A cloud-based patient tracking system used by the US Department of Veterans Affairs (VA) failed to undergo a proper risk assessment, according to a recent watchdog report. The system, Patient Advocate Tracking System-Replacement (PATS-R), was transferred to the cloud in 2023 and now contains sensitive medical record access.
Security Concerns Unaddressed
The Government Accountability Office (GAO) report, released last week, found that the VA didn’t conduct a thorough risk assessment before migrating PATS-R to the cloud. This lack of evaluation raises concerns about the system’s security and potential vulnerabilities. The GAO cited the transfer of sensitive medical information as a key reason for the required assessment.
GAO officials pointed out that PATS-R contains personally identifiable information, including medical records and Social Security numbers. This sensitive data makes the system a high-risk target for cyberattacks.
What this means
The VA’s failure to properly assess PATS-R’s risk means that sensitive patient data may be exposed to potential security breaches. This oversight is particularly alarming, given the sensitive nature of the information stored in the system.
The VA will need to take steps to address the GAO’s concerns and conduct a thorough risk assessment of PATS-R. This may involve implementing additional security measures, such as multi-factor authentication or encryption, to protect patient data.
VA Must Act to Ensure Patient Data Security
The VA must take immediate action to address the security concerns raised by the GAO report. This includes conducting a comprehensive risk assessment and implementing necessary measures to protect patient data. The VA has a responsibility to ensure the security of sensitive medical information, and any failure to do so can have serious consequences for patients.
As the VA continues to modernize its technology infrastructure, it’s essential that they prioritize patient data security. By taking proactive steps to address security concerns, the VA can build trust with patients and ensure the integrity of their sensitive medical information.



