GAO: Federal EHR cybersecurity effort has no measurable goals, performance measures
A June 2026 GAO report found that the Federal Electronic Health Record Modernization office lacks measurable cybersecurity goals, has vacant director and deputy director positions, and has repeatedly missed deadlines on a security framework it has described as foundational to protecting health data for 18 million DOD and VA beneficiaries.
The findings represent the latest in a long line of GAO assessments of the two departments’ EHR modernization efforts — and among the most pointed. GAO concluded that FEHRM’s interagency collaboration only partially meets standard best practices, with significant gaps in governance, goal-setting, and performance measurement.
You can’t manage what you can’t measure
The overall finding of the report is that FEHRM's efforts only partially align with GAO's leading practices for interagency collaboration, and fall well short of those practices on governance and goal setting.
Simply put, “the FEHRM has not fully articulated specific short- or long-term goals or intended outcomes related to the cybersecurity of the federal EHR or the privacy of health data within it,” the GAO report stated.
In January 2026, FEHRM told GAO officials that its goals for fiscal year 2026 were "still under development," according to the report.
“The FEHRM did not provide information on specific, short-term or long-term planned cybersecurity or collaboration outcomes beyond the goals and activities provided for fiscal year 2025.”
“Without clear goals and outcomes, the FEHRM has limited insight into the specific resources, skills, or time needed to address any shared cybersecurity responsibilities. It will also not be well positioned to provide assurances to agency leadership and Congress that the health information in the federal enclave is as secure as possible.”
The GAO was equally blunt about the absence of performance measures.
“The FEHRM told us that it did not have performance measures for its fiscal year 2025 goals, and it did not have performance measures for the fiscal year 2026 goals that were reportedly under development,” the agency continued.
“Since the FEHRM has not defined the planned outcomes for the current fiscal year and it did not define performance measures in the prior year, it cannot monitor progress towards achieving planned outcomes. As a result, the FEHRM may not have critical information needed to assess and communicate progress and may be at risk of failing to achieve shared cybersecurity responsibilities.”
Additional concerns continue to affect fundamental cybersecurity efforts
FEHRM performed somewhat better on other leading collaboration practices, such as bridging organizational cultures and involving all relevant stakeholders in decision-making.
However, as of May 2026, the FEHRM Director and Deputy Director positions were both vacant. GAO suggested that this gap in senior leadership could be contributing to the insufficient goal setting, including the organization's repeated failure to meet its own deadlines for the Joint Incident Management Framework, which GAO described as "foundational to the cybersecurity posture of the federal EHR."
An initial draft of the security framework was developed in May 2021 and revised throughout the following year.
“Despite those efforts, in May 2025, FEHRM officials stated that the framework was not complete; however, officials anticipated it would be completed by September 2025. In February 2026, FEHRM officials reported that the framework would be completed by April 2026,” GAO says.
As of the report’s publication in June 2026, GAO did not indicate that the Joint Incident Management Framework had been completed.
Recommendations for strengthening governance and goal setting
The report pulled no punches in its conclusion, plainly stating that “the FEHRM does not monitor, assess or communicate on performance measures to which it and the partner agencies can be held accountable.”
“Articulating clear and measurable goals would better position the FEHRM to oversee the coordinated cybersecurity of the federal EHR by providing insight into the specific resources, skills, or time needed to address shared responsibilities.”
GAO issued matching recommendations to DOD and VA: each department should direct the FEHRM to define common goals, outcomes, and associated performance measures in order to establish accountability and track progress toward desired outcomes, and each should monitor, assess, and communicate progress on the collaboration efforts intended to ensure cybersecurity and privacy within the military and VA health systems.
“Addressing these practices could allow the FEHRM, partner agencies, and Congress to have greater assurance that appropriate actions are being taken to keep the system and its data secure and to prevent its exploitation by adversaries,” GAO concludes.
GAO notes that the DOD “did not concur with the report, as written,” although the VA “generally agreed” with the findings and pointed out that it has taken initial actions to build trust and test the joint readiness of the systems through tabletop cybersecurity exercises and other means.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system. She can be reached at [email protected].