Many of the members of the House Veterans Affairs Technology Modernization Subcommittee are relatively new to Congress, but it didn’t take them long to recognize a series of ongoing, reoccurring themes with the state of IT at the Department of Veterans Affairs.
Management of legacy IT systems are taking up too much time and resources, even as the list of new priorities and congressionally-driven initiatives that require an IT upgrade from VA grows ever longer.
Insight by Carahsoft: Learn how the FedRAMP PMO and its partners believe the end result of many of ongoing initiatives is a better, faster and cheaper cloud security program by downloading this exclusive ebook.
Operation and maintenance for the department’s legacy systems comprises more than 80 percent of VA’s IT spend, and that number is creeping upward.
“Now it is approaching 90 [percent],” Rep. Jim Banks (R-Ind.), the subcommittee ranking member, said. “We have been devoting more attention to IT, but the situation is actually getting worse.”
VA proposed an additional $240 million for its Office of Information and Technology in its 2020 budget request. OI&T would have nearly $4.1 billion in funding, not including an additional $1.1 billion for its ongoing electronic health record modernization efforts.
“I agree we have to invest in IT, but I need to know this will actually bend that cost curve and produce some new capabilities rather than perpetuate the current state of affairs,” he added.
Specifically, Banks, as well as the Government Accountability Office, wants to see VA devote more of its time, money and personnel toward the long list of new programs and capabilities that it’s been tasked to develop.
But the department, at least until this point, has been ill-prepared to make this pivot, especially with an IT shop that still faces a myriad of challenges. Lack of consistent IT leadership has been the biggest sticking point for VA over the past decade, and it’s a major factor that contributed to GAO’s decision to place VA healthcare on the High-Risk List back in 2015.
VA has had 10 different chief information officers since 2004 and six since 2012, according to the Government Accountability Office. A series of acting CIOs filled the gap between the time LaVerne Council left the position in January 2017 and the Senate confirmed James Gfrerer this past December.
The average CIO at VA has served about two years, according to Carol Harris, director of IT management issues at GAO. CIO turnover is common throughout government, but it’s especially prevalent at VA.
“Our work has shown that the CIO needs to be in office roughly three-to-five years to be effective and about five-to-seven years for any major change initiative to take hold in a large public sector organization,” she said.
In addition, VA lacks the formal policies that describe a series of concrete authorities that the CIO should have, Harris said.
Both GAO and VA’s IG office criticized the department for not giving the CIO central authority over the department’s IT budget. VA medical centers often purchase IT equipment under their own budgets, said Brent Arronte, the agency’s deputy assistant inspector general. And other VA administrations have told the IG they often don’t have a clear sense of what the CIO is doing.
“When it’s time to make final decisions about an initiative or an application, there’s no one there to do that,” Arronte said. “It stalls the initiative. The initiatives tend to be pushed out the door when they’re not ready. What we end up seeing is functionality problems with those programs as they mature, and then they try to fix them in flight so to speak. They struggle with that.”
The House Veterans Affairs Committee held two separate hearings on VA IT Tuesday. In the first, the technology modernization subcommittee attempted to get an update on a wide variety of VA IT initiatives. But it mostly heard about a litany of problems from GAO and VA’s IG. The subcommittee invited Gfrerer, the new CIO to testify about VA’s progress, but he declined and the department didn’t send an alternative.
Gfrerer accompanied Richard Stone, VA’s acting undersecretary for health, at the committee’s hearing on MISSION Act technology later that afternoon.
“I believe in taking the time to get things right, not do it in a hurry,” House VA Committee Chairman Phil Roe (R-Tenn.) said Tuesday afternoon. “I would rather VA postpone implementation of this program than to rush implementation in name only and have veterans pay the price for it.”
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
But both Stone and Gfrerer said VA would meet the June 6 deadline to stand up a consolidated community care program under the MISSION Act. The department said it would also meet the June 6 deadline to stand up a decision support tool, which is designed to help VA providers determine whether their patients meet the agency’s new criteria to see a doctor in the community.
VA exuded confidence at the afternoon hearing. It dismissed an assessment from the U.S. Digital Service, which recommended VA should stop development on the decision support tool and reassess.
But GAO and VA’s inspector general office painted a different picture of several VA IT initiatives.
VA’s electronic health record modernization, for example, has “serious challenges,” Harris said. GAO — and members of Congress — have been pushing VA and the Defense Department to establish a joint governance structure and designate a single person between the two agencies as the decision-making authority for the EHR overhaul.
“Ensuring that VA fully defines the role of the inter-agency program office with DoD is the most important action that VA can take to ensure that the EHR program is a success,” Harris said. “If they do not fully define that process with DoD, they are going to fail.”
Banks, meanwhile, brought up his concerns about VA’s efforts to modernize its financial management business systems.
“I need to see some forward movement,” he said. “VA started [financial management business transformation] almost three years ago, and I have watched it relaunch three separate times, [with] ballooning costs to above $2 billion but not deliver any new capabilities. We have been told that the old financial and accounting software barely holds together and VA’s ability to pass an audit is hanging on by a thread. That sort of thing absolutely gets my attention.”
IT security has been a material weakness on VA audits for the past 20 years, according to the department’s inspector general.
“We have to see password controls consistently implemented across those systems,” Michael Bowman, director of the information technology and security audits division within VA OIG, told the subcommittee. “We still see [systems] with the same username and password sometimes two or three years running. We have default passwords. When you’re briefly the VA Secretary and we start explaining that, it’s really uncomfortable because it seems like very low-hanging fruit. Why is that a discussion point every year when we brief out on the financial statements?”
And because many of VA’s legacy systems are no longer supported by the original vendor, the department can’t implement quick security patches and address other cybersecurity risks.
“Unbelievable,” Banks said.
GAO did, however, point to at least one bright spot. The department implemented a comprehensive software license management program based on GAO’s recommendations. VA can analyze software license usage and cost information across the department. It recently identified $65 million in savings over three years from analysis of one software license, Harris said.
Still, the small group of members on the technology modernization subcommittee, including its chairman, were discouraged by the assessment from GAO and VA’s inspector general office.
“Well, this has been somewhat depressing,” Rep. Susie Lee (D-Nev.) said in closing the hearing.