Federal Reports

Like other organizations, Amtrak (the company) has been migrating its existing technology systems and data and deploying new systems to the cloud, and its efforts are ongoing. During our ongoing audit of the company’s cloud computing practices, we identified two pressing cybersecurity issues. We are providing this early alert to bring these issues to the company’s immediate attention. Given the sensitive nature of the information, we are summarizing the results in this public version of the report.

SUMMARY OF RESULTS

Our work to date on the company’s cloud computing practices, which we plan to continue, identified two matters for immediate consideration. In commenting on a draft of this interim report, the company’s Executive Vice President for Digital Technology and Innovation agreed with our matters for consideration and described actions the company plans to take to address them.

U.S. Customs and Border Protection’s (CBP) inconsistent processes for
identifying special interest aliens (SIAs) created disparities in alien
screening. In July 2023, CBP’s Office of Field Operations (OFO) San Diego
Field Office and the U.S. Border Patrol (Border Patrol) Yuma and El Centro
sectors had a process to identify and provide additional screening of SIAs,
yet San Diego sector did not. This inconsistency occurred because CBP did
not have an agency-wide policy stating whether to identify aliens from
certain countries as SIAs. As a result, aliens from countries with links to
terrorism entered at least one CBP region that did not provide additional
screening.

The VA Office of Inspector General (OIG) conducted a healthcare inspection to evaluate facility leaders’ response to surgical care concerns related to two facility surgeons at the St. Cloud VA Medical Center (facility) in Minnesota.

The OIG found facility leaders generally met the Veterans Health Administration requirements for summary suspension notifications and initiation of focused clinical care reviews (FCCR) for the surgeons. However, the OIG identified concerns related to clinical privileges and professional practice evaluations for the medical staff.

The OIG determined that the surgical service chief failed to ensure that one surgeon’s application for privileges included recent surgical case volume and case mix as required. Additionally, although the focused professional practice evaluation plan for monitoring the surgeon included direct observation, the surgeon was not directly observed to ensure competency with surgical procedures. The OIG determined that facility leaders failed to initiate reporting of the surgeon to the state licensing board (SLB) when clinical care concerns were identified in the surgeon’s FCCR.

The OIG found facility surgeons’ ongoing professional practice evaluations reviewed only procedures completed in the surgical outpatient clinic and did not include the evaluation of operating room surgical procedures. The OIG is concerned that the failure to include all aspects of the surgeons’ practice limited facility leaders’ ability to ensure the effectiveness of the professional evaluation processes and processes used to monitor the quality of surgical care.

The OIG found that the surgical service chief was clinically inactive for the first two years of employment. As a result, facility leaders had no ability to ensure the competent clinical performance of the surgical service chief.

The OIG made four recommendations to the Facility Director related to comprehensive review of surgical service credentialing and privileging processes, professional practice evaluations, and SLB reporting processes.

To comply with Section 508 of the Rehabilitation Act of 1973, VA must make the information and communication technology it uses accessible to veterans with disabilities and anyone else seeking VA information. The OIG conducted this audit to follow up on a 2024 report on areas where VA’s implementation and monitoring of Section 508 requirements could be improved and to evaluate whether the procurement process for information and communication technology meets Section 508 standards.

The OIG team sampled 30 critical information technology and communications systems for review. The team did not independently verify compliance with Section 508 standards and relied on self-reporting by VA to assess progress and deficiencies. Of the 30 systems, VA’s Office of 508 Compliance classified only four as compliant. The OIG concluded that VA officials did not ensure the sampled information technology systems they procured would meet the accessibility standards required by law. The team also reviewed contract documentation for the 30 systems and found contracting officers and the designated officials for VA program offices did market research on vendors that could meet business requirements, but they took no additional action to verify that sampled systems were accessible to individuals with disabilities.

The OIG made four recommendations, including that the assistant secretary for information and technology ensure staff receive training and updated guidance on their roles and responsibilities. VA should also ensure the Office of 508 Compliance receives complete market research showing the technology VA seeks to procure is the most compliant under Section 508. The OIG also recommended the deputy assistant secretary for acquisition and logistics develop policies for ensuring information and communications technology procurements comply with Section 508.