GAO: VA Implements Nine of 13 Cybersecurity Recommendations for Veterans' Health Data
The Government Accountability Office reports that the Veterans Health Administration has fully implemented nine and partially implemented three of 13 cybersecurity recommendations made in September 2025 to protect veterans' protected health information in the Million Veteran Program system. GAO originally identified deficiencies in asset and risk management, configuration management, identity and access management, and continuous monitoring. All 73 reviewed VA business associate agreements met HIPAA Privacy Rule requirements for PHI use and disclosure. GAO will continue monitoring VA's progress on the remaining recommendations.
This GAO update demonstrates federal oversight of HIPAA-covered entity cybersecurity practices and sets expectations for systematic remediation of control deficiencies that Medicaid MCOs may face in their own compliance audits.
Managed Care
You might also like