
Veterans Affairs: Systems Modernization, Cybersecurity, and IT Management Issues Need to Be Addressed

GAO-21-105304 Published: Jul 01, 2021. Publicly Released: Jul 01, 2021.

Fast Facts

We testified about our work on the Department of Veterans Affairs' efforts to modernize its health information and financial IT systems, address cybersecurity, and more.

For example, although potential hurdles remain, VA made progress modernizing electronic health records. Three earlier efforts to modernize health information systems failed.

VA needs to do more to strengthen cybersecurity, such as determining and addressing the areas that pose the greatest risks. Although VA has implemented many of our recommendations, risks to sensitive information remain.

VA health care and federal IT acquisitions are on our High Risk List.



What GAO Found

The Department of Veterans Affairs (VA) has faced long-standing challenges in its efforts to deploy information technology (IT) initiatives in two critical areas needing modernization: the department's aging health information system, known as the Veterans Health Information Systems and Technology Architecture (VistA); and VA's outdated, non-integrated financial and acquisition management systems requiring complex manual work processes that have contributed to the department reporting financial management system functionality as a material weakness. Specifically,

  • GAO has reported on the challenges that the department has faced with its three previous unsuccessful attempts to modernize VistA over the past 20 years. In February 2021, GAO reported that VA had made progress toward implementing its fourth effort—a modernized electronic health record system. However, GAO stressed that the department needed to address all critical severity test findings (that could result in system failure) and high severity test findings (that could result in system failure, but have acceptable workarounds) before deploying the system at future locations.
  • In March 2021, GAO reported on the department's Financial Management Business Transformation, a program intended to modernize financial and acquisition systems. GAO found that VA had generally adhered to best practices in the areas of program governance, project management, and testing. However, the department had not fully met best practices for developing and managing cost and schedule estimates. GAO recommended that VA follow such practices to help minimize the risks of cost overruns and schedule delays.

GAO has also reported that VA has struggled to secure information systems and associated data; implement information security controls and mitigate known security deficiencies; establish key elements of a cybersecurity risk management program; and identify, assess, and mitigate the risks of information and communications technology supply chains. GAO has made numerous recommendations to VA to address these areas. Many of those recommendations have been addressed, but others have not been fully implemented.

VA has demonstrated mixed results in implementing key provisions of the Federal Information Technology Acquisition Reform Act (commonly referred to as FITARA). Specifically, VA has made substantial progress in improving its licensing of software, which led it to identify $65 million in cost savings. Further, it has made some progress in consolidating its data centers and achieving cost savings and avoidances. However, it has made limited progress in addressing requirements related to managing IT investment risk and enhancing the authority of its Chief Information Officer. Fully implementing the act's provisions would position the department to deliver better service to our veterans through modern, secure technology.

Why GAO Did This Study

The use of IT is crucial to helping VA effectively serve the nation's veterans. The department annually spends billions of dollars on its information systems and assets. Its fiscal year 2022 budget request is about $4.8 billion for its Office of Information and Technology and $2.7 billion for electronic health record modernization.

GAO was asked to testify on its prior IT work at VA. Specifically, this testimony summarizes results and recommendations from GAO's issued reports that examined VA's efforts in (1) modernizing VistA and its financial and acquisition management systems; (2) addressing cybersecurity issues; and (3) implementing FITARA. GAO reviewed its recently issued reports that addressed IT and cybersecurity issues at VA and followed up on the department's actions in response to recommendations.


GAO has made numerous recommendations in recent years aimed at improving VA's IT system modernization efforts, cybersecurity program, and implementation of key FITARA provisions. While VA has generally agreed with these, it still needs to implement many of the recommendations.



Business systems modernization, Chief information officers, Cost and schedule, Cost savings, Cybersecurity, Data centers, Electronic health records, Financial management, Health care, High-risk issues, Information security, Information systems, Information technology, IT investments, Risk management, Software, Software licenses, Supply chain management, Systems acquisition, Veterans