Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Department of Justice
Audit of the Department of Justice Grant Award Closeout Process
The VA Office of Inspector General (OIG) assessed the reliability of wait time data and evaluated whether Veterans Integrated Service Network (VISN) 15 provided timely access to health care within its medical facilities and through Choice, and whether they appropriately managed consults. The OIG estimated that new patients waited an average of about 18 days, and 18 percent of the appointments for new patients at VISN 15 facilities had wait times longer than 30 days. This was higher than the estimated 10 percent that the Veterans Health Administration’s (VHA) electronic scheduling system showed. Staff did not correctly record clinically indicated dates for about 38 percent of the new patient appointments, which understated wait times by about 15 days. Inaccurate wait time data resulted in veterans not being identified as eligible for Choice. With respect to veterans in VISN 15 who received care through Choice, the OIG estimated that the overall average wait time was 32 days. The audit estimated that 41 percent of the appointments had wait times longer than 30 days, and those veterans waited an average of 58 days. Facilities did not have adequate procedures to monitor the aging of veteran referrals from facilities to TriWest, and did not consistently monitor the aging of the authorized Choice care. Regarding consults, facility staff discontinued or canceled an estimated 27 percent inappropriately, which led to veterans experiencing additional delays, or not receiving the requested care. Clinicians and staff were still unclear on specific consult management procedures. The Office of Healthcare Inspections identified clinical concerns with six patients, and determined that one patient likely had an adverse outcome as a result of a delay in care. The OIG made 11 recommendations—three to the Office of the Under Secretary for Health and eight to the VISN 15 Director. VHA and VISN 15 provided responsive action plans.
Audit of the Federal Bureau of Investigation’s Information Security Program Pursuant to the Federal Information Security Modernization Act of 2014 Fiscal Year 2017
Audit of the Federal Bureau of Investigation’s Background Investigative Contract Services Online Transfer System Pursuant to the Federal Information Security Modernization Act of 2014 Fiscal Year 2017
Audit of the Federal Bureau of Investigation’s DirectorNet System Pursuant to the Federal Information Security Modernization Act of 2014 Fiscal Year 2017
The VA Office of Inspector General (OIG) conducted a healthcare inspection to evaluate the circumstances of a patient’s death involving alleged mismanagement of the patient’s resuscitation (Event) at the Buffalo VA Medical Center (Facility), Buffalo, New York, and actions taken by Facility leaders subsequent to the death. The Facility Director contacted the OIG to report a registered nurse (RN 1) found the patient unresponsive and did not “call a code” because he/she feared cardiopulmonary resuscitation (CPR) would traumatize the patient’s body. The OIG substantiated RN 1 did not “call a code” after finding the full-code patient unresponsive. The OIG determined
• RN 1 and a respiratory therapist (RT) acted outside their scopes of practice and violated policy when they announced the patient was dead, which influenced others not to take action;
• A telemetry RN (RN 2) failed to call for assistance and abandoned the telemetry desk during the Event;
• A licensed practical nurse failed to call for assistance and initiate CPR;
• Telemetry monitoring failures contributed to the delayed response to the Event;
• RN 1 failed to document the patient’s lung assessment and the RT failed to assess the patient’s respiratory status, before and after a scheduled respiratory treatment; and
• The Facility’s Performance Manager’s conversation with the patient’s family could have been misunderstood.
The OIG identified administrative concerns related to Facility leaders’ responses to the Event. Specifically, Facility leaders did not immediately remove involved staff from direct patient care, conduct a timely Administrative Investigation Board and Root Cause Analysis, submit an Issue Brief to the Veterans Integrated Service Network, and pursue notifying the patient’s family or personal representative. The OIG found Facility staff failed to preserve the patient’s telemetry data.
The Facility did not have a policy and Veterans Health Administration has not provided guidance about preservation of evidence after an adverse event. The OIG made 10 recommendations.
Amtrak (the company) contracted with the independent certified public accounting firm of Ernst & Young LLP to audit its consolidated financial statements as of September 30, 2017, and for the year then ended, and to provide a report on internal control over financial reporting and on compliance and other matters. Because the company receives federal assistance, it must obtain an audit performed in accordance with generally accepted government auditing standards.
We evaluated the Department to determine whether it effectively follows the incident response lifecycle, as defined by the National Institute of Standards and Technology (NIST). We found that the Office of the Chief Information Officer (OCIO) had not fully implemented the capabilities recommended by NIST in its incident detection and response program. During internal threat simulation testing, most of our efforts to conduct reconnaissance, identify vulnerabilities, exfiltrate sensitive data, and communicate with known malicious command and control servers on the internet went unnoticed by the Department. The Department’s decentralized management and authority across the OCIO and bureaus, combined with the flattened internal networks, has eliminated many of the technical security boundaries within the Department’s network – essentially creating blind spots where the OCIO cannot detect malicious activity. Our emulation of malicious activity was successful, in part, because of these blind spots. The Department’s assignment of responsibilities between the OCIO and the bureaus emphasized the Department’s inability to detect and respond to these blind spots. The bureaus and offices had varying levels of capabilities, resources, and approaches to incident response. Even those with more incident response resources relied heavily on the OCIO for perimeter security controls and monitoring services, which were inconsistently shared with the bureaus. Since the OCIO did not establish the foundation necessary to successfully prepare for responding to incidents, the Department could not detect, contain, or recover from incidents in a timely manner. Without a centralized program, Department and bureau incident response teams did not have an effective roadmap outlining policies, procedures, and responsibilities for handling incident response activities.
We made 23 recommendations to help the Department improve its incident response program, so it can promptly detect and fully contain cyber threats to maintain the availability, confidentiality, and integrity of Department computer systems and data. The Department concurred with all of our recommendations and is working to implement them.