House VA Technology Subcommittee Assesses VA IT Challenges

Noticeably absent from the hearing was VA’s CIO or a representative from OIT. Subcommittee members found this very disconcerting and disappointing.  VA’s CIO, James Gferer, declined to attend the hearing due to his appearance before the full House Committee that afternoon.  Carol Harris, Director of IT Acquisition Management at GAO and Brent Arronte, Deputy Assistant Inspector General from the Office of Audits and Evaluations both testified from a VA IT oversight standpoint.

Rep. Banks expressed his concern about how much of OIT’s budget is going to maintenance of legacy systems and that the percentage is on the rise.  It’s now 90% of VA’s total IT budget. He is also worried about OIT’s role in updating infrastructure in preparation for the new health record system (EHRM), the Decision Support Tool (DST) for MISSION Act implementation, as well as financial systems modernization which has started and stalled multiple times.

Rep. Banks asked Harris the main reason that VA is on GAO’s high risk list.  Harris replied that VA regressed due to turnover in the CIO position. VA has had six CIOs since 2012 and five CIOs in the last four years. Harris stated, “Our work has shown that the CIO needs to be in office roughly three-to-five years to be effective and about five-to-seven years for any major change initiative to take hold in a large public sector organization.”

Rep. Banks cited the U.S. Digital Service’s evaluation of the implementation of the GI Bill and their finding that it failed due to lack of accountability.  Arronte agreed with their conclusion stating that there was no single management official in charge and that this has been a common theme.  Arronte said, “When it’s time to make final decisions, there's no one there to do that.  It stalls the initiative or things are pushed out the door before they are ready.” According to Arronte, VA struggles with IT program management across the board.

Rep. Banks also stated that the “DOD/VA IPO is not living up to its mission.” He believes the IPO should be repurposed to organize all aspects of interoperability, not just the EHR. Banks said he planned to present legislation that would charge the IPO with “all aspects of interoperability” between DOD and VA, and that he would welcome GAO recommendations.

Harris said that the IPO as it is currently operating, is not a central point of accountability. She said this is the most important recommendation GAO has made regarding implementation of Cerner’s system.  According to Harris, if DOD and VA don't develop a process for adjudicating issues, then the project won't work. 

Rep. Banks asked GAO and VA OIG representatives if recent OIT organization changes that centralized help desk support and the enterprise program management office have had a positive impact. Michael Bowman, Director of IT and Security Audits at VA OIG, who accompanied Arronte, stated he is seeing some incremental improvement for IT security, but “improvements are marginal at best.” Harris said that one of the good things to come out of centralizing IT has been software license management.  Now VA has a comprehensive inventory of licenses and is in a better position to identify cost savings. 

Rep. Brownley asked those testifying with respect to ensuring success of the EHR implementation, “What are your recommendations for subcommittee oversight?” Harris responded that the committee needs to ensure that the process between DOD and VA is ironed out.  “If not, the project will fail.”  

Rep. Lamb commented that VA IT challenges appear to boil down to two big problems: leadership and money. “Is one more to blame?” Bowman replied that the inability of the CIO to be actively involved in budgeting for all VA administrations “is a recipe for disaster.” Harris stated that the VA doesn't have any policies for the CIO to be involved in strategic planning and only minimal involvement for budgeting.  She said these are critical, especially with turnover.

Additionally, Rep. Lamb asked why the VA isn’t making more FISMA progress. Bowman replied that VA is only making marginal progress.  The department has gone from 33 FISMA weaknesses to 28 weaknesses during the last audit.  Bowman says VA needs to do vulnerability assessments before OIG does the annual FISMA audit. 

Bowman also said IT security controls continue to be a major problem. Audits have found mission critical systems more than two years behind in security patches, network interconnections with third-parties that were not monitored, and major password deficiencies.

The subcommittee hearing brought to light multiple challenges within the VA OIT organization and general IT and cybersecurity issues that face the department. Given the number of challenges and lack of attendance from VA OIT leadership, I anticipate additional and frequent subcommittee hearings to try and provide oversight, guidance, and transparency to IT work within the VA.