Federal Reports

DHS has not fully met requirements of the Act to assess its cybersecurity workforce and develop a strategy to address workforce gaps. The Department has not submitted annual workforce assessments to Congress by the statutorily defined due dates for the past four years. DHS did not include all required information in the submitted assessments. Further, the Department did not submit an annual cybersecurity workforce strategy to Congress, as required between 2015 and 2018. We made three recommendations to the Chief Human Capital Officer to timely complete the required cyber workforce assessments and strategies by assigning necessary staff resources, establishing a department-wide and coordinated approach to compiling centralized cybersecurity workforce data, and conducting oversight of component stakeholders to ensure department-wide commitment to addressing legislative reporting and data submission requirements. The Department concurred with all three recommendations.

The VA Office of Inspector General (OIG) conducted a healthcare inspection to assess allegations regarding patient care concerns in the departments of ophthalmology and gastroenterology (GI) at the New Mexico VA Health Care System (facility) in Albuquerque. A patient’s CHOICE referral for cataract surgery was denied but the denial was supported by Veterans Health Administration (VHA) policy. The OIG did not substantiate a delay in scheduling of the patient’s cataract surgery but determined that the ophthalmology department failed to meet VHA consult management scheduling expectations and followed a standard operating procedure for cataract surgery intake evaluations that had not gone through an approval process. The OIG also found delays in the authorization of non-VA care consults for comprehensive eye appointments. While it was not determined that 500 or more consults for outpatient GI procedures were awaiting scheduling as alleged, significant delays in access to outpatient GI care were identified. Facility leaders attributed the delays to loss of staff. The facility did not monitor and conduct performance improvement efforts on known GI consult performance deficiencies, and GI providers did not consistently communicate test results to patients per facility policy. Possible factors contributing to the inconsistent communication included a lack of knowledge of test results notification requirements, an absence of a standardized process for delegating responsibility, and a failure of GI leaders to address known issues. The OIG did not substantiate a failure to train GI Fellows on endoscope precleaning but found a lack of documentation of the training. There was no evidence that patients underwent procedures with endoscopes that GI Fellows did not properly preclean. The OIG made 13 recommendations related to non-VA care appeals, consult management, the timeliness of eye appointments and surgery, test results issues, and precleaning of endoscopic instruments.

Knowing a patient’s prescription history is essential to VA’s ongoing efforts to combating opioid abuse, overmedication, and deaths. The VA Office of Inspector General (OIG) conducted this audit to determine whether VA clinicians effectively used information from state-operated prescription drug monitoring programs (PDMPs) to manage and coordinate care for patients prescribed opioids. The OIG estimated that clinicians did not annually check PDMP databases for 73 percent of the 779,000 VA patients prescribed opioids between April 1, 2017, and March 31, 2018. Furthermore, VA clinicians should have considered whether 266,000 of the patients on long-term opioid therapy needed more frequent database queries. The OIG also estimated that 19 percent of VA patients prescribed opioids were at risk because VA clinicians did not perform the required query and were unaware of controlled substance prescriptions the patients may have obtained outside VA. The OIG concluded that the Veterans Health Administration (VHA) lacked effective internal controls to monitor and evaluate the performance of PDMP queries. Clinicians did not perform required queries because VHA did not effectively communicate its PDMP policy. Also, some medical facilities established less-stringent local policies, which were not reviewed to ensure they complied with VHA’s, and VHA did not address significant new developments or increased risks that affected its policy directive. Finally, the OIG found inadequate national VHA oversight and monitoring led to insufficient local monitoring and accountability at VA medical facilities. This occurred because VHA officials did not always consider PDMP queries a high priority as they implemented the Opioid Safety Initiative and focused on the reduction of VHA-issued opioid prescriptions. The OIG made eight recommendations to the under secretary for health related to strengthening VA’s policies regarding use of PDMP databases and ensuring VA leaders and clinicians understand and comply with those policies.

Acting on a congressional request, the VA Office of Inspector General (OIG) reviewed the Vocational Rehabilitation and Employment program at the VA regional office in Los Angeles, California. The program helps veterans with service-connected disabilities prepare for, find, and maintain suitable employment. Specifically, the OIG reviewed whether the program was sufficiently staffed to assist veterans, had demonstrated progress placing veterans on track to employment, accurately processed supply reimbursements, and assessed the number of veterans approved for the program versus those denied. The OIG found that the program generally complied with VA requirements, criteria, or goals for staffing, making required veteran contacts, meeting rehabilitation outcomes, and reimbursing veterans for supplies. The Los Angeles program also had an approval percentage comparable to the national program for the past four years. Despite staffing shortages from fiscal year (FY) 2013 to FY 2017, the program demonstrated progress toward placing veterans on track to gainful employment. The number of veterans rehabilitated through the program each year increased from 238 in FY 2015 to 446 in FY 2018. The OIG team determined employees generally made the appropriate number of veteran contacts according to program requirements and the program processed veterans’ reimbursement requests for academic supplies accurately. Therefore, the OIG made no recommendations for improvement. The OIG did identify an additional concern about the lack of oversight over program costs. However, the OIG only found two cases of the 30 sampled that lacked required approvals, and there was no fraud, waste, or abuse, so no recommendations were made.

The Office of the Inspector General contracted with Williams Adley to conduct this audit. The objective of the audit was to evaluate the effectiveness of the Smithsonian’s information security program in fiscal year 2018.

The objective of our audit was to assess the U.S. Department of Education’s (Department) compliance with Federal Information Technology Acquisition Reform Act (FITARA) Chief Information Officer (CIO) authority enhancements and other selected requirements. We found improvements are needed in the Department’s compliance with CIO authority enhancements. Specifically, we found that the Department has fully implemented and documented in policy only 8 of the 17 CIO authority enhancements (47 percent). The Office of the Chief Information Officer was unable to provide evidence that 6 of the 17 CIO authority enhancements (35 percent) have been fully implemented and theDepartment’s policies and procedures did not fully address 5 of the 17 CIO authority enhancements (29 percent) at the time we began our audit fieldwork, although 3 authority enhancements were later documented in revised guidance.In addition, we found that improvements are needed in the Department’s process for ensuring transparency and risk management of IT resources. Specifically, we found that the Department has not correctly classified all major IT investments, has not consistently adhered to its process for assessing the risk of IT investments, and has not always conducted TechStat sessions of high risk major IT investments as required by FITARA.

We conducted this audit in response to a congressional letter requesting a review of email usage by political appointees at the Department of Health and Human Services (HHS) to ensure that "…officials are following the spirit and letter of all federal laws and regulations, as well as departmental policies, related to email use."