As it does every year, the Department of Health and Human Services Office of Inspector General publishes the top management and performance challenges facing the department. This year, the IG found that HHS faces significant challenges when it comes to data, managing it and using it. With details, the senior counselor to the OIG, Andrew VanLandingham, joined Federal Drive with Tom Temin.
Tom Temin: Mr. VanLandingham, good to have you on.
Insight by Sonatype: Stephan Mitchev, acting CTO at USPTO, discusses how USPTO is looking at supply chain issues to address cybersecurity concerns. Dr. Stephen Magill, VP of product innovation at Sonatype, provides an industry perspective.
Andrew VanLandingham: Thanks, Tom, appreciate the opportunity to talk about this important document.
Tom Temin: And looking at the data challenges with HHS, which I guess were kind of made worse by the amount of data they had to ingest in the pandemic response, you found that the challenges fall into two basic buckets – tell us what those were.
Andrew VanLandingham: Yeah, I think at the end of the day that the way to sum up the broad challenge of use and protection of data at HHS is best highlighted by the sort of dual challenge they face during the pandemic. On one hand, in order to have a good public health response, HHS needs to be able to share its data with a range of partners, other federal agencies, state and local public health departments, and American citizens. But at the same time, they also need to protect its data. And I think as everyone who listens to your show knows, cybersecurity is a chief challenge at the federal government, and really, the country faces when protecting from adversarial attacks that have just been growing really over the last 18 months during the pandemic.
Tom Temin: And I want to get to that one second, let’s talk about the first issue which is sharing the data. And in some sense, that’s part of a perhaps larger set of issues with respect to being able to make the proper decisions based on data, which as you know, is law and policy for the federal government under the DATA Act and other things. And so it sounds like it just got worse, because of the volume and the number of decisions that had to be made. Would that be a fair way to put it?
Andrew VanLandingham: Yeah, I think it definitely got more complex, I think is the way I would frame it for HHS. I mean, certainly COVID is an unprecedented challenge for HHS, who’s the primary federal agency that has to deal with pandemic response. But through the Food Drug Administration, the National Institutes of Health, but also other agencies that folks may not know a lot about, like the administration for public response [ASPR], that helps lead across federal agencies in response, they need to be able to share data with their partners across a range of issues, right – hospital capacity, lab testing – and those are all key things that the public health response needs in order to be effective, regardless of what level you’re looking at. And so if folks remember, last year, HHS quickly stood up HHS Protect, to sort of solve an issue that they saw where they weren’t be able to get public health data quickly from hospitals especially. And so this is, I think, a good example that then the top management challenge that we referenced, where the intention was great, HHS knew it needed to improve its ability to both ingest and share data and HHS protect was the solution. The problem was trying to stand up a massive database for hospital public health reporting, during the middle of a pandemic does pose some issues. And then a survey we did a few 100 hospitals across the country. One consistent theme we heard at OIG was just the burden of data reporting that put on hospitals during the middle of a pandemic, while they’re struggling to just treat patients and then also adapt to the changing public health reporting requirements. It just shows the magnitude of the problem that the department faced really beginning last year.
Tom Temin: And which component of the department was responsible for this? Because you’ve got some really big elements, you’ve got CMS. I’m assuming it’s CDC, and not NIH. Am I correct?
Andrew VanLandingham: Actually, this is pretty interesting, Tom. For HHS Protect, the chief information officer of HHS was actually the lead component in building HHS Protect. Now it was just announced, I believe, a few weeks ago by the department that that is going to be moving back to CDC. I think the other thing to point out is the HHS Protect system wasn’t the only way HHS was getting public health data in its door, and then reporting out to its partners. Like you said, CMS does have some responsibility in collaboration with CDC to get nursing home data, CMS reports on that. And then laboratory data from state and public health labs and from private labs mainly goes to the CDC. So again, another challenge that we point out is this siloed approach to public health data reporting within the department does pose issues. The department’s collecting data from multiple different entities in multiple different ways. And it makes it hard to stitch it together in a cohesive manner so that we’re providing clear, consistent public health data to folks. It really is a heavy burden, heavy left for the department.
Tom Temin: We’re speaking with Andrew VanLandingham. He is the senior counselor to the Office of Inspector General at Health and Human Services. And this was not a traditional audit report in the way the OIG normally operates. So did you have recommendations for them on this front? Or how does that all work?
Andrew VanLandingham: This, as you mentioned at the outset, is an annual document that we put out. And it’s part of the department’s annual financial statement. And really unlike our audit reports, or studies that are specific to one program or one issue, this top management challenge document looks broadly across the department at key issues that face a range of the operating divisions or staff divisions as we call them in HHS and crosses programs. And so as your listeners are looking at, well what are the big challenges across HHS, our top management challenges document really hits on key issues that don’t just affect CMS and NIH and FDA. But really the entire operations of the department – things like health equity, obviously a key issue on front of mine for a lot of folks. That’s not just something for Medicare and Medicaid to address .That’s across a range of programs. The department has a lot of different levers to pull to address that challenge obviously will take a lot of work from folks. But it’s also things like financial integrity. HHS – obviously with CMS – it’s a large chunk of federal expenditures, in terms of the health care services, but HHS is also the largest grant-making agency in the government and the second largest contracting agency. So we’re talking about $2.8 trillion worth of expenditures alone in fiscal year 2021. And that’s a giant lift for any department for any entity to manage correctly. And we know that there are a lot of financial integrity issues, the department has made progress on, but a lot of risks that they still face moving forward, like the Medicaid and proper payment rate being over 20%. There’s a lot in this document that I think folks will find useful, again, that crosses HHS, in a way that our audits and studies and evaluations still really gives a broad lens a good bigger contextual perspective.
Tom Temin: And getting back to the data protection side of the issue in that challenge five – let’s call it the data challenge – is HHS performing at least as well as average with respect to cybersecurity of its data? Or do they need some work, do you think?
Andrew VanLandingham: Well, the top management challenge document doesn’t actually grade HHS. Our [Federal Information Security Management Act] or annual FISMA work does look at that. And our FISMA work has found that HHS has made some progress on cybersecurity front, but has some room to improve as well. Here, I think it’s important to point out this complexity, again, of the cybersecurity challenge facing HHS. On one hand, we know because of the pandemic, HHS has been targeted specifically because of the important role they play in the response. But at the same time, the government is really doing its best to try and improve cybersecurity across all agencies, right? The president issued an executive order earlier this year, that really is a significant step forward, improving cybersecurity across the federal government, and just implementing those provisions. As folks at the Department of Homeland Security and the specific agency [Cybersecurity and Infrastructure Security Agency] work to implement that, HHS is going to really have to change its culture and organizational setup for cybersecurity to meet the spirit of that executive order. It’s going to be a heavy lift moving forward, but they could have huge positive impacts for improving the cybersecurity of the department.
Tom Temin: And when you deliver that kind of message to management that you’ve got to change your whole culture around something and you really got to get up to speed. How do they take it?
Andrew VanLandingham: I think the department leadership sees this document as a useful tool to again, look broadly across the agencies, right? So often we look at a problem in terms of it’s a Medicare problem or an NIH problem. But something like cybersecurity really does benefit from looking at it from a whole department perspective. And so I think they see this document as a good roadmap and call to action that can really drive interest prioritization, that things that you need to really make change at that level on that scale. And so something like cybersecurity, which has traditionally been siloed within each octave, each major agency within HHS basically has its own CIO, which is a great model. But that just means that at the end of the day, they’re all making individual choices around improving cybersecurity. And I think that’s where we’re seeing some of the risk pop up. And so as the federal government writ large takes measures to really improve cybersecurity sort of the rising tide lifts all boats, making sure that everyone across HHS is responsible is something that the departmental leadership is really going to have in their sites to do. And so I think that they use this document as a way to really understand it from a level that most audits, most evaluation don’t necessarily get at. It’s useful in that sort of perspective.
Tom Temin: And with respect to the difficulty of that platform for collecting data stood up early in the pandemic. Did you also talk to some of the external stakeholders? That is the large medical institutions that had to do the reporting to give you kind of full sense of the insight there?
Andrew VanLandingham: Yeah, absolutely. I think as I mentioned, we did a survey of a few 100 hospital systems, talking to our administrators, trying to really understand a range of challenges related to the pandemic. And one thing that was brought up quite frequently was this idea of the burden of reporting data and the number of changes that they had to address. I think, as we can all imagine, it’s not simply flipping a switch and all of a sudden the data flows. A lot of this required changing their electronic health record systems to support reporting, working with their IT vendors to make that happen, all while balancing the demands of responding to a pandemic. And so it was a really good insights, I think, for us to understand the sort of long term planning that’s needed to respond to a public health emergency. Again, something else that’s addressing our top management challenges, this idea that the department can have the systems ready to go or at least plans in place to stand up the systems for future pandemics so that that burden is not reduced to something that hospitals and others need to change in the midst of responding to the pandemic. But it’s something that can be stood up in advance and understood in advance to ease that burden, prove that data collection and ultimately improve the sort of transparency and accountability around not just pandemic response, but also public health emergency response, too.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
Tom Temin: Yeah, so really, I would think any agency would want to read this, because in some ways, these cross-agency boundaries, these are universal issues. Just a quick question, does data collection from industry, does that have to go through Paperwork Reduction Act considerations?
Andrew VanLandingham: It depends, right, depends on exactly what the department is asking the industry to do. So there’s no universal yes, that there are some regulatory hurdles, certainly to collecting information from industry like the Paperwork Reduction Act. But there are certain exceptions the department can get around using that. But to your point, there is a larger federal data strategy that OMB issued just a few weeks ago. I think it shows a great linear progression of not only HHS seemed to do, but a lot of federal governments. And really, it starts with getting the basics right, getting governance right, getting the sort of infrastructure around data right. And it’s the stuff that doesn’t make headlines. And it’s not the stuff that you testify to Congress about. But things like data governance and infrastructure are the sort of singles and doubles that the government needs to hit in order to make significant progress in improving both data collection, but also data publication and transparency. And there are certain pockets, even within HHS that have made strides. CMS has done a lot to make its data more available to both providers and to its patients. And so using those sort of nuts and bolts approaches, at least initially, will help us eventually get to an era where the federal government can better leverage artificial intelligence and machine learning, because that data is more consistent, more standardized, more accessible, and those sorts of technologies really need those large, standardized datasets to work best. And making progress now on those nuts and bolts issues will help make sure that by 2030, the federal government is really making progress on advanced use of data.
Tom Temin: And as a baseball fan, I like your singles and doubles analogy. That’s how you score runs in the long run. Andrew VanLandingham is senior counselor to the Office of Inspector General at the Department of Health and Human Services. Thanks so much for joining me.
Andrew VanLandingham: Thanks Tom, appreciate the opportunity.