Statement of
Dr. John A. Gauss
Assistant Secretary for Information and Technology
Department of Veterans Affairs
Before the
Subcommittee on Oversight and Investigations
Committee on Veterans’ Affairs
U.S. House of Representatives
March 13, 2002
Good morning Mr. Chairman and members of the subcommittee.
On behalf of the Secretary of Veterans Affairs, I am pleased to
have this opportunity to come here today and update you on the
progress the Department has made in strengthening our Information
Technology program, and specifically address issues relating to:
- VA’s Enterprise Architecture;
- Cyber Security program;
- VBA’s VETSNET program;
- VHA’s Decision Support System; and,
- VHA’s Government Computer-Based Patient Records Program.
On April 4, 2001, the
Secretary appeared before this committee and gave you his personal
commitment to reform the way VA uses information technology.
He committed to:
- Developing a comprehensive integrated Enterprise Architecture that would end “stove-pipe” system design and incompatible system development;
- Ensuring that networks and systems we depend upon are secure and available;
- Conducting an independent audit of VETSNET to enable us to chart the proper course for future modernization of our Compensation & Pensions System; and,
- Standardizing the use of the Decision Support System (DSS) in VHA to support day-to-day business and management decision processes.
I am pleased to
report to you today that it is no longer “business as usual” in
VA’s information technology program.
With respect to Enterprise Architecture (EA), the Department
has selected a methodology known as the Zachman Framework to develop
and maintain its One-VA EA. This
methodology requires us to define all aspects of the VA Enterprise
from a business process, data, technical, location, personnel, and
requirements perspective. This has been accomplished.
The next step in implementing the Zachman methodology is to
define all functions related to each business process and identify
associated data elements. Once
identified, duplication of function and inconsistency in data
definition can be identified. The
hard job then follows to de-conflict the data definitions and resolve
duplicative implementations of the same business function.
This work is underway. Concurrent
with reconciling business functions and data definitions, we have
developed a technical implementation model for the future VA
Information Technology (IT) Enterprise and are completing the
development of a set of technical standards that will apply to all IT
projects. Some of these
standards will be based on open system commercial standards and some
of these standards will be based on individual products for those
cases where industry standards are immature or incomplete.
Companies in the
private sector that have successfully modernized their IT enterprises
have taken a two-pronged approach to their modernization.
First they modernized their IT infrastructure to provide a
network and computing environment capable of implementing
re-engineered business processes.
In parallel, they re-engineered their business processes,
modernized the IT used to implement those processes, and finally
implemented the IT on the modern, high performance, cost effective
infrastructure. These
commercial best practices are part of our overall strategy.
Enterprise Architecture imposes a discipline on how we manage
and implement our IT programs. Implementing
these disciplines will be accomplished in the near term; however,
completing the Zachman Framework for the entire VA enterprise will
take several years and will require modernization of several of our
major IT systems such as VistA.
Specific progress since the last hearing follows:
- The Department of Veterans Affairs “Enterprise Architecture: Strategy, Governance & Implementation” was approved in September 2001.
- The Information Technology Board (ITB), which is a critical element of the Enterprise Architecture Governance, was established in October 2001.
- VA’s ITB has chartered an Enterprise Architecture Council (EAC), and an Enterprise Architecture Working Group has been established.
- An Acting Chief Architect has been appointed. We are in the process of establishing and recruiting for a VA Chief Architect (SES level); and a program-staffing plan has been developed.
- The top-level definition of the VA enterprise has been completed.
- A technical model for the implementation of new IT projects has been defined.
- A comprehensive change in how we oversee the management of our IT Projects has recently been approved. This new oversight process will ensure that all new IT projects are developed in compliance with the Enterprise Architecture.
- A draft Enterprise Architecture Implementation Plan is under final review by my staff and will be approved by no later than 30 April 2002.
With respect to
ensuring that the networks and systems we depend upon are secure and
available, Cyber Security is another issue that has the Secretary’s
highest priority. In
order to effectively secure our networked information, we must
completely understand the topology of our data network.
Our current network is overly complex, too expensive for the
performance it provides, and does not have an enterprise wide network
management capability. This
complexity and lack of network management capability seriously impede
our ability to properly secure and assure network services.
Further, our current network infrastructure will not support
the modernization of our enterprise as previously discussed.
To correct these deficiencies, we have embarked on a project to
re-architect our data network and change the network from a
circuit-based network to a performance-based network.
The VA Strategic Management Council reviewed and the Deputy
Secretary has approved this project in concept. The detailed Business
Case Analysis, Cost Benefit Analysis, Return on Investment Analysis,
and Analysis of Alternatives are being developed. I anticipate these analyses will show that converting our
data network from a circuit-based network to a performance-based
network will:
- Simplify the complexity;
- Substantially improve performance in support of our EA efforts;
- Establish a network management capability;
- Significantly improve the security and assurance of service;
- Remain within the current data network budget; and,
- Be accomplished within the scope of the existing FTS2001 telecommunications contract managed by GSA.
As Secretary Principi
stated in his April 4, 2001 testimony, he takes the privacy and
security of the information VA collects on our veterans very
seriously. Since the last
hearing, our Office of Cyber Security has conducted a review of the
Department’s security posture, paying particular attention to the
findings of our Office of Inspector General (OIG) and the General
Accounting Office (GAO). As
a result of this review, we have established Department-wide
priorities for securing VA’s computing enterprise. Our first priority is securing VA’s boundary against
external attack. An
Enterprise Cyber Security project, approved for project initiation by
VA’s Strategic Management Council in February, was the first step in
meeting this priority.
This project will
coincide with the previously discussed data network project. As we transition to a performance-based network, we will
collapse the total number of gateways to external networks to a
manageable number while providing significantly increased security
protections at these gateways. Design
and implementation of this standardized architecture and configuration
will better protect VA’s information systems and internal critical
information repositories from external and internal attack.
This and our data network project are key components of our
approach to implementing a secure Enterprise Architecture and
correcting Cyber Security deficiencies noted by our OIG and the GAO.
Other major improvements in our Cyber Security posture include:
- Deployment of anti-virus software across the entire Department;
- Implementation of a VA-wide firewall policy to protect the boundaries of our enterprise from external attack;
- Development of an acquisition strategy to enhance VA’s existing central incident response capabilities, thereby ensuring immediate and effective action to counter such threats as the recent Code Red virus attack;
- Development of a comprehensive Certification and Accreditation policy to ensure that IT systems undergo a rigorous security review prior to being authorized to process sensitive information; and
- Deployment of several intrusion detection system pilot projects, which will serve as components of the Enterprise Cyber Security Infrastructure Project, to detect when external sources are attempting to intrude our networks so that proper defensive measures can be taken to protect the confidentiality of veteran data.
Since completing the
GISRA self-assessment survey last August, the Department has
aggressively pursued remediation of its reported information
technology security deficiencies.
Remediation of many of these deficiencies has increased our
compliance with security requirements considered essential in ensuring
data integrity, confidentiality, and sensitivity.
Concerning VETSNET,
as you are aware, VBA embarked on a path to modernize and integrate IT
used to support all of their business lines in the mid 1990s; however,
they embarked on this path without the benefit of creating an
Enterprise Architecture with its associated disciplines.
When this “grand design” was found to be too hard to
execute in the late 1990s, VETSNET became the name applied to the
development and modernization of IT used to support the Compensation
& Pension (C&P) program.
VETSNET became a set of independently developed applications
that, when fully fielded, would replace the Benefits Delivery Network
(BDN). Many of these
VETSNET applications have been fielded.
Development activities remain on two applications required to
replace BDN.
This past summer,
Secretary Principi directed an independent audit of VETSNET to
determine if the entire collection of VETSNET applications would be
capable of operating under a full workload if deployed in all of
VBA’s Regional Offices (ROs). This
audit examined the overall architecture of VETSNET and included a set
of stress tests to determine if the system could perform as required.
The results of this audit determined that the system would be
capable of performing acceptably, in a fully loaded environment, once
several changes are made to the system.
This audit did not include a comprehensive set of functional
tests to determine if each function performed as designed.
As a result of this
audit, I directed VBA’s CIO to develop a comprehensive plan to bring
VETSNET into compliance with the Enterprise Architecture to include
completing the two remaining VETSNET, or C&P Replacement,
applications; implementing the changes recommended from the
independent audit; performing detailed functional testing of all
VETSNET applications; and conducting a comprehensive stress test to
ensure all changes are implemented correctly. FY2003 and FY2004 funding will be used to complete this
effort. I anticipate
these actions will be completed in April 2004.
Actual deployment of VETSNET (C&P Replacement) will be
determined as a function of when VBA can afford to insert a new system
into the ROs, with the companion learning curve, such that the impact
on working off backlogged claims can be effectively managed.
I know this is a very
sensitive issue and I will personally oversee progress to ensure
VETSNET meets the projected time line.
Should this effort proceed with the same problems of its past,
I will recommend to the Secretary that the effort be terminated.
With respect to the
Decision Support System (DSS), we have made significant strides to
improve data quality and access.
Combining clinical and financial information from existing data
systems into an integrated database to support informed
decision-making, DSS serves all VA Medical Centers and about 800
Outpatient Clinics. Not
only does the system continue to provide critical data for making
informed decisions for planning, programming and budgeting, DSS also
aids in patient care process improvement and quality control.
A DSS Steering
Committee, comprised of field representatives and chaired by a
Veterans Integrated Service Network (VISN) Director, serves as VHA’s
advisory body to ensure field requirements are identified and
considered as functional upgrades.
Further, this steering committee works to achieve standard
operation of DSS across all of VHA.
Much progress has
been made in achieving VHA-wide standardization in the way DSS is
utilized; however, this is still work in progress that is being
addressed through improved staff training.
We have identified numerous Centers of Excellence for DSS
application that will impart best practices across all of VHA.
I recently conducted
a post implementation review of DSS.
During that review, I directed VHA’s CIO to develop a
proposal for modernizing DSS to address several noted deficiencies for
consideration in the FY2004 budget submission.
DSS was developed in late 1980s technology and is therefore
very expensive to operate, maintain and implement new functions
identified by the DSS Steering Committee.
Further, since DSS was developed prior to the definition of
today’s cyber security requirements, DSS was not designed with the
proper level of cyber security protection. Considering all of these factors, it is worth developing a
Business Case, performing an Analysis of Alternatives and determining
the possible return on investment for a potential FY2004 modernization
project.
With respect to the
Government Computer Patient Records (GCPR) program, we have re-baselined
and re-scoped the program to address issues identified in a 2001 GAO
report. The re-baselined
GCPR program uses a VA application called the Computer Patient Record
System (CPRS) as a fundamental building block.
CPRS enables a clinician to access clinical data from any VA
health facility. GCPR is
a database that receives DoD clinical data (but not physician notes).
CPRS is the application that will enable VA to import clinical
data from the GCPR database in addition to clinical data available
within VA as previously described.
GCPR is in the final stages of field-testing.
As part of the test program, DoD has completed transmitting
health information on approximately 3.7 million records on separated
service members to GCPR (note: a separated service member may have
more than one record if treated at more than one military health
facility). Within the
next few weeks, I will chair a review of the test results to determine
whether or not the first phase of GCPR is ready for deployment.
Future investment in GCPR will enhance functionality based on
clinician feedback once operational.
This implementation
of GCPR addresses only part of the ultimate solution of medical
information sharing with DoD. We
are currently working closely with DoD to determine the correct path
for the future. We need
to address matters of data standardization, technology sharing, and
the establishment of interoperable data interfaces.
Mr. Chairman, I am
very concerned about two other areas in addition to what I have
presented to you today.
- First, we need to reverse the trend in IT spending in two different areas. Our overall IT budget continues to grow. Even more troubling is the sustainment costs to operate and maintain in-service IT systems as a percentage of the overall budget. For example, 62% of our current FY 2002 budget is earmarked for sustainment. As the current systems continue to age, we can expect the percentage of our IT dollars that we spend for maintaining the current state to increase dramatically. As we formulate the IT budget for FY2004, we will develop a five-year strategy to reverse these two trends of IT spending.
- Second, just like other agencies, our IT workforce is aging, with a large percentage nearing retirement. To address this issue, I have launched an aggressive IT Workforce Initiative to develop and implement a plan for evolving the workforce, recruiting new people, training current employees with modern skills, and managing workforce sustainment and succession. In addition to the business and technical elements of the Enterprise Architecture, this workforce initiative will complete the last critical element of the Enterprise Architecture.
I hope I have provided some insight as to why it is no longer
“business as usual” at VA. I
believe these efforts demonstrate our very strong commitment, at all
levels, to building an effective information technology program for
the long-term. I also
hope to establish confidence that we will be successful in
implementing a comprehensive, coordinated, and efficient IT program
within the Department. With
your assistance, we will be able to continue on this path forward to
ensure our continued ability to service the health and benefit
requirements of our veteran population and their dependents.
Thank you for this
opportunity to discuss these very important IT issues.
I will be happy to answer your questions.