Federal Reports

This Office of Inspector General (OIG) Comprehensive Healthcare Inspection Program report provides a focused evaluation of the quality of care delivered in the inpatient and outpatient settings of the Beckley VA Medical Center and two outpatient clinics in West Virginia. The inspection covered key clinical and administrative processes that are associated with promoting quality care. This inspection focused on Leadership and Organizational Risks; COVID-19 Pandemic Readiness and Response; Quality, Safety, and Value; Registered Nurse Credentialing; Medication Management: Remdesivir Use in VHA; Mental Health: Emergency Department and Urgent Care Center Suicide Risk Screening and Evaluation; Care Coordination: Inter-facility Transfers; and High-Risk Processes: Management of Disruptive and Violent Behavior. At the time of the OIG’s inspection, the medical center’s executive leadership team had worked together for over one year. Employee survey data revealed general satisfaction with leaders. However, opportunities appeared to exist for the Chief of Staff to improve employees’ perceptions toward leaders and the workplace, and for the Chief of Staff, Associate Director/Patient Care Services, and Associate Director to reduce staff feelings of moral distress at work. Patient experience survey scores implied satisfaction with the care provided, but highlighted opportunities for leaders to improve female patients’ experiences with specialty care providers. The OIG’s review of the medical center’s accreditation findings, sentinel events, and disclosures did not identify any substantial organizational risk factors. Executive leaders were generally knowledgeable within their scope of responsibility about selected Strategic Analytics for Improvement and Learning model measures and should continue to take actions to sustain and improve performance. The OIG issued four recommendations for improvement in four areas: (1) Quality, Safety, and Value • Surgical workgroup meetings (2) Mental Health • Suicide safety plan training (3) Care Coordination • Medication list transmission (4) High-Risk Processes • Prevention and management of disruptive behavior training

The VA Office of Inspector General (OIG) conducted this inspection to determine whether the Tucson Consolidated Mail Outpatient Pharmacy (CMOP) was meeting federal security guidance. The inspection team selected the Tucson CMOP because it is home to the CMOP Local Area Network, which establishes an interface for electronically transferring information between all Veterans Health Administration medical centers and the CMOP host systems located at each of the seven CMOPs, which form an integrated and highly automated outpatient prescription dispensing system.The OIG team found deficiencies in configuration management, contingency planning, and access controls. Specifically, the Tucson CMOP had inaccurate component inventories, ineffective vulnerability management, and inadequate flaw remediation and had not implemented the configuration management plan; lacked a disaster recovery plan; and had not changed the default username and password for the security camera system and did not consistently generate or forward audit records to the Cybersecurity Operations Center. Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction. The OIG made six recommendations to the Tucson CMOP director: implement effective inventory management tools, an effective vulnerability and flaw remediation program, and a disaster recovery plan; ensure CMOP staff understand their assigned roles and responsibilities; task the facility manager to change the default username and password for the security camera system; and request the Office of Information and Technology to configure audit logging on the misconfigured devices in accordance with established baselines, policy, and procedures.

As part of our annual audit plan, we performed an audit of Tennessee Valley Authority’s (TVA) non-power dam control system cybersecurity. Our objective was to determine if the cybersecurity controls of TVA’s non-power dam control system were operating effectively.In summary, we found (1) no clear ownership of the non-power dam control system, (2) vulnerable versions of operating systems and control system software, (3) inappropriate logical and physical access, and (4) internal information technology controls were not operating effectively or had not been designed and implemented. Prior to completion of our audit, TVA clarified the ownership of the control system and took actions to address the inappropriate logical and physical access. We recommend the Senior Vice President, Resource Management and Operations Services, update the non power dam control system to address the identified vulnerabilities and information technology control weaknesses. TVA management agreed with our recommendation and provided information on planned actions.

The objective of the audit was to determine whether the Office of Postsecondary Education (OPE) has an adequate process in place to ensure that institutions of higher education (schools) use Higher Education Emergency Relief Fund (HEERF) grant funds appropriately and that performance goals are met. OPE needs to strengthen its oversight processes to ensure that schools use HEERF grant funds appropriately and that performance goals are met. OPE established and implemented several controls to promote transparency and accountability in program administration, including providing guidance and other technical assistance to schools on the appropriate uses of HEERF grant funds, requiring that schools post to their websites or submit to OPE various reports on their uses of funds as well as other information (HEERF reports), and taking steps to expand independent audit coverage for schools. However, OPE did not perform or document several key activities that are essential to effective program oversight.