VA Medical Facility Security: Actions Needed to Address Longstanding Risks

Summary

What GAO Found The Department of Veterans Affairs (VA) is responsible for securing its facilities. GAO has identified security challenges at VA medical facilities and made recommendations to help manage related risks. In January 2018, for example, GAO found limitations with VA’s risk assessment methodology and recommended VA review and revise its risk management policies to reflect interagency standards and develop an oversight strategy to assess its facilities’ risk management programs. VA has not fully implemented these recommendations. In April 2026, GAO reported that its 2025 covert testing found security vulnerabilities at selected VA facilities related to security vulnerabilities that VA had previously identified in its risk assessments of its medical facilities. Specifically, VA failed to detect almost all of GAO’s covert tests. For example: In all 30 tests, VA staff did not detect a prohibited weapon that GAO investigators carried into the VA facilities, including two that had metal detectors. Twenty-eight facilities did not have metal detectors, as they are not required to. In 25 of 26 tests, VA staff did not confront an investigator drinking in plain view from a bottle labeled “vodka”—which is generally prohibited at VA facilities. Undercover GAO Investigator Appearing to Drink Alcohol in a VA Medical Facility Taking actions to address GAO’s recommendations would better provide VA with information it needs to make informed decisions, allocate resources effectively, and prioritize security efforts to create a safe environment for veterans and VA staff. Why GAO Did This Study VA oversees the largest integrated health care system in the U.S., serving 9 million enrolled veterans at over 1,300 facilities. VA employees, veteran patients, and medical facilities have been the targets of violence, threats, and other security-related incidents in recent years, including nonviolent crimes such as disorderly conduct and theft. The Interagency Security Committee (ISC)—of which VA is a member—developed a risk management standard that federal agencies must follow to identify and address the types of security vulnerabilities impacting their facilities. GAO has conducted work related to the ISC’s risk management standard and security at VA medical facilities. This statement, based primarily on three reports published between January 2013 and April 2026, discusses challenges VA faces related to the security of its facilities and actions that could help address those challenges, among other issues.