VA IG Identifies Hundreds of Major Incidents with New EHR System

Earlier this week, the VA’s watchdog issued a report with findings on an audit examining the major performance incidents that occurred with VA’s new Electronic Health Record (HER) system since October 24, 2020. The audit coincides with the release of an OIG report citing facility leaders and staff concerns with the new system at two deployment sites.

As a reminder, the VA awarded Cerner (bought by Oracle Health in 2022) a 10-year contract in 2018 to transition the department to a new EHR system, aligned with the system used by the DOD. The new system was deployed to several locations, however, deployments ultimately paused in April 2023 due to several performance issues. The Captain James A. Lovell Federal Health Cener deployment was the only exception to the pause. Since then, the VA has modified contract terms with Oracle and reported success with the deployment at Lovell. VA officials have stated intentions to resume deployment at other locations in 2025, despite congressional doubt on whether the VA is fully prepared to continue deployment.

In its audit of the Oracle EHR system, the VA IG found that the department and contractor did not have the sufficient controls in place to prevent, respond to, and mitigate major performance incidents. A major performance incident is defined as an issue which requires a response beyond routine incident management, results in significant disruption to operations, and that can run the risk of causing severe system degradation. The audit identified four types of major performance incidents: outages, performance degradations, incomplete functionality, and loss of redundancy.

Within these four categories, the VA IG found that there were 826 major performance incidents with the EHR system from October 24, 2020, to March 31, 2024, which totaled 1,909 hours of system disruption. Many incidents (720) were driven by incomplete functionalities in the system, followed by performance degradation (69).

One example of an incident, according to the report, was a system disruption due to a system change on March 3, 2022, at the Mann-Grandstaff VA Medical Center in Spokane, WA which stopped operations for 27 hours and caused many patients to reschedule appointments.

The system at the same location experienced another incident on March 14, 2022, due to an update that inadvertently corrupted user credentials and prevented users’ accessibility to the EHR system.  That incident lasted over 10 hours.

The IG found that the VA and Oracle Health failed to have adequate controls in place to prevent and address the incidents. In particular, the audit found problems with configuration management controls to protect the software and hardware components of the system. Moreover, the IG found problems with continuous monitoring controls resulting in inadequate ongoing assessment of controls, particularly with changes in information systems and environments of operation.  

In addition to the lack of controls, the report places much of the blame on contractual deficiencies, lack of VA oversight for Oracle Health, and a lack in strong procedures for responding to incidents. The IG provided nine recommendations to the EHRM Office and VA Undersecretary for Health. According to the report, VA officials agreed with all the recommendations.