Federal Reports

This Comprehensive Healthcare Inspection Program (CHIP) provides a focused evaluation of the quality of care delivered at the Cheyenne VA Medical Center. The inspection covers leadership and organizational risks and key clinical and administrative processes associated with promoting quality care. For this inspection, the areas of focus were Quality, Safety, and Value; Medical Staff Privileging; Environment of Care; Medication Management: Controlled Substances Inspections; Mental Health: Military Sexual Trauma Follow-Up and Staff Training; Geriatric Care: Antidepressant Use among the Elderly; Women’s Health: Abnormal Cervical Pathology Results Notification and Follow-Up; and High-Risk Processes: Emergency Department and Urgent Care Center Operations. The facility’s executive leadership team appeared relatively stable; and efforts to continually improve and maintain positive outcomes, patient safety, and quality care were noted. Patients appeared generally satisfied with the leadership and care provided, but opportunities exist for the leaders to improve employee satisfaction. Review of the facility’s accreditation findings, sentinel events, disclosures, and patient safety indicator data did not identify any substantial organizational risk factors. Executive leaders were generally knowledgeable about selected Strategic Analytics for Improvement and Learning (SAIL) and community living center (CLC) metrics but should continue to take actions to improve performance of measures that are likely contributing to the current SAIL “2-star” and CLC “3-star” quality ratings. The OIG issued 17 recommendations for improvement in the following areas: (1) Quality, Safety, and Value • Interdisciplinary review of utilization management data • Root cause analyses and resuscitation episode reviews (2) Medical Staff Privileging • Ongoing professional practice evaluation process (3) Environment of Care • Environmental cleanliness • Infection prevention • Emergency management (4) Mental Health • MST coordinator responsibilities • MST training (5) Geriatric Care • Patient/caregiver education and understanding of medications (6) Women’s Health • Women veterans health committee core membership (7) High-risk Processes • Labeling open medication vials in the emergency department with expiration dates

We identified actions that selected States took related to their oversight of opioid prescribing and their monitoring of opioid use. The selected States were Nebraska, Nevada, New Hampshire, Tennessee, Texas, Utah, Washington State, and West Virginia. This report summarizes and compares information provided by the eight States.

What We Looked AtThe Maritime Administration's (MARAD) programs promote waterborne transportation and integration with other transportation modes and the viability of the U.S. Merchant Marine. MARAD works in many areas, including ship building and shipping, vessel and port operations, national security, and transportation safety. The Agency has 12 information systems and 1 local area network. MARAD also uses a number of web applications, some of which contain sensitive data and personally identifiable information (PII). We conducted this audit because of the importance of MARAD's programs to the Nation's transportation system and the sensitive nature of some of the Agency's information. Accordingly, our objective for this self-initiated audit was to determine whether MARAD's IT infrastructure contains security weaknesses that could compromise the Agency's systems and data.What We FoundWe gained unauthorized access to MARAD's network but MARAD did not detect our access or our placement of hacking tools on the network, in part because it did not have an alert system configured to do this, which the National Institute of Standards and Technology (NIST) recommends. We also gained access to records containing PII. While DOT policy requires the use of encryption to protect sensitive data, these records and other data we obtained were not encrypted. Had malicious attackers obtained these records, they could have used them to steal citizens' identities and MARAD could have lost $103 million in credit monitoring fees. Furthermore, inadequate security awareness training may contribute to some Agency personnel's susceptibility to social engineering. These weaknesses, individually and together, put MARAD's network and data at risk for unauthorized access and compromise.RecommendationsWe made several recommendations to help MARAD improve the security of information technology infrastructure.Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY.