Hospital ADP Systems:

VA Needs To Better Manage Its Decentralized System Before Expansion

IMTEC-87-28: Published: Jul 24, 1987. Publicly Released: Jul 24, 1987.

Additional Materials:

Contact:

Melroy D. Quasney
(202) 275-4659
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

In response to a congressional request, GAO reviewed the Veterans Administration's (VA) Decentralized Hospital Computer Program (DHCP) system, which services 172 medical centers, to determine: (1) the status of the decentralized system; (2) VA effectiveness in managing the system's development and implementation; and (3) the possibility of using three commercial systems VA tested as alternatives to the decentralized system.

GAO found that: (1) the DHCP system did not adequately safeguard patient records from inaccurate data entry, unauthorized changes, or destruction, and permitted the creation of multiple patient records; (2) VA is planning a multimillion-dollar expansion of the system without an adequate analysis to determine the most cost-effective approach; and (3) although the test of three commercial systems does not provide an appropriate basis for comparison with the DHCP system, VA believes they are too expensive and are not viable alternatives.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: VA issued policy on software development controls, risk analysis, and contingency plans in October 1987. VA implemented an interim policy and began holding its management office accountable for it in February 1987.

    Recommendation: The Administrator of Veterans Affairs should report the lack of sufficient software development controls and continue to report the lack of risk analyses and contingency plans as material control weaknesses under the Federal Managers' Financial Integrity Act until: (1) appropriate software development controls have been implemented; (2) risk analyses, as well as needed corrected action identified by such analyses, have been completed for all computer centers; and (3) contingency plans have been developed, certified, and tested.

    Agency Affected: Veterans Administration

  2. Status: Closed - Implemented

    Comments: VA recognized and began holding its management office accountable for the existing and expanded DHCP system. VA is instituting procedures to: (1) collect cost-benefit data; (2) implement software controls; (3) track software/hardware problems and correct them; (4) implement new security policy; (5) restrict software release; (6) define data requirements; and (7) monitor computer capacity.

    Recommendation: The Administrator of Veterans Affairs should hold the Management Office accountable for ensuring that the existing and expanded DHCP system is effectively managed and adequately protected. At a minimum, this office should: (1) institute procedures to collect work-load and cost-benefit data on prototype modules at test sites; (2) implement controls to ensure that software is adequately tested, documented, and approved, and that software and hardware problems are systematically tracked and corrected; (3) implement appropriate internal controls to protect data, equipment, and facilities as required in Office of Management and Budget Circular A-130; (4) issue a policy to restrict release of DHCP software under the Freedom of Information Act; (5) ensure that the data requirements are defined and incorporated in the DHCP modules so that the data can be efficiently assessed by system users; and (6) establish policies and procedures for regular system monitoring and assessment.

    Agency Affected: Veterans Administration

 

Explore the full database of GAO's Open Recommendations »

Mar 2, 2021

Feb 3, 2021

Jan 29, 2021

Jan 19, 2021

Jan 13, 2021

Dec 16, 2020

Dec 9, 2020

Dec 3, 2020

Looking for more? Browse all our products here