Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Department of Justice
Audit of the Phelps County Sheriff's Department's Equitable Sharing Program Activities, Rolla, Missouri
The VA Office of Inspector General (OIG) conducted a healthcare inspection to assess allegations concerning Sterile Processing Services (SPS) at the Carl T. Hayden VA Medical Center (facility) in Phoenix, Arizona.
The OIG substantiated that SPS staff failed to don personal protective equipment (PPE) in SPS decontamination areas. The OIG observed SPS and other facility staff enter decontamination areas without required PPE.
The OIG did not substantiate that SPS staff falsified Resi-Tests by documenting the same lot number for endoscopes. The OIG found that some Resi-Test kits had the same lot numbers but that was not indicative of falsified tests. Additionally, the OIG identified missing documentation of Resi-Test results from October through December 2020; however, based on review of subsequent documentation, direct observations, and interviews, the OIG concluded that SPS staff completed Resi-Tests in accordance with policy.
The OIG did not substantiate that SPS staff failed to follow validation testing requirements for biological indicators and Bowie-Dick tests for sterilizers. The OIG found no infection concerns associated with inadequate reprocessing of equipment.
The OIG found that SPS staff followed reprocessing steps according to standard operating procedures and instructions for use. The OIG did not substantiate that SPS staff did not have adequate reprocessing supplies. The OIG found that floor grade instruments received in decontamination areas were discarded and not reprocessed. The OIG found that SPS staff reviewed instructions for use for loaner trays upon receipt at the facility. The OIG did not substantiate that SPS staff failed to receive documentation for instruments sterilized at another VA facility. The OIG concluded that SPS leaders were knowledgeable of the practice standards.
The OIG made one recommendation to the Facility Director to ensure staff comply with requirements for donning required personal protective equipment prior to entry into decontamination areas.
The objective was to determine whether the Library has implemented adequate governance controls to ensure that its cloud services are secure, operationally suitable, and cost-beneficial.
What the Office of Inspector General Found:
- The Library is unable to identify current-state cloud services in a reliable and effective manner.
- The Library does not have an actionable cloud strategy.
- The Library has not developed a system administration manual for the Office of the Chief Information Officer Google Services.
- The Library has not performed a gap analysis as part of its cloud strategy workforce development and planning component.
- The Library’s cloud contracts lack detailed service-level information regarding data preservation and migration.
- The Library does not consistently apply the risk management framework to its cloud applications.
- The Library does not consistently implement its cost estimation and monitoring requirements for cloud migrations.
What the Office of Inspector General Recommends:
- Develop a process to ensure that it is able to identify its cloud-hosted systems, as defined by National Institute of Standards and Technology SP 800-145 and CSF ID.AM4.
- Enhance and document its capabilities to ensure that the Office of the Chief Information Office can automatically track and report on the Library’s current-state cloud systems at a level of granularity that can support enterprise architecture and Office of the Chief Information Office reporting of cloud migration metrics and track the Library’s progress toward a planned future state.
- Update its cloud strategy and cloud implementation plan to fully align with the federal Cloud Smart strategy.
- Disseminate the updated documents to management-level Office of the Chief Information Office personnel and individuals within Contracts and Grants Directorate to ensure organization-wide awareness and alignment.
- Develop account management and auditing procedures to support the implementation of the Office of the Chief Information Officer Google Services.
- Provide training to relevant personnel so they can execute the responsibilities documented within the new procedures.
- Ensure the most current System Administration Manuals are available/accessible as needed to enable Library personnel to perform their duties.
- Update the Library’s cloud strategy to include a workforce development and planning component.
- Perform an Office of the Chief Information Office-wide skills gap assessment in support of the Library cloud strategy.
- Based on the results of the Office of the Chief Information Office-wide skills gap assessment, implement any necessary corrective actions.
- Finalize and implement the procurement policies for cloud computing services and IT products and services.
- Ensure that the procurement policies take into consideration the guidelines and recommendations for cloud procurement contained in National Institute of Standards and Technology SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, and National Institute of Standards and Technology SP 800-146, Cloud Computing Synopsis and Recommendations.
- Ensure that system security plans or other system-specific documents for current cloud-based systems address data preservation and the migration of data to and from the cloud, as outlined in National Institute of Standards and Technology SP 800-146, Cloud Computing Synopsis and Recommendations, sections 3 and 9, respectively.
- Evaluate the alignment of its established low impact externally hosted control baselines with National Institute of Standards and Technology control baselines and document and justify any deviations (i.e., tailoring), with a rationale or an acceptance of the related risk.
- Refine its Plan of Action & Milestones management process to ensure that it reviews reports of overdue plan of action & milestones in a timely manner and to require justification for any delays or extensions.
- Review cloud system continuous monitoring plans to ensure that the control scopes and assessment frequencies are commensurate with the systems’ control baselines. Monitor performance of control assessments accordingly.
- Review the system security plans in Archer to determine the scope of the technical error related to inherited controls. Coordinate with the vendor to identify and implement a solution.
- Conduct an analysis to determine if system security plans for other systems have insufficient tailoring or inheritance statements and create a plan to address any identified gaps.
- Establish Library-specific cost models for computing, storage, and network services that the Library can use in performing total cost of ownership comparisons and monitoring.
- Ensure the Library’s cloud strategy or implementation plan clearly identifies the need to document and present total cost of ownership comparisons when making hosting determinations.
- Plan and monitor the implementation of its cloud IT investments and complete and submit quarterly and annual IT investment reports with documentation supporting the reported status, if necessary.