Hospital ADP Systems:

VA Needs To Better Manage Its Decentralized System Before Expansion

IMTEC-87-28: Published: Jul 24, 1987. Publicly Released: Jul 24, 1987.

Contact:

Melroy D. Quasney
(202) 275-4659
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

In response to a congressional request, GAO reviewed the Veterans Administration's (VA) Decentralized Hospital Computer Program (DHCP) system, which services 172 medical centers, to determine: (1) the status of the decentralized system; (2) VA effectiveness in managing the system's development and implementation; and (3) the possibility of using three commercial systems VA tested as alternatives to the decentralized system.

GAO found that: (1) the DHCP system did not adequately safeguard patient records from inaccurate data entry, unauthorized changes, or destruction, and permitted the creation of multiple patient records; (2) VA is planning a multimillion-dollar expansion of the system without an adequate analysis to determine the most cost-effective approach; and (3) although the test of three commercial systems does not provide an appropriate basis for comparison with the DHCP system, VA believes they are too expensive and are not viable alternatives.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Administrator of Veterans Affairs should report the lack of sufficient software development controls and continue to report the lack of risk analyses and contingency plans as material control weaknesses under the Federal Managers' Financial Integrity Act until: (1) appropriate software development controls have been implemented; (2) risk analyses, as well as needed corrective action identified by such analyses, have been completed for all computer centers; and (3) contingency plans have been developed, certified, and tested.

    Agency Affected: Veterans Administration

    Status: Closed - Implemented

    Comments: VA issued policy on software development controls, risk analysis, and contingency plans in October 1987. VA implemented an interim policy and began holding its management office accountable for it in February 1987.

    Recommendation: The Administrator of Veterans Affairs should hold the Management Office accountable for ensuring that the existing and expanded DHCP system is effectively managed and adequately protected. At a minimum, this office should: (1) institute procedures to collect work-load and cost-benefit data on prototype modules at test sites; (2) implement controls to ensure that software is adequately tested, documented, and approved, and that software and hardware problems are systematically tracked and corrected; (3) implement appropriate internal controls to protect data, equipment, and facilities as required in Office of Management and Budget Circular A-130; (4) issue a policy to restrict release of DHCP software under the Freedom of Information Act; (5) ensure that the data requirements are defined and incorporated in the DHCP modules so that the data can be efficiently assessed by system users; and (6) establish policies and procedures for regular system monitoring and assessment.

    Agency Affected: Veterans Administration

    Status: Closed - Implemented

    Comments: VA recognized and began holding its management office accountable for the existing and expanded DHCP system. VA is instituting procedures to: (1) collect cost-benefit data; (2) implement software controls; (3) track software/hardware problems and correct them; (4) implement new security policy; (5) restrict software release; (6) define data requirements; and (7) monitor computer capacity.
