<DOC>
[110 Senate Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:39599.wais]

                                                          S. HRG. 110-  

                        HEARING ON THE CURRENT STATE OF 
                          AFFAIRS FOR INFORMATION TECHNOLOGY 
________________________________________________________________________




                                   HEARING 


                                 BEFORE THE 


                    COMMITTEE ON VETERANS' AFFAIRS 

                         UNITED STATES SENATE 


                       ONE HUNDRED TENTH CONGRESS 

                                FIRST SESSION 

                                 __________

                             SEPTEMBER 19, 2007 

                                 __________


Printed for the use of the Committee on Veterans' Affairs 











Available via the World Wide Web: http://www.access.gpo.gov/congress/senate 







                                   _________

                      U.S. GOVERNMENT PRINTING OFFICE 
                      
39-599 PDF                    WASHINGTON : 2007 
_________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area 
(202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001



















                                 COMMITTEE ON VETERANS' AFFAIRS 

                               DANIEL K. AKAKA, Hawaii, Chairman 

JOHN D. ROCKEFELLER IV, West Virginia RICHARD M. BURR, North Carolina, Ranking 
PATTY MURRAY, Washington               Member 
BARACK OBAMA, Illinois                LARRY E. CRAIG, Idaho, 
BERNARD SANDERS, (I) Vermont          ARLEN SPECTER, Pennsylvania 
SHERROD BROWN, Ohio                   JOHNNY ISAKSON, Georgia 
JIM WEBB, Virginia                    LINDSEY O. GRAHAM, South Carolina 
JON TESTER, Montana                   KAY BAILEY HUTCHISON, Texas 
                                      JOHN ENSIGN, Nevada 
                                 WILLIAM E. BREW, Staff Director 
                               LUPE WISSEL, Republican Staff Director 































                                   C O N T E N T S 
                                      __________


                                     SEPTEMBER 19, 2007 

                                         SENATORS 

Akaka, Hon. Daniel K., Chairman, U.S. Senator from Hawaii 
Burr, Richard, Ranking Member, U.S. Senator from North Carolina 
Murray, Patty, U.S. Senator from Washington 

                                         WITNESSES 

Howard, Robert T., Assistant Secretary for Information and Technology, U.S. 
 Department of Veterans Affairs; accompanied by Paul A. Tibbits, M.D., 
 Deputy Chief Information Officer, Office of Enterprise Development, Office 
 of Information and Technology, U.S. Department of Veterans Affairs; and 
 Ray H. Sullivan, Director of Field Operations, Office of Information and 
 Technology, U.S. Department of Veterans Affairs 
   Prepared statement 
   Response to written questions submitted by: 
     Hon. Daniel K. Akaka 
     Hon. Bernard Sanders 
Melvin, Valerie, Director, Human Capital and Management Information 
 Systems Issues, U.S. Government Accountability Office; accompanied 
 by McCoy Williams, Director, Financial Management and Assurance 
 Team, U.S. Government Accountability Office; Gregory Wilshusen, 
 Director, Information Security Issues, U.S. Government Accountability 
 Office; and Barbara Oliver, Assistant Director, Information 
 Technology, U.S. Government Accountability Office 
   Prepared statement 
Lucas, Stephen M., Director, James A. Haley VA Hospital and Clinics, 
 Tampa, Florida 
   Prepared statement 
Graves, Kim, Special Assistant to the Under Secretary for Benefits, 
 U.S. Department of Veterans Affairs 
   Prepared statement 
Glaser, John P., Vice President and Chief Information Officer, 
 Partners Healthcare 
   Prepared statement 










 
HEARING ON THE CURRENT STATE OF AFFAIRS 
FOR INFORMATION TECHNOLOGY 
WITH VA 
                                   ___________

         WEDNESDAY, SEPTEMBER 19, 2007

U.S. SENATE, 
COMMITTEE ON VETERANS' AFFAIRS, 


Washington, DC. 
The Committee met, pursuant to notice, at 9:29 a.m., in room 
562, Dirksen Senate Office Building, Hon. Daniel K. Akaka, Chairman 
of the Committee, presiding. 
Present: Senators Akaka, Murray, and Burr. 

OPENING STATEMENT OF HON. DANIEL K. AKAKA, CHAIRMAN, 
U.S. SENATOR FROM HAWAII 

Chairman AKAKA. Aloha and welcome to all of you today to this 
hearing on the state of information technology within the Department 
of Veterans Affairs. 
Before we get started, I take this opportunity to welcome the 
Senators of this Committee. I look forward to working closely with 
them and look forward to that, as well. You all know that we have 
a long history of bipartisan work on this Committee, and I am sure 
that this will continue. 
Over the past several years, this Committee has held multiple 
oversight hearings on VA IT issues. Often, these hearings have 
been in reaction to public failures of IT, including last year's data 
theft. This year, as we talk about seamless transition, we also 
think about IT and how we can do that, as well. 
Lost in the outcry about these failures was the recognition that 
while IT can help VA in many ways, it is only a tool, not an overall 
solution to a problem or a need. Without competent management, 
sound business practices, trained users, and a clear idea of desired 
outcomes, IT not only fails to be an asset, it can even become part 
of the problem. 
A recent VA IG audit that I requested on waiting times at VA 
facilities is a good example of how IT can and cannot be used. The 
investigation looked into the disconnect between what VA managers 
tell us about waiting times for VA appointments (that there 
are virtually none) and what veterans and stakeholders tell us 
about the existence of long lines. What the IG found was problems 
with the accuracy and completeness of the waiting lists, lists that 
are generated from VA's electronic health care records system. VA 
responded to the IG's findings in part by suggesting that new computer 
software will solve the problem. This is not an exclusive answer. 
Unless and until Congress and VA leadership can rely on 
VA's data as it is entered into databases, we cannot work together 
to get an accurate picture of the state of VA care and provide appropriate 
resources. IT can help, but only when there is a clear 
agreement on how to collect and report information. 
Today's hearing will focus on a wide range of information technology 
issues. Last year, there was a major change in the management 
of IT affairs at VA and this hearing is a chance to get a reading 
on the impact of that change. We hope to get a sense of where 
the Department is and where it is going with IT. We will hear testimony 
on the effects of changes to VA's IT management structure 
on the Department's ability to deliver health care benefits and 
services to veterans. Other issues before us include the impact of 
new VA IT security policies and procedures since the 2006 data 
theft, the prognosis for the development of a DOD-VA bi-directional 
interoperable Electronic Health Record, and other significant 
IT issues. 
Also, we are today releasing a GAO report on information security 
that I, along with other Members of the Senate and House, requested 
in response to last year's data theft. The report finds that 
although VA has made progress, there is still much work to do and 
part of that work is to hear from you and discuss this report today. 
Secretary Howard, at your confirmation hearing last year, I challenged 
you to restore the confidence of veterans in VA's ability to 
protect their personal information while leveraging IT solutions to 
maintain VA's preeminence as a health care and benefits provider. 
So I look forward to your assessment of where we are today and 
where we need to go in these areas. Millions of veterans rely upon 
VA for benefits and services, and in so doing have to rely on VA's 
IT systems. We must do all we can to ensure that they can do so 
with confidence. 
I want to thank all of our witnesses today for being here and 
sharing with us what they have done thus far. 
Before we start, I want to take this opportunity to welcome Senator 
Richard Burr of North Carolina to his new role as the Committee's 
Ranking Republican Member. I look forward to working 
closely with him as we continue to seek ways to meet the many 
challenges that continue to confront veterans and VA. As I said, we 
do have a history of bipartisanship here on this Committee and I 
am sure that will continue with Senator Burr, without question. 
We must do all we can to ensure that we can do that with confidence. 
I am glad to have the Senator from Washington here, as 
well. So let me call on Senator Burr for his statement. 

STATEMENT OF HON. RICHARD BURR, RANKING MEMBER, U.S. 
SENATOR FROM NORTH CAROLINA 

Senator BURR. Mr. Chairman, let me thank you for your gracious 
welcome. As you and I both know, we serve as Chair and Ranking 
Member on other Subcommittees and we find ways to address the 
business that we need to continue friendship and stay focused on 
the issues that are important to that Committee. I look forward to 
continuing that as we address the issues before us in the Veterans 
Affairs Committee. I thank you for calling this hearing. More 
importantly, I thank all of our witnesses today. I take the Ranking 
Membership on a temporary basis until other things are sorted out, 
but I certainly look forward to the information that we are here to 
talk about. 
The topic of information technology covers a wide variety of different 
areas, all of which are important and all of which have the 
ability to positively or negatively impact a veteran's quality of life. 
From electronic health and benefit records, to the electronic infrastructure 
that enhances VA services, to protecting our veterans' 
personal information, IT is the driving factor in accomplishing all 
these things. 
The May 3, 2006 theft of a computer external hard drive from a 
VA employee's home resulted in the compromise of over 26 million 
veterans' personal information. It drew national attention to the 
VA and highlighted problems with its information technology policies, 
procedures, and structures. The theft initiated a strong reaction 
from Congress, as it should have, and last December, we 
passed the VA Information Security Enhancement Act of 2006. 
Among many of the mandated improvements to the VA IT system, 
we assigned responsibilities to hold specific individuals accountable. 
We have created prompt Congressional reporting requirements, 
and we provided for recruitment and retention of individuals 
skilled in information technology. 
The theft also expedited a complete restructuring of the VA's IT 
organization so that the VA headquarters could have more IT oversight 
over all of its facilities throughout the United States. It then 
served as a catalyst for complete review of security systems and 
procedures and raised Congressional interest in and scrutiny of the 
IT program. 
The result of all of this is that the VA has undertaken a massive 
effort to restructure their IT program. VA's efforts to create consistency 
and enhanced security within a formerly decentralized IT program 
has resulted in a new and centralized IT architecture. Individual 
hospital directors used to have control over their own IT 
staff and programs. This resulted in inconsistent technologies within 
VA and little or no oversight from the VA main office. This new 
restructuring of VA IT is meant to consolidate efforts in the areas 
of policy, planning, purchasing, and training. 
However, no decision comes without consequences and I have 
some concerns as to whether this centralization will result in an IT 
system that is too slow and doesn't respond to local needs. That 
being said, I look forward to learning more about the current state 
of these efforts, the successes and the challenges that have yet to 
be addressed. I also hope to hear more about VA's progress with 
DOD-VA efforts to create an interoperable, interchangeable health 
records system. I hope to learn more about where we stand in the 
area of VA-DOD data sharing and standardization, what we have 
accomplished and what we have left to do. Someone who served 
this country should not have to compromise their health just because 
VA and DOD can't get health information from each other. 
With all this in mind, we convene today to learn about the current 
status of the newly centralized IT management system, current 
improvements in IT security, and the state of IT infrastructure 
and the progress made in VA and DOD information sharing. 

I would like to personally thank the Chair for his indulgence as 
we have transitioned on this side and to once again thank all of 
our witnesses today for their very candid testimony. I thank the 
Chair. 
Chairman AKAKA. Thank you very much, Senator Murray. This 
Committee is in order as I call on our Hon. Senator Patty Washington 
from Washington for her statement. 

STATEMENT OF HON. PATTY MURRAY, U.S. SENATOR FROM 
WASHINGTON 

Senator MURRAY. Thank you very much, Chairman Akaka. I join 
you in welcoming Senator Burr to the position of Ranking and look 
forward to working with you on many issues. I know we have 
talked about what we share in common, as well, for our veterans. 
Mr. Chairman, the topic of today's hearing, which is the state of 
information technology within the VA, is incredibly important. It 
impacts nearly everything the VA does, from delivery of health care 
and benefits, to the protection of sensitive personal information, to 
the pursuit of a truly seamless transition with DOD. The VA's IT 
system is really kind of the glue that holds everything together. 
The VA has a lot to be proud of when it comes to its IT system. 
Its Electronic Health Records have improved the quality of health 
care for veterans while at the same time reducing the cost of delivering 
health care. And as we all know, when Hurricane Katrina hit 
New Orleans, veterans who were enrolled in the VA system, unlike 
many others, did not lose their medical records because the VA's 
back-up files preserved their records and enabled them to get care 
across the country at different VA facilities. 
Despite all this, the VA's IT system does have some very serious 
challenges. Chairman Akaka, I know that you and many other 
Members of this Committee share my deep concern over the VA's 
information security and inventory control practices. Since the VA's 
now well publicized loss of personal data in May of 2006 and January 
of 2007, the VA has taken steps to improve its information security 
practices, but as the GAO recently pointed out, more does remain 
to be done. 
Mr. Howard, I hope to hear from you today about why the VA 
has not fully implemented most of the key GAO and IG recommendations 
to strengthen your agency's information security 
practices. According to a July 2007 GAO report, four audited VA 
facilities reported more than 2,400 missing items estimated to cost 
$6.4 million. A 2004 GAO report of VA's inventory control revealed 
that fewer than half of the items selected for testing could be located, 
and most of that was IT equipment. These deeply troubling 
revelations raise some serious questions about who is minding the 
shop at the VA. Our veterans need to know that their personal and 
sensitive data is well protected and they deserve to know what is 
being done to improve the accountability and control of the VA's IT 
inventory. 
As we will surely hear from Mr. Howard, one of the key ways the 
VA has acted to minimize the risk of data loss has been to centralize 
the VA's information technology system. This effort certainly 
has its merits, but some have raised questions about how 
this change will impact the ingenuity and flexibility that local 
providers have on the development of the system. 
So I look forward to hearing from our witnesses today on how 
they think the VA can balance the needs for centralized management 
of the IT system while still meeting our local needs out in our 
communities. I also look forward to hearing from our witnesses 
about where things stand in the development of a joint VA-DOD 
Electronic Health Care Record. For too long, as we all know, our 
servicemembers and veterans have suffered the consequences of 
this system failure and we need to make sure, Mr. Chairman, that 
we are doing everything in our power to right that wrong. 
So I really appreciate the opportunity to be at this hearing today 
and look forward to the testimony from the witnesses. 
Chairman AKAKA. Thank you very much for that, Senator Burr. 
I am pleased this morning to introduce our first panel. Assistant 
Secretary for Information and Technology Bob Howard has served 
in his current position since the fall of the year 2006. He has the 
daunting task of reorganizing VA's IT and its management structure 
while continuing to provide uninterrupted support for the delivery 
of health care and benefits. 
Secretary Howard is accompanied by Dr. Paul Tibbits, Deputy 
Chief Information Officer in the Office of Enterprise Development, 
and Ray Sullivan, Director of Field Operations. 
Secretary Howard, I want to thank you for coming today. We 
look forward to your assessment of where VA IT is and where it 
needs to go, and I know we are looking forward to your kind of 
leadership and would like to hear from you at this time. Will you 
please proceed with your testimony. 

STATEMENT OF ROBERT T. HOWARD, ASSISTANT SECRETARY 
FOR INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT 
OF VETERANS AFFAIRS; ACCOMPANIED BY PAUL A. TIBBITS, 
M.D., DEPUTY CHIEF INFORMATION OFFICER, OFFICE OF 
ENTERPRISE DEVELOPMENT, OFFICE OF INFORMATION 
AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS AFFAIRS; 
AND RAY H. SULLIVAN, DIRECTOR OF FIELD OPERATIONS, 
OFFICE OF INFORMATION AND TECHNOLOGY, U.S. 
DEPARTMENT OF VETERANS AFFAIRS 

Mr. HOWARD. Thank you, Mr. Chairman. I would like to thank 
you for the opportunity to testify on the current status of the VA 
OIT reorganization and its impact on the delivery of health care 
and benefits, the effect of enhanced VA IT security policies and procedures 
on health care and benefits delivery, the status of asset 
management for IT systems, the legacy system transition, the Joint 
Inpatient Records System and unresolved problems identified during 
the realignment. These are all very important issues that need 
to be addressed. 
As you mentioned, sir, I am accompanied by Dr. Paul Tibbits and 
Ray Sullivan. Paul will discuss issues associated with development 
and Ray on the operations side. 
First, sir, though, I would like to thank you for actually being the 
catalyst for establishing my top priorities as Assistant Secretary for 
the Office of Information and Technology. These were developed in 
response to a nomination post-hearing question presented by you 
back in September of last year. At the time of your question, the 
paper was blank, so I thank you for prompting me to develop what 
has turned out to be very helpful, extremely helpful, priority statements. 
These priorities are guiding the realignment process we see 
taking place today. There are seven of them. 
Briefly, they include, (1) establishing a well-led, high-performing 
organization that delivers responsive support. 
(2) standardizing IT infrastructure and IT business processes 
throughout the VA. 
(3) establish programs that make VA's IT system more interoperable 
and compatible. 
(4) effectively managing the IT appropriation to ensure 
sustainment and modernization of our IT infrastructure and more 
focused application development to meet increasing and changing 
requirements of our business units. 
(5) priority is strengthening information security controls within 
VA and among our contractors in order to substantially reduce the 
risk of unauthorized exposure of veteran or VA employee sensitive 
personal information. 
(6) priority is creating an environment of vigilance and awareness 
to the risk of compromising veteran or employee sensitive personal 
information by integrating security awareness into daily activities. 
And lastly, sir, the last priority is to remedy the Department's 
longstanding IT material weaknesses relating to a general lack of 
security controls, and sir, I assure you that we are working hard 
to give these priorities the required attention. 
As you know, the Secretary approved the Department's new reorganization 
structure in 2007 and we set a goal to complete the realignment 
by July of 2008. We have transferred over 6,000 employees 
to the Office of Information and Technology, and this, along 
with the centralized IT appropriation and delegation of authority 
for FISMA, provides a very unique opportunity to significantly improve 
IT activities within VA. 
Another critical element in that regard is the full commitment 
for VA's leadership to make this reorganization successful, and we 
do have that commitment. 
I have provided an organization chart for you, a reference 
throughout the hearing, and as you see there, there are five additional 
deputies that we have. We also have an IT oversight and 
compliance capability and a Quality and Performance Office. We 
have also implemented a new IT governance plan which establishes 
the processes, responsibilities, and authorities required to manage 
IT's resources. 
Clearly an important question associated with this realignment 
is how has it impacted the delivery of health care and benefits to 
our veterans. In my opinion, there has been no significant change 
in these two areas, which was, in fact, a key objective of this reorganization, 
and that was to do no harm. This is not to say we have 
not had problems. We have. But we have also experienced improvements 
in our ability to gain knowledge over IT activities that were 
not very visible in the past. We have gained benefits in IT funding 
details across the VA and also in our ability to protect the sensitive 
information of our veterans. 

An area in which information protection has dramatically improved 
is incident response. VA has encrypted over 18,000 laptop 
computers and has implemented procedures for issuing encrypted 
portable data storage devices. This month, the Department is procuring 
software to address the encryption of data at rest. And just 
last week, we awarded an extremely important contract, and that 
is for an extensive port monitoring capability which will help us 
better control what devices can access our network. 
At the same time, VA continues to increase self-reporting security 
and policy and privacy violations and incidents. This trend is 
a direct positive outcome of the significant amount of policy guidance 
and training conducted on information protection over the 
past year and a half. Since the May 2006 data breach, the VA staff 
is now more aware of the importance of protecting our veterans' 
and employees' information and identities. While we do have a way 
to go here, I have definitely seen an improvement. 
Regarding the annual FISMA report that we will submit this 
year, not only will we submit one (and as you know, we didn't submit 
one last year, we got an incomplete), for the first time, we have 
completed testing of over 10,000 security controls on our 603 computer 
systems. This is the first time that has been done. We are 
also addressing some critical problem areas. 
As you know, the House Veterans Affairs Oversight and Investigations 
Committee recently held a hearing on VA's IT asset management 
based on a GAO report which found inadequate controls 
and risks associated with theft, loss, and misappropriation of IT 
equipment at selected VA locations. For the past 6 months, tightening 
IT inventory control throughout the VA has been the focus 
of a cross-functional tiger team. Types of equipment to be inventoried 
are Blackberries, thumb drives, cell phones, and in addition, 
VA has issued a memorandum requiring each VA facility to complete 
it by the end of December of this year, a wall-to-wall inventory 
of all IT equipment assets, including sensitive items, regardless 
of cost. This initial inventory will help provide a VA IT asset 
baseline, something that has not existed before. 
We have also made progress in the evolution of our health care 
and benefits systems and in improving ties with DOD. The work 
with DOD has been most helpful in the area of data sharing and 
data standardization. We are moving our health care system from 
a hospital-centric model to a patient-centric approach. This approach 
will ultimately allow veterans and their care providers to 
access seamless health records and information at any time regardless 
of location. This modernization will utilize a central IT architecture 
and a six-phase transition plan to be completed by 2015. 
The existing portfolio of VBA applications are based on various 
legacy technologies, most of which are not web-based. These legacy 
applications are more expensive in that they require more intensive 
support since they rely on outdated software. To remedy this, VBA 
has established an application architecture blueprint to be used for 
all applications and a pilot is being performed for the Benefits 
Delivery Network Rehost Program to migrate the legacy system to a 
more modern browser-based environment. 
In closing, Mr. Chairman, I want to assure you that we will remain 
focused in our efforts to improve all aspects of the information 
technology environment in the VA and to make sure that we 
do not negatively impact the delivery of health care or benefits in 
the process, but instead begin to see steady improvements in modernizing 
both our health care and benefits IT environments. 
Thank you for your time and the opportunity to speak on this 
issue and we would be happy to answer any questions you may 
have. 
[The prepared statement of Mr. Howard follows:] 

PREPARED STATEMENT OF ROBERT T. HOWARD, ASSISTANT SECRETARY FOR 
INFORMATION AND TECHNOLOGY, DEPARTMENT OF VETERANS AFFAIRS 

Thank you, Mr. Chairman. I would like to thank you for the opportunity 
to testify on the current status of the VA Office of Information & 
Technology's (OIT) reorganization and its impact on the delivery of 
healthcare and benefits; the effect of enhanced VA IT security policies 
and procedures on healthcare and benefits delivery; the status of asset 
management/inventory control for IT systems; the legacy system 
transition; joint in-patient record systems; and unresolved problems 
identified during the realignment. These are all very important issues 
that need to be addressed. 
To assist in discussing these issues today, I am accompanied by: 
  Dr. Paul Tibbits, my Deputy Chief Information Officer for Enterprise 
  Development, 
  Mr. Ray Sullivan, my Director of Field Operations 
First, I would like to thank you Mr. Chairman for being the catalyst for 
establishing my top priorities as Assistant Secretary for the Office of 
Information and Technology. They were developed in response to a 
nomination post-hearing question presented by you back in September of 
last year. Thank you for prompting me to develop what has turned out to 
be very helpful and extremely important priority statements. 
These priorities are guiding the realignment process we see taking place 
today. 
There are seven of them. Briefly, they include (1) establishing a 
well-led, high-performing, IT organization that delivers responsive IT 
support to the three Administrations and Central Office staff sections; 
(2) standardizing IT infrastructure and IT business processes throughout 
VA; (3) establishing programs that make VA's IT system more 
interoperable and compatible; (4) effectively managing the VA 
IT appropriation to ensure sustainment and modernization of our IT 
infrastructure and more focused application development to meet 
increasing and changing requirements of our business units; (5) 
strengthening information security controls within VA and among our 
contractors in order to substantially reduce the risk of unauthorized 
exposure of veteran or VA employee sensitive personal information; (6) 
creating an environment of vigilance and awareness to the risks of 
compromising veteran or employee sensitive personal information within 
the VA by integrating security awareness into daily activities; and 
(7) remedying the Department's longstanding IT material weaknesses 
relating to a general lack of security controls. I assure you that 
we are working hard to give these priorities the required attention. 
As you know, the Secretary approved the Department's new organization 
structure in 2007, and we've set a goal to complete the realignment by 
July 2008. We have transferred over 6,000 employees to the Office of 
Information and Technology. This, along with the centralized IT 
appropriation and delegation of authority for FISMA provides a unique 
opportunity to significantly improve IT activities within VA. Another 
critical element in that regard is the full commitment from VA's 
leadership to make this reorganization successful. 
I have provided an organization chart for your reference throughout the 
hearing. In addition to five additional deputies, we have an IT 
Oversight and Compliance capability and a Quality and Performance 
Office. We also have implemented a new IT governance plan which 
establishes the processes, responsibilities and authorities required to 
manage VA's IT resources. The GAO recently released a report on our 
realignment progress and correctly identified that there is more work 
to be done to have a successful transition from a decentralized to a 
centralized 
organization. We have already begun implementing some of their 
recommendations. Clearly an important question associated with this 
realignment is how has it impacted the delivery of healthcare and 
benefits to our veterans? In my opinion, there has been no significant 
change in these two areas, which was a key objective of this 
reorganization: to do no harm. This is not to say we have not had 
problems; we have. But we have also experienced improvements in our 
ability to gain knowledge over IT activities that were not very visible 
in the past, in IT funding details across the VA, and in our ability to 
protect the sensitive information of our veterans. An area in which 
information protection has dramatically improved is incident response. 
VA has encrypted over 18,000 laptop computers, and has implemented 
procedures for issuing encrypted portable data storage devices. This 
month, the Department is procuring software to address the encryption 
of data at rest. And just last week we awarded a contract for an 
extensive port monitoring capability which will help us better control 
what devices can access our network. At the same time, VA continues to 
increase self-reporting security and privacy violations and incidents. 
This trend is a direct, positive outcome of the significant amount of 
policy, guidance, and training conducted on information protection over 
the past year and a half. Since the May 2006 data breach, the VA staff 
is now more aware of the importance of protecting our veterans' and 
employees' information and identities. While we do have a way to go 
here, I have definitely seen improvement. The Department has also 
undertaken a concerted effort to reduce the use of social security 
numbers and to review and eliminate a significant amount of personally 
identifiable information VA currently holds. To that end, VA has 
drafted two documents outlining plans to achieve both these goals. 
These plans were developed in accordance with OMB Memorandum 
M-07-16, ''Safeguarding Against and Responding to the Breach of 
Personally Identifiable Information'' and it will be included in this 
year's FISMA report. Regarding the FISMA report, not only will we 
submit one this year, (we got 
an incomplete last year), but we have, for the first time, completed 
testing of over 10,000 security controls on our 603 computer systems. 
We are also addressing some critical problem areas. As you know, the 
House Veterans Affairs Oversight & Investigations Committee recently 
held a hearing on VA's IT asset management based on a GAO report 
(report 07-505) which found inadequate controls and risk associated 
with theft, loss, and misappropriation of IT equipment at selected 
VA locations. In that report, GAO found many problems regarding 
the IT asset management environment and included a number of important 
recommendations--with which we agree and are implementing. We have 
completed a handbook on the Control of Information Technology 
Equipment within the VA which includes each of the recommendations 
made by GAO in its report. These documents are now being finalized 
within the Department, but we have already implemented the procedures 
they describe. They will provide clear direction on all aspects 
of IT asset management. 
For the past 6 months, tightening IT inventory control throughout VA 
has been the focus of a cross-functional Tiger Team. Types of equipment 
to be inventoried are BlackBerries, thumb drives, cell phones, etc. 
In addition, VA has issued a memorandum requiring each VA facility to 
complete, by the end of December of this year, a wall-to-wall inventory 
of all IT equipment assets, including sensitive items, regardless 
of cost. Reporting requirements have been established at the Facility, 
Regional and Field Operations levels to ensure that issues are 
identified and addressed early in the process. By way of support, we 
have established an IT Inventory Control Knowledge Center that is 
accessible by all VA personnel. This website provides references, 
templates, definitions, frequently asked questions and a link to contact 
the Tiger Team directly. Also, the Office of Oversight and Compliance 
is working with Tiger Team members to develop a compliance checklist 
that will be used for scheduled and unscheduled audits regarding IT 
assets. This initial inventory will help provide a VA IT asset 
baseline--something that has not existed before. We have also made 
progress in the evolution of our healthcare and benefits systems 
and in improving ties with DOD. The work with DOD has been most helpful 
in the area of data sharing and data standardization. We are moving our 
healthcare system from a hospital-centric model to a patient-centric 
approach. This approach will ultimately allow veterans and their care 
providers to access seamless health records and information at any 
time, regardless of location. This modernization will utilize a central 
IT architecture and a six-phase transition plan to be completed by 
2015. 
The existing portfolio of VBA applications are based on various legacy 
technologies, most of which are not web-based. These legacy 
applications are more expensive in that they require more intensive 
support since they rely on outdated software. 
To remedy this, VBA has established an application architecture 
blueprint to be used for all applications. A pilot is being performed 
for the Benefits Delivery Network (BDN) Re-host program to migrate the 
legacy system to a more modern browser-based environment. 
In closing, Mr. Chairman, I want to assure you that we will remain 
focused in our efforts to improve all aspects of the Information 
Technology environment in the VA and to make sure that we do not 
negatively impact the delivery of healthcare or benefits in the process 
but instead begin to see steady improvements in modernizing both our 
healthcare and benefits IT environments. Thank you for your time 
and the opportunity to speak on this issue. We would be happy to answer 
any questions you may have. 

RESPONSE TO WRITTEN QUESTIONS SUBMITTED BY HON. DANIEL K. AKAKA TO ROBERT 
T. HOWARD, ASSISTANT SECRETARY FOR VETERANS AFFAIRS 

Question 1. During an oversight visit to the Honolulu Regional Office, 
Committee 
staff learned that claims are being delayed because VBA staff are not 
able to read medical reports which are scanned into VHA's electronic 
health record system. I understand that happened almost a year ago. VBA 
asked for access to the electronic health record files because of the 
delays in processing claims and this request has not been approved. It 
is my further understanding that VBA will not be able to view these 
records until some time in 2008; in the meantime, processing of claims 
is delayed until the records can be printed out and sent to VBA. Given 
the current backlog in claims processing, this seems like an IT 
solution that should be given a priority. What can be done to improve 
the electronic transmission of medical information from VHA to VBA in 
a more timely manner? 
Response. The compensation and pension records interchange application 
(CAPRI), provides the Veterans Benefits Administration (VBA) employees 
with online access to electronic medical records, stored at Veterans 
Health Administration (VHA) facilities. This application allows VBA 
employees to access and print medical evidence needed for claims 
processing. It also allows text from electronic documents to be copied 
and pasted into rating decisions, to eliminate the need for re-keying 
this important information, cited as evidence, in support of a 
veterans' disability claim. 
One additional element that has been requested is access to the imaged 
files, stored in the VHA systems in VistA Imaging. The plan has always 
been to expand CAPRI, to provide access to these imaged records. We are 
assessing current priorities to determine when it will be feasible to 
incorporate this type of information into the CAPRI interface. Once the 
enhancement is completed, this additional type of medical evidence can 
be obtained and stored in Virtual VA, the VBA imaging system. 
Question 2. As mentioned in my opening statement, my requested 
investigation on VHA's waiting times yielded findings about the 
accuracy and completeness of the waiting lists. Senator Tester has also 
brought to my attention the need to refine the pharmacy ordering system, 
so that prescriptions aren't mailed out to veterans until they are 
needed. Is responsibility for matters such as fixing the electronic waiting 
list and refining pharmacy systems your responsibility or does that still 
vest in VHA? What priority does VA place on finding specific health 
information solutions? 
Response. The responsibility for addressing the 
electronic waiting list and refining pharmacy systems is jointly shared 
by VHA and VA's Office of Information and Technology (OIT). VHA is 
responsible for defining software requirements. OIT is responsible 
for the development of software which meets those requirements. 
VHA has conveyed to OIT that the two software packages (pharmacy and 
scheduling) are both top priorities for VHA and that development 
efforts should be managed to address those priorities. Therefore, here 
are the current OIT milestones for the pharmacy re-engineering and 
replacement scheduling application projects (Planned Start, Planned Finish): 

<GRAPHIC NOT AVAILABLE IN TIFF FORMAT>

Question 3. It seems as though VA has been in the process of 
modernizing its health and benefits IT systems for years. What is the 
time line for completing the migration of VistA and BDN to modern IT 
platforms? 
Response. A completion date for the migration of VistA to a modern IT 
platform, also referred to as the HealtheVet modernization effort, is 
currently in the proposal phase and is being reviewed. A six-phase 
transition plan is proposed to deploy all applications within the new 
VistA-HealtheVet environment, which will use a central IT architecture, 
by 2015. Phase I focuses on the deployment of core infrastructure 
components such as the health data repository, administrative data 
repository, and several common services; as well as, the first major 
applications built upon this services oriented architecture (SOA). 
Major applications under development as part of Phase II include the 
laboratory and pharmacy replacement systems. Upon completion of all six 
phases, VA will have an IT health care system that holds a comprehensive, 
interdisciplinary medical record, which will be available anywhere. The 
estimated cost for the proposed plan does not include operations and 
maintenance costs. 
The current schedule to migrate BDN business functionality off the 
Honeywell/Bull mainframe projects completion in September 2012. Upon 
successful completion, the Honeywell/Bull Mainframe will be retired 
from the VA IT environment. BDN is composed of several applications 
that support three VBA business lines: compensation and pension (C&P), 
education, and vocational rehabilitation and employment (VR&E). C&P 
functionality within BDN is scheduled to be fully replaced by VETSNET in 
the third quarter of fiscal 2009. VR&E functionality is contained in 
the Chapter 31 application, which is scheduled for conversion to the VA 
''To Be'' architecture in Fiscal Year 2011. The remaining BDN 
functionality supports education service and is scheduled to be fully 
migrated to the VA ''To Be'' architecture by third quarter 2012. 
Subsequent to validation efforts to ensure all functionality has been 
successfully transitioned, the Honeywell/Bull mainframe will be shut down 
and removed 
from the VA IT environment in September 2012. 
Question 4. This question pertains to the issue of VA and DOD 
interoperability. I understand that VA has an integrated medical 
information system, while DOD has multiple systems that are not 
integrated. What are the challenges for VA health professionals to 
receive accurate and timely medical information from DOD when it does 
not have an integrated system that cannot fully communicate within DOD, 
much less with VA and when not all of DOD's medical information is 
available electronically? 
Response. VA and the Department of Defense 
(DOD) are working together to address challenges related to VA 
obtaining access to the multiple systems in which DOD data is held. 
Despite these challenges, VA and DOD are now sharing unprecedented 
amounts of electronic medical data. Over the past several years, VA and 
DOD have worked closely and collaboratively to develop incremental data 
exchanges, which now support the one way and bi-directional exchange of 
most health data that are available in electronic format. 
For example, VA and DOD worked to first develop the bi-directional 
health information exchange (BHIE), to support the exchange of text 
data from legacy composite health care system (CHCS). VA and DOD later 
collaborated on additional work that permitted the exchange of data via 
the inpatient essential clinical information system (CIS), and later 
with the clinical data repository of AHLTA, DOD's electronic health 
information system. 
Despite the lack of uniform implementation across DOD and the resulting 
increased time it took to make DOD data available, VA providers are now 
able to use BHIE to view electronic laboratory results, allergy, 
pharmacy, radiology results, theater data, and select inpatient data 
available electronically from major DOD facilities, such as discharge 
summaries and emergency department notes. We also have demonstrated the 
successful bi-directional exchange of digital radiology images at a 
pilot site in El Paso, Texas. Additional work will support the future 
exchange of encounter notes, problem lists, vital signs, history data 
and questionnaires. VA's ongoing ability to share data with DOD, in a 
seamless fashion, is dependent upon VA's ability to develop modern 
tools and technologies and DOD's ongoing efforts to develop a complete 
electronic health record. VA is working with DOD to document a study to 
explore developing a joint in-patient electronic health record. This 
will have the potential to address the unavailability of electronic data 
for much of 
the DOD inpatient record. 
Question 5. The House Appropriations Committee report language 
accompanying the 2008 VA MILCON Appropriations Bill would cutoff funds 
for VA's continued development of its electronic health record system, 
unless it is interoperable with DOD. What would be the impact on future 
development of VA's electronic health record system should funding be 
cutoff? 
Response. As the electronic health record is at the center of VA's 
health care system, possible impacts on future development of VA's 
electronic health record system should funding be eliminated include: 
  Inability to comply with regulatory changes that would require 
software modifications for implementation and reporting. 
  Compromise in patient safety due to elimination of funding to correct 
software deficiencies. 
  Inability to enhance the current interoperable features within VistA 
(e.g. remote data interoperability, laboratory data sharing, Vista 
imaging sharing pilot). 
  Inability to enhance the bi-directional health information exchange 
(BHIE), another aspect of VA/DOD interoperability. 
  Compromised ability to effectively report on and monitor pandemic 
disease outbreaks. 
  Inability to meet Global War on Terror (GWOT) and/or Operation Enduring 
Freedom/Operation Iraqi Freedom (OEF/OIF) mandates. 
  VA would fall from industry leading position as the private sector 
continues to improve in this arena, reducing public opinion of VA 
activities. 
Question 6. During questioning, Mr. Lucas testified that he was denied 
authority 
by VACO to purchase certain IT equipment that he considered would be 
helpful, to improve the efficiency and operations of his hospital. 
Dr. Glaser followed-up, by testifying that within his health care 
network, 50 percent of a hospital's IT spending was discretionary, so 
long as it was spent within established guidelines. He also mentioned a 
program for awarding grants for IT innovation. Please comment on the 
policy that precludes a VA Medical Center Director from using 
discretionary funds to purchase IT equipment that they deem would 
improve the efficiency and operations of their facility. Also, please 
comment on whether or not VA has an existing IT innovation grant 
program and if not, if one is in the planning stages. 
Response. As stated in the attached memorandum dated April 13, 2006, 
all IT expenditures are directed and controlled under a separate 
appropriation and under the authority of the VA Chief Information 
Officer (CIO). The VA CIO allocates discretionary funds to each medical 
center as mentioned above. There is currently no program for awarding 
grants for IT innovation. 
Question 7. I understand that VA's Office of Information and Technology 
(OI&T) has metrics that measure how well VA Administrations are 
complying with VACO centralized management IT policies and procedures. 
Does a metric exist that measures how well OI&T is supporting VHA and 
VBA? 
Response. There are no metrics that measure either ''side'' of this 
concept, i.e., either how well VA's Administrations are complying with 
VACO centralized management IT policies, or conversely, how well OIT is 
supporting the Administrations. 

RESPONSE TO WRITTEN QUESTIONS SUBMITTED BY HON. BERNARD SANDERS TO 
ROBERT T. HOWARD, ASSISTANT SECRETARY FOR VETERANS' AFFAIRS 

Question 1. For years now, we have seen report after report about the 
unconscionable delays, appeals, and remands that characterize the VBA 
disability compensation process. I have thought for some time now that 
automating the rules embodied in the Veterans Administration Schedule 
for Rating Disabilities (VASRD) would go a long way toward speeding up 
the process of adjudication and appeal, reducing the existing backlog of 
claims, and improving the accuracy and consistency of decisions. 
It seems that there would be tremendous value in getting a complete and 
standardized set of data on each veteran, relevant to his or her 
particular problems, that can then be linked to the relevant sections 
of the Schedule for more accurate ratings, the same way, regardless of 
the skill of the rater. It seems the Department is busy hiring hundreds 
of new raters, but has done nothing to improve the underlying antiquity 
of the process they are being asked to assume. Please tell us what the 
Department's plans are to automate the VASRD, in order to make claims 
processing more accurate, timely, and efficient. Do you have the 
resources and authority you need to carry out such a task? 
Response. VBA is receiving more disability claims than at any time in 
recent history. 
Our expanded outreach program for active duty servicemembers and members 
of the National Guard and Reserves, the aging of the veteran population 
and the progression of their disabilities, and the addition of type-2 
diabetes to the list of presumptive disabilities for veterans, who 
served in Vietnam, are among the major factors driving up claims receipts. 
Our incoming claims volume is now 45-percent above our 2000 (year) level. 
This year, we received 838,000 disability claims, which is 32,000 more 
claims than last year. At the same time, we are receiving more claims, 
the claims decision process is becoming longer and more difficult, 
because veterans today, on average, claim more disabilities than 
veterans in previous eras and the nature of many of these disabilities 
is becoming increasingly complex (e.g., serious traumatic injuries, 
diabetes and its complications, PTSD, undiagnosed illness, etc.). VA 
must assign a percentage evaluation to each disability determined to be 
service-related. Changes in law and recent Court decisions have also 
introduced additional complications into the claims decision process 
and extended the length of time veterans must wait for decisions on 
their claims. 
Because of the large growth in claims receipts and the increased 
complexity of the claims, the pending inventory of rating-related 
claims remains high--391,000 at the end of September 2007. The high 
volume and complexity of incoming claims also impact average processing 
time, which is currently 183 days. We have developed a plan to address 
the workload challenges. While there are many components in this plan, 
the cornerstone of VBA's long-term effort to reduce claims backlogs and 
improve claims processing timeliness remains unchanged--develop a 
well-trained workforce that is sized commensurate with current and projected 
claims workload. 
  We are aggressively hiring across the Nation. We have already added 
  over 1,100 new employees since January 2007, and we will add a total 
  of 3,100 by the end of this year. 
  Because it takes at least 2 years for a new employee to become fully 
  trained in all aspects of claims processing, we have also 
  significantly increased the use of overtime. 
  Additionally, retired claims processors have been recruited to 
  return to work as rehired annuitants, enabling us to increase 
  decision output this year by nearly 16,000 claims. We are continuing 
  to hire additional annuitants. 
  To get our new employees productive as early as possible in their VA 
  career, we have modified our new employee training program, to focus 
  initial training on specific claims processing functions. This allows 
  our more experienced employees to focus on the more difficult claims. 
  We are looking at additional ways to achieve greater efficiencies in 
  the delivery of disability benefits. We are in the process of 
  centralizing the remaining pension claims workload, which includes 
  original disability and death claims processing, to our three pension 
  maintenance centers. This will allow regional offices to dedicate more 
  resources to compensation claims processing. 
  We will also gain processing efficiencies in 2008, through 
  centralization of all compensation and general assistance telephone 
  calls, to nine virtual information call centers. 
We are already seeing the results of the increased processing capacity 
and the initiatives begun earlier last year. On average, we are now 
producing 5,000 more claims decisions per month. 

Chairman AKAKA. Thank you very much for your testimony, Secretary 
Howard. 
Mr. Secretary, under the former decentralized VA IT management 
structure, field-based innovation and creativity were hallmarks 
leading to the creation of VA's electronic medical information 
system. How can you maintain this spirit of innovation and 
creativity while centralizing most of the decisionmaking in the 
central office? 

Mr. HOWARD. Sir, that is an extremely important question, and 
one thing we absolutely cannot impact is innovation throughout 
our medical system. That is for absolute certainty and we do not 
want to do that. But at the same time, we do need to get better 
visibility of these innovative ideas and we have begun to establish 
a program to do precisely that. 
In other words, if you are a physician working with your IT community 
at a hospital, working on a very innovative idea, that is 
fine. But at some point in the process, we need to make a decision 
as to what to do with that idea, whether we want to expand it 
throughout the VA, whether we want to adequately fund it and 
bring it forward. This is very, very important. We don't want to 
stop these ideas, but we do want to capture them and distribute 
them throughout the VA, so that everyone can gain the benefit of 
this particular innovative idea, and a lot of that is going on. 
With the reorganization, we actually have gained more visibility 
over these ideas than we perhaps have had before. The funding 
issue, though, is very key, and at some point in that innovative 
process, we need to decide whether to move forward or whether to 
stop that particular topic because it doesn't prove to be beneficial. 
But IT does not make that decision. A key aspect of your question, 
sir, deals with the word ''requirements.'' Requirements definition, 
requirements determination, and requirements prioritization, 
that is not IT. We have a priority process in place that does involve 
the administrations. They set the priorities on what should be 
done. We need to help them, though, in defining those requirements 
and in making clear the funding aspect of those requirements. 
As you can see on that drawing on the left side that I passed out, 
each of the administrations has got a requirements office that 
interfaces with us, and this is beginning to happen. We have 
established a governance process that includes requirements 
determination. 
So in answer to your question, sir, not only do we not want to 
stop innovation, we want to take advantage of the innovation by 
spreading it throughout the VA, properly funded, properly supported, 
and properly supported by the administrations involved. 
Chairman AKAKA. Thank you. I am delighted to hear what you 
said, because I have made comments that we need to restructure 
VA and not continue structures that we have had in World War II. 
Things have changed, been very different, and creativity and 
innovation play a huge part in putting together and developing a system 
that can help our veterans today and we are looking for that. 
I am glad you are heading in that direction. 
Last year, Mr. Secretary, following the lost laptop, Secretary 
Nicholson testified that VA intends to become the gold standard for 
information security within the Federal Government. GAO says in 
the report released today that VA still has not fully implemented 
20 of the 22 GAO and VA IG recommendations necessary to improve 
information security within the Department. My question to 
you is, how close is VA to implementing the GAO and IG recommendations, 
and in your view, how close is VA to becoming the 
government leader in information security? 

Mr. HOWARD. Sir, I agree with the reports that there is a lot 
more work to be done. There is no question about that. However, 
with that said, we have made some dramatic strides. 2008, quite 
frankly, is a key year for us. We now have got some key contracts 
in place that we have been working on for quite a while. I mentioned 
a couple of them in my testimony. And although they don't 
sound important, these are extremely important. Just the one dealing 
with port monitoring, we have been working through the contracting 
process to put that in place and now we have the availability 
to us where you will not be able to put in, for example, an 
unauthorized thumb drive. You won't be able to do it. It has to be 
an approved encrypted thumb drive in order even to be able to be 
used on our system. 
This software is beginning to be implemented now throughout 
the VA because we have received a contract for sufficient licenses 
to be deployed. That is just one example. You asked when we will 
be the gold standard. Sir, it is a difficult question. I don't know, 
to be honest with you. We hope to be very close by the end of this 
fiscal year, and I have here--you remember my hearing last year 
and we were all looking at my big plan. Well, you know, I have gotten 
it and we are working on these actions, but they are not all 
complete, and if you remember from last year, a good number of 
them did extend into fiscal year 2008, in some cases, even beyond. 
The plan that we have here, and to just refresh your memory, 
this was the assessment of strengthening of controls program we 
put in place, continues. We monitor this all the time. A lot of the 
organizations throughout the VA are involved in it and we intend 
to keep the pressure on. These programs are in three main areas. 
The managerial area, and we have made progress. In fact, we finally 
finished our handbook. It is a very thick handbook that describes 
the VA security program. In fact, that will be issued here 
in another week. It includes for the employees the behavior 
requirements that they must have--standards of behavior is included 
in that document. Managerial controls include completing these 
policies that we have to put in place, and we are well on our way 
to do that. 
The organizational controls--the operational controls, rather, 
deal with the way we do business, and we have instituted a number 
of those, as well. 
And then we have the technical controls, the encryption standards 
like the port monitoring capability that I have mentioned previously. 
Another key one that we now have implemented that we 
have sufficient licenses for is the RMS process. That is a better 
encryption capability for e-mail. Many of your staff probably have 
seen our weekly summaries that we send on incident reports and 
a lot of them deal with unencrypted e-mails. Before, we had PKI. 
In fact, on my Blackberry here, I can send encrypted e-mails, but 
it is not robust enough. We now have the right management system 
that we have sufficient licenses for. This is being distributed 
throughout the VA. This provides the capability to send a clear email, 
but encrypt the attachment and a number of options that you 
can work--much more robust than we have had heretofore. But we 
are not going to get rid of PKI. We are going to keep that, as well. 

In fact, the number of licenses continue to grow and the certificates 
that people have asked for throughout the VA. 
The last thing I want to say in the whole business of achieving 
the gold standard, sir, has to do with people. The main--the principal 
issue in all of this is the behavior of our people, the responsible 
activities--acting responsible and what have you. We have 
very intensive training programs going on. I know I have the full 
support of hospital directors and RO directors throughout the VA. 
There is no question about that. They are behind us in continuing 
to help educate our staffs and our employees in acting responsibly. 
The incident response capability we have put in place--unfortunately, 
we see a lot of incidents, but at least they are reporting 
them and it is helping us drive down the serious ones. A good example 
is back to the Social Security number issue and encrypted 
e-mails and what have you. We now have in place a capability to 
shut off an e-mail if a Social Security number is in that particular 
e-mail, and we have been working on this for a while. When we 
started monitoring this capability, we saw over 7,000 messages 
coming through in a particular month that possibly had Social Security 
numbers embedded in the e-mails. 
We started putting a warning sign on the computers that basically 
said, ''You are about to send a Social Security number in this 
e-mail.'' We left the warning for a while and we watched it go down 
dramatically. Now we are at the point where if such an e-mail occurs, 
we take a look at it. If it does have a Social Security number, 
we do not let it go through, and it happens fast enough. Why did 
we wait for a while before we did that? Back to the impact of the 
business. We were very reluctant to implement a dramatic policy 
like that without understanding the impact on the business 
throughout the VA. 
I know it is a rather lengthy answer, sir, but it is a very important 
area, and the last thing I would like to say on all this is 
sometimes we have to balance it, too. Even Secretary Nicholson said, 
why don't we implement this right away, and sometimes you need 
to be careful because you could impact the business. We have got 
to always keep track of making sure that we can stay actively engaged 
with our patients. So it has been a real balancing act, but 
the sum is that we have improved the security situation. Fiscal 
year 2008 is a key year for us. My plan, we are driving on. 
Chairman AKAKA. Thank you, Secretary Howard. 
Before I call on Senator Burr, I would like to ask Senator Murray 
to assume the Chairmanship while I step out to vote in another 
committee and I will be right back. 
Senator BURR. Thank you, Mr. Chairman. 
General Howard, welcome. I think it is safe to say there is no 
louder cheerleader for what you are doing than the Congress of the 
United States and we all hope that you are successful in the rollout 
of this new IT structure. As I have heard the specific detail 
that you are looking at and that you are implementing, it does 
make me a little bit concerned, and I should share it right up front, 
that on the back end of this, when we talk about the data sharing 
with DOD, that we not get so complicated that we create a new 
barrier to our ability to shift that data from one side to the other. 

Let me, if I could, go to some specific questions. You raised a list 
of seven priorities. If you would, on a scale of one to ten, ten being 
perfect, would you rate each one of those seven priorities from the 
standpoint of where you are today in your assessment. 
Mr. HOWARD. Yes, sir. 
Senator BURR. Thank you. 
Mr. HOWARD. Allow me to refer to the priorities. Sir, the first 
one--you need to get to page two here. 
Senator BURR. Page two. 
Mr. HOWARD. Sir, the first one is the business of a well-led, 
high-performing IT organization. I would probably say we are probably 
at a six there-- 
Senator BURR. Great. 
Mr. HOWARD. --and one of the reasons is--here is a--can I get 
into a reason, or just-- 
Senator BURR. If you will, let us just go through the seven of 
them and-- 
Mr. HOWARD. I have got you. 
Senator BURR. What I am trying to do is to begin to create a 
baseline. 
Mr. HOWARD. Right. I would give that one a 6. 
Senator BURR. All right. Number 2? 
Mr. HOWARD. Number 2 is probably down around 3 somewhere. 
Senator BURR. And number 3? 
Mr. HOWARD. That is probably a 2 or a 3. That is pretty low. 
Senator BURR. And number 4? 
Mr. HOWARD. That is up there. That is about a 7. 
Senator BURR. And number 5? 
Mr. HOWARD. That is about a 7, also. 
Senator BURR. And number 6? 
Mr. HOWARD. I would say that is an 8. 
Senator BURR. And the last one, number 7? 
Mr. HOWARD. That is down around five. 
Senator BURR. Great. Great. I really thank you for doing this, because 
as you know, we have got the GAO coming in, we have got 
other individuals that will testify, and I think it is important that 
we have a good understanding not just of what the priorities are 
but where you are in that process of completing them. 
Mr. HOWARD. Sure. 
Senator BURR. Now, you said in your testimony that clearly an 
important question associated with this realignment is how it has 
impacted the delivery of health care and benefits to our veterans. 
In my opinion, there has been no significant change in these two 
areas, which was a key objective of this reorganization, to do no 
harm. Let me ask you, what matrix did you use to determine that 
there hadn't been, as you referred to, a significant change, and in 
using that, do you mean positively and negatively or just negatively? 
Mr. HOWARD. Both directions, sir, and significant is the key 
word. There has been change. I mean, there is no doubt about that. 
But--and I deliberately stated it that way, that although there 
have been improvements, they haven't been significant yet. Significant 
is the key. We are working on that, and there have been some 
improvements, like, for example, just gaining visibility over the 
various innovative ideas that are going on out there. That is a positive 
step. 
Senator BURR. How does an IT section make a determination 
about the actual delivery of care, though? I mean, is this something 
that you have reached out with-- 
Mr. HOWARD. Feedback from the administration, sir, on that part 
of it. 
Senator BURR. You have discussed the efforts of moving the IT 
organization from a decentralized to a centralized model, and I 
understand the motivation and what you hope to achieve in budget 
control, standardization of equipment and processes. However, with 
a centralized organization, I am concerned about the possibilities 
of your office losing touch with local IT needs. How will you ensure 
that the hospitals and clinics receive the IT support they need, and 
more importantly, is there a way for them to communicate problems 
or recommendations up the chain to your office? 
Mr. HOWARD. Yes, sir. We have established an organization. In 
fact, the key one, Ray is in charge of the Field Operations. Most 
of the individuals that were transferred to us, in fact, work for Ray, 
almost 4,000. He has organized the country, if you will, into geographic 
regions where we have regional directors in place. We meet 
with them very often. The CIOs, the senior IT officials at a hospital 
or regional office work for those regional directors and they are also 
in communication. In addition to that, we have established an information 
security element that also reports to Ray. They are more 
independent, though. They report almost directly up to the senior 
level. 
Now, if you take an environment at the hospital level, and this 
is the charge that we have given to the IT individuals throughout 
our organization, if you are the senior IT person at a hospital, you 
are like me. Your name is Bob Howard. You put on your Bob Howard 
mask or whatever, because you are responsible for everything 
I am responsible for at that particular facility, especially making 
sure that hospital director is adequately supported. We have 
preached that time and time again. There should be no question 
about that. And if you ever run into anybody that doesn't have that 
message, I would like to know about it because we have clearly 
driven that point home. 
Now, that is difficult for some of them because in the past, they 
perhaps were just a member of the staff, you know, on the hospital, 
and now they have the charge they are out front. You are now 
right outside the hospital director's office. You have a responsibility 
here to stay engaged with that individual, to make sure that not 
only his desires are accounted for, but any problems that he may 
have. 
And along those lines, I mentioned we have our oversight and 
compliance capability. Arnie Claudio sitting behind me here runs 
that, and he goes out and he looks not just at the hospital director. 
He is looking at my people. And we have had a couple of instances 
where we have taken action because we were not too happy with 
the way the IT community has been operating. In other words, in 
our opinion, they were not adequately supporting that hospital director 
and we will not stand for that. 
Now, all of this will take time to put it in place-- 
Senator BURR. And I appreciate your passion for that because I 
will assure you, if there is a breakdown, the likelihood is those of 
us on the dais will be the first to hear about it from an individual 
or from a specific facility. 
With the Senator from Washington's indulgence, I would like to 
ask one more question, if I could, and it gets at the heart of the 
VA-DOD seamless transition of health care records. I understand 
some significant progress has recently been made, but the overall 
process still seems to be moving pretty slow. In fact, I am aware 
that the VA has just recently awarded a contract to pay for a study 
assessing what will be required to create a joint inpatient e-health 
record. Now, General, I have got to ask you, how is this different 
than what we have done before? 
Mr. HOWARD. Sir, I will say that the activity between us and 
DOD has been better. It has been more intense. In fact, there are 
weekly meetings that take place at the Deputy Secretary level-- 
Senator BURR. But share with me, if you will, what will we learn 
from this study that we don't know today? 
Mr. HOWARD. Sir, one thing that we hope to learn, and maybe 
clear the air on what we are really talking about, here is a good 
example. The absolute key in sharing between VA and DOD has 
to do with data. It has to do with the database itself, not as much 
with the application. And, you know, we have VistA. DOD has 
AHLTA. You don't necessarily have to have an exact replica of each 
application, but you must have the ability to get at the data and it 
has to be standardized, and this is a key area that we are focusing 
on. 
I am going to ask Dr. Tibbits in just a minute to chime in on this 
because he is leading this effort as far as VAIT is concerned. 
There is value in coming as close as we can to a single application, 
but we don't believe it is totally necessary to get this seamless 
transition that we both want. The key again is in the data set, and 
that we have a lot of work to do there just in standardizing the 
data, you know, call an aspirin an aspirin instead of something 
else. I mean, it sounds ridiculous, but it is true. There is a lot of 
data standardization work that still remains to be done, so that if 
a DOD physician is looking at a particular descriptor, it is the 
same thing that a VA physician might be looking at, and work continues 
in that area. 
Senator BURR. And I hope you would agree that there is a huge 
difference between two entities using the same descriptor so that 
you can accurately mine that data and trying to replicate two identical 
data programs. I mean, Google proved to all of us that they 
could come up with a way to mine whatever it is we asked them 
to go into and they could do it in a seamless, quick, and fairly 
successful way, given how successful the company has been. Yet in 
government, we seem to be bogged down in not accepting what others 
have proven to be paradigms that they can break down and 
overcome and we consistently continue to try to look for what the 
hurdles are. 
I want to hear from the Doctor, but I also just want to express 
one more time, my hope is that from this study, there is something 
new that we are attempting to learn, some piece of information 
that we don't currently have. If not, I would love to see us bypass 
a study and begin with further implementation. Doctor-- 
Mr. HOWARD. Sir, along those lines, I don't believe there is a document, 
you know, one document, where you can read about both 
systems in one place, VistA and AHLTA, and a comparison in detail, 
you know, not a DOD perspective or a VA perspective, but an independent 
look at what we really--because, again, making sure we 
know what we are talking about is awfully important here. This is 
really complex stuff. I have the famous egg here on the VistA system. 
I mean, this is really complicated. Of course, AHLTA is complicated, 
as well. This study, we think, will help us bridge the 
knowledge gap and a better understanding of what we are dealing 
with, but I would ask Paul if he wants to add anything to that. 
Dr. TIBBITS. Senator, thank you so much for the opportunity. 
Well, I can only emphasize what General Howard said. First of all, 
the study is going to give us a first-time look at both systems side 
by side from an inpatient perspective. In VA, we happen to have 
a very integrated capability right now, inpatient, outpatient, the 
full view of taking care of a patient. 
In addition, the study is going to help us clarify objectives, and 
I want to spend a few seconds on that if I can, on clarification of 
objectives. It is very clear to me that everyone is rightfully quite 
interested in information sharing to improve services to veterans. 
In addition to and over and above that objective, there are other 
objectives that one could focus on, for example, less costly development 
of software. Those are not necessarily strongly related objectives 
to each other. One thing this study is going to do is help tease 
apart, clarify, and focus people on one objective versus the other 
and make sure activities align with either one or both as we both 
come to agree what the objectives are. 
Clearly, serving veterans is everybody's highest priority. Information 
interoperability in the context that you have asked the 
question is clearly much more important with respect to that objective 
than is the joint development of software, which at the end of 
the day, with respect to serving the veterans, is really pretty marginal 
with respect to its contribution. It might save the Department 
some money, but it is really not a key to serving the veterans' 
needs. Standardizing the data and information sharing is. 
So over and above the study, you asked what are we doing? Are 
all of our eggs in one basket with respect to the study itself? The 
answer is no. Because of the interest of the administration in VA-DOD 
sharing, this process has been initiated where both Deputy 
Secretaries, Deputy Secretary of Defense and our Deputy, meet 
weekly, and therefore there are other meetings at a lower level 
weekly, which I am involved in. I am co-chair of the Live Action 
Four For Information Sharing with my counterpart, the Principal 
Deputy Assistant Secretary of Health Affairs, Dr. Steve Jones, and 
we are moving beyond just the study. 
The study, again, focuses on inpatient data and applications. We 
are more broadly interested in serving veterans in the full spectrum 
of information interoperability, and in fact, less interested 
broadly in the applications themselves for that reason. 
So one of the ideas that we have articulated and Dr. Jones has 
agreed with, and I don't want to speak for him so you will have 
to talk to him, and the customers in VHA who have also agreed, 
with whom we are working this very closely--to actually look at 
the two databases underneath both of the Departments' medical 
records. In our case the Health Data Repository, in the case of the 
Department of Defense the Clinical Data Repository. Those are the 
databases. 
The real key to information sharing is what do we do in the future 
with respect to those two databases, irrespective and over and 
above and totally aside from what we do with the applications. 
With respect to those two databases, we are actually now beginning 
to look at what it would take to converge those databases so that, 
if feasible--and then working out a cost and schedule to do that--
if feasible, it would, in fact, not only serve the information 
interoperability and service objectives of taking care of veterans 
and active duty servicemembers, but at the same time, largely liberate 
both Departments from the consternation of which application set 
you happen to want to use because my application set is better 
than your application set or whatever it happens to be, or because 
applications happen to be tailored to the mission of the organization 
where DOD has a medical support mission in theater which 
we do not have. 
So there are very good reasons why one would want to optimize 
software applications to do different things while converging the 
databases underneath. So, per se, it is a much broader look at data 
than that study itself is intended to focus on and we are moving 
down that pathway to initiate that assessment ourselves with the 
VA and DOD, smart people who can do that. 
Senator BURR. Doctor, I thank you for that answer because that 
gives me a much greater assurance that there is some value to, in 
fact, the study, and I hope all of you know why the question comes, 
is that we have asked it before. We have gone through a process. 
I am not sure at that time we knew what it was we were looking 
for or where it was we were trying to go. I feel fairly confident you 
know where you want to go and I know from your answer you 
know what you are looking for. I thank the Senator from Washington. 
Senator MURRAY [presiding]. Thank you, Senator Burr, and Mr. 
Secretary, again, thank you for being here. Let me just follow up 
on that a little bit. 
I think you sense that we are all frustrated that we keep talking 
about an Electronic Health Care Record system and the date keeps 
moving out. I understand the complexity of what you just walked 
through with us, but in 2003, the President's task force told us or 
recommended that a fully operational Joint Health Care Records 
System be available by 2003. It is 2007. We are now being told it 
is going to be 2012. I think we are all really worried that about 
2011, we will hear it is 2020. Can you give us a time line of when 
we can see this? 
Mr. HOWARD. Senator Murray, I mentioned for modernizing our 
application for 2015, and that has been on the table for a while. 
We share the same frustration you do. This is extremely complex 
stuff. I mean, it really is, and the estimates that we have laid on 
the table in the past simply were not accurate. As we dig more and 
more into this, we find improvements that have to be made in just 
program management of some of these activities in order to bring 
this forward. 
The intensity that we now see between DOD and VA--much of 
that is a result of the press of Congress, as you know--we believe 
is going to improve things. I feel more comfortable with the time 
lines that you mentioned than I might have a year ago. And all I 
can tell you is we will keep the pressure on and continue to work 
toward a solution as rapidly as we can. 
Senator MURRAY. Well, feel the pressure. 
Mr. HOWARD. Yes, we do. We do. And we know that you have 
been generous in the funding side. We are reluctant to ask for 
money that we don't need. We don't want to-- 
Senator MURRAY. Twenty-fifteen, that is a long time away for all 
of the issues that we have seen because of the lack of sharing 
information and challenges and problems and everything else. That is 
very hard for me to go home and tell the people I represent that, 
yes, we have a problem, but it is going to be long past any of 
us-- 
Mr. HOWARD. And when I say 2015, this is modernizing this. 
This is no more VistA. This is a brand new, modernized system. 
But in that period of time, in fact, I think you have a copy of it 
in front of you now, if you look at the lower right, you will see the 
various phases. If you look at that color scheme-- 
Senator MURRAY. Yes. 
Mr. HOWARD. --you will see that whereas the whole egg may go 
out to 2015, quite a bit of this-- 
Senator MURRAY. What will we see sooner than that? Let me ask 
that question. 
Mr. HOWARD. Let me ask Paul to answer that. 
Dr. TIBBITS. Yes. As General Howard pointed out, the 2015 is for 
everything you see in that chart, which is the data and the applications 
in our Department's Electronic Health Record. That is not the 
schedule for information interoperability between the two Departments. 
And again, I would encourage you, Senator, and all here to 
think about the application software versus the data. 
While that is going on, we have other activities, some of which 
I mentioned already, focused on the sharing of the information 
itself at the database level, which would not require full exporting 
of all the applications over to the new platform. And interoperability 
is not an all-or-none phenomenon. It is shades--fortunately 
or unfortunately, comes in shades of gray, and the shades of gray 
are anything from what would amount to a computerized fax, 
where electronically information is sent back and forth that is not 
computable but electronic, all the way over to fully interoperable 
data where my blood pressure in one system and my blood pressure 
in another system can be put together on one chart and added, subtracted, 
multiplied, and divided together, fully computable data. 
Those activities are underway now, and the reason we can't provide 
you--I cannot with confidence provide you an answer to the 
schedule question, it is not that date, it is the mix of standardization 
work, which you know to have been going on already to make 
sure when I say blood pressure and you say blood pressure we 
mean exactly the same thing, that is the main standardization 
work. That is very painful, laborious work for which we still need 
to articulate a full schedule between the two Departments, which 
is not necessarily 2015. 
On top of that, however, I want to add that there is a lot of value 
in health care delivery to the exchange of information electronically 
that is not fully computable. That can happen faster. It does not 
require full domain standardization and that would require, in 
order to approach this in a rational way, to focus on the high-priority 
problems that we in the Department and DOD are now experiencing, 
Traumatic Brain Injury, PTSD, et cetera, et cetera. What 
is the structured, computable data that relates to those conditions? 
What is the unstructured and heretofore non-computable data that 
relates to those conditions? Putting a plan together whereby both 
of those together get shared between both Departments, and nothing 
I just said requires standardization of the application-- 
Senator MURRAY. I think we all are beginning to understand the 
complexity of this, but on the other side, we have got to keep the 
pressure on. This has to be done. There are too many problems 
with the current system and we want to see improvements, and I 
know my constituents do, the people who use these records. 
Let me go back, Secretary Howard. I know in my opening statement 
I mentioned this issue, and I know both Senator Akaka and 
Burr did, too, that I think we all get that there are clear benefits 
from centralizing your IT system, as you shared with us. But we 
are hearing from some of our local VAs that they are very concerned 
that the centralized model will take away some of their ability 
for innovation and flexibility, particularly in perhaps purchasing. 
I just want to ask you how you are going to make sure 
that we don't lose that really important flexibility at the local level. 
Mr. HOWARD. Ma'am, communication is the key to that and we 
do have very good communication with the individuals that we support, 
you know, from the administrations. We clearly do not want 
to impact that negatively. 
What they are experiencing, though, there is a bit of frustration. 
If I was a hospital director, I got my resources, I got what I needed 
to do my job, fully decentralized operation, quite frankly, there is 
probably no one in this room that would prefer not to operate that 
way. That is a good way to operate. The only difficulty is a big 
organization like we have, if you don't keep adequate control over 
that, you begin to lose standardization and interoperability, which 
is where we find ourselves today. So the idea is to try to centralize 
those activities but without excluding the individuals that we are 
supporting, and there is no intent to do that. 
Communication is the key. We do have a governance process in 
place where there is active involvement from the administrations 
and the staff agencies that we support. I can assure you that as 
far as my objective is concerned, our objective is clear, an open 
transparency, open communications. 
Senator MURRAY. OK. I did want to ask you about communications, 
too, because as you recall, when the VA lost the information 
of 26.5 million veterans a while back, reporting that was a huge 
issue. Congress didn't know about it immediately. People who were 
affected did not know about it. Apparently information was out 
there. Two weeks later, Congress was told about it. Two weeks 
after that, we were told that 50,000 Navy personnel were affected. 
The next day, it was another figure and more people. What have 
we done to make sure that if a breach occurs today, that the information 
is there immediately so those people whose information has 
been impacted will know right away? 
Mr. HOWARD. Senator Murray, we have got a lot of initiatives 
going on here, but if there is one area where we have absolutely 
improved things, it is in the incident reporting and incident response 
area. There is no doubt about that. Incidents are now reported 
very rapidly all the way up to the Secretary. As soon as I 
read the daily incident reports, a copy is at the Secretary's level 
also. There is no reading the thing and massaging it before it goes, 
and to U.S. CERT, to the Computer Emergency Response Team. 
You know, we have to report within 1 hour. We don't even think 
about it. It goes right to them as soon as it comes to us. 
Now, what that has resulted in is a lengthy list of incidents, because 
what we have told people, again, if you even think that you 
have an incident, don't think too long. Get it reported so we can 
do something about it. We would much rather have that than 
worry about the length of our reporting, our reporting list. 
Senator MURRAY. What happened in between. 
Mr. HOWARD. So the thing is that we also have weekly meetings 
to resolve these. If we don't have sufficient information regarding 
a particular incident, we demand that and issue papers and what 
have you. As I mentioned, my oversight and compliance team led 
by Arnie Claudio is constantly moving. He has done almost 95 assessments 
since January, looking at the hospitals, looking at things 
that are wrong that may never make the incident reports because 
they catch them in time. They have also discovered things that 
they have reported in our incident response program. 
So that area, I feel fairly comfortable that we are at least able 
to capture the incidents and adequately report them and then do 
something about them. 
Senator MURRAY. OK. Mr. Chairman, I just have one additional 
question. I wanted to ask you, I understand that there was a recent 
outage of the VA's electronic medical information that affected 
about 17 of our VA medical centers. Can you share with us what 
the impact of that outage was on their operations and what we are 
doing to prevent that from happening again? 
Mr. HOWARD. Yes. This was a big deal and we are very, very concerned 
about it. This refers to the Regional Data Processing Center 
Initiative that I believe you are aware of. The Regional Data Processing 
Center Program was put in place in response to 9/11, to serious 
incidents like that, and what we mainly were concerned about 
was the loss of the information. And so we began to migrate VistA 
systems into highly protected data centers, and this is a tier four 
data center that you are referring to in Sacramento. 
What we did not do, and first of all, that incident was inexcusable. 
The fact of the matter is we were down for too long. There 
was human error involved, probably the press of business, you 
know, thinking that this particular act would solve the problem 
and bring the systems back up, in fact, was wrong. It did not solve 
the problem and the system went down again. 
And so we have corrected that. In fact, Arnie Claudio, my oversight 
people were on the scene. We also have a team that is currently at 
work trying to examine in great detail what might have 
happened. And in addition, we are putting a contract in place for 
an independent look at just what we are doing here, because what 
we have discovered is the VistA application itself is perhaps--does 
not really lend itself to a robust Regional Data Processing Initiative 
like that. We need to understand that better. 
The final thing I will say about it that we have discovered is the 
read-only capability at the hospitals. In other words, the systems 
went down in the Regional Data Processing Center, but there was 
a read-only capability at hospital level. What we have discovered 
is that at some hospitals that read-only capability was not robust 
enough. We don't know why. We may not have done that in the 
past. But that can't happen. 
In fact, in one hospital, they were only able to accommodate 300 
users. Well, that is not good enough. You know, at a hospital level, 
you need to be able to sign in and sign out a lot more than 300. 
So we are taking a look at that. We clearly need to provide a more 
robust back-up capability and a fail-over capability because if it is 
a finance system that goes down, you might be able to afford a few 
hours' wait. You can't afford that with hospitals and we clearly 
understand that. We are examining it in great detail. In fact, I have 
directed no further migration of the VistA systems into the Regional 
Data Processing Centers until we can understand in detail 
what is going on. 
There is some concern over distances. You know, on the West 
Coast, the hospitals are much more spread out geographically, as 
you well know. That may be a factor in what we are experiencing-- 
Senator MURRAY. Well, if I can ask you to share with this Committee 
the information as you get it from what happened and what 
you are doing to respond and make sure that we are doing everything 
we can to fix that, I would appreciate it. 
Mr. HOWARD. We will, Senator Murray. 
Senator MURRAY. Thank you. Mr. Chairman. 
Chairman AKAKA [presiding]. Thank you very much, Senator 
Murray, for your questions. 
I understand, Mr. Secretary, that almost a year ago, VBA asked 
for access to the Electronic Health Record files because of the 
delays in processing claims and this request has not been approved. 
It is my further understanding that VBA will not be able 
to view these records until sometime in 2008. Now, Secretary, during 
an oversight visit to the Honolulu regional office, Committee 
staff learned that claims are being delayed because VBA staff are 
not able to read medical reports which are scanned into VHA's electronic 
health system. 
Given the current backlog in claims processing, this seems like 
an IT solution that should be given a priority, and you mentioned 
priorities being important here. So my question to you is what can 
be done to improve the electronic transmission of medical information 
from in-house VHA to VBA in a more timely manner? 
Mr. HOWARD. I am going to ask Dr. Tibbits to answer that, but 
I will say one thing, sir. In what you are describing, there is always 
a concern over security and privacy. In other words, we are dealing 
with health information and that is one of the things that whenever 
we permit another agency to look at our information, the security 
and the privacy aspect of it is extremely important and we 
need to make sure those procedures are in place during the transmittal 
of the information. But I would ask Dr. Tibbits to comment 
on that. 
Dr. TIBBITS. Senator, thank you for your question. First, let me 
start off by saying I am going to plead ignorance here and tell you 
I am going to have to take your question for the record and get 
back to you with a more specific answer. That said, I work very 
closely, I would say nearly on a daily basis, with the key business 
leaders inside of the Veteran Business Administration, VBA. None 
of them have told me that there is a pending request to view medical 
data that they currently view as high priority that we have not 
been able to address, so I want to find out exactly what that is and 
let you know with more specificity. 
That said, there are capabilities in place today by which the medical 
data, to some extent, medical data can be viewed by claims 
administrators for the purpose of processing benefits claims. Why 
that might not be adequate or what additional capability they 
need, I am going to need to go back and find out. That is not a request 
that I am actually aware of. 
Chairman AKAKA. Thank you. As you can see, as was said, to 
wait until 2008 really delays the system. 
Secretary Howard, as I mentioned in my opening statement, my 
requested investigation on VHA's waiting times yielded findings 
about the accuracy and completeness of the waiting lists. Senator 
Tester has also brought my attention to the need to refine the 
pharmacy ordering system so that prescriptions aren't mailed out 
to veterans until they are needed. Is responsibility for matters such 
as fixing the electronic waiting list and refining pharmacy systems 
your responsibility or does that still vest in VHA? 
Mr. HOWARD. Sir, defining the requirement is VHA. Solving the 
problem is primarily VHA, but clearly we can provide assistance in 
the IT arena because sometimes the solution may not be totally IT. 
It may be a methodology kind of fix that needs to be put in place. 
But the requirement definition of it, prioritization of it, having us 
work on it, that is a VHA responsibility. 
Chairman AKAKA. Do you happen to know what priority does VA 
place on finding specific health information solutions? 
Mr. HOWARD. On that one, sir, I would have to get back to you. 
I don't know where that would lie on the list. 
Chairman AKAKA. Thank you. Secretary Howard, I understand 
there was a recent outage of VA's electronic medical information 
system that affected 17 VA medical centers. What was the impact 
of this outage on these facilities' operations and what is VA doing 
to prevent this from recurring? 
Mr. HOWARD. Yes, sir. In fact, Senator Murray asked a similar 
question. This involved the Regional Data Processing Center out in 
Sacramento. We experienced difficulties in input-output loads, excessive 
times involved. The system did go down. The reason the 
number of hospitals, there were 17 hospitals affected was because 
we had regionalized the VistA systems and this regionalization was 
done in order to better protect the information involved. In other 
words, it actually went all the way back to 9/11. This program 
itself has been in existence for a number of years. 
In this particular case, human error was involved. A fix was 
made to the system that should not have been made. They did that 
in order to try to bring it up and that did not happen. It went down 
again. In hindsight, another mistake that was made is that they 
did not make the decision to fail-over these particular VistA systems 
to our back-up in Denver, Colorado, which could have been 
done. So there were a number of mistakes made. 
We have already conducted several reviews of what happened 
and we are going to conduct a third. The third review will be much 
more comprehensive because we now want to take a very hard look 
at what we are doing with respect to regional data processing 
across the country, to include not only the VistA systems, but some 
of our corporate data assets, like, for example, in our Austin 
Automation Center, Hines, and Philly, which weren't part of this 
particular program in the past. 
There are other aspects of what we have discovered. For example, 
in order to provide a back-up capability, we actually do have 
read-only VistA capability remain at the hospital level. They did 
have this read-only capability. However, in a couple of instances, 
we have discovered that was not robust enough and we need to correct 
that. The read-only capability must be adequate to support the 
particular hospital that has it. 
So in summary, this resulted from human error, but it has also 
surfaced some issues that we need to address very quickly here because 
this whole program is extremely important, because we do 
need to protect the information inside very well-protected data centers, 
which is what the Sacramento data center was, a tier four, 
very--and all kinds of organizations are moving toward that way 
of doing business, you know, putting their data inside very highly 
protected data centers. We need to step back and make sure that 
the VA's program makes sense and that we are not pushing things 
too fast and that we have the right back-up capability in place in 
order to continue to support the mission. 
Chairman AKAKA. Secretary Howard, it seems as though VA has 
been in the process of modernizing its health and benefits IT systems 
for years. GAO reviews have consistently cited poor program 
management as one of the major reasons for a lack of progress. 
What is VA doing to address the issue of improving the program 
management for the modernization of its health and benefits IT 
systems, and what is the timeframe for completing the migration 
of VistA and BDN to modern IT platforms? 
Mr. HOWARD. Sir, I am going to ask Paul Tibbits in a minute to 
describe the specifics of the migration, because it is a multi-year 
process both with respect to VistA modernization and the 
VETSNET in support of VBA. 
On the discipline aspect within program management, you hit 
the nail on the head. We have clearly seen that. There have been 
a number of studies. In fact, Carnegie Mellon did a study, as well, 
that highlighted that as a problem. Fortunately, Dr. Paul Tibbits 
has a great deal of DOD experience in the acquisition process, a 
disciplined acquisition process which, quite frankly, we do not have 
to the degree we need to in the VA. We have recognized that. Dr. 
Tibbits is well on the way to solving that problem, to provide adequate 
baselines, cost, and performance, earned value metrics, all of 
those things that need to be done within a robust, well-disciplined 
acquisition and program management process. 
We are on the way to improving that, but I will tell you, we have 
got a long way to go, and I would ask Paul Tibbits to comment, because 
he is in charge of the program managers that you are referring 
to. 
Chairman AKAKA. Thank you. 
Dr. TIBBITS. Senator, thank you very much for the very important 
question. Actually, the two are quite related to each other, the 
program management and the BDN migration, and let me just 
start off with that relationship, which I think, by the way, my personal 
opinion is that the centralization of IT authority in the Department 
positions the Department very well to do the workforce 
reshaping necessary to inculcate those disciplines which you are 
referring to were absent in the past. 
In any case, when my organization was stood up, which was really 
April of this year, I was fortunate to inherit the VETSNET Program, 
which over the preceding 18 months or so, in responding to 
specific findings of a Carnegie Mellon study, had set up an excellent 
governance and program management structure, in fact, good 
enough in my view that it has served as a template of program 
management and governance which we are, in fact, exporting to 
the rest of VA and to other programs. 
I mention that because that is an example of a very good program 
management discipline applied specifically to the problem 
you asked about, which is migration off of BDN. So that particular 
piece of the Benefits Delivery Network system is being delivered on 
time, at cost, as promised, based on a schedule that was created, 
I would say, approximately 18 months ago, and much of that due 
to careful oversight by both VBA itself and external entities, 
MITRE, in making sure that the recommendations of the Carnegie 
Mellon study were, in fact, institutionalized in the way that program 
is managed. 
We are now challenged with taking that as a model and exporting 
it throughout the rest of the VBA and the rest of VA. We have 
done so in our FLITE program, for example, which is the internal 
financial management and logistics system. We have exactly patterned, 
and now have approved and have actually stood up a governance 
structure on top of FLITE which is a template and replicate 
of the governance structure that was set up by VBA on top 
of VETSNET. 
The rest of the capabilities, education, vocational rehab on 
VETSNET migration, using that discipline, we are approaching in 
two ways. One, a code migration pathway which will give us exactly 
the same functionality but in new software, and a separate 
set of initiatives which will give us new functionality and new 
software, two different pathways to get off of that industrial--a system 
that has exceeded its industrial life. 
The target date for both of those is 2011. Right now, that is our 
target date to complete both of those pathways. Whether we will 
have to, in fact, continue down both of them will remain to be seen 
as we learn more about each of those pathways as we go along. But 
at the moment, we are wearing belt and suspenders with respect 
to trying to get off of that platform. That is the program management 
discipline piece and how we have applied it to migration off 
of BDN. 
Chairman AKAKA. Well, I want to thank you, Dr. Tibbits, and, 
of course, Mr. Secretary for being here today. 
There has been a vote that has been called. It is on now, and so 
I want to thank you for your testimony. Without question, it is 
going to be helpful. At least we have timeframes here to look at 
and we have an idea of how we are approaching the kind of problems 
that we are facing, as well, in the system. As you mentioned, 
Mr. Secretary, it is not the technology, it is really the ability of the 
managers and you have filled that slot real well and we are looking 
forward to continuing to work with you on this. 
We will take a recess now for 10 minutes and I will be back after 
that vote and we will have then panel two. Thank you very much, 
and this Committee hearing is in recess. 
Mr. HOWARD. Thank you, sir. 
[Recess.] 
Chairman AKAKA. Will the panel please be seated. The hearing 
will come to order. 
I am pleased to welcome our second panel. First, is Valerie Melvin, 
the Director of Human Capital and Management Information 
Systems Issues at GAO. Next is Stephen Lucas, the Director of the 
James A. Haley VA Medical Center in Tampa, Florida. Then we 
have Kim Graves, the Special Assistant to the Under Secretary for 
Benefits at VA, who has a particular responsibility for IT matters 
in VBA. Last is Dr. John Glaser, the Vice President and CIO of 
Partners HealthCare in Boston, Massachusetts. 
I want to thank you all for being here and look forward to your 
testimony. The witnesses will testify in the order that I just 
introduced you. I ask that you keep your statements to 5 minutes. 
Your full statements will be included in the record. 
Ms. MELVIN? 
STATEMENT OF VALERIE MELVIN, DIRECTOR, HUMAN CAPITAL 
AND MANAGEMENT INFORMATION SYSTEMS ISSUES, 
U.S. GOVERNMENT ACCOUNTABILITY OFFICE; ACCOMPANIED 
BY McCOY WILLIAMS, DIRECTOR, FINANCIAL MANAGEMENT 
AND ASSURANCE TEAM, U.S. GOVERNMENT ACCOUNTABILITY 
OFFICE; GREGORY WILSHUSEN, DIRECTOR, 
INFORMATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY 
OFFICE; AND BARBARA OLIVER, ASSISTANT 
DIRECTOR, INFORMATION TECHNOLOGY, U.S. GOVERNMENT 
ACCOUNTABILITY OFFICE 
Ms. MELVIN. Mr. Chairman, thank you for inviting me to discuss 
VA's Information Technology Program. In serving our Nation's veterans, 
VA spends about $1 billion annually on information technology, 
but the Department has been challenged in managing its 
IT programs and initiatives. To address this challenge, VA is realigning 
its organization to centralize IT under the Chief Information 
Officer, guided by a defined set of improved management processes. 
VA began this realignment in October 2005 and plans to 
complete it by July 2008. 
At your request, my testimony today summarizes our previous 
work on the Department's realignment efforts. In this context, I 
will also briefly discuss our recent work on several of the Department's 
IT programs and initiatives, including information security, 
inventory control over IT equipment, the modernization of existing 
benefits systems, and sharing electronic health information with 
the Department of Defense. 
In short, VA has made progress in moving to a centralized structure. 
However, when we last reported in June, it still had to address 
several of six factors that we identified as critical to a successful 
transformation. In this regard, it either acted or indicated 
intent to act on all except one factor, to dedicate an implementation 
team to manage this important change. 
In addition, while improved management processes are a cornerstone 
of the realignment, as of May, VA had not made significant 
progress, having only begun to pilot test two of 36 planned new 
processes. In our view, an implementation team and established 
management processes are fundamental to the overall success of 
the realignment initiative. 
In the meantime, VA has ongoing programs and systems development 
initiatives that depend on effective management and use of 
IT resources, the essence of the realignment. Our recent studies 
have noted measures of progress in these areas, but more work remains, 
including addressing numerous and longstanding information 
security recommendations that we and the Department's Inspector 
General have made. 
For example, our report being released today notes that although 
VA has made progress, it has not yet fully implemented numerous 
recommendations to strengthen its information security practices. 
Also, while it has begun to realign its security program, it has not 
completed development of improved security management processes 
or ensured effective coordination between organizations responsible 
for information security functions. 
In addition, our prior work noted that VA had taken certain 
steps to strengthen controls over IT equipment, such as clarifying 
property management policies. Overall, however, it had not ensured 
consistent implementation of controls to effectively account 
for its IT equipment inventory. 
Regarding VA's modernization of existing benefits systems, our 
recommendations have placed particular emphasis on the need for 
comprehensive planning. In turn, we recently noted after the 
implementation of improved management processes, progress on the 
Veterans Benefits Administration's new compensation and pension 
benefits system. Further systems development is needed, however, 
and certain process improvements must still be institutionalized to 
realize continued success. 
In VA's effort to share electronic health information with DOD, 
a milestone was achieved when the two Departments began exchanging 
limited medical data at selected sites through an interface 
between their respective new data repositories. However, to 
fulfill the long-term vision of a comprehensive electronic medical 
record, much work is still needed, including effectively planning 
and managing efforts to expand data sharing among both Departments. 
In summary, Mr. Chairman, VA is making progress in its IT realignment, 
but important work remains to ensure that effective 
management processes exist and that its IT programs and initiatives 
are fully and successfully implemented. Further progress in 
these areas could be significantly aided by the key management 
processes that are the cornerstone of the realignment. Until these 
processes are fully institutionalized throughout the Department, 
VA may not realize the full benefits of the realignment or achieve 
its many IT goals. 
This concludes my prepared statement and I would be happy to 
respond to any questions that you may have. 
[The prepared statement of Ms. Melvin follows:] 
PREPARED STATEMENT OF VALERIE C. MELVIN, DIRECTOR, HUMAN CAPITAL AND 
MANAGEMENT INFORMATION SYSTEMS ISSUES 

<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>


Chairman AKAKA. Thank you very much, Ms. Melvin. 
Now, Mr. Lucas. 
STATEMENT OF STEPHEN M. LUCAS, DIRECTOR, JAMES A. 
HALEY VA HOSPITAL AND CLINICS, TAMPA, FLORIDA 
Mr. LUCAS. Thank you, Chairman Akaka. I am most pleased to 
have this opportunity to appear before this Committee as a proud 
and long-time employee of the Veterans Health Administration. In 
the interest of time, I will summarize my written testimony while 
discussing with you my personal knowledge and experience with 
the realignment of the Department of Veterans Affairs Office of 
Information and Technology. 
I would like to state up front as a personal but also well-known 
observation that VistA is a system put together by clinicians for 
clinicians, and it works. And no one who uses it ever wants to go 
back to what they had, or in many cases didn't have. 
In March 2006, Secretary Nicholson approved the new IT system 
model as the framework for VA's IT system. The new business 
model involved the realignment of approximately 6,000 employees. 
The Secretary has directed the transition to be completed by June 
2008. Working together, VHA and OI&T will meet that expectation. 
I believe that the realignment, due to its magnitude, has created 
many concerns as well as anxieties in VHA's medical community. 
At Tampa, we were concerned that we would lose the authority 
to make necessary medical decisions at the point of care and that 
by the transfer of our development team to OI&T, we would lose 
our ability to innovate. Thus far, these fears have not materialized 
thanks to the Secretary's commitment to VHA that we would not 
lose our ability to recognize and implement innovation originating 
from VHA's clinicians in the field. 
What is working. The people have been moved and they are now 
concentrating on getting the job done. The new centralized structure 
gives us greater purchasing power through economies of scale 
while at the same time granting facilities the flexibility to meet 
local needs and unforeseen emergencies. A centralized approach to 
data security and patient privacy can be remarkably effective with 
goals and policies set at the national level while continuing to provide 
local staff and leadership with the needed training to roll out 
these policies and expectations and provide the tools necessary to 
act. 
What needs to be closely watched as we move forward? VHA and 
OI&T need to continue to work closely together to assure that 
decisionmaking capability resides at the direct point of care. 
Communication between our clinicians and developers needs to be 
robust. 
We must continue to engage front-line clinicians in the development 
of the tools they use and use their input to provide effective 
and safe health care. There needs to be a balance between the benefits 
of centralization and the ability of local facilities to make IT 
purchasing decisions affecting efficiency and effectiveness of local 
operations. 
And why is all of this so critical? The needs of today's VA patients 
require a patient-centric approach which will allow veterans 
and their care providers access to seamless health records and 
information at any time regardless of location. And so it is important 
that VHA and OI&T continue to work together to, (1) replace current 
hospital-centric systems with a patient-centric system; (2) provide 
a complete medical record available everywhere at all times; 
(3) support interoperability with other government and private 
health care systems; (4) support patient decision support and 
interdisciplinary clinical care. 
Let me conclude by saying that while the realignment is not 
without its challenges, I see a spirit of cooperation and a sense of 
shared mission that will allow us to overcome them. I am proud to 
say that despite all of the natural and expected distractions that 
occur during a major realignment, we are still serving veterans 
with high-quality care and I expect that to get better as we continue 
to improve the process and work toward improved communication 
and cooperation. 
Mr. Chairman, this concludes my statement. I will be pleased to 
answer any questions that you may have. Thank you. 
[The prepared statement of Mr. Lucas follows:] 
PREPARED STATEMENT OF STEPHEN M. LUCAS, DIRECTOR, TAMPA VAMC, VETERANS 
HEALTH ADMINISTRATION, DEPARTMENT OF VETERANS AFFAIRS 
Thank you Chairman Akaka and Members of the Committee. I am pleased to 
have this opportunity to appear before this Committee as a proud and 
long time employee of the Veterans Health Administration (VHA). Today 
I would like to discuss my personal knowledge and experience with the 
realignment of the Department of Veterans Affairs (VA) Office of 
Information and Technology (OI&T). I wanted to first take a moment to 
review the reorganization process. I will then follow with some 
personal observations on what I think has worked, and what I think 
needs to be watched closely to ensure that we improve the effectiveness 
of the newly revised IT organization. 
I would also like to state upfront as a personal observation, that 
VistA is a system put together by clinicians for clinicians and it 
works, still works, and no one who uses it, ever wants to go back to 
what they had, or in many cases, didn't have. We should never lose 
sight that VA's VistA system remains a world class system and the 
Industry Standard for Electronic Health Records (EHRs) by a long shot. 
In March, 2006, Secretary Nicholson approved a new business model as 
the framework for VA's IT System. This generated the initial 
realignment to OI&T in the neighborhood of 6,000 Operations and 
Maintenance personnel who were previously part of VHA, the Veterans 
Benefits Administration (VBA), National Cemetery Administration 
(NCA) and other parts of VA. On October 31, 2006, Secretary Nicholson 
approved the transition of the VA IT Management System for the 
Department of Veterans Affairs (VA) to a single IT leadership 
authority--the VA Chief Information Officer (VA CIO). This included the 
permanent assignment of all VA personnel dedicated to IT development, 
approximately 1,000 personnel, to the Office of the Assistant Secretary 
for Information Technology (AS/IT) to be completed by April 2007. The 
final transition and realignment, to include institution of a 
governance structure, clear understanding of roles and 
responsibilities, establishment of standardized policies 
and business practices, etc., was directed to be completed by the 
Secretary by June 2008. This transition is significant due to the large 
numbers of people transitioned, many new policies and business processes 
having to be evaluated and implemented, and new communication paths and 
operating procedures tried, rejected in some cases, restructured and 
then re-implemented. All the while, caring for our patients has 
remained our primary mission. I will certainly not try to hide the fact 
that the realignment, due to its magnitude, has created some 
distractions, as well as anxieties in VHA's medical community. 
Specifically, at Tampa, we were concerned that we would lose the 
authority to make the necessary medical decisions at the point of care 
and that, by the transfer of our development team to OI&T, we would 
lose our ability to ''innovate''--the very engine that created the World 
Class VistA system in the first place. Thus far, those fears have not 
proven true and more importantly, we have not lost sight of our first 
priority to provide the highest quality care to our veteran patients, 
the men and women who deserve no less given the sacrifices they have 
made for our Nation. 

WHAT IS WORKING? 
  The people have been moved and they can and are now concentrating on 
  getting the job done. The uncertainty is over. 
  The new centralized structure gives us far greater purchasing power 
  through ''economies of scale'' although I would like to mention that, 
  at the same time, facilities need the flexibility to be able to meet 
  local needs and unforeseen emergencies as I will reiterate later. 
  A centralized approach to Data Security and Patient Privacy can be 
  remarkably effective with goals, expectations and policies set at the 
  national level, but at the same time local staff and leadership will 
  continue to require training in the ''roll out'' of these policies and 
  expectations, as well as be provided the tools necessary to act. 
WHAT NEEDS TO BE CLOSELY WATCHED AS WE MOVE FORWARD? 
  As I said in my earlier testimony, while I believe that there are 
  many good things that have occurred as a result of centralization like 
  central procurements with inherent economies of scale, and 
  standardization in policies and processes (provided the user 
  contributes to policy formation), they can not be at the expense of 
  effective and safe health care delivery. We must continue to find the 
  right balance. 
  We also can not take away the decisionmaking capability at the direct 
  point of care or we will have created a bureaucracy and impediment to 
  the kind of organizational construct that in my mind has made the 
  VHA's health care delivery the best in the world. 
  We can not put a wall, however slight, between our clinicians and our 
  developers as this would effectively stifle that very innovation that 
  was the genesis of VistA in the first place. 
  We must engage clinicians about the tools they use and to leverage 
  effective and safe health care. 
  While I understand that there are many changes that we need to make 
  as an organization in terms of privacy, security, etc., these policies 
  and procedures must always be accomplished with a joint assessment of 
  the impact of that policy or directive on VA's ability to deliver 
  safe, effective health care. 
  There must be a continuing balance between the needs and priorities 
  of infrastructure and medical system requirements as well as the 
  ability for local facilities to make IT purchasing decisions that can 
  improve the efficiency and effectiveness of their operations. 
  Continued work on VA's governance process will be critical to ensure 
  that this is the case and not the exception. 
And why is all of this so critical? VA has made significant progress in 
the evolution of its IT systems and we must continue to foster an 
environment where we can continue to do so in the future. The original 
VA IT health care system was hospital-centric, meaning it focused 
primarily on establishing over 100 applications at specific care 
locations. The needs of VA patients require a patient-centric approach, 
which will allow veterans and their care providers to access seamless 
health records and information at any time regardless of location. And 
so it is important that VHA and OI&T continue to work together to ensure
we have a system in the future that: 
  Replaces current hospital-centric systems with patient-centric system 
  to better support modern health care needs 
  Provides a complete medical record available everywhere and at all 
  times 
  Supports interoperability with other government and private 
  health care systems 
  Supports patient decision support and interdisciplinary clinical care 
  Provides an open, robust systems architecture that is cost effective 
  and easy to maintain 
  Remains available to support hospital operations 24 hours every day 
Let me conclude by saying that the realignment was not without its 
challenges, but I see a spirit of cooperation and mutual objectives 
that will allow us to overcome them as we continue to remain the 
world's leader and benchmark for health care delivery. I am also proud 
to say today that, despite all of the natural and expected distractions 
that occur in a major realignment, we are still serving the veteran with 
quality care, and I only expect it to get better as we continue to 
improve the process and work toward better communication and cooperation. 
Mr. Chairman, this concludes my statement. I will be pleased to answer 
any questions that you or other Members of the Committee might have. 
Chairman AKAKA. Thank you very much, Mr. Lucas. 
Ms. GRAVES? 

STATEMENT OF KIM GRAVES, SPECIAL ASSISTANT TO THE 
UNDER SECRETARY FOR BENEFITS, U.S. DEPARTMENT OF 
VETERANS AFFAIRS 
Ms. GRAVES. Thank you, Mr. Chairman. It is a privilege to be 
here today to talk about the current state of information technology 
in the Veterans Benefits Administration. My statement this morning 
will focus on two major topics, the impact of the reorganization 
of information technology management on VBA activities, and the 
migration of VBA's legacy IT systems to the VETSNET platform. 
I am pleased to report that from VBA's perspective, the reorganization 
of IT took place without major disruptions. While no reorganization 
of this magnitude can occur without some challenges, 
we believe that it was a smooth transition overall. 
One of the main reasons why the reorganization went smoothly 
for us is that VBA's IT structure was highly centralized both in 
applications development and in the operations of our national benefits 
delivery systems. We also had in place a regionalized Network 
Support Center structure for our field op organization with established 
policies and procedures governing our local IT operations. 
Equally as significant, the Under Secretary for Benefits, Admiral 
Daniel L. Cooper, had instituted a formal IT application change 
control and deployment process immediately upon his appointment 
as Under Secretary. The changes he made were based on recommendations 
of the Claims Processing Task Force, which he 
chaired. He also established a uniform IT structure and standard 
application configurations that were made mandatory for use by all 
regional offices. These actions provided the essential framework for 
the transition to a fully centralized environment and served to minimize 
many of the problems that would otherwise have been anticipated 
in a reorganization of this magnitude. Similarly, because of 
the way VBA has executed its IT organization, the transfer process 
caused much less anxiety for the individuals involved and minimized 
disruption to our overall operations. 
However, as with any reorganization, this transition has not 
been without some challenges for us. For example, some of our regional 
offices have experienced problems and delays with the delivery 
and installation of new equipment. Also, we face a number of 
challenges due to the issues such as bandwidth to handle the volume 
of encrypted communications we now require. Our concerns in 
these areas are being addressed by the IT organization. 
During this transition year, we have actively participated in the 
development of the Department's IT governance process. The governance 
structure being implemented will ensure that the administrations 
and staff offices have a forum for communicating their 
business needs and that all decisions related to our IT requirements 
and systems are mission focused. Already we have seen that 
when we have well-developed business plans that are consistent 
with Department-wide IT objectives, we are well supported by the 
new IT organization. We are also pleased with changes such as the 
decision to meet our new equipment needs through leases, which 
will allow VBA to upgrade equipment more frequently and keep up 
with advances in technology. We believe that as our governance 
and business processes mature and communication channels are 
more fully developed, greater improvements will result. 

With respect to transitioning from legacy systems, VBA has 
made significant progress in the migration of our compensation and 
pension claims processing activities from the legacy Benefits Delivery 
Network, or BDN, to a modernized corporate platform. 
VETSNET is a suite of applications which not only provide the benefit, 
payment, and accounting functionalities of the legacy Benefits 
Delivery Network, but also provides enhanced information and 
workflow management across the compensation and pension claims 
process. 
In 2005, Under Secretary Cooper requested an independent 
technical assessment of the VETSNET project to identify areas of 
concern which were inhibiting our ability to complete the final two 
components of the application suite, the awards and Finance and 
Accounting System. These two components provide benefit award 
generation as well as the payment and accounting interfaces. 
As a result of the assessment, the Under Secretary engaged 
MITRE Corporation to assist in the development and implementation 
of mitigation strategies. In conjunction with this effort, the 
Under Secretary also appointed me to serve as his Special Assistant 
with purview over all resources required to bring the project 
to fruition. At that time, aligned resources included personnel from 
our compensation and pension business line, our Office of Resource 
Management, and VBA IT personnel. Although the organizational 
lines have changed since the IT consolidation, this interdisciplinary 
effort continues today, ensuring a business-focused approach to this 
complex systems development project. 
This approach has resulted in significant progress over the past 
18 months. At the end of September 2006, a total of 2,385 veterans 
were receiving their monthly benefits via VETSNET. Today, more 
than 200,000 veterans are on the VETSNET payment rolls. During 
fiscal year 2006, 5 percent of VBA's rating-related claims for veterans 
new to the VA's compensation rolls were processed entirely 
through the VETSNET suite. In August 2007, the figure for veterans 
new to the rolls was 97 percent. More than three-quarters of 
a billion dollars in compensation benefits payments have been processed 
through the VETSNET system this fiscal year. 
However, our most significant gains in migrating compensation 
and pension claims processing from the BDN will be with the conversion 
of approximately 3.5 million active payment records from 
BDN to VETSNET. That process is underway and will be substantially 
complete by June 2008. The final stages of the conversion effort 
will be finished by June 2009. At that time, the entirety of 
compensation and pension claims processing activities will be off of 
the legacy BDN platform. 
Mr. Chairman, that concludes my statement. I will be pleased to 
answer any questions you may have. Thank you. 
[The prepared statement of Ms. Graves follows:] 
PREPARED STATEMENT OF KIM GRAVES, SPECIAL ASSISTANT TO THE UNDER 
SECRETARY FOR BENEFITS, VETERANS BENEFITS ADMINISTRATION, DEPARTMENT 
OF VETERANS AFFAIRS 
Chairman Akaka and Members of the Committee, it is a privilege to be 
here today to talk about the current state of information technology in 
the Veterans Benefits Administration (VBA). My testimony will focus on 
two major topics: the impact of the reorganization of information 
technology (IT) management on VBA activities, and the migration of 
VBA's legacy IT systems to the VETSNET platform. 
IT REORGANIZATION 
I am pleased to report that, from VBA's perspective, the reorganization 
of IT took place without major disruptions. While no reorganization of 
this magnitude can occur without some challenges, we believe that it 
was a smooth transition overall. 
One of the main reasons why the reorganization went smoothly for us is 
that VBA's IT structure was already highly centralized, both in 
applications development and in the operations of our national benefits 
delivery systems. We also had in place a regionalized Network Support 
Center structure for our field organization, with established policies 
and procedures governing our local IT operations. 
Equally as significant, the Under Secretary for Benefits, Admiral 
Daniel L. Cooper, had instituted a formal IT application change control 
and deployment process immediately on his appointment as Under 
Secretary. The changes he made were based on recommendations of the 
Claims Processing Task Force, which he chaired. 
He also established a uniform IT structure and standard application 
configurations that were made mandatory for use by all regional 
offices. These actions provided the essential framework for the 
transition to a fully centralized environment and served to minimize 
many of the problems that would otherwise have been anticipated 
in a reorganization of this magnitude. 
Similarly, because of the way VBA had structured its IT organization, 
the transfer process caused much less anxiety for the individuals 
involved and minimized disruption to our overall operations. 
However, as with any reorganization, this transition has not been 
without some challenges for us. For example, some of our regional 
offices have experienced problems and delays with the delivery and 
installation of 
new equipment. Also, we face a number of challenges due to issues such 
as bandwidth to handle the volume of encrypted communications we now 
require. Our concerns in these areas are being addressed by the IT 
organization. 
During this transition year, we have actively participated in the 
development of the Department's IT governance process. The governance 
structure being implemented will ensure that the Administrations and 
Staff Offices have a forum for communicating their business needs and 
that all decisions related to our IT requirements and systems are 
mission-focused. Already we have seen that when we have well-developed 
business plans that are consistent with Department-wide IT objectives, 
we are well supported by the new IT organization. We are also most 
pleased with changes such as the decision to meet our new equipment 
needs through leases, which will allow VBA to upgrade equipment more 
frequently and keep up with advancements in technology. We believe that 
as our governance and business processes mature and communications 
channels are more fully developed, greater improvements will result. 
MIGRATION OF LEGACY SYSTEMS 
VBA has made significant progress in the migration of our Compensation 
and Pension claims processing activities from the legacy Benefits 
Delivery Network system to a modernized corporate platform. VETSNET is 
a suite of applications which not only provide the benefit payment and 
accounting functionalities of the legacy Benefits Delivery Network, but 
also provide enhanced information and workflow management across the 
compensation and pension claims process. 
In 2005, Under Secretary Cooper requested an independent technical 
assessment of the VETSNET project to identify areas of concern which 
were inhibiting our ability to complete the final two components of 
the application suite: Awards and the Finance and Accounting System 
(FAS). These two components provide benefit award 
generation, as well as the payment and accounting interfaces. 
As a result of the assessment, the Under Secretary engaged MITRE 
Corporation to assist in the development and implementation of 
mitigation strategies. In conjunction with this effort, the Under 
Secretary also appointed me to serve as his Special Assistant, with 
purview over all resources required to bring the project to fruition. 
At that time, the aligned resources included personnel from the 
Compensation and Pension business line, our Office of Resource 
Management, and VBA IT personnel. 
Although the organizational lines have changed since the IT 
consolidation, this interdisciplinary effort continues today, 
ensuring a business-focused approach to this complex systems 
development project. This approach has resulted in significant 
progress over the past 18 months. At the end of September 2006, a 
total of 10,385 veterans were receiving their monthly benefit payments 
via VETSNET. Today, more than 200,000 veterans are on the VETSNET 
payment rolls. During fiscal year 2006, 5 percent of VBA's rating-
related claims for veterans new to the VA's compensation rolls were 
processed entirely through the VETSNET suite. In August 2007, the 
figure for veterans new to the rolls was 97 percent. More than three 
quarters of a billion dollars in compensation benefit payments have 
been processed through the VETSNET system this fiscal year. 
However, our most significant gains in migrating compensation and 
pension claims processing from the Benefits Delivery Network (BDN) 
will be the conversion of the approximately 3.5 million active 
payment records from BDN to VETSNET. That process is underway and 
will be substantially complete by June 2008. The final stages of 
this conversion effort will be finished by June 2009. At that time, 
the entirety of compensation and pension claims processing activities 
will be off the legacy platform. 
OTHER INITIATIVES 
VBA's Vocational Rehabilitation and Employment (VR&E) Program and 
Education Program benefit payment applications are also resident on 
the legacy BDN. The C-WINRS II project (which provides enhanced 
support for the VR&E program) and The Education Expert System (TEES) 
project are both slated to transfer to the corporate platform. The 
award and financial components of VETSNET are central to these 
development efforts. By reusing these common services across the 
business lines, we will experience greater consistency across our 
business systems and improved efficiencies in application development 
and maintenance. We are creating a new operating element within the 
VBA Headquarters structure to be the focal point for development of 
business requirements and to interface with the VA Office of 
Information and Technology. We believe this alignment will ensure 
that VBA business requirements are clearly documented and communicated 
to our IT partners, and that systems development efforts have an 
appropriate business focus. 
To effectively use the available technology, sufficient time and 
attention must be devoted to documenting and communicating business 
requirements. As noted previously, VBA will use the knowledge gained 
from developing VETSNET in all future systems development efforts, as 
we maximize the integration of technology into the claims process. 
The claims development and rating decision support components of VETSNET 
have been in full production mode in all of our regional offices for a 
number of years. Further efficiencies are being seen as we aggressively 
strive toward full implementation of the final components of the VETSNET 
system. 
Other gains will be realized by working in a contemporary computing 
infrastructure. This allows us to readily make software modifications 
to support improved work processes, legislative mandates, or security 
enhancements. These types of changes are simply not possible in the 
legacy BDN. The modernized corporate infrastructure will also make it 
possible to further incorporate and enhance decision-support and 
''expert-system'' applications. We are also making strides in the use 
of electronic data and records in place of paper records in the claims 
process. We are working to integrate ''paperless'' processing into our 
data and information systems and processing procedures. We are using 
imaging technology to support paperless processing in all of our 
Education and Insurance benefit programs. We are also incorporating 
imaging technology and electronic records in our pension program 
processing. 
We are now conducting a pilot program to incorporate imaging technology 
into disability compensation processing as well. The pilot uses claims 
from recently separated veterans filed through our Benefits Delivery 
at Discharge Program. We receive the veterans' service medical records, 
create images of these records, and maintain them as part of the 
electronic claims folders for each claim filed under this pilot program. 
We believe the pilot will successfully demonstrate the feasibility of 
this technology in the disability compensation program for newly 
separated servicemembers. However, because of the magnitude of the 
paper records we store, the extent to which we can ''paperlessly'' 
process claims from veterans of previous periods of service has yet to 
be determined. 
Expanded use of business-rules engines and related types of application 
tools offers promise for further improving our claims processing. We 
recently solicited and received information from a variety of vendors 
on tools which may have potential to assist us in more efficiently 
processing certain types of claims. Together with the Office of 
Information and Technology, we are currently evaluating this vendor 
information. The Supplemental Appropriation passed by Congress earlier 
this year will facilitate our implementation of these types of tools to 
improve the claims process. 
Mr. Chairman, this concludes my statement. I will be pleased to answer 
any questions that you or other Members of the Committee might have. 
Chairman AKAKA. Thank you very much, Ms. Graves. 
And now, Dr. Glaser. 
STATEMENT OF JOHN P. GLASER, VICE PRESIDENT AND 
CHIEF INFORMATION OFFICER, PARTNERS HEALTHCARE 
Mr. GLASER. Thank you, Mr. Chairman. It is an honor to be here. 
I thought I would point out a personal connection to the State that 
you serve. When I was growing up, we lived in Lahaina for 2 years 
and I have very fond memories of that time. 
I am going to summarize the comments that I have. You have 
the written material with you. I am the Chief Information Officer 
for Partners HealthCare. We are a group of hospitals in the Boston 
area, Brigham and Women's Hospital, Massachusetts General Hospital, 
some community hospitals, health centers, physician offices, 
and I am responsible for the IT function for those organizations. I 
have been a CIO for 20 years, and in all humbleness, have some 
reasonable expertise in the application of IT in the health care 
setting. 
My comments are threefold or in three general areas. One is 
comments on the accomplishments of the VA health care IT program 
to date. The second has to deal with alignment, which we will 
talk about when we get there, between the IT activity and the 
organization overall. And the third is some challenges of integrating 
two very large, complex electronic health records, in this case the 
VA and the DOD, although there are other examples across the 
globe. 
Let me just, on the accomplishment, I think there is no question 
in the health care IT industry and amongst the CIO communities 
across the world that the VA has one of the most successful and 
the most remarkable health care IT programs that we are aware 
of at all. I personally think, and I told this to our leadership and 
our board, it is the most successful, certainly in the U.S. and probably 
in the globe today. So I just want to make sure, not that you 
do or all of you do, to not forget that as we discuss a range of 
issues that the organization must confront, is to admire and respect 
the work that has been done to date and in lots of ways you 
can see that. 
I mean, if you look across the U.S. about 15 percent of hospitals 
use computerized physician order entry or provider order entry, entering 
medications, lab tests, procedure orders into the computers. 
About 9 percent of the physicians in outpatient practice use electronic 
medical records with very advanced decision support to guide 
and remind, et cetera. 
As you all know, the VA levels of use are well beyond into the 
high 80's, high 90 percent. It is just a remarkable difference between 
where the country is and where the VA is on the adoption 
by physicians and nurses of these technologies in the course of taking 
care of people. 
And in addition to the technology, if you look at, well, does it do 
any good? Is the care any better? I think there have been a range 
of studies that show that the care delivered by the VA, particularly 
in the outpatient care, is superior to that to which we would find 
in the same communities, and so the VA in Boston and the rest of 
the community in Boston. So it is not only being adopted well, but 
the gains in care have been remarkable. 
I think at my organization, Partners HealthCare, which has 
some all-galaxy class organizations and has done well in IT and 
does well in working at care, we are not where you are. We aspire 
to be where the VA is, but we have not yet achieved those levels 
of competency, skill, and effectiveness. So again, the point being is 
from an outsider, for you all to hear how much respect exists and 
for us to preserve that in the efforts that go forward. 
The second set of comments has to do with alignment. There 
have been a lot of studies over the decades that say when an 
organization is very effective in using IT, why is it very effective? 
What factors lead to that? In organizations that have been studied, 
American Airlines, Federal Express, Capital One, Merrill Lynch, a 
variety of organizations, and there are a bunch of--well, there are 
actually really a small number of factors that determine excellence 
at the end of the day and one that is dominant is this notion of 
alignment. And by alignment, there is a very specific sort of set of 
ideas behind it. 
One is that the leadership of the organization, the leadership of 
Capital One or the leadership of American Airlines is able to set 
the direction, say given our objectives and our goals and what we 
want to be, this is where we need to put our IT energies. These 
are the resources, and we may move resources from time to time. 
We are watching the big implementations to make sure that they 
are going well. We are monitoring the issues, and frankly, we are 
holding ourselves and all of you accountable for those results. 
So there is this good linkage and integration between the IT 
strategy game plan and where the organization wants to go. And 
it is not only at this lofty high level but it is also down in the 
trenches, and that is those who do the work on any given day, that 
they, in fact, know they are responsible for the implementations, 
know they are responsible for making sure the design is the right 
design, know that they are critical to changing workflow, and know 
that they, in fact, are obligated to use the tool to make their prowess 
and their customers' prowess as effective as it can be. 
When this alignment doesn't happen, there can be a lot of sort 
of bad things that occur. Now, you can have an IT group that is 
well managed and very efficient, but if it is not aligned, it may be 
working on the wrong things or it may be crafting applications 
which are not quite what the rest of the organization had in mind. 
And a caution, and that is I think occurs in any organizational 
change, and certainly Partners went through its efforts where it 
merged ten IS groups in the course of this and began its own 
centralization efforts, is to preserve that alignment and to make 
sure that what does not occur as a result is that front-line 
doctors and nurses feel that they are in control and command and 
directing the system's activities. 
And so there is this balance to make sure that the alignment is 
such that the CEOs or the leaders of the hospitals and the health 
centers, et cetera, know that they are accountable for IT results, 
have the ability to guide the agenda, have the ability to directly 
deal with issues and the physician and nurses know and feel the 
same, and we can see the fruits of their contribution to the work 
that is being done here. 
So that is the great caution in the efforts to achieve efficiency, 
which matters, and I see this in our organization, and standardization, 
is to balance that against the need for those physicians and 
nurses who do the work--I don't do any real work, they do the 
work--to make sure that we are meeting their needs and addressing 
all the challenges that they face, because frankly, at the end 
of the day, that is why we are here. So be cautious, and it is a 
challenge and a difficult one to get right, be cautious about the 
alignment thing. 
The third thing I will comment on, the interoperability, is that 
getting exchange of data, and there are flashes and examples of 
this in the prior testimony that went on, it is very, very difficult 
to exchange data between organizations. There are standards that 
are being developed but not fully developed. There are areas where 
no standards exist and hence one has of course to create them. 
There are areas that have to do with privacy. There are areas that 
have to do with policies and procedures regarding use of data, so 
if I move it from my organization to yours, what rights do you have 
of changing and adding and subtracting, et cetera. The country is 
grappling with this. This is part of the broad HHS agenda, 
interoperability. Our region is grappling with this, including the 
VA and the DOD. 
I think as we discuss progress that goes on here, we ought to be 
mindful of the extraordinary difficulty here, both technically, policy, 
procedure, privacy that exists here, and while making sure we 
have good game plans and accountability, et cetera, that we appreciate 
that this will take several years to effect and to effect well, 
certainly to the degree that we would like to see in broad operability. 
So let us appreciate the challenge that confronts those who 
are making these organizations happen. 
So, Mr. Chairman, I am done. I thank you for the opportunity 
here. Again, remember how good this organization is and the work 
that it has done and how admired and respected it is while appreciating 
the desire and the need to tackle challenges such as have 
been mentioned before and such as mentioned in my testimony. 
Thank you. 
[The prepared statement of Mr. Glaser follows:] 
PREPARED STATEMENT OF JOHN GLASER, PH.D., VICE-PRESIDENT AND CHIEF 
INFORMATION OFFICER, PARTNERS HEALTHCARE 
Mr. Chairman, Senator Burr, and Members of the Committee. Thank you for 
inviting me to take part in this hearing on the state of information 
technology within the Veterans Health Administration. 
My name is John Glaser. I am the Vice President and Chief Information 
Officer of Partners HealthCare. Partners HealthCare is an integrated 
system of medical care whose members include the Brigham and Women's 
Hospital, the Massachusetts General Hospital, community hospitals, 
health centers, physician practices and visiting nurses. I have been 
a CIO for 20 years. 
I am also the Founding Chairman of the College of Healthcare 
Information Management Executives (CHIME), the country's premier 
organization for healthcare CIOs. I was recently inducted into the 
CIO Hall of Fame hosted by CIO magazine. 
My testimony centers on three areas: the accomplishments of the VA 
health care information technology (IT) program, the importance of 
information technology alignment within a health care organization 
and the difficulty of integrating two large, complex electronic 
health records--the VA and DOD. 
ACCOMPLISHMENTS 
There is no question that the world's health care CIOs and the health 
care IT industry regard the Veterans Health Administration information 
technology program as extraordinarily successful. I personally believe 
that the VA program is the most accomplished program in the world. 
Across the country, 15 percent of hospitals have broad physician use 
of Computerized Provider Order Entry (CPOE). Nine percent of physicians 
use advanced electronic medical records (EMR) with clinical decision 
support. In the VA, CPOE and EMR use are commonplace. For example: 
  85 percent of the 57 million outpatient visits and almost all of the 
  inpatient notes are online 
  94 percent of the outpatient prescriptions--equivalent to 200 million 
  30-day prescriptions--as well as almost all of the inpatient 
  prescriptions are entered directly by the prescribing clinician. 
The VA has not only achieved remarkable levels of adoption of health 
care IT but has also leveraged those systems to make very impressive 
gains in care. A study published in 2004 compared care of VA and non-VA 
patients in 12 communities and found that the care for VA patients 
scored higher on care quality, chronic disease care and preventive care. 
Partners HealthCare is widely regarded as very effective at applying 
information technology to improve care. While we have high levels of 
adoption of CPOE and the EMR and we have improved the care that we 
provide to our patients, we have not yet achieved the adoption levels 
or care gains being seen today at the VA across more than 150 medical 
centers and greater than 1,400 sites of care. 
In addition to our efforts to improve today's patient care, Partners 
HealthCare has established highly regarded research programs designed 
to explore new uses of the information technology to improve health 
care. We routinely partner with the VA in grant applications and 
research studies. This relationship recognizes the track record of 
the VA in health care information technology and the VA's sophisticated 
understanding of new opportunities to improve care. 
I appreciate the fact that the VA has information technology 
challenges. So does Partners HealthCare and every other healthcare 
system in the world. We also face threats of data loss, projects that 
are over budget and under perform and difficulty integrating complex 
information systems across organizational boundaries. While these 
challenges must be effectively addressed by the VA, I would encourage 
us to not forget the excellence that has, and continues to be, 
exhibited by the VA health information technology program and the 
world's admiration of that program. 
ALIGNMENT OF INFORMATION TECHNOLOGY 
Numerous studies of information technology investments by a wide range 
of organizations across many industries have all identified a factor 
critical to effective use of the technology--alignment of the 
information technology function, agenda and accountability 
with the needs and management of the organization. 
Organizations, such as American Airlines, Federal Express, Capital One 
and Merrill Lynch, which have consistently demonstrated exceptional 
information technology use have several common characteristics: 
  The leadership of the organization sets the information technology 
  strategy and agenda. The leadership actively defines the plan, 
  manages project resources and implementation, addresses issues and 
  assumes accountability for results. 
  The staff of the organization have been given the responsibility for 
  ensuring that an application meets their needs, managing specific 
  implementations and changing related process. 
Failure to achieve strong alignment can pose significant problems for 
the organization. Information technology projects may be well managed 
and the information technology group may be very efficient but, without 
alignment, they are at great risk that their work is not addressing the 
priority needs of the organization and the delivered applications do 
not reflect the needs of the staff who do the organization's work on a 
daily basis. 
The excellence that characterizes the VA health care information systems 
was a result of exceptional alignment. The VA Health Administration 
leadership had direct authority over the information technology 
strategy, resource allocation and management of results. The 
physicians and nurses who deliver care to 
our veterans had direct access to the analysts and programmers who 
created the applications. Indeed the analysts and developers viewed 
these providers as their true bosses. 
I am concerned that recent changes in the VA information technology 
organization structure will damage alignment. Steps that centralize 
authority within the VA in a manner that reduces the direct management 
of information technology by those who are accountable for the delivery 
of medical care and are most knowledgeable about the needs of the 
healthcare system run a very significant risk of undermining 
the progress that has been made. 
These concerns acknowledge the value of a central VA information 
technology group in areas such as developing technology standards and 
providing nonhealthcare specific financial systems. However, too much 
centralization will damage alignment and diminish the excellence of 
medical care. 
INTEROPERABILITY OF ELECTRONIC HEALTH RECORDS 
The value of interoperability of electronic health records across 
organizations is difficult to dispute. Such interoperability is likely 
to improve the safety, efficiency, timeliness and effectiveness of 
patient care. 
The difficulty of achieving interoperability of electronic health 
records is difficult to dispute. 
There are a large number of formidable challenges to achieving 
comprehensive interoperability. 
While the Federal Government is making significant progress in 
defining standards for healthcare data, these standards are still 
largely in the approval process and have not become widely adopted 
across the industry. 
There are critical aspects of healthcare data for which broadly 
accepted data models and standards do not exist, for example, the 
history and physical. 
Accurate identification of patients who have different medical record 
numbers remains difficult and labor intensive. 
Procedures and processes must be developed that provide ''rules of 
the road'' for using exchanged clinical data. What categories should 
be used to classify physician notes? Under what circumstances can a 
physician in one organization change the problem list entry of a 
physician in another organization? Which clinical staff from one 
organization can discontinue a medication given by a provider in 
another organization? 
How should institutional review board processes work when the data 
spans multiple organizations? How will privacy policies and procedures 
be enforced across organizations? 
There are complex technical issues that surround the interoperability 
of electronic health records that span organizational boundaries. There 
are also complex governance, policy and procedure issues that must be 
addressed. 
The VA and DOD have made considerable progress in achieving 
interoperability between their electronic health records. Outpatient 
medication and drug allergy data is being exchanged. Mechanisms exist 
for the VA systems to receive DOD health data for discharged military 
personnel. 
Achieving the interoperability of the VA and DOD electronic health 
records is an important goal. And those who are charged with creating 
this exchange should be held accountable for delivering on their plans. 
Nonetheless, we should all appreciate the immense challenges that 
exist. And we should respect the fact that achieving this goal will take 
several years. 
CONCLUSION 
We all appreciate the importance of the VA's health information 
technology program to the efforts to provide great medical care to our 
veterans. We also all appreciate that the program, as do all large 
information technology undertakings, faces issues. 
As we collectively tackle those issues, let us not forget the true 
excellence of the program. And let us appreciate the importance of 
alignment and the significant difficulty of achieving interoperability 
between the electronic health records of two large providers of care. 
Thank you for the opportunity to testify. I welcome the opportunity to 
respond to your questions. 
Chairman AKAKA. Thank you very much, Doctor, for your testimony. 
I have some questions for this panel. This question is for all of 
the panelists, and I will take your responses in the order in which 
you were introduced. What can VA do to maintain the entrepreneurial 
spirit that has been a hallmark of VA IT while realizing 
the advantages and efficiencies that come with a centralized 
management structure? Ms. Melvin? 
Ms. MELVIN. Mr. Chairman, in our work, we emphasize and support 
the need for VA to balance innovation with a disciplined process 
for carrying out its systems development efforts. In looking at 
the overall realignment plan that VA is undertaking, the key that 
we have identified are six critical factors that we think are essential 
to making sure that the Department is able to implement its 
realignment and maintain the balance relative to being sure that 
it understands and is able to respond to user needs. 
Within that, the Department has identified 36 critical management 
processes that it views as essential to being able to have an 
effective overall management process for information technology. A 
part of those processes deals with ensuring that the Department 
has adequate communications, enterprise-wide communications, 
that effectively allows it to convey information relative to the 
realignment, which is essential to ensuring that the culture of the 
organization understands what the realignment is about and supports 
its mission. 
Secondly, within the overall process of looking at these initiatives, 
it is important that there be disciplined processes and that 
they be followed. I think in the earlier panel, there was discussion 
of the need to balance the requirements processes, understanding 
the overall needs of the users, in this case the physicians, the 
clinicians who have been vital to the innovation that was a part of 
the original system, ensuring that there are proper places, proper 
channels, I should say, for their ideas and innovative thoughts to 
be addressed, to be prioritized, and to be considered in the overall 
mission and organization goals for having information technology. 
Key to that also is a governance process that does, in fact, consider 
all of the levels of users, managers, and other resources that have 
to be considered and prioritized within the overall decisions that 
are made for what is best for the organization in terms of information 
technology. 
Chairman AKAKA. Thank you very much. Mr. Lucas? 
Mr. LUCAS. Mr. Chairman, I will go back to, I guess, what is 
working. I was talking with General Howard on the way over in 
the van and we talk about this, and clearly, at least in Network 
Aid in Florida, we get outstanding support from the OI&T staff, 
very responsive, and we appreciate that support. 
As was mentioned in the previous panel, purchasing, centralized 
purchasing gives us remarkable economies of scale. And then, of 
course, we all know that we can do a lot better with respect to data 
security and privacy issues and we need to do a lot better and 
centralization helps us with that. 
The things that are worrisome, from a strategic standpoint, it 
seems to me, is the Electronic Health Record. That record is the 
product of a marriage of developers and clinicians over time and it 
has produced a remarkable, remarkable product, the envy of the 
world. Under the realignment, we have changed that relationship, 
and so I worry that the EHR will not be as robust as it is now. 
And so that is something from the strategic standpoint we need to 
pay attention to. 
In my testimony, I also mention the flexibility of local facilities 
to purchase equipment that they find they need in terms of to enhance 
effectiveness and efficiency. We are not there yet. The relationship 
between OI&T and VHA is not there yet. So, for example, 
the Haley Center is a very busy place and we have a lot of construction 
going on all of the time and we treat upwards of 3,000 
patients a day. That is a lot of traffic and we felt like we needed 
to have some directional capability and we wanted to buy some kiosks, 
informational kiosks. We were prevented from doing that. 
We wanted to--when patients come into a hospital, principally 
they are there for nursing support, and so we need to support our 
nurses as they are caring for our veterans and we wanted to buy 
a PICIS system. That is a Peri-Operative Critical Care Information 
System that helps nurses in documentation and reduces errors. We 
are unable to do that. 
In addition, there is a remarkable communication device called 
Voicera that allows nurses instant communication amongst and between 
themselves on the wards. That saves steps and enhances 
communication between and among the nurses. We are not able to 
do that. 
So these are not mission critical--this is not mission critical 
equipment, but it is important equipment, and so the flexibility is 
not there yet. But as General Howard pointed out in his testimony 
or in response to a question from Senator Burr, it is a work in 
progress. As I mentioned, as long as we have got good communication 
and we feel like we are on the same team and the most important 
issue is the care of our veterans, we will get there. Thank you, 
sir. 
Chairman AKAKA. Thank you. Ms. Graves? 
Ms. GRAVES. Thank you, Mr. Chairman. I would like to echo the 
testimony of the prior panelists. I believe that having an effective 
communication structure in place so that the business requirements 
are clearly defined, clearly understood, and that we continue 
to develop a very strong partnership between the business elements, 
the service elements of the VA organization, and the IT organization, 
we will ensure that we have a successful implementation 
of this process. Thank you. 
Chairman AKAKA. Dr. Glaser? 
Mr. GLASER. Mr. Chairman, I think I will give you some examples 
of initiatives we do in my organization. It sounds like, from 
the prior testimony, some of these are in place at the VA to do. 
An example is all of the IT staff, or virtually all of them, actually 
live in the hospitals or they live in those settings in the clinics so 
they don't forget why they are here, and they encounter doctors 
and nurses in the hallways who remind them of what is working. 
Second, for the majority of them, the reviews are joint reviews. 
In other words, I might give your performance review, but somebody 
from the hospital is also joining me in giving that review. So 
you have to take care of them and take care of me at the same 
time. 
The third is that when we have committees who guide us in our 
own electronic health record efforts, et cetera, those committees are 
composed only of providers, physicians and nurses, and only of providers 
who practice. So we want to make sure that after our Committee 
meeting of what the five things we ought to do here are that 
you have to go back the following day and take care of people and 
understand the realities that go along with that. 
Another--two more items that we do here. One is in our case, 
the CEOs of our hospitals, the community hospital or the person 
running a health center, of the IT budget, 50 percent is theirs to 
spend at their discretion. They are bound by certain standards and 
there are certain things you can't do. You can't decide to unilaterally 
change the payroll system or the security system. But you 
have, within some broad guidance, you have the discretion to spend 
it here or spend it there or a variety of ways. We still like to 
understand it and make sure you are not doing something crazy, but that 
is rare that that kind of thing occurs. 
The last thing we do is that we have a program where if you are 
an employee of Partners, a physician, a nurse, or an IT person, and 
say, I have an innovative idea, you can apply for a small grant. We 
have blessed 64 such projects over the last 4 years. The general 
size of the grant is about $40,000. It is not a whole lot of money. 
They put more of their own effort into this than we can possibly 
pay them for and they just want the permission to go off and explore 
this, learn about that. We ask that you write it up. We have 
a symposium in which people share these ideas. Not all of them 
work out. Some of them didn't turn out so well. But nonetheless, 
we try to harvest those ideas and to broadly adopt them because 
there are some very clever, very smart people who are willing to 
work really hard on their own effort or their own weekends to go 
off and do that. So a small internal grant program can accomplish 
a phenomenal amount of innovation. 
Chairman AKAKA. Thank you. Mr. Lucas, what would be the impact 
on your facility and your ability to furnish care to veterans if 
you lost access to the Electronic Health Record system for even 1 
day? 
Mr. LUCAS. Mr. Chairman, it would be a very long day. We 
would immediately go over--and we practice this because it is that 
important as part of our disaster preparedness plan--we would immediately 
go over, call a Code Z, Code Zebra. And so all of the notations 
in the medical record would be on paper. All of the results 
reporting out from all of the diagnostic areas would be on paper. 
Hopefully, we would still be able to print out health summaries for 
the clinicians at the front end with our veterans, but the health 
summaries are just the latest information with respect to the veteran. 
And that isn't particularly helpful in the specialties and 
subspecialties, so a large number of those appointments for our veterans 
would probably be canceled or delayed. 
In addition, because we are on paper, it slows us down, and that 
means that instead of seeing upwards of 3,000 patients in any 
given day, we would see substantially less than that, probably less 
than half of that, which means that appointments would be canceled. 
In addition to that, since the computers are unavailable up in the 
OR, certain of the procedures would probably be canceled, and that 
is where it really starts to inflict pain, because when you are going 
into a procedure, even a minor procedure, you gear up for that. I 
mean, anybody does. And to have that canceled and delayed is an 
emotional trial. 
So all of that would happen. We would then, when the system 
came back up, engage in putting all of that paper into the system. 
And, of course, some physicians' writing ability is not as good as 
others and so you end up with legibility issues. You end up with 
the potential for errors, and I won't even go into the lack of bar 
code med administration when the computer goes down and the 
possibility of med errors with that. 
So, this could be a very long day. Recovery would also take considerable 
time, several days, I would expect, to get all of that back 
in, to make sure we haven't made errors and to check it out. A difficult 
situation, but most difficult for our veteran patients. And I 
guess that is what, at the end of the day, what I would like to be 
assured of as a medical center director, as a veteran, is that the 
leadership of OI&T has a situational awareness of the most important 
interface of all, that interface between the provider and our 
veteran patient, and that they understand the ramifications of 
change and also the ramifications of a loss of our IT system. Thank 
you, sir. 
Chairman AKAKA. Thank you. Dr. Glaser, how do facilities in the 
private sector protect their electronic medical information systems 
from disruptions and what can be done to prevent such disruptions? 
Mr. GLASER. Mr. Chairman, I think the actions we take are no 
different than the actions that you take or no different from the 
actions that you would take in a banking setting, a manufacturing 
setting, et cetera. There are steps that are taken to try to thwart 
malevolent efforts of viruses and trojans and other types of bad 
things that people try to do. There are efforts taken to make sure 
that software is tested so that inadvertent changes to software 
don't cripple the organization as a result of activities. 
We are all confronting, and it was mentioned in some of the testimony 
earlier, the growing use of people with their own personal 
devices, their own Blackberries or PDAs or notebooks and connected 
to wireless. It becomes a lot easier to extract data or maintain 
separate lists and walk out with it. And I think the industry 
broadly is grappling with how to do this. 
I think it sounds like from the testimony before that the types 
of work that is done, both the technologies and management practices 
that are broadly adopted across this industry, are well understood 
by the VA IT group and are making progress in adapting 
that. You have a complicated organization, so I don't doubt the 
complexity of making it happen. But I don't know that there is a 
set of insight that the industry has to offer that you are unaware 
of. 
Chairman AKAKA. Yes. We have been talking about the importance 
of information security. Ms. Melvin, in the information security 
report released today, GAO refers to shortcomings in VA's programs 
and procedures designed to improve VA's information security. 
Please comment on areas where VA can improve and share 
your views on whether veterans can be confident that VA is doing 
everything possible to protect their personally identifiable 
information. 
Ms. MELVIN. Mr. Chairman, if I could, I have one of my colleagues 
with me who was directly involved in the assessment of 
that. We did find some areas in which the Department was making 
progress, but also some areas in which we felt that there was a 
need for additional progress and additional efforts on the Department's 
part, and I would like to defer to him to respond to your 
question, if I may. 
Chairman AKAKA. Will you introduce him, please? 
Ms. MELVIN. Yes. This is Mr. Greg Wilshusen, Director in our Information 
Technology Team who is responsible for our information 
security work. 
Chairman AKAKA. Thank you. 
Mr. WILSHUSEN. Good morning, Mr. Chairman, and thank you 
for your question. What we have found during our review of information 
security practices at the Veterans Affairs is that, indeed, 
they have been making progress in a number of areas and improving 
and starting to provide the foundation, if you will, framework, 
for an information security program. However, there are still several 
areas where they need to take additional steps. I would say 
first and foremost, it is defining and assuring that they have the 
adequate policies and procedures in place to effectively assess their 
risk. They are taking steps, as I mentioned, to do that. 
Where VA needs additional work is the actual execution or implementation 
of these policies and procedures. One of the things 
that the Federal Information Security Management Act requires is 
that agencies implement an agency-wide information security program 
that includes assessing risk; developing cost-effective policies 
and procedures that reduce those risks to an acceptable level; assuring 
that staff and agency personnel, as well as contractor personnel, 
are adequately trained in their security responsibilities, 
and to include technical training for those staff with significant 
security responsibilities; and then establishing a process in place to 
test and evaluate the effectiveness of those controls, and as weaknesses 
are identified, to take prompt remedial actions to correct 
them. 
VA has set up several processes and controls to help implement 
those requirements. However, there are still, as I mentioned, several 
areas where they need to go further in implementing those 
controls. 
Chairman AKAKA. Thank you very much for that. Let me ask Mr. 
Lucas and Ms. Graves to please share any thoughts you have on 
shortcomings of the information security initiatives and what can 
be done to regain the confidence of veterans in VA's information security 
programs. Mr. Lucas? 
Mr. LUCAS. We are in the process, as was mentioned, as I think 
General Howard mentioned, we are in the process of changing a 
culture here and so locally at Tampa, we have trained our over 
3,700 employees in both security and privacy issues. We have 
trained over 700 of our volunteers and over 625, if memory serves 
me, of our students, stressing the importance of security, of data 
security. We are going to continue to do that. 
Last year, we had 108 reports of security incidents, data security 
incidents. I am happy to be getting those reports. I think General 
Howard mentioned he is happy to be getting those reports and we 
acted on them very quickly. Some of them, it turned out, were not 
valid. But we have got a full frontal assault on this notion of data 
security and we are going to continue to work through it until, as 
Secretary Nicholson said, we are the gold standard. 
Chairman AKAKA. Ms. Graves? 
Ms. GRAVES. Thank you. Echoing what Mr. Lucas said, education 
and training of our employees is a critical first step. VBA has 
implemented data and privacy training into all of its formal training 
courses, beginning when the employee first comes on board with 
the Veterans Benefits Administration. That training and enforcement 
of good security and information practices continues throughout 
all of our formal and informal training structures. 
Along with that, all of our employees are required to take annual 
privacy and security training and to annually recertify that they 
understand their requirements and their responsibilities in protecting 
veteran data. Again, changing the culture does take some 
time, but I believe with the guidance from OI&T and putting the 
policies and procedures in place so that everyone understands their 
roles and responsibilities, we will achieve the gold standard that 
Secretary Nicholson is looking for. Thank you. 
Chairman AKAKA. Thank you. Ms. Melvin, for almost a decade, 
VA and DOD have been attempting to develop an Electronic Health 
Record that can be used by both Departments. How big of an obstacle 
to the success of achieving interoperability is the fact that both 
Departments are still in the process of completing the development 
of their own modernized health information system? Can you comment 
on that? 
Ms. MELVIN. I can comment on that from the standpoint of the 
work that we have done and looking at VA's relationship with DOD 
in implementing exchanges of data. What we have found, the issue 
of how big of an obstacle it is really is driven largely by the 
relationship and the interactions that those Departments have. Our 
biggest concern has been with the overall project management, 
with the lack of integrated project management, that would really 
establish who is in charge, what the specific goals and objectives 
are that they want to achieve, and how they intend to make that 
happen. 
We have consistently seen throughout the work that we have 
done that both Departments have their separate modernization efforts 
underway. They are working and they have achieved some degrees 
of exchange through various short-term initiatives and ad hoc 
processes that they have put in place and they have also achieved 
some interoperability in the form of sharing computable pharmacy 
and drug allergy data through an interface that they put in place. 
However, we still feel that even though they have made these 
accomplishments, VA has its modernization effort underway. The 
Department of Defense also has its modernization effort underway, 
coupled with multiple systems that it currently must rely on to exchange 
data. What we have not seen and what we do consider to 
be a concern that potentially could be an obstacle is that there 
hasn't been a long-term detailed plan, at least through the work 
that we have done thus far, that would explain or detail how the 
two Departments are collaborating and how they intend to ensure 
that they achieve the common goal of a shared Electronic Health 
Record. 
Chairman AKAKA. Thank you. Let me ask Dr. Glaser, do you 
have a comment on this issue of VA-DOD interoperability? 
Mr. GLASER. I may be expressing ignorance here, Mr. Chairman. 
I think the idea of a common EHR that both organizations use 
would be an interesting idea and I would be curious about it, but 
that is sort of a cover for saying, you have got to be kidding me. 
[Laughter.] 
Mr. GLASER. But maybe it is credible, I don't really know. But 
I would just be struck on that one. 
I think even though their efforts are still in progress, both 
modernization and roll-out of clinical systems, one can effect a degree 
of data exchange while that is going on here. So one does not have 
to reach the pinnacle in order to be exchanging some forms of data. 
Paul Tibbits ran through a shades of gray, which is absolutely correct. 
So one can run in parallel with the modernization, the further 
adoption by physicians and nurses, and the exchange. 
I think above and beyond, and I don't know all the details of the 
GAO account, it becomes a question of what people have as the priorities 
on any given day. Where are people spending their time and 
energy, because those are all huge undertakings--protecting privacy, 
modernization, moving the clinical agenda and exchange. So 
I think there is a non-trivial management challenge of balancing 
those demands and where you put people's time and energy on any 
given day. 
Chairman AKAKA. Thank you. Ms. Melvin, VA has been in the 
process of modernizing VHA's and VBA's legacy IT systems for 
years. Do you believe that VA currently has program management 
processes in place that will allow for these initiatives to be 
successful, and if so, by when? 
Ms. MELVIN. I will speak to your last question first. I don't know 
by when the Department would have its initiatives in place. What 
we have seen from the standpoint of the initiatives that it is 
undertaking, you are correct. Over time, we have had concerns relative 
to their project management and these are concerns that have been 
ongoing and longstanding. However, in the case of the Veterans 
Benefits Administration, what we have found is that where the Department 
has instituted a governance structure and taken steps to 
improve its project management, we have seen progress on their 
part in moving forward with their overall development of their new 
system. However, they have still got work to do. That is not to indicate 
that it is complete. But we do see indications that if the Department 
implements sound project management strategies and 
structure, they can be successful. 
A lot of this will be driven, obviously, by the realignment that 
is put in place and by how successfully the Department does implement 
the management processes that I mentioned earlier. That will 
be key to ensuring that they have a disciplined approach that is 
grounded in sound project management and that that approach is 
applied throughout the organization for the IT initiatives that it 
undertakes. 
Chairman AKAKA. Thank you. Let me further ask Mr. Lucas and 
Ms. Graves, what impact are these modernization efforts having on 
the daily delivery of health care and benefits within VA? Mr. 
Lucas? 
Mr. LUCAS. Any time that you can enhance the operability of 
your systems, it means faster information getting to the clinicians, 
and so we begin to see that. Beyond that, I am not--beyond that, 
I can't comment further, Mr. Chairman. 
Chairman AKAKA. Well, Ms. Graves? 
Ms. GRAVES. Thank you, sir. The project that I have the most insight 
into is the VETSNET project, which is the transition of our 
largest benefit program, the Compensation and Pension Program, 
from our legacy platform to a modernization infrastructure. What 
we have seen from our user base, our veterans' service representatives 
and rating veterans' services representatives who deal with 
our veterans on a daily basis. There is a strong pull for that 
technology, to continue to deliver that technology to them. 
They have found that it enhances their ability to do their jobs. 
It reduces the rekeying of data, redundant rekeying of data that 
can cause errors in the claims process. They have much more ability 
to answer a veteran's question when he or she calls to check 
on the status of their claim or to see how their benefits claim is 
progressing. We have to move paper much less than we did before 
we were able to move into our more modernized environment. 
We expect to see that continue to improve our processes as we 
are able to use the technologies available to us with image data, 
the types of things that Dr. Tibbits spoke of in the earlier testimony. 
That will help us, again, reduce the movement of paper, 
making sure that information that is necessary to adjudicate a veteran's 
claim is at the desktop of all of our users. It reduces the likelihood 
of a claims file being lost or misplaced and therefore unable 
to adjudicate the claim. 
So we do see a significant pull from our users and we expect to 
continue to enhance our end users' ability to serve veterans as we 
make progress toward implementing a modernized platform. 
Chairman AKAKA. Well, I want you to know that I really appreciate 
your responses and, of course, your testimony to begin with. 
You know that we are doing this to try to look for better ways of 
improving VA's IT system. So once again, I would like to thank all 
of our witnesses for joining us today. 
Veterans rely upon VA's information technology programs on a 
daily basis for the delivery of their benefits and services. For their 
sake, we need to ensure that these programs are effectively managed 
and that they work as intended. 
I want you to know that the hearing record will remain open for 
3 weeks to provide time for any additional views. I thank you for 
being so patient. 
This hearing is adjourned. 
[Whereupon, at 12:07 p.m., the Committee was adjourned.]