The Department of Veterans Affairs has failed to follow some federal security requirements at its healthcare facilities, potentially putting patients at risk, according to a new report.
The Government Accountability Office (GAO) reviewed the VA's physical security and risk management measures and found that they only partially adhere to requirements for federal buildings set by the Interagency Security Committee (ISC).
For example, the VA does not include two of the five factors outlined by the ISC when considering threat level: the facility's size and population. It also does not require that its healthcare facilities adjust security measures based on threat levels, the GAO found.
In addition, VA hospitals do not measure security performance, which is a key part of making the ISC's effectiveness assessments work, according to the report. VA officials said that their security protocols were developed prior to the 2013 issuance of ISC's guidelines, but that they're reevaluating their policies.
RELATED: Oregon VA hospital administrators cherry-pick patients to improve quality metrics, clinicians say
Lori Rectanus, a director with GAO, wrote a letter (PDF) to Rep. Phil Roe, M.D., R-Tenn., who chairs the House Committee on Veterans Affairs, saying that VA facilities have been a recent target for violence or other security threats, including "bomb threats and violent attacks involving weapons," making it crucial for VA to look at how it handles security. Security at VA medical centers is no easy task, however, she said.
"Ensuring physical security for these medical centers can be complicated because VA has to balance safety and security with providing an open and welcoming healthcare environment," Rectanus wrote.
The VA's healthcare system has been under intense scrutiny over the past several years following a nationwide scandal in 2014 that revealed long wait times for veterans seeking care at its hospitals. Since the scandal broke, a number of other issues have emerged, including reports that for 15 years the system hired physicians with revoked licenses.
The GAO investigation also revealed that the VA's oversight for risk management does not meet standards created by the Office of Management and Budget.
The VA does conduct biennial security assessments at its healthcare facilities, but those analyses do not review the quality of risk assessments at medical centers, examine if its hospitals implemented countermeasures appropriately or gather data across the healthcare system to evaluate security quality.
The lack of a defined oversight strategy across the VA's health system means that it has not evaluated the effectiveness of the different approaches used by its medical centers, according to GAO.