Veterans Affairs
Sustained Management Attention Is Key to Achieving Information Technology Results
Gao ID: GAO-02-703 June 12, 2002
The Department of Veterans Affairs (VA) has made important progress in raising corporate awareness of the department's information technology (IT) needs and in taking actions to improve key areas of IT performance. Nevertheless, the department has significant work to accomplish in order to use IT investments to improve mission performance. VA has taken important steps in laying the groundwork for an integrated, departmentwide enterprise architecture--a blueprint for evolving its information systems and developing new systems that optimize their mission value--by establishing crucial executive support and a strategy to define produces and processes essential to its development. VA has also strengthened its department-level information security program by requiring greater management accountability from senior executives, through mandated information security performance standards. In addition, Veterans Health Administration managers and clinicians have shown good progress in expanding their use of the decision support system to facilitate clinical and financial decisionmaking. However, many aspects of the department's IT environment remain troublesome. The department continues to report pervasive computer security challenges, including access and other general control weaknesses. Moreover, in pursuing critical information systems investments, the Veterans Benefits Administration has not addressed important concerns related to managing, defining requirements for, and testing software supporting the veterans service network compensation and pension replacement system initiative. These issues present continuing challenges to VA.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-02-703, Veterans Affairs: Sustained Management Attention Is Key to Achieving Information Technology Results
This is the accessible text file for GAO report number GAO-02-703
entitled 'Veterans Affairs: Sustained Management Attention Is Key to
Achieving Information Technology Results' which was released on June
12, 2002.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products‘ accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
Report to the Chairman, Subcommittee on Oversight and Investigations,
Committee on Veterans‘ Affairs, House of Representatives:
June 2002:
Veterans Affairs:
Sustained Management Attention Is Key to Achieving Information
Technology Results:
GAO-02-703:
June 12, 2002:
The Honorable Steve Buyer
Chairman, Subcommittee on Oversight and Investigations
Committee on Veterans‘ Affairs
House of Representatives:
Dear Mr. Chairman:
On March 13, 2002, we testified before the Subcommittee on the
Department of Veterans Affairs‘ (VA) continuing actions to address
critical weaknesses in its overall information technology (IT)
program.[Footnote 1] In brief, we noted that VA had made important
progress in raising corporate awareness of the department‘s IT needs
and in taking actions to improve key areas of IT performance.
Nevertheless, the department has significant work to accomplish in
order to use IT investments to improve mission performance. This report
officially transmits recommendations that we are making to the
Secretary of Veterans Affairs based on our work presented in our
testimony. Prior to the testimony, we discussed the results of our
review with VA officials, and they generally agreed with our findings.
We performed our work from June 2001 through March 2002, in accordance
with generally accepted government auditing standards.
In our testimony, we noted that VA had taken important steps in laying
the groundwork for an integrated, departmentwide enterprise
architecture--a blueprint for evolving its information systems and
developing new systems that optimize their mission value--by
establishing crucial executive support and a strategy to define
products and processes essential to its development. VA also had
strengthened its department-level information security program by
requiring greater management accountability from senior executives,
through mandated information security performance standards. In
addition, Veterans Health Administration (VHA) managers and clinicians
had shown good progress in expanding their use of the decision support
system (DSS) to facilitate clinical and financial decisionmaking.
However, we also testified that many aspects of the department‘s IT
environment remained troublesome. For example, we noted the need for
continued attention to instituting a sound program management
structure, including a permanent chief architect and an established
program office, to manage and advance the department‘s enterprise
architecture program. Further, VA‘s efforts to establish a
comprehensive information security management program required
additional work to ensure that the department‘s computer systems,
networks, and sensitive veterans health care and benefits data were
protected from unnecessary exposure to vulnerabilities and risks. The
department continued to report pervasive computer security challenges,
including access and other general control weaknesses.
Moreover, in pursuing critical information systems investments, the
Veterans Benefits Administration had not addressed important concerns
related to managing, defining requirements for, and testing software
supporting the veterans service network compensation and pension
replacement system initiative. In addition, as part of the government
computer-based patient record (GCPR) initiative, VA had achieved
limited progress in its joint efforts with the Department of Defense
(DOD) and Indian Health Service (IHS) to create an interface for
sharing data in their disparate health information systems. We noted
that the scope of the project increasingly had been narrowed from its
original objectives and that the initiative continued to proceed
without a comprehensive strategy. Finally, while VHA managers and
clinicians had continued to expand their use of DSS, VHA had not
selected a permanent director to provide consistent management and
oversight for the DSS program or fully staffed the DSS program office
to support the system‘s operation.
Collectively, these issues present continuing challenges for VA. It is
paramount that VA‘s leadership successfully address these matters in
order to achieve a more stable, reliable, and modernized systems
environment that can effectively support critical decisionmaking and
operations and to realize better overall returns on the department‘s IT
investments. To assist the Subcommittee in its oversight role and to
help the Secretary accomplish needed improvements, we are making
recommendations based on the findings reported in our March testimony,
which is reprinted in appendix I. In providing written comments on a
draft of this report, the Secretary of Veterans Affairs concurred with
our recommendations.
Recommendations for Executive Action:
Successful implementation of an enterprise architecture is essential
for effectively and efficiently engineering business processes and for
implementing and evolving their supporting information systems. Our
experience with federal agencies has shown that attempting to modernize
IT environments without an enterprise architecture to guide and
constrain investments often results in systems that are duplicative,
not well integrated, unnecessarily costly to maintain and interface,
and ineffective in supporting mission goals.[Footnote 2] We therefore
recommend that the Secretary take action to ensure that VA effectively
develops, implements, and manages its enterprise architecture by
instructing the department-level Chief Information Officer (CIO) to:
* expeditiously fill the position of chief architect with a full-time
permanent employee who has the requisite core competencies needed for
this position;
* immediately establish and adequately staff the enterprise
architecture program management office;
* ensure that all critical process steps outlined in the federal CIO
Council‘s suggested guidance[Footnote 3] on managing the enterprise
architecture program for (1) establishing management structure and
control, (2) developing a baseline enterprise architecture, (3)
developing a target enterprise architecture, (4) developing a
sequencing plan to move from the baseline to the target architecture,
(5) using the enterprise architecture to implement new projects, and(6)
maintaining the enterprise architecture[Footnote 4] are sufficiently
addressed and completed; and:
* integrate securities practices into the enterprise architecture.
Effectively securing VA‘s information systems and telecommunications
networks is vital to the department‘s ability to safeguard its assets,
maintain the confidentiality of sensitive veterans‘ health and
disability benefits information, and ensure the reliability of its
financial data. Without a complete, comprehensive, and fully integrated
computer security management program in place, VA will lack essential
elements required to protect the department‘s systems and networks from
unnecessary exposure to vulnerabilities and risks. We therefore
recommend that the Secretary take actions to complete a comprehensive
and secure information systems environment by instructing the CIO, in
conjunction with VA‘s cyber security officer, to:
* implement all actions needed to complete a comprehensive security
management program,[Footnote 5] including those related to (1) central
security management functions, (2) security policies and procedures,
(3) risk assessments, (4) security awareness, and (5) monitoring and
evaluating computer controls;
* develop a process for managing the department‘s updated security plan
to include collecting and tracking performance data, ensuring
management action when needed, and providing independent validation of
reported issues; and:
* regularly report to the Secretary, or his designee, on progress in
implementing VA‘s security plan.
We further recommend that the Secretary enforce management
accountability for information security by ensuring the consistent use
of the mandated information security performance standards when
appraising the department‘s senior executives.
VA‘s consistent and effective delivery of benefits payments is vital to
fulfilling its service delivery obligations to our nation‘s veterans.
Accordingly, successful implementation of a system to replace the
existing aging benefits delivery network is essential. We therefore
recommend that, before the Secretary approves any new funding for the
compensation and pension replacement system, he should ensure that
actions have been taken to address our long-standing concerns regarding
VBA‘s development and implementation of this system by directing the
Undersecretary for Benefits, in coordination with VBA‘s CIO, to:
* appoint and direct a project manger to develop an action plan for and
oversee a complete analysis of the current systems replacement
initiative, to include (1) assessing and validating users‘ requirements
for the new system to ensure that business needs are met and (2)
testing the system‘s functional business and end-to-end processing
capabilities to ensure that accurate and timely benefits payments are
made;
* finalize and approve a revised compensation and pension replacement
system strategy, based on the results of the analysis, and complete and
implement an integrated compensation and pension replacement project
plan;
* develop and implement an action plan to move VBA from the current to
the replacement system; and:
* develop and implement an action plan to ensure that the benefits
delivery network will be able to continue accurately processing
benefits payments until the new compensation and pension system is
deployed.
The original goal of the GCPR initiative was to provide VA, DOD, and
IHS health care providers the capability to electronically share
comprehensive patient information and thus improve the quality of care
for patients. With the narrowing of the original objectives and the
lack of a comprehensive strategy, GCPR‘s ability to deliver expected
benefits is in doubt. Moreover, VA still needs to implement the
recommendations from our April 2001 report,[Footnote 6] which called
for (1) designating a lead agency for the GCPR initiative and (2)
developing detailed plans for the remainder of the endeavor. To make
significant progress beyond the current strategy, we are additionally
recommending that the Secretary instruct the VHA undersecretary and VHA
CIO, in cooperation with DOD and IHS, to:
* revisit the original goals and objectives of the GCPR initiative to
determine if they remain valid and where necessary, revise the goals
and objectives to be aligned with the current strategy and direction of
the project; and:
* commit the executive support necessary for adequately managing the
project and ensure that sound project management principles are
followed in carrying out the initiative.
VHA‘s decision support system provides its managers and clinicians with
data on patterns of patient care and patient health outcomes, and
allows them to analyze resource allocation and determine the cost of
providing health care services. We recommend that the Secretary take
action to ensure continued progress in improving DSS operational
efficiency and effectiveness and the realization of full clinical and
financial benefits of the system by directing the Undersecretary for
Health, in conjunction with VHA‘s Chief Financial Officer, to:
* assign a permanent director to provide consistent management and
oversight of the DSS program; and:
* fill the existing vacant positions in the DSS program office with
individuals possessing the necessary skills to provide leadership and
program direction for the overall DSS program.
Agency Comments and Our Evaluation:
In providing written comments on a draft of this report, the Secretary
of Veterans Affairs concurred with our recommendations and stated that
the department has initiated a number of actions to address them. These
comments are reprinted in appendix II.
We are sending copies of this report to the Secretary of Veterans
Affairs and to the Director, Office of Management and Budget, as well
as to other interested parties. Copies will also be available at our
Web site at www.gao.gov.
If you or your staff have any questions concerning matters discussed in
this report, please contact me at (202) 512-6257, or Valerie Melvin,
Assistant Director, at (202) 512-6304. We can also be reached by e-mail
at:
mcclured@gao.gov and melvinv@gao.gov, respectively. Individuals making
key contributions to this report included Dave Irvin, Tonia Johnson,
Barbara Oliver, and J. Michael Resser.
Sincerely yours,
David L. McClure
Director, Information Technology Management Issues:
Signed by David L. McClure:
[End of section]
Appendix I: GAO‘s March 13, 2002, Testimony:
[See PDF for image]
[End of section]
Appendix II: Comments from the Secretary of Veterans Affairs:
THE SECRETARY OF VETERANS AFFAIRS WASHINGTON:
MAY 23 2002:
Mr. David L. McClure:
Director, Information Technology Team U.S. General Accounting Office:
441 G Street, NW Washington, DC 20548:
Dear Mr. McClure:
The Department of Veterans Affairs (VA) has reviewed your draft report,
VETERANS AFFAIRS: Sustained Management Attention is Key to Achieving
Information Technology Results (GAO-02-703) and concurs with your
recommendations. VA has actions underway and plans in development to
implement the General Accounting Office (GAO) recommendations.
In addition to the information VA has already provided GAO on the
actions taken in implementing the recommendations, it is worthy to note
the progress made to date on the Government Computer Patient Records
(GCPR) project. We believe the actions described in the enclosed fact
sheet address all outstanding recommendations on this project.
Improving the quality of VA‘s information technology services is a
critical factor in providing quality service to our Nation‘s veterans.
The recommendations contained in your report, once implemented, will go
a long way in helping VA enhance those services.
Thank you for the opportunity to comment on this draft report.
Sincerely yours,
Anthony J. Principi:
Signed by Anthony J. Principi:
Enclosure:
DEPARTMENT OF VETERANS AFFAIRS GOVERNMENT COMPUTER PATIENT RECORD
(GCPR) ACCOMPLISHMENTS:
VA and the Department of Defense (DOD) have revisited the original
goals and objectives of GCPR and established realistic goals and
objectives for the future as documented in a May 3, 2002 Memorandum of
Agreement (MOA) signed by VA‘s Deputy Secretary and the Under Secretary
for Personnel and Readiness, DOD. This MOA plus the plan for sharing
medical information covered by the MOA were recently forwarded to you
separately.
With respect to the issues raised in your April 2001 report on GCPR,
the following actions have been taken:
*VA is the agreed ’executive agent“ for GCPR, per the May 3, 2002, MOA,
*A dedicated project manager was assigned September 2001, and:
*Project management oversight is provided by VA‘s Chief Information
Officer (CIO) as described below.
-In September 2001, the CIO reviewed the GCPR Near Term Solution (NTS)
where a comprehensive testing schedule was developed to support the
deployment of GCPR by June 2002.
-A deployment readiness review was conducted on April 26, 2002.
-All actions from both reviews are complete.
-GCPR NTS will be operational on Memorial Day.
May 2002:
[End of section]
FOOTNOTES
[1] U.S. General Accounting Office,VA Information Technology: Progress
Made, but Continued Management Attention Is Key to Achieving Results,
GAO-02-369T (Washington, D.C., March 13, 2002).
[2] U.S. General Accounting Office, Information Technology: Enterprise
Architecture Use across the Federal Government Can Be Improved, GAO-02-
6 (Washington, D.C.: February 19, 2002).
[3] Chief Information Officer Council, A Practical Guide to Federal
Enterprise Architecture, Version 1.0 (Washington, D.C., February 2001).
[4] Some examples of key actions yet to be performed by VA in
developing, implementing, and using an enterprise architecture are
highlighted in table 1 of appendix I.
[5] The actions still needed are highlighted in table 2 of appendix I.
[6] U.S. General Accounting Office, Computer-Based Patient Records:
Better Planning and Oversight by VA, DOD, and IHS Would Enhance Data
Sharing, GAO 01-459 (Washington, D.C., April 30, 2001).
GAO‘s Mission:
The General Accounting Office, the investigative arm of Congress,
exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO‘s commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO‘s Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as ’Today‘s Reports,“ on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select ’Subscribe to daily E-mail alert for newly
released products“ under the GAO Reports heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. General Accounting Office
441 G Street NW,
Room LM Washington,
D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.
General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.
20548: