Federal Reports

Transmittal of the Final Report Assessing the Federal Trade Commission’s Compliance with the Federal Information Security Management Act for Fiscal Year 2017 (Redacted for public release)

The VA Office of Inspector General (OIG) conducted a healthcare inspection in response to an anonymous complaint alleging patients experienced extended wait times for primary care appointments and that funds intended to maintain or improve primary care services at the Monterey Community Based Outpatient Clinic (clinic), Monterey, California, were misused. The clinic is associated with the parent facility, VA Palo Alto Healthcare System (system), Palo Alto, California. The OIG substantiated that patients experienced extended wait times for clinic primary care appointments. The OIG found the number of new and established clinic primary care appointments taking 30 days or more to schedule increased from fiscal year (FY) 2016 to FY 2017. The OIG determined that clinic wait times for primary care appointments were negatively impacted by Patient Aligned Care Team (PACT) physician vacancies, PACT scheduling processes, and blocking PACT clinic appointments to allow providers to participate in workshops in preparation for opening the new expanded clinic (new clinic) that would serve active duty military members and veterans. The OIG also found a medical support assistant shortage, physician patient panel sizes over the recommended maximum, a reported large number of walk-in patients, and a history of minimal oversight. System and clinic leaders and PACT staff were unaware of adverse patient outcomes that occurred as a result of wait times for appointments. However, lengthy wait times could have negatively impacted patient outcomes. The OIG did not substantiate the misuse of clinic funding which was intended to maintain or improve PACT at the clinic. The OIG analyzed the direct and indirect costs for the clinic from FY 2014 through May 31, 2017, and found that funding had not substantially changed throughout this timeframe. The OIG found no evidence that the system misused PACT funding designated for the current or new clinic. The OIG made three recommendations.

The Federal Information Security Modernization Act (FISMA) for fiscal year (FY) 2017. FISMA (Public Law 113-283) requires Federal agencies to have an annual independent evaluation of their information security programs and practices. This evaluation can be performed by either the agency’s Office of Inspector General (OIG) or by an independent external auditor, as determined by the OIG, to determine the effectiveness of such programs and practices. KPMG, an independent public accounting firm, performed the DOI FY 2017 FISMA audit under a contract issued by the DOI and monitored by the OIG.KPMG reviewed information security practices, policies, and procedures at the DOI Office of the Chief Information Officer and 15 DOI bureaus and offices, and identified needed improvements in the areas of risk management, configuration management, identity and access management, and information system continuous monitoring. KPMG made 20 recommendations intended to strengthen the Department’s information security program, as well as those of the Bureaus and Offices. In its response to the draft report, the Office of the Chief Information Officer concurred with all recommendations and established a target completion date for each corrective action.