VA Information Technology:
Progress Continues Although Vulnerabilities Remain
T-AIMD-00-321: Published: Sep 21, 2000. Publicly Released: Sep 21, 2000.
Pursuant to a congressional request, GAO discussed the Department of Veterans Affairs' (VA) information technology (IT) program, focusing on VA's efforts to: (1) improve its process for selecting, controlling, and evaluating IT investments; (2) fill the chief information officer (CIO) position; (3) develop an overall strategy for reengineering its business processes; (4) complete a departmentwide integrated systems architecture; (5) track its IT expenditures; (6) implement the Veterans Health Administration's (VHA) Decision Support System and the Veterans Benefits Administration's (VBA) compensation and pension replacement project; and (7) improve the department's computer security.
GAO noted that: (1) overall, VA's IT investment decision-making process has improved, and it has started to implement recommendations GAO enumerated in May and August of this year; (2) further, VA is obtaining a full-time CIO now that the Administration has identified a candidate for the position; (3) however, the department no longer plans to develop an overall strategy for reengineering its business process to effectively function as "One VA," nor has it defined the integrated IT architecture needed to efficiently acquire and utilize information systems across VA; (4) in addition, VA lacks a uniform mechanism that readily tracks IT expenditures; (5) instead, VA's different offices use various mechanisms for tracking IT expenditures; (6) VHA's Decision Support System (DSS) and VBA's compensation and pension replacement project continue to face challenges; (7) as demonstrated in a survey to all Veterans Integrated Service Networks and medical centers directors, DSS is not being fully utilized; (8) in addition, while VBA plans to pilot test portions of its compensation and pension replacement system in January 2001, other key issues need to be addressed before the system can be fully implemented; (9) for example, VBA does not have a plan or schedule for converting data from the old system to the new system and exchanging data between the new system and other systems; (10) regarding computer security, VA has begun to address weaknesses identified by GAO and its Office of Inspector General; and (11) until it develops and implements a comprehensive, coordinated security management program, VA will have limited assurance that financial information and sensitive medical records are adequately protected from misuse, unauthorized disclosure, and destruction.