Veterans Affairs: Sustained Management Attention Is Key to Achieving Information Technology Results
GAO-02-703
Published: Jun 12, 2002. Publicly Released: Jun 12, 2002.
Skip to Highlights
Highlights
The Department of Veterans Affairs (VA) has made important progress in raising corporate awareness of the department's information technology (IT) needs and in taking actions to improve key areas of IT performance. Nevertheless, the department has significant work to accomplish in order to use IT investments to improve mission performance. VA has taken important steps in laying the groundwork for an integrated, departmentwide enterprise architecture--a blueprint for evolving its information systems and developing new systems that optimize their mission value--by establishing crucial executive support and a strategy to define produces and processes essential to its development. VA has also strengthened its department-level information security program by requiring greater management accountability from senior executives, through mandated information security performance standards. In addition, Veterans Health Administration managers and clinicians have shown good progress in expanding their use of the decision support system to facilitate clinical and financial decisionmaking. However, many aspects of the department's IT environment remain troublesome. The department continues to report pervasive computer security challenges, including access and other general control weaknesses. Moreover, in pursuing critical information systems investments, the Veterans Benefits Administration has not addressed important concerns related to managing, defining requirements for, and testing software supporting the veterans service network compensation and pension replacement system initiative. These issues present continuing challenges to VA.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Veterans Affairs | Successful implementation of an enterprise architecture is essential for effectively and efficiently engineering business processes and for implementing and evolving their supporting information systems. Attempting to modernize IT environments without an enterprise architecture to guide and constrain investments often results in systems that are duplicative, not well integrated, unnecessarily costly to maintain and interface, and ineffective in supporting mission goals. Therefore, the Secretary of Veterans Affairs should take action to ensure that VA effectively develops, implements, and manages its enterprise architecture by instructing the department-level Chief Information Officer (CIO) to expeditiously fill the position of chief architect with a full-time permanent employee who has the requisite core competencies needed for this position. |
Closed – Implemented
On March 23, 2003, the Department of Veterans Affairs filled the position of Associate Deputy Assistant Secretary for Knowledge Management (VA's chief architect) with a full-time, permanent employee. The chief architect has the requisite core competencies needed for this position, including demonstrated leadership skills, information technology background, and in-depth knowledge of VA's business lines. The chief architect will report to the VA chief information officer (CIO) and will be responsible for: (1) leading development of VA's enterprise architecture; (2) ensuring the integrity of architectural development processes and content of enterprise architecture products; (3) ensuring that system development efforts are properly aligned with program and business unit requirements; and (4) managing the enterprise architecture program.
|
| Department of Veterans Affairs | Successful implementation of an enterprise architecture is essential for effectively and efficiently engineering business processes and for implementing and evolving their supporting information systems. Attempting to modernize IT environments without an enterprise architecture to guide and constrain investments often results in systems that are duplicative, not well integrated, unnecessarily costly to maintain and interface, and ineffective in supporting mission goals. Therefore, the Secretary of Veterans Affairs should take action to ensure that VA effectively develops, implements, and manages its enterprise architecture by instructing the department-level CIO to immediately establish and adequately staff the enterprise architecture program management office. |
Closed – Implemented
The Secretary of Veterans Affairs concurred with this recommendation and took action to address it. The department established the Office of Enterprise Architecture Management under the Associate Deputy Assistant Secretary for Enterprise Architecture Management (who serves as the department's Chief Enterprise Architect). The office is responsible for managing the department's enterprise architecture project and has authority and accountability for the overall architecture, including leading development of enterprise architecture work products, ensuring the integrity of the architectural development process and the content of enterprise architecture products. To ensure timely and accurate delivery of enterprise architecture products, the office's scope of responsibility includes the key enterprise architecture management components of: (1) repository management; (2) data modeling; (3) technical standards; (4) business alignment; (5) configuration, change, and oversight management; (6) acquisition of funding; and (6) scheduling. Within the office, the Enterprise Architecture Service and the Solution Architecture Service, which support the office's program management and oversee the department's One-VA Enterprise architecture initiative, have been fully staffed.
|
| Department of Veterans Affairs | Successful implementation of an enterprise architecture is essential for effectively and efficiently engineering business processes and for implementing and evolving their supporting information systems. Attempting to modernize IT environments without an enterprise architecture to guide and constrain investments often results in systems that are duplicative, not well integrated, unnecessarily costly to maintain and interface, and ineffective in supporting mission goals. Therefore, the Secretary of Veterans Affairs should take action to ensure that VA effectively develops, implements, and manages its enterprise architecture by instructing the department-level CIO to ensure that all critical process steps outlined in the federal CIO Council's suggested guidance on managing the enterprise architecture program for (1) establishing management structure and control, (2) developing a baseline enterprise architecture, (3) developing a target enterprise architecture, (4) developing a sequencing plan to move from the baseline to the target architecture, (5) using the enterprise architecture to implement new projects, and (6) maintaining the enterprise architecture are sufficiently addressed and completed. |
Closed – Not Implemented
VA concurred with this recommendation and has made progress in establishing a management foundation and developing the processes and tools necessary to build its enterprise architecture; however, much work remains. Subsequent to our recommendation, GAO developed its Enterprise Architecture Management Maturity Framework (EAMMF-version 1.1) a tool to evaluate federal agency enterprise architecture efforts. The framework incorporates the critical process steps of the CIO Council's enterprise architecture guide, which we used to assess VA's enterprise architecture initiative in 2002. These steps are included in the framework's enterprise architecture core processes. Based on analysis of information on its enterprise architecture provided by VA as part of GAO's review of federal agencies' enterprise architecture efforts, which was completed in June 2006, we concluded that, overall, VA's enterprise architecture program satisfied the criteria to be at stage 1 (Creating EA Awareness). While we did note that some aspects of VA's enterprise architecture program satisfied several core elements of stages 2, 3, 4 and 5 of our framework, these were not sufficient to attain a higher stage of maturity.
|
| Department of Veterans Affairs | Successful implementation of an enterprise architecture is essential for effectively and efficiently engineering business processes and for implementing and evolving their supporting information systems. Attempting to modernize IT environments without an enterprise architecture to guide and constrain investments often results in systems that are duplicative, not well integrated, unnecessarily costly to maintain and interface, and ineffective in supporting mission goals. Therefore, the Secretary of Veterans Affairs should take action to ensure that VA effectively develops, implements, and manages its enterprise architecture by instructing the department-level CIO to integrate securities practices into the enterprise architecture. |
Closed – Implemented
VA concurred with this recommendation and integrated cyber security practices into version 4.0 of the department's enterprise architecture, which was released in 2005. These practices include discussion and requirements for continuity of operations (COOP), certification and accreditation, establishing critical infrastructure protection capabilities, and protecting VA's critical infrastructure. The integration of these security practices into VA's enterprise architecture should ensure that security is appropriately considered in system development efforts.
|
| Department of Veterans Affairs | Effectively securing VA's information systems and telecommunications networks is vital to the department's ability to safeguard its assets, maintain the confidentiality of sensitive veterans' health and disability benefits information, and ensure the reliability of its financial data. Without a complete, comprehensive, and fully integrated computer security management program in place, VA will lack essential elements required to protect the department's systems and networks from unnecessary exposure to vulnerabilities and risks. Therefore, the Secretary of Veterans Affairs should take actions to complete a comprehensive and secure information systems environment by instructing the CIO, in conjunction with VA's cyber security officer, to implement all actions needed to complete a comprehensive security management program, including those related to (1) central security management functions, (2) security policies and procedures, (3) risk assessments, (4) security awareness, and (5) monitoring and evaluating computer controls. |
Closed – Not Implemented
The Department of Veterans Affairs concurred with this recommendation. However, as GAO testified in June 2006 (GAO-06-866T), the department's efforts to date had been insufficient to fully implement the components of a comprehensive information security program.
|
| Department of Veterans Affairs | Effectively securing VA's information systems and telecommunications networks is vital to the department's ability to safeguard its assets, maintain the confidentiality of sensitive veterans' health and disability benefits information, and ensure the reliability of its financial data. Without a complete, comprehensive, and fully integrated computer security management program in place, VA will lack essential elements required to protect the department's systems and networks from unnecessary exposure to vulnerabilities and risks. Therefore, the Secretary of Veterans Affairs should take actions to complete a comprehensive and secure information systems environment by instructing the CIO, in conjunction with VA's cyber security officer, to develop a process for managing the department's updated security plan to include collecting and tracking performance data, ensuring management action when needed, and providing independent validation of reported issues. |
Closed – Not Implemented
The Department of Veterans Affairs concurred with this recommendation. However, as of our June 2006 testimony (GAO-06-866T), VA's actions to develop a management process for the department's security plan remained incomplete.
|
| Department of Veterans Affairs | Effectively securing VA's information systems and telecommunications networks is vital to the department's ability to safeguard its assets, maintain the confidentiality of sensitive veterans' health and disability benefits information, and ensure the reliability of its financial data. Without a complete, comprehensive, and fully integrated computer security management program in place, VA will lack essential elements required to protect the department's systems and networks from unnecessary exposure to vulnerabilities and risks. Therefore, the Secretary of Veterans Affairs should take actions to complete a comprehensive and secure information systems environment by instructing the CIO, in conjunction with VA's cyber security officer, to regularly report to the Secretary, or his designee, on progress in implementing VA's security plan. |
Closed – Implemented
In June 2002, the Department of Veterans Affairs (VA) established a process in which VA's Chief Information Officer (CIO) briefs the VA Deputy Secretary monthly on the department's progress in implementing its security plan. In addition, the department CIO began holding ad hoc discussions and briefings with the Secretary of Veterans Affairs covering information technology security issues. Further, in conjunction with Government Information Security Reform Act reporting requirements, the CIO reports quarterly to the Secretary on the department's computer security management efforts.
|
| Department of Veterans Affairs | The Secretary of Veterans Affairs should enforce management accountability for information security by ensuring the consistent use of the mandated information security performance standards when appraising the department's senior executives. |
Closed – Implemented
The Department of Veterans Affairs concurred with this recommendation and has taken significant actions to implement it. Recognizing the need to improve the department's cyber security following the theft of a VA personal computer, in June 2006 the Secretary of Veterans Affairs directed that responsibility for information security be included as a critical element of all VA senior executive performance plans, tying security, performance and plans in the executives' performance reviews to the amount of bonuses awarded to those individuals. To implement the secretary's requirement, VA's Office of Executive Resources has drafted a memorandum for the Deputy Secretary's signature that directs the information security requirements be included in the FY 2007 senior executives' performance plans. As a result, management's accountability for information security should be improved.
|
| Department of Veterans Affairs | VA's consistent and effective delivery of benefits payments is vital to fulfilling its service delivery obligations to our nation's veterans. Accordingly, successful implementation of a system to replace the existing aging benefits delivery network is essential. Therefore, before the Secretary of Veterans Affairs approves any new funding for the compensation and pension replacement system, he should ensure that actions have been taken to address long-standing concerns regarding the Veterans Benefits Administration's (VBA) development and implementation of this system by directing the Undersecretary for Benefits, in coordination with VBA's CIO, to appoint and direct a project to develop an action plan for and oversee a complete analysis of the current systems replacement initiative, to include (1) assessing and validating users' requirements for the new system to ensure that business needs are met and (2) testing the system's functional business and end-to-end processing capabilities to ensure that accurate and timely benefits payments are made. |
Closed – Not Implemented
The Department of Veterans Affairs concurred with this recommendation, but has not yet completed actions to address it. Although the VETSNET team reported that it has completed the certification of users' requirements for the system's applications to ensure that business needs will be met, the administration has not yet provided critical documentation as evidence of these certifications. In addition, although VBA has begun testing the system's processing capabilities at the Lincoln, NE and Nashville, TN, regional offices, this testing has thus far been limited to the current capabilities of the system. Because they are using a systematic/incremental approach to deploying all VETSNET capabilities, the program manager has indicated that they are unsure when all functionality will be tested. As of August 2006, VBA still has not completed development of all the functionality that is needed to process claims and therefore has not performed end-to-end testing. Until VBA ensures that users' requirements are fully validated and that the system's functionality is fully tested, it will lack assurance that accurate and timely benefits payments will be made to its beneficiaries.
|
| Department of Veterans Affairs | VA's consistent and effective delivery of benefits payments if vital to fulfilling its service delivery obligations to our nation's veterans. Accordingly, successful implementation of a system to replace the existing aging benefits delivery network is essential. Therefore, before the Secretary of Veterans Affairs approves any new funding for the compensation and pension replacement system, he should ensure that actions have been taken to address long-standing concerns regarding VBA's development and implementation of this system by directing the Undersecretary for Benefits, in coordination with VBA's CIO, to finalize and approve a revised compensation and pension replacement system strategy, based on the results of the analysis, and complete and implement an integrated compensation and pension replacement project plan. |
Closed – Implemented
The Department of Veterans Affairs concurred with GAO's recommendation and completed revisions to the replacement system strategy. This revised strategy included the business case for this project, described the methodology used to identify system development alternatives, displayed the cost/benefit analysis results of the viable alternatives that could be used to develop the system, and provided a description of the recommended development plan and supporting justification. The final version of the replacement strategy was presented for review and approval to the Department of Veterans Affairs, Assistant Secretary for Information and Technology at the System Development Approval Decision Review (known as Milestone II Review) on September 24, 2002. Based on this final replacement strategy, the Secretary of Veterans Affairs, Assistant Secretary for Information and Technology, the Under Secretary for Benefits, and the Deputy Chief Information Officer for Benefits approved the continuance of VETSNET development.
|
| Department of Veterans Affairs | VA's consistent and effective delivery of benefits payments if vital to fulfilling its service delivery obligations to our nation's veterans. Accordingly, successful implementation of a system to replace the existing aging benefits delivery network is essential. Therefore, before the Secretary of Veterans Affairs approves any new funding for the compensation and pension replacement system, he should ensure that actions have been taken to address long-standing concerns regarding VBA's development and implementation of this system by directing the Undersecretary for Benefits, in coordination with VBA's CIO, to develop and implement an action plan to move VBA from the current to the replacement system. |
Closed – Not Implemented
The Department of Veterans Affairs concurred with GAO's recommendation and, in December 2002, drafted the VETSNET Compensation and Pension Awards Deployment Strategy. However, as of August 2006 the document remains in draft and has not been approved by the Veterans Benefits Administration or the department. While the draft document includes a general, high-level timeline for system deployment, it does not include specific information regarding VBA's plans for transitioning from the current to the replacement system, such as rollout dates to each office location and a contingency plan in the event deployment activities fail. Thus, the department continues to lack a formal, approved action plan containing specific details on how VBA will move from the current to the replacement system.
|
| Department of Veterans Affairs | VA's consistent and effective delivery of benefits payments if vital to fulfilling its service delivery obligations to our nation's veterans. Accordingly, successful implementation of a system to replace the existing aging benefits delivery network is essential. Therefore, before the Secretary of Veterans Affairs approves any new funding for the compensation and pension replacement system, he should ensure that actions have been taken to address long-standing concerns regarding VBA's development and implementation of this system by directing the Undersecretary for Benefits, in coordination with VBA's CIO, to develop and implement an action plan to ensure that the benefits delivery network will be able to continue accurate processing benefits payments until the new compensation and pension system is deployed. |
Closed – Implemented
The Department of Veterans Affairs concurred with GAO's recommendation and has taken steps to ensure that the aging Benefits Delivery Network (BDN) can continue to accurately and promptly process the 3.5 million payments made each month to veterans and their dependents. Specifically, the Veterans Benefits Administration has (1) purchased additional BDN hardware, (2) hired 11 new staff members to support BDN operations, (3) successfully tested a contingency plan in the event of disruption of the system, and (4) provided retention bonuses to staff familiar with BDN operations to ensure the continued viability of the system. In addition, the Deputy Chief Information Officer for Benefits stated that these actions would allow the BDN to remain operational until the implementation of the replacement system.
|
| Department of Veterans Affairs | The original goal of the government computer-based patient record (GCPR) initiative was to provide VA, Department of Defense (DOD), and Indian Health Service (IHS) health care providers the capability to electronically share comprehensive patient information and thus improve the quality of care for patients. With the narrowing of the original objectives and the lack of a comprehensive strategy, GCPR's ability to deliver expected benefits is in doubt. Moreover, VA still needs to implement the recommendations from GAO's April 2001 report, which called for (1) designating a lead agency for the GCPR initiative and (2) developing detailed plans for the remainder of the endeavor. To make significant progress beyond the current strategy, the Secretary of Veterans Affairs should instruct the Veterans Health Administration (VHA) undersecretary and VHA CIO, in cooperation with DOD and IHS, to revisit the original goals and objectives of the GCPR initiatives to determine if they remain valid and where necessary, revise the goals and objectives to be aligned with the current strategy and direction of the project. |
Closed – Implemented
The Department of Veterans Affairs concurred with GAO's recommendation and reevaluated and revised the original goals and objectives of the GCPR initiative. A May 3, 2002, Memorandum of Agreement between VA and DOD established that the Federal Health Information Exchange (FHIE) would replace the Government Computer-Based Patient Record (GCPR) initiative. The FHIE near-term objective is to enable the transfer of protected electronic health information from DOD to VA on separated service members. As of mid-July 2002, all VA medical centers had access to data on over 1 million service personnel who separated between 1987 and 2001.
|
| Department of Veterans Affairs | The original goal of the government computer-based patient record (GCPR) initiative was to provide VA, DOD, and IHS health care providers the capability to electronically share comprehensive patient information and thus improve the quality of care for patients. With the narrowing of the original objectives and the lack of a comprehensive strategy, GCPR's ability to deliver expected benefits is in doubt. Moreover, VA still needs to implement the recommendations from GAO's April 2001 report, which called for (1) designating a lead agency for the GCPR initiative and (2) developing detailed plans for the remainder of the endeavor. To make significant progress beyond the current strategy, the Secretary of Veterans Affairs should instruct VHA's undersecretary and VHA's CIO, in cooperation with DOD and IHS, to commit the executive support necessary for adequately managing the project and ensure that sound project management principles are followed in carrying out the initiative. |
Closed – Implemented
The Department of Veterans Affairs concurred with GAO's recommendation and has committed the executive support necessary for adequately managing the project. It has also ensured that project management principles are followed in carrying out the initiative. Specifically, in May of 2002 VA and DOD signed a memorandum of agreement that designated VA as the lead entity in implementing the project and formally renamed GCPR the Federal Health Information Exchange (FHIE) Program. The role of the Indian Health Service (IHS) has since changed as well. IHS has withdrawn from participating in the first phase of FHIE, but plans are in place, in the form of a memorandum of understanding, for IHS to be involved with later stages of the FHIE initiative. VA has committed executive support for FHIE by way of monthly updates, given by the FHIE program manager, to the VA CIO, as well as quarterly updates to the joint VA/DOD Executive Council. In addition, VA procured and implemented project management software that is used to better track the assignment and status of project tasks and initiatives.
|
| Department of Veterans Affairs | VHA's decision support system (DSS) provides its managers and clinicians with data on patterns of patient care and patient health outcomes, and allows them to analyze resource allocation and determine the cost of providing health care services. The Secretary of Veterans Affairs should take action to ensure continued progress in improving DSS operational efficiency and effectiveness and the realization of full clinical and financial benefits of the system by directing the Undersecretary for Health, in conjunction with VHA's Chief Financial Officer, to assign a permanent director to provide consistent management and oversight of the DSS program. |
Closed – Implemented
The department agreed with this recommendation and, in March 2004, appointed a permanent director to oversee the DSS program. The DSS program director reports directly to the VHA chief financial officer and is responsible for, among other tasks, program oversight and direction for DSS, as well as management of all software development contracts for the program. As a result of this appointment, VHA has improved its management and oversight of DSS, which should help the agency realize the full clinical and financial benefits of this system.
|
| Department of Veterans Affairs | VHA's DSS provides its managers and clinicians with data on patterns of patient care and patient health outcomes, and allows them to analyze resource allocation and determine the cost of providing health care services. The Secretary of Veterans Affairs should take action to ensure continued progress in improving DSS operational efficiency and effectiveness and the realization of full clinical and financial benefits of the system by directing the Undersecretary for Health, in conjunction with VHA's Chief Financial Officer, to fill the existing vacant positions in the DSS program office with individuals possessing the necessary skills to provide leadership and program direction for the overall DSS program. |
Closed – Implemented
The department agreed with our recommendation. By January 2006 all key managerial positions in the office had been filled. With appropriate levels of skilled staff for the DSS Program Office, VHA should be able to continue increasing both efficiency and usage of DSS, and fully realize the benefits of the system.
|
Full Report
Office of Public Affairs
Topics
Enterprise architectureHealth care servicesInformation resources managementInformation securityInformation systemsInformation technologyInteragency relationsMedical information systemsMedical recordsPerformance measuresStrategic information systems planningSystems compatibilityInformation systems investments