Witness Testimony of Ben J. Davoren, M.D., Ph.D., San Francisco Veterans Affairs Medical Center, Director of Clinical Informatics, Veterans Health Administration, U.S. Department of Veterans Affairs
Good morning Mr. Chairman and members of the Committee. Thank you for this opportunity to provide my personal perspective of the Veterans Affairs Office of Information & Technology (OI & T) reorganization that began in 2005. The views that I present today are my own and do not necessarily represent the views of the VA Medical Center San Francisco, Veterans Integrated Service Network (VISN) 21, or the Veterans Health Administration.
I would like to preface my testimony with VHA and OI &T’s mutual goals, and principles in the facilitation of the reorganization. In addition, the testimony will discuss realignment concerns I believe were voiced from the field in 2005, my views of the impact of the realignment on Veterans Health Administration’s (VHA) missions, and the regional computer system downtime of August 31, 2007, as a paradigm.
Mutual Goals and Principles
As described in a GAO interim report of June 2007, the primary goals of the OI&T reorganization was to centralize IT management under a department-level Chief Information Officer, to standardize operations, and the development of systems across the Department using new management processes based on industry best practices. The VA Inspector General reported that the lack of a centralized structure was a major impediment to successful IT management. Events related to the loss or potential loss of sensitive information reinforced VA’s need to reorganize IT, especially in terms of data security processes.
The OI & T stated principles for the reorganization process were that:
- A single IT leadership management system would facilitate achievement of enterprise strategic objectives, standardization, compatibility, interoperability, and fiscal discipline;
- A process-focused organization and IT management system would be aligned with best practices for IT processes, roles, metrics, and governance;
- Strong integration between OI&T and the business offices (VHA, Veterans Benefit Administration , National Cemetery Administration, and Staff Offices) would set IT strategy, determine requirements, and implement solutions;
- Approaches to legacy and new application development would be synchronized;
- New process-based organizational structure for the Office of the Assistant Secretary for Information & Technology would be defined; and
- IT realignment would transform VA into a service-based IT organization with a client-centric IT model that aligned IT with VA business needs, priorities, and mission.
Concerns voiced from the field in 2005
In response to the Secretary’s proposals for IT realignment, I believe that employees at some medical centers expressed a number of concerns about the details of the plan. In particular, I believe they felt that the regionalization of IT resources would create new points of failure that could not be controlled by the sites experiencing the impact, and that the system redundancy required to prevent this was never listed as a prerequisite to centralization of critical patient care IT resources. From my point of view as the Director of Clinical Informatics, it was clear to me that the focus of reorganization/realignment was on technical relationships and not on how the missions of VHA would be communicated to the new OI&T structure. For example, realignment success metrics were focused on Regional Data Processing Center (RDPC) deliverables rather than facility needs. Finally, key facility-based IT staff had been tightly integrated into local committees and planning groups as subject matter experts, but could no longer be tasked directly by the facility Director to participate, and had no clear OI&T-driven incentive to continue. Ultimately, the concern was that in trying to create a new structure in the name of “standardization”, support would wane to a “lowest common denominator” for all facilities, no matter how diverse their actual needs were.
Impact On VHA’s Four Principal Missions
With respect to the primary patient care mission, the good news has been that new policies and procedures regarding encryption of sensitive information have been well-publicized and have heightened the awareness of all care providers as to the critical nature of the information they use everyday. I think this has positively impacted the culture of VHA and improved respect for our veterans. The bad news is that centralization of physical IT resources to the RDPCs has directly led to more system downtime for individual medical centers than they have ever had before, resulting in hundreds of simultaneous threats to the safety of our veteran patients. In addition, it is my opinion that disagreements over whether new proposals for clinical application or device procurement are “IT” or “not-IT” has markedly delayed upgrading of aging systems and implementation of new systems for veterans’ care.
With respect to the education mission, the good news is again that standards for encryption of sensitive information have heightened the awareness of all staff and students as to the critical nature of the information they have at their fingertips in educational for a and the need to protect it in all settings.
However, from my vantage, rules on encryption of all portable devices, such as “thumb drives”, rather than just on encrypting sensitive information, have made it cumbersome to go about common work, such as giving academic and scientific presentations where no sensitive information is present. Further, security rules for using network resources have stopped some internet-based videoconferencing activities between VA and non-VA colleagues, while awaiting new funding cycles to procure next-generation equipment.
With respect to the research mission, the proposed standardization of VHA databases as part of centralization may create significant research opportunities, and has been supported by the research community though, at this time, no specific progress has been made. Rules regarding encryption of transported sensitive information have been warmly received by the research community as a best practice. However, security rules for using network resources have stopped some internet-based videoconferencing activities between VA and non-VA colleagues. Some additional unique local IT resources have been required to maintain other research activities which utilize the internet and I have concerns about how long they can continue.
In terms of our role in supporting the Department of Defense, I believe that initiatives to enhance electronic data-sharing between VHA and DoD have proceeded appropriately.
Impact on VHA’s Accomplishments and Morale
In my opinion, confirmed in many conversations with my peers, there has been a lack of transparent communication between VHA and the reorganizing OI&T structure. At present, economies of scale that were a cornerstone of the OI&T realignment proposal have not been communicated to the facility level where the work of VHA occurs. The focus on security and data integrity has led to a number of new requirements with impacts that generate significant concern without a clear pathway to resolution. For example, to fully comply with security requirements on our examination room PCs, we must log out of both a clinical application such as our Computerized Patient Record System and the Microsoft Windows operating system each time we leave the room even for a moment, yet it may take as long as 12 minutes to log back on when we return. Given a 20 or 30 minute visit with their veteran patient, the clinician is thus forced to choose to “do the right thing” for either the patient or the system, but cannot do both.
In my view, there remains a tremendous uncertainty about how to work with our longstanding IT colleagues to address local or regional clinical care, research, or educational needs. These arise on an almost daily basis as the result of new mandates from accrediting bodies, VA performance measures, or Congressional action. Accountability for all these activities remains with the individual Facility Directors, but they no longer have the authority to task IT staff nor directly acquire technological resources that are a part of every new idea that is put forth to meet the new needs. There is a sense of great inertia that overrides the anticipation of great opportunities in the new OI&T structure. I believe that this has greatly slowed the field development process that is the very foundation of our VA-created computer system, VistA.
Regional Computer System Downtime of August 31, 2007
On August 31, 2007, the new “Region One” of OI&T-supported facilities experienced the most significant technological threat to patient safety VA has ever had – a nine-hour downtime during standard business hours that crippled the clinical and other information systems of 17 different VHA medical facilities. During the downtime, it became clear to me that many assumptions about the RDPC model were erroneous. Specifically, rather than creating a redundancy to protect facilities from system problems, a new single point of failure caused a problem that could never have been replicated without the RDPC model having been created. In this vein, the ability to “failover” from the RDPC in Sacramento to Denver, previously described as a major advantage to the RDPC model, was never taken advantage of. Electronic contingency systems, put in place as a part of the RDPC migration strategy, were unavailable or overwhelmed in four of the medical centers, despite prior experience that this was a known risk during the pilot phase of the RDPC collocation project. Lastly, and of great concern to the medical centers as a harbinger of future support, clinical need was expected to be the driver of the service restoration process. Instead, half a day of troubleshooting and error log evaluation and analysis went by before the shutdown and reboot process was initiated to actually fix the problem.
The after-action report, while done in a timely fashion and generally clear, did not address the two major concerns of the facilities that had to deal with the impact of the downtime at all. Specifically, how it could be that the RDPC model designed for redundancy could instead have been designed to create the single point of failure that facilities predicted two years earlier would paralyze them? Why was the “failover” from the Sacramento RDPC to the Denver RDPC not initiated immediately when the magnitude of the impact was known? Despite repeated queries about this on the official Region 1 VistA Outlook email thread designed to facilitate communication between OI&T and VHA facilities, I am unaware of whether this question was ever answered.
In my view, the OI&T realignment process begun in VA in 2005 for the right reasons has been focused on technical IT issues and the reporting structure of its new 6000-strong employee force. While there has been measurable success in those areas, my perspective is that this has not been the case for the planned linking of IT strategic planning with organizational strategic planning and communication between all stakeholders in VA. Mr. Chairman this concludes my statement. I will be pleased to answer any questions that you or other members of the Committee might have.