Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Department of Justice
Audit of the Federal Bureau of Investigation’s Information Security Program Pursuant to the Federal Information Security Modernization Act of 2014 Fiscal Year 2017
Audit of the Federal Bureau of Investigation’s Background Investigative Contract Services Online Transfer System Pursuant to the Federal Information Security Modernization Act of 2014 Fiscal Year 2017
Audit of the Federal Bureau of Investigation’s DirectorNet System Pursuant to the Federal Information Security Modernization Act of 2014 Fiscal Year 2017
The VA Office of Inspector General (OIG) conducted a healthcare inspection to evaluate the circumstances of a patient’s death involving alleged mismanagement of the patient’s resuscitation (Event) at the Buffalo VA Medical Center (Facility), Buffalo, New York, and actions taken by Facility leaders subsequent to the death. The Facility Director contacted the OIG to report a registered nurse (RN 1) found the patient unresponsive and did not “call a code” because he/she feared cardiopulmonary resuscitation (CPR) would traumatize the patient’s body. The OIG substantiated RN 1 did not “call a code” after finding the full-code patient unresponsive. The OIG determined:
• RN 1 and a respiratory therapist (RT) acted outside their scopes of practice and violated policy when they announced the patient was dead, which influenced others not to take action;
• A telemetry RN (RN 2) failed to call for assistance and abandoned the telemetry desk during the Event;
• A licensed practical nurse failed to call for assistance and initiate CPR;
• Telemetry monitoring failures contributed to the delayed response to the Event;
• RN 1 failed to document the patient’s lung assessment and the RT failed to assess the patient’s respiratory status, before and after a scheduled respiratory treatment; and
• The Facility’s Performance Manager’s conversation with the patient’s family could have been misunderstood.
The OIG identified administrative concerns related to Facility leaders’ responses to the Event. Specifically, Facility leaders did not immediately remove involved staff from direct patient care, conduct a timely Administrative Investigation Board and Root Cause Analysis, submit an Issue Brief to the Veterans Integrated Service Network, and pursue notifying the patient’s family or personal representative. The OIG found Facility staff failed to preserve the patient’s telemetry data. The Facility did not have a policy and Veterans Health Administration has not provided guidance about preservation of evidence after an adverse event. The OIG made 10 recommendations.
Amtrak (the company) contracted with the independent certified public accounting firm of Ernst & Young LLP to audit its consolidated financial statements as of September 30, 2017, and for the year then ended, and to provide a report on internal control over financial reporting and on compliance and other matters. Because the company receives federal assistance, it must obtain an audit performed in accordance with generally accepted government auditing standards.
We evaluated the Department to determine whether it effectively follows the incident response lifecycle, as defined by the National Institute of Standards and Technology (NIST). We found that the Office of the Chief Information Officer (OCIO) had not fully implemented the capabilities recommended by NIST in its incident detection and response program. During internal threat simulation testing, most of our efforts to conduct reconnaissance, identify vulnerabilities, exfiltrate sensitive data, and communicate with known malicious command and control servers on the internet went unnoticed by the Department. The Department’s decentralized management and authority across the OCIO and bureaus, combined with the flattened internal networks, has eliminated many of the technical security boundaries within the Department’s network – essentially creating blind spots where the OCIO cannot detect malicious activity. Our emulation of malicious activity was successful, in part, because of these blind spots. The Department’s assignment of responsibilities between the OCIO and the bureaus emphasized the Department’s inability to detect and respond to these blind spots. The bureaus and offices had varying levels of capabilities, resources, and approaches to incident response. Even those with more incident response resources relied heavily on the OCIO for perimeter security controls and monitoring services, which were inconsistently shared with the bureaus. Since the OCIO did not establish the foundation necessary to successfully prepare for responding to incidents, the Department could not detect, contain, or recover from incidents in a timely manner. Without a centralized program, Department and bureau incident response teams did not have an effective roadmap outlining policies, procedures, and responsibilities for handling incident response activities. 
We made 23 recommendations to help the Department improve its incident response program, so it can promptly detect and fully contain cyber threats to maintain the availability, confidentiality, and integrity of Department computer systems and data. The Department concurred with all of our recommendations and is working to implement them.
The Government Charge Card Abuse Prevention Act of 2012 (Charge Card Act) requires the Office of Inspector General to conduct an annual risk assessment and periodic audits on agency charge card programs. We conducted this audit to determine whether the Department of Homeland Security implemented internal controls to prevent illegal, improper, and erroneous purchases and payments. During fiscal year 2016, DHS reported spending approximately $1.2 billion in purchase, travel, and fleet card transactions. Although the Department has established internal controls for its charge card programs, the components we reviewed did not always follow DHS’ procedures. Our testing results of purchase, travel, and fleet card transactions revealed internal control weaknesses. Specifically, we found major internal control weaknesses that persisted at the United States Coast Guard and some control weaknesses within CBP’s Fleet Card Program.