GAO Urges VA to Improve IT Modernization and Cybersecurity

Published: September 23, 2020

Federal Market AnalysisGAOHealth ITInformation TechnologyVA

During a House hearing last week, GAO summarized ongoing VA IT and cybersecurity challenges, and urged the department to implement its recommendations for resolving them.

GAO’s Carol Harris, Director of Information Technology Management Issues, testified last week before a joint hearing of the House Subcommittees on Economic Opportunity and Technology Modernization to present GAO’s collective analysis on VA IT modernization and cybersecurity progress and challenges.

IT is fundamental to delivering VA’s mission and its IT budget now exceeds $4 billion annually. However, over a number of years, VA has experienced challenges in managing its IT projects and programs.

Harris’s testimony focused on VA’s efforts in three areas: modernizing three critical IT systems, implementing FITARA, and addressing cybersecurity issues.

VA has been working to modernize three critical IT systems. Over the years, GAO has tracked progress on these modernization efforts and found the following issues and challenges with each:

Veterans Health Information Systems and Technology Architecture (VistA) – VistA is VA’s Electronic Health Record (EHR) and health information technology system. GAO has followed and reported on VA’s efforts to modernize VistA over the past 20 years. VA has recently successfully implemented a scheduling component of its new EHR and is slated to deploy its first medical site on the completely new EHR system next month.   

Caregiver Application Tracker (CAT) – CAT is a system for the Family Caregiver Program which supports family caregivers of seriously injured post-9/11 veterans. VA is working to replace CAT and has implemented some of GAO’s recommendations stemming from 2014 regarding the system replacement.  However, a September 2019 GAO review, showed that VA had not yet implemented a new IT system to fully support the program and it did not have a definitive date for doing so.

Veterans Benefits Management System (VBMS) – VBMS collects and stores information and is used for processing disability benefit claims. A GAO review done in September 2015 showed that VA was progressing in the development and implementation of VBMS, but noted that additional actions could improve the development and use of the system. GAO made five recommendations aimed at improving VBMS development and implementation. However, as of September 2020, VA had only implemented one recommendation.

Additionally, VA’s progress in implementing key provisions of FITARA has been irregular. VA has made progress in closing unneeded data centers and improving software licensing, but has made limited progress in the areas of IT investment risk management and CIO authority enhancement. Congress cannot effectively monitor VA’s progress until the department fully implements the act’s provisions.

VA also struggles with information security issues. Since FY 2016, GAO has reported that VA faces challenges related to

  • Effectively implementing the federal approach and strategy for securing information systems
  • Effectively implementing information security controls and mitigating known security deficiencies
  • Establishing elements of its cybersecurity risk management program.

GAO urged VA to address these challenges as well as manage IT supply chain risks.

Harris concluded her testimony by stating that the VA has long struggled to overcome IT management challenges, which have resulted in a lack of system capabilities and implementation of critical initiatives. Harris stressed, “…it is more important than ever for the department to ensure that it is managing its IT in a way that addresses the challenges we have identified in our previous reports and high-risk updates. If the department continues to experience the challenges that we have previously identified, it may jeopardize its ability to effectively support key programs, such as the Forever GI Bill.”