Federal Reports

As part of the Pandemic Response Accountability Committee’s (PRAC)1 effort toprovide policymakers and stakeholders with information about the nature oftelehealth and its use across federal health care programs, the Office ofInspector General (OIG) conducted an evaluation to: (1) examine the use oftelehealth across the Department of Labor’s (DOL) workers’ compensationprograms during the first year of the COVID-19 pandemic, and (2) identifyemerging risks related to the use of telehealth.

Our annual plan identifies the audits, inspections, and other activities that the OIG intends to undertake to assist the U.S. Department of Education in fulfilling its responsibilities to America’s citizens and students.

The Government Performance and Results Modernization Act of 2010 defines major management challenges as programs or management functions that are vulnerable to waste, fraud, abuse, and mismanagement, and where a failure to perform well could seriously affect the ability of the U.S. Department of Education (Department) to achieve its mission or goals.In accordance with the Reports Consolidation Act of 2000, the Office of Inspector General (OIG) reports annually on the most serious management and performance challenges the Department faces. Our reports include a brief assessment of the Department’s progress in addressing the challenges. We also identify further actions that, if properly implemented, could enhance the effectiveness of the Department’s programs and operations.

This Office of Inspector General Comprehensive Healthcare Inspection Program report describes the results of a focused evaluation of the inpatient and outpatient settings of the Lexington VA Health Care System and associated outpatient clinics in Kentucky. This evaluation focused on five key operational areas:• Leadership and organizational risks• Quality, safety, and value• Medical staff privileging• Environment of care• Mental health (emergency department and urgent care center prevention initiatives)The OIG issued 10 recommendations for improvement in four areas:1. Quality, safety, and value• Peer review improvement actions2. Medical staff privileging• Focused and Ongoing Professional Practice Evaluations3. Environment of care• Local naloxone policy• Product expiration dates• Furnishing safety and condition• Suicide risk abatement plans4. Mental health• Suicide risk screening

This report summarizes the results of our fiscal year (FY) 2022 Federal Information Security Modernization Act (FISMA) evaluation and assesses the maturity of controls used to address risks in each of the nine information security areas, called domains.We assessed the effectiveness of information security programs on the required maturity model spectrum, which is a rating scale for information security. We rated SBA’s overall program of information security as “not effective.” We found SBA generally responded to previously identified vulnerabilities. The agency made progress in supply chain risk management and continues to be rated at the effective maturity level for incident response. However, the results of our tests show SBA continues to experience security control challenges in areas of configuration management, risk management, user access, security training, information security continuous monitoring, and contingency planning.Based on tests of seven information systems, we determined the results of each domain as follows:1. Risk management: Defined2. Supply chain risk management: Defined3. Configuration management: Defined4. Identity and access management: Defined5. Data protection and privacy: Consistently implemented6. Security training: Ad hoc7. Information security continuous monitoring: Consistently implemented8. Incident response: Managed and measurable9. Contingency planning: Consistently implementedRatings of defined, ad hoc, and consistently implemented are below the baseline for an effective security program.In addition to two open FISMA recommendations from prior years, we made six recommendations for improvements in six of the nine domains: risk management, supply chain risk management, identity and access management, information system continuous monitoring, security training, and contingency planning.SBA management agreed with all six recommendations and outlined corrective action plans to address identified vulnerabilities.