This testimony discusses our work on information technology challenges at the Department of Veterans Affairs.
Despite spending over $4 billion annually on IT:
VA still doesn't have IT systems that fully support critical services—e.g., veterans health care, the Family Caregiver Program, and disability benefits.
Some VA IT management processes do not effectively implement federal IT acquisition law, making congressional oversight of IT acquisitions more difficult.
Cybersecurity management has weaknesses, which increase vulnerability to cyber threats.
VA health care and federal IT acquisitions are also on our High Risk List.
Photo of the Department of Veterans Affairs headquarters
What GAO Found
The Department of Veterans Affairs (VA) has made limited progress toward addressing information technology (IT) system modernization challenges.
From 2001 through 2018, VA pursued three efforts to modernize its health information system—the Veterans Health Information Systems and Technology Architecture (VistA). However, these efforts experienced high costs, challenges to ensuring interoperability of health data, and ultimately did not result in a modernized VistA. Regarding the department's fourth and most recent effort, the Electronic Health Record Modernization, GAO recently reported that the governance plan for this program was not yet defined. VA has not fully implemented GAO's recommendation calling for the department to define the role of a key office in the governance plans.
The Family Caregiver Program, which was established to support family caregivers of seriously injured post-9/11 veterans, has not been supported by an effective IT system. Specifically, GAO reported that, due to limitations with the system, the program office did not have ready access to the types of workload data that would allow it to routinely monitor workload problems created by the program. GAO recommended that VA expedite the process for identifying and implementing an IT system. Although the department concurred with the recommendation, VA has not yet fully addressed it.
VA had developed the Veterans Benefits Management System—its system that is used for processing disability benefit claims; however, the system did not fully support disability and pension claims, as well as appeals processing. GAO made five recommendations for VA to improve its efforts to effectively complete the development and implementation of the system. The department concurred with the recommendations but has implemented only one thus far.
VA has demonstrated uneven progress toward fully implementing GAO's recommendations related to key Federal Information Technology Acquisition Reform Act (FITARA) provisions. Specifically, VA has implemented all six recommendations in response to GAO's 2014 report on managing software licenses, leading to, among other things, savings of about $65 million over 3 years. However, the department has not fully addressed two recommendations from GAO's 2016 report on managing the risks of major IT investments. Further, the department has not implemented (1) two of four recommendations related to its effort to consolidate data centers and (2) GAO's four recommendations to increase the authority of its Chief Information Officer.
VA's management of cybersecurity has also lacked key elements. For example, GAO reported in May 2016 that VA had established numerous security controls, but had not effectively implemented key elements of its information security program. In addition, as GAO reported in March 2019, the department had not accurately categorized positions to effectively identify critical staffing needs for its cybersecurity workforce. VA has implemented three of six cybersecurity-related recommendations from these two reports.
Why GAO Did This Study
The use of IT is crucial to helping VA effectively serve the nation's veterans. Each year the department spends billions of dollars on its information systems and assets. However, VA has experienced challenges in managing its IT programs, raising questions about its ability to deliver intended outcomes needed to help advance the department's mission. To improve federal agencies' IT acquisitions, in December 2014 Congress enacted FITARA. GAO has previously reported on IT management challenges at VA, as well as its progress in implementing FITARA and cybersecurity requirements.
GAO was asked to summarize key results and recommendations from its work at VA that examined systems modernization efforts, FITARA implementation, and cybersecurity efforts.
To do so, GAO reviewed its recently issued reports and incorporated information on the department's actions in response to GAO's recommendations.
GAO has made numerous recent recommendations to VA aimed at improving the department's IT management. VA has generally agreed with the recommendations and has taken steps to address them; however, the department has fully implemented less than half of them. Fully implementing all of GAO's recommendations would help VA ensure that its IT effectively supports the department's mission.