Robert P. Bubniak.
Acting Principal Deputy Assistant
Secretary for
Information and Technology
Department of Veterans Affairs
Before the
Subcommittee on Oversight and
Investigations
Committee on Veterans' Affairs
U.S. House of Representatives
September 21, 2000
Good morning, Mr. Chairman and members of the
Subcommittee. I am pleased to testify before you today to discuss the
Department of Veterans Affairs' Information Technology programs.
On June 25, 1998, the decision was made by the
Secretary to separate the Chief Information Officer (CIO) function
from the Chief Financial Officer and create a new Assistant Secretary
position to assume the duties of the CIO. The entire organization of
the Deputy Assistant Secretary for Information Resources Management
was realigned under the new Assistant Secretary. The new office was
activated on July 1, 1998, with the assignment of a Principal Deputy
Assistant Secretary. On June 1, 2000, the Principal Deputy Assistant
Secretary retired and on June 2, 2000, Secretary Togo D. West, Jr.
appointed me Acting Principal Deputy Assistant Secretary for
Information and Technology and Acting Chief Information Officer for
the Department. Until the appointment process for a new Assistant
Secretary is completed, the Acting Principal Deputy Assistant
Secretary is the Acting CIO. This separation of CFO and CIO duties
permits the appropriate emphasis on the Department's information and
technology issues, which are keys to improving service to veterans.
I'd like to bring you up to date on some of VA's
major initiatives.
VA IT ARCHITECTURE
The Department of Veterans Affairs is committed to
the development and full implementation of a Department-wide
Information Technology Architecture. We do not expect this to be easy.
VA has three (3) distinct Administrations, each with its own
particular mission and large, legacy information systems. We have done
many studies in the past aimed at coordinating or combining these
stovepipe management information systems, all with little success.
However, with the Acting Secretary's emphatic insistence on One VA, we
are beginning to see more cooperation among the Administrations.
As a first step in developing an Information
Technology Architecture (ITA), VA completed a Technical Reference
Model and Standards Profiles in May 1999. VA is now developing the
Enterprise Architecture to complete the ITA. An Enterprise
Architecture is the explicit description of the current and desired
relationships among business and management processes and information
technology (IT). It will describe the "target" environment
VA wishes to create and maintain by managing its IT portfolio. The
Enterprise Architecture will be a tool used to enable VA to transition
from the current to the targeted IT environment. We intend to create a
status management capability to track our progress from the current
environment to our target environment.
A cross-organizational workgroup, comprised of both
business operations and information technology staff from each of the
Administrations and staff offices, was approved by the VA's CIO
Council to guide the development of the enterprise architecture and to
ensure that the architecture fully integrates VA business processes
and technology so that it truly reflects One VA. VA's Administrations
and staff offices have been solicited for workgroup representatives.
At the May House Veterans' Affairs Committee
oversight hearings, VA's then Acting CIO agreed to provide Congress
with a plan for developing the Enterprise Architecture. In August
2000, VA provided a white paper, which described the plan and steps to
be taken, a statement of work for contractor support, and a milestone
chart with estimated completion dates. At that time financial data on
information technology expenditures for the last five (5) years was
also provided.
VA INFORMATION SECURITY
During the past sixteen months, VA has pursued an
aggressive security improvement program that focuses attention on
security in our capital investment planning and project approval
processes. But most importantly, we created a durable central security
organization, whose program model is a continuous process based on
risk management principles endorsed by the General Accounting Office
(GAO).
We want to assure you that VA does not underestimate
the challenges we face to achieve adequate security in all six of the
general control areas against which GAO measures any agency's
security. We accept Congressman Horn's grade of a D as a rebuke and a
wake up call. We are committed to changing that grade to an A as soon
as possible. We have much work to do in the areas of access controls,
application software development and change control, personnel
controls, system software controls, and service continuity controls.
And, of course, we must cultivate the security program management
groups at the Department and component office levels that are the
catalysts for improving all these controls.
Like many agencies, VA let the fast pace of the
Internet and other computer innovations outstrip our attention to, and
investment in, security practices. So we now have much catching up to
do. We have experienced some of the same embarrassments as other
agencies – defaced public web sites, sluggish reaction to virus
attacks, and so forth. We appreciate the value of the comprehensive
audit results we have from GAO and our Inspector General. These audit
results are tangible evidence of how much work we have to do. But they
also give us an excellent perspective on just what and where the
problems are.
So we are now acutely aware that an underlying cause
of our present security posture is that we had not instituted a
management approach that proactively attacks risk at its roots.
Instead, there was a tendency to react to individual audit findings,
with little ongoing attention to systemic causes of weaknesses. Since
we strengthened central security management in 1999, improvements have
been pursued within a risk management framework, and will continue to
be pursued in that way.
A variety of initiatives are already completed or
underway in formal risk assessment, policy development, controls
implementation, and awareness and training programs. Efforts are
pursued from a Department-wide perspective, and concentrate on areas
where consistency, balance, and economies of scale across the
Department are essential to good security.
In just the last year, we contracted for, and
completed, an independent VA-wide risk assessment. We vetted and
issued policies in the areas of password strength, dial-in
connections, anti-virus controls, and employees' personal use of
government office technology. These were some policy areas of greatest
concern based on existing audit findings. In addition, we now operate
a VA-wide critical incident response operation that is VA's nerve
center for rapid and coordinated action against virus outbreaks,
network attacks, E-mail storms, or other kinds of security incidents.
We are investing real dollars in the development of
a formal system certification and accreditation program to prevent a
future generation of security-starved systems. We are also investing
real dollars in awareness tools and events, and in a detailed
curriculum of training for our security officers. For example, last
June we broadcast live by satellite television into every VA facility
a two-hour management panel titled "Information Security -- The
High Cost of Management Apathy".
In the area of technical controls, we are laying the
groundwork now for significant capital investments next year in major
security infrastructures -- including public key infrastructure,
biometric controls, intrusion detection, and better virus protection.
These capital investments are embodied in an FY 2001 capital
investment initiative approved by the Secretary last year in the
amount of $17.5 million. This level of commitment to funding an
agency's central security management is probably unprecedented in the
civilian agency sector.
Because these efforts are now undertaken by a
central security management office, scarce security resources in the
Administrations and Staff Offices can now concentrate on internal
compliance measurement, which by its nature demands inside change
agents to overcome cultural and political barriers. We are very
excited about what we are doing on information security, and do not
plan to lose this momentum in the coming months.
I have begun investigation into the creation of a
Senior Executive Service level position to head the Department's IT
Security Program. This senior position would serve as the CIO's
management advisor and senior consultant regarding development,
publication and implementation of Department-wide information security
standards, policies and guidance, as well as coordination and
integration of all aspects of VA's cyber, telecommunications and
information security program.
SMART CARD
During the One VA conferences, discussion focused on
providing veterans a Smart Card that would contain veteran-specific
information. This information would be contained on a card the size of
a credit card. The concept is that a veteran could use this card to
obtain expedited services at any VA facility. For example, by using
the Smart Card, veterans would not have to repeatedly fill out the
same forms concerning eligibility and income information each time
they visited a new medical facility or regional office. The card will
have critical medical data such as blood type, known drug allergies,
etc. The Acting Secretary is fully supportive of the Smart Card
concept and has expressed his desire to have Smart Card functionality
in place at VA.
The Veterans Health Administration (VHA), working
closely with the Office of Information and Technology, was charged
with taking the leadership role in combining the business needs of the
VHA, the Veterans Benefits Administration (VBA), and the National
Cemetery Administration (NCA) in implementing a Department-wide common
Smart Card. A VA Smart Card Steering Committee and the VA Smart Card
Project Management Team have been established to finalize plans and
ensure effective acquisition and implementation. We are working
together as One VA to develop the plans, requirements, and resources
for a One VA Smart Card for America's veterans.
On August 31, 2000 a Smart Card proof-of-concept
demonstration was conducted for the Acting Secretary and Veterans
Service Organizations representatives. The demonstration showed how
the Smart Card could support express registration to save time for the
veteran and the VA staff while improving data quality. The
demonstration also showed how a veteran using a kiosk could digitally
sign forms using keys securely carried on the card. Our goal is to
launch an initial implementation of the VA Smart Card in Veterans
Integrated Service Network (VISN) 2 and VISN 12 during January 2001 and
begin national implementation by January 2002.
GAO Report on VA's IT Programs
We have achieved much progress in addressing GAO's
recommendations, particularly in our information technology review
process. The Department will continue to strengthen its capital
investment planning, make improvements to streamline the process while
continuing to capture information needed to make informed investment
decisions. We also recognize that VA faces real challenges, including
those GAO identified.
When the Secretary decided in 1998 to establish an
independent CIO function, the Department moved swiftly to realign its
resources to support that decision. Since then the Principal Deputy
Assistant Secretary for Information and Technology has served in the
CIO capacity, spearheading the Department's efforts to streamline and
integrate itself to a One VA posture that provides seamless service to
our nation's veterans. While we have yet to achieve that vision, we
continue to make strides towards this end. Our efforts in building an
enterprise architecture and mature capital investment process are key
strategies to achieving this vision.
Decision Support System (DSS)
DSS, which was implemented nation-wide in July 1998,
is a medical center-based cost distribution program used to produce
management information for VHA decision-makers. It directly supports
the management of VHA facilities by providing workload, patterns of
care and clinical outcomes information linked to resource consumption
costs associated with health care processes. In an evolving
competitive health care environment, DSS is aimed at improving
procedures and practices while lowering costs of care at VHA
facilities. As of August 31, 2000, 139 of 140 sites are processing FY
2000 data. The remaining site is on an accelerated plan to come up to
the standards of the rest of the system.
Decision Support System (DSS) is a critical
information system for effectively managing at the clinic, medical
center, VISN and headquarters levels. While implementation has been
slower than projected, the system is now in place.
DSS differs from other existing VA databases in that
it integrates selected elements from each episode of care, resource
allocation and clinical procedure into a longitudinal format. This
allows statistical outcomes comparison amongst VHA facilities on key
data elements, including fiscal, care descriptors and resources per
episode of care. Using this information, DSS allows VHA management to
analyze and compare workload and cost data in great detail. It also
allows medical centers to perform product line analyses, modeling,
clinical performance measurement and clinical quality management.
DSS supports VA's quality improvement initiatives by
providing information systems support for outcome-based performance
measures that document the effectiveness of the health care delivery
process. The combination of observations relating patient care
outcomes (quality) with resource utilization information (cost) can
facilitate understanding of the value of health care services provided
by the VA medical centers.
DSS supports a) budgeting and planning for medical
centers; b) VISN resource distribution to medical centers; c)
productivity analysis; d) outcome measurement based performance and
effectiveness of health care; e) benchmarking for VA comparative
aggregate data at network or national levels; and others.
Significantly, in August 2000, the Acting Under Secretary for Health
made the decision to transfer DSS to the Office of the Chief Financial
Officer to be used as a replacement for the workload distribution
engine for the Veterans Equitable Resource Allocation (VERA) system.
Initially, DSS was envisioned to be an individual
medical center based system. As VHA evolved toward a more VISN-centered
management model, different VISN and national reporting requirements
were identified. Additionally, the degree of standardization required
for VISN and national reporting and decision support added complexity
to the implementation.
During implementation, a number of issues arose
which still require additional attention. DSS is being asked to do
corporate roll-ups of information that are beyond what the original
software was intended to do. Our people are finding that
loading data into DSS is proving to take a lot of work and very
careful attention. Further, DSS is not yet sufficiently user-friendly
to make it as valuable as it needs to be to managers at all levels.
But let me be very clear. We are strongly committed to
a decision support system that helps us effectively manage the
veterans health system at all levels. Managers need these tools and
they need to use these tools.
VHA leadership and the DSS Steering Committee are
working hard at improving the standardization and ease of use of this
critical management support tool. At the same time, we are looking
carefully at what is the best long term approach to ensuring that a
user-friendly and effective decision support system is available to
and used by all of our managers. We know this is an issue of high
interest to the Committee and we will work closely with the Committee
to ensure a decision support system is in place and effectively used.
Veterans Health Information Systems and Technology
Architecture (VistA)
VHA operates the largest centrally directed health
care system in the United States made up of 172 medical centers, 341
Congressionally approved community based clinics, 134 nursing homes,
and 41 domiciliaries. The operational support backbone is the Veterans
Health Information Systems and Technology Architecture
(VistA) system. VistA is a combination of
more than 130 health care applications that have evolved over time.
Let me provide more detail about the evolution of this environment.
In 1982, VHA committed to building an electronic
health care architecture called the Decentralized Hospital Computer
Program (DHCP). The focus of this program was the implementation of
software applications that were easily integrated into a complete
hospital information system. VA began developing applications using
VHA programmers who worked directly with user groups in software
prototyping environments.
In 1996, DHCP went through a major modernization.
The existing processing architecture was overhauled to utilize
state-of-the-art client server technology, and the applications were
modified to utilize intelligent workstations using Graphical User
Interface (GUI) conventions. This major renovation signaled the
beginning of VistA, a rich automated environment that
supports the day-to-day operations at VHA health care facilities. In
addition, VistA includes necessary links that allow
commercial off-the-shelf software and products to be used with
existing and future technologies.
VistA incorporates
all of the benefits of DHCP as well as an array of commercial and
other information resources that are vital to the day-to-day
operations at VHA medical facilities.
VHA's goal for VistA is to improve the
quality and timeliness of health care service provided to veterans. To
meet this goal, VHA has established standard criteria for the design,
development, and implementation of software. The criteria are:
a) all software developed and implemented
throughout the VHA medical care system must be standardized and
able to be exported to all VA medical facilities;
b) all software must be technically integrated
using a common database, programming standards and conventions,
and data administration functions;
c) all software must use standard data
elements;
d) all software must allow timely access to
data;
e) all software must avoid dependence on a
single vendor; and,
f) all software must have system integrity and
protect data against loss and unauthorized change, access, or
disclosure.
VistA, starting
with DHCP, was developed some 20 years ago and represented a major
breakthrough in providing a strong information system dedicated to
providing quality health care and managing the medical centers. For
all these years, DHCP and, more recently, VistA has
carried a heavy load and done it well. We have the intellectual
capital, amongst VA and our private sector partners, and the system
underpinnings to deliver a much stronger information system for the
future.
Today, it is a system that must become much more
flexible for it to support a mobile veteran population or
manage at the VISN and national levels. While some parts are up
with current developments in information technology or are state of
the art, other parts are not.
Today and for the future, the requirements placed on
a veterans health information system are increasing and at a faster
pace. For the future, VistA will need to evolve into an
information system that makes an individual veteran's health
information available any time, any place, to any authorized health
care provider and in real time. It needs to be an information system
that is flexible, can change quickly, incorporates the latest provider
and management applications, and uses the power of the web to support
veterans and health care providers. It also needs to be fully
integrated with our efforts to establish One VA.
VHA's IT strategic vision focuses on expanding VistA
to become a veteran's information resource, with the health record
owned by the veteran and used in partnership with the veterans health
system doctors, nurses, pharmacists and other providers. The VHA CIO
is working with national leadership to translate the strategic vision
into an operational plan.
Information is such a powerful tool to help us
improve veterans health. It is incumbent upon us to use the best
information system available to ensure the best health care for and
maximize the health of our veterans.
VETSNET
VETSNET is an integrated information system designed
to meet the critical needs of veterans and their families and/or
beneficiaries who receive benefits and services from VBA. The initial
phase of VETSNET created an infrastructure and then focused on
replacement of the Compensation and Pension (C&P) payment systems.
During the last several months, VBA has conducted a
series of planning summits to identify and plan for essential steps
required for successful VETSNET C&P implementation. As a result of
these summits, a wide number of VETSNET C&P sub-projects have been
identified and project team leaders assigned responsibilities for each
of these areas.
On June 12, 2000, VBA established a VETSNET
Implementation Project Management Office (IPMO) to facilitate
information exchange and coordination between all the VETSNET project
teams and to serve as the focal point for the VETSNET project. The
Director of the VETSNET IPMO is the same individual (Sally Wallace)
who led VBA's successful Year 2000 (Y2K) conversion effort, and VBA is
following the same model that was used for the Y2K initiative.
The VETSNET IPMO is currently in the process of
developing an integrated project management plan with proposed costs
and milestones. Project management methodology is currently being
emphasized throughout VBA, and the IPMO is applying this technique to
ensure that the application development and implementation remain on
track. Additionally, the VETSNET IPMO is in the process of updating
the VETSNET Capital Investment Plan to incorporate implementation and
deployment costs and activities.
Both VETSNET and VistA users can now access shared
veteran information through an intranet application that is capable of
capturing data from the Beneficiary Identifier and Records Locator
System (BIRLS) and the Benefits Delivery Network (BDN) and displaying
the data in a web browser environment. This new tool is called
Intranet BIRLS/BDN Access (IBBA). IBBA is a tool which was developed
by VBA with support from VHA. IBBA accesses VBA's key benefits
information systems. It works through a standard web browser on any
personal computer (PC) connected to the internal VA communications
system. Inquiries are sent through the system, through a security
application and routed to the appropriate database. A snapshot of the
requested information is taken and returned to the browser screen.
Appropriate personnel in each of VA's Administrations and the Board of
Veterans' Appeals were given access to IBBA in a phased approach
during June, July and August, 2000. VA is starting to build One VA
with IBBA.
CONCLUSION
Mr. Chairman, we know that we have problems. We know
that we are not where we need to be, particularly in the areas of IT
Security and our IT Architecture; but we are making progress toward
One VA.
Mr. Chairman, that concludes my statement. My
colleagues and I will be happy to respond to any questions you may
have.