deficiencies and reduce applicable security risks.
Closure Date:
13 We recommended the Assistant Secretary for Information and Technology maintain a complete and accurate security baseline configuration for all platforms and ensure all baselines are appropriately monitored for compliance with established VA security standards.
Closure Date:
14 We recommended the Assistant Secretary for Information and Technology implement improved controls that restrict vulnerable medical devices from unnecessary access to the general network.
Closure Date:
15 We recommended the Assistant Secretary for Information and Technology enhance procedures for tracking security responsibilities for networks, devices, and components not managed by the Office of Information and Technology to ensure vulnerabilities are remediated in a timely manner.
Closure Date:
16 We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure that all devices and platforms are evaluated using credentialed vulnerability assessments.
Closure Date:
17 We recommended the Assistant Secretary for Information and Technology implement improved procedures to enforce standardized system development and change control processes that integrates information security throughout the life cycle of each system.
Closure Date:
18 We recommended the Assistant Secretary for Information and Technology implement improved procedures to ensure that system outages and disruptions are tracked to specific system boundaries and that interdependent systems are considered for the purposes of tracking and measuring against stated system recovery time objectives.
Closure Date:
19 We recommended the Assistant Secretary for Information and Technology ensure contingency plans for all systems and applications are updated and tested in accordance with VA requirements.
Closure Date:
20 We recommended the Assistant Secretary for Information and Technology ensure that systems and applications are adequately logged and monitored to facilitate an agency-wide awareness of information security events.
Closure Date:
21 We recommended the Assistant Secretary for Information and Technology implement improved safeguards to identify and prevent unauthorized vulnerability scans on VA networks.
Closure Date:
22 We recommended the Assistant Secretary for Information and Technology implement improved measures to ensure that all security controls are assessed in accordance with VA policy and that identified issues or weaknesses are adequately documented and tracked within POA&Ms.
Closure Date:
23 We recommended the Assistant Secretary for Information and Technology implement improved processes to monitor for unauthorized changes to system components and the installation of prohibited software on all agency devices and platforms.
Closure Date:
24 We recommended the Assistant Secretary for Information and Technology develop a comprehensive inventory process to identify connected hardware, software, and firmware used to support VA applications and operations.
Closure Date:
25 We recommended the Assistant Secretary for Information and Technology implement improved procedures for monitoring contractor-managed systems and services and ensure information security controls adequately protect VA sensitive systems and data.
Closure Date:
| ||||
| 23-03773-169 | VA Improperly Awarded $10.8 Million in Incentives to Central Office Senior Executives | Administrative Investigation | ||
1 The Secretary of Veterans Affairs directs the assistant secretary for Human Resources and Administration/Operations, Security, and Preparedness should update Policy Notice 23-03 and Form 10017-A to address the deficiencies noted in this report, including the overly broad definitions of groups, failure to provide adequate support for high-demand skill CSIs, and lack of needs analyses for recruitment and retention.
Closure Date:
2 The Secretary of Veterans Affairs designates a responsible official to review the critical skill incentives that have been paid to any member of the Senior Executive Service (SES), SES-equivalent, or other Senior Leader (including Veterans Health Administration’s medical center directors and Veterans Integrated Service Network directors and the Veterans Benefits Administration’s regional office and district directors) for the deficiencies identified in this report and to ensure compliance with all applicable statutory criteria and VA policy, and take any corrective action needed.
Closure Date:
3 The Secretary of Veterans Affairs designates a responsible official to review any critical skill incentive payments based on a high-demand skills justification made to all nonexecutive groups of employees, if any, to ensure compliance with all applicable statutory criteria and VA policy, and take any corrective action needed.
Closure Date:
4 In consultation with the Office of General Counsel’s Ethics Specialty Team, the Secretary of Veterans Affairs or his designee takes appropriate action to determine whether individuals involved in the decision-making process for awarding CSIs had any actual or apparent conflicts of interest and develop a process to ensure all decision-makers are free from conflicts when awarding future incentives.
Closure Date:
5 The Secretary of Veterans Affairs directs the assistant secretary for Human Resources and Administration/Operations, Security, and Preparedness to revise policies regarding critical skills incentives to ensure that recommending and approving officials are accountable for their determinations that each CSI recipient meets all established criteria, and that the roles and responsibilities of a technical reviewer and human resources reviewer are clearly established.
Closure Date:
6 The Secretary of Veterans Affairs delegates to a responsible official the development of a formal concurrence process to provide reasonable assurance that a senior attorney within the Office of General Counsel (with sufficient experience and expertise to consider all relevant facts and perspectives) is accountable for providing legal advice before and during the implementation of any new authority that carries the potential for significant reputational or financial harm to VA.
Closure Date:
7 The Secretary of Veterans Affairs delegates to a responsible official a review of existing governance board policies to determine whether additional guidance is needed to define their role in reviewing proposals for implementing new pay authorities affecting senior executive compensation.
Closure Date:
8 The Secretary of Veterans Affairs takes whatever administrative actions, if any, he deems appropriate related to personnel involved in the process for granting critical skill incentives for VA central office executives based on the findings in this report.
Closure Date:
| ||||
11259