Federal Reports

What We Looked AtThe Maritime Administration's (MARAD) programs promote waterborne transportation and integration with other transportation modes and the viability of the U.S. Merchant Marine. MARAD works in many areas, including ship building and shipping, vessel and port operations, national security, and transportation safety. The Agency has 12 information systems and 1 local area network. MARAD also uses a number of web applications, some of which contain sensitive data and personally identifiable information (PII). We conducted this audit because of the importance of MARAD's programs to the Nation's transportation system and the sensitive nature of some of the Agency's information. Accordingly, our objective for this self-initiated audit was to determine whether MARAD's IT infrastructure contains security weaknesses that could compromise the Agency's systems and data.What We FoundWe gained unauthorized access to MARAD's network but MARAD did not detect our access or our placement of hacking tools on the network, in part because it did not have an alert system configured to do this, which the National Institute of Standards and Technology (NIST) recommends. We also gained access to records containing PII. While DOT policy requires the use of encryption to protect sensitive data, these records and other data we obtained were not encrypted. Had malicious attackers obtained these records, they could have used them to steal citizens' identities and MARAD could have lost $103 million in credit monitoring fees. Furthermore, inadequate security awareness training may contribute to some Agency personnel's susceptibility to social engineering. These weaknesses, individually and together, put MARAD's network and data at risk for unauthorized access and compromise.RecommendationsWe made several recommendations to help MARAD improve the security of information technology infrastructure.Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY.

The VA Office of Inspector General (OIG) conducted a healthcare inspection to address concerns with patients’ access to care and delays in outpatient mental health care. The OIG identified patients’ limited access to outpatient mental health care as evidenced by the staff’s insufficient use of the electronic wait list, high appointment clinic cancellation rates, and long wait times for new patient appointments. In addition, there were delays in providing outpatient mental health care for new patients’ consults and for patients receiving ongoing mental health care. Contributing factors included underutilizing telemental health and community care services, staffing shortages, delays in hiring staff, hiring practice issues, disproportionate care provider productivities, and a lack of training and supervision for scheduling staff. The OIG determined that the facility policy for no-show patients did not reflect Veterans Health Administration requirements and scheduling staff did not consistently follow up with no-show patients. During the inspection, OIG staff identified issues involving an incomplete administrative investigative board review and action plan, and although some patients had consults marked complete, documentation did not reflect that they were evaluated and/or seen by a mental health provider as requested by the consult. The OIG made 12 recommendations related to electronic wait lists, outpatient mental health appointments, non-VA and telemental health care, scheduling delays for patients’ consults and return-to-clinic appointments, provider and scheduling staff shortages, hiring practices, consult and no-show policy compliance, administrative investigation board review processes, and the consult completion process.

OIG administers the Medicaid Fraud Control Unit (MFCU or Unit) grant awards, annually recertifies the Units, and oversees the Units' performance in accordance with the requirements of the grant. As part of this oversight, OIG conducts periodic reviews of all Units and prepares public reports based on these reviews.

This resource guide explains our approach to using claims data to identify incidents of potential abuse or neglect of vulnerable populations. The guide synthesized the methodologies that OIG developed in our extensive work on identifying unreported critical incidents, particularly those involving potential abuse or neglect. These methodologies were used in work examining a variety of care settings, including nursing facilities and group homes. The guide includes a flow chart showing key decision points in the process and the detailed lessons that the OIG has learned using this approach. We encourage our public and private sector partners to use this guide to develop a process tailored to their specific circumstances and apply it to any vulnerable population they deem appropriate. The source of the data could include Medicaid Management Information Systems claims data, private payor insurance claims data, or similar data sets. Analyzing the data to target which medical records should be reviewed can help identify individual incidents of unreported abuse or neglect, patterns and trends of abuse or neglect involving specific providers, beneficiaries, or patients who may require immediate intervention to protect their health, safety and rights. The guide also provides technical information, such as examples of medical diagnosis codes, to support our public and private sector partners with analyzing their own claims data to help combat abuse and neglect.