Witness Testimony of Hon. Roger W. Baker, U.S. Department of Veterans Affairs, Assistant Secretary for Information and Technology and Chief Information Officer
Chairman Johnson, Ranking Member Donnelly, members of the Subcommittee: thank you for inviting me to testify regarding the Department of Veterans Affairs’ (VA) Information Technology (IT) strategy for the 21st century. I appreciate the opportunity to discuss VA’s plans, actions, and accomplishments that will position VA’s IT organization as a 21st century leader in the federal government.
I am pleased to be accompanied today by Peter Levin, Ph.D., VA’s Chief Technology Officer.
Through Secretary Shinseki’s leadership, the VA continues to focus on the strategic goals VA established two years ago to transform VA into an innovative, 21st century organization that is people-centric, results-driven, and forward-looking. These strategic goals seek to reverse ineffective decision making, systematic inefficiency, and poor business practices in order to improve quality and accessibility to VA healthcare, benefits, and services; increase Veteran satisfaction; raise readiness to serve and protect in a time of crisis; and improve VA internal management systems to successfully perform our mission. The Office of Information and Technology (OI&T), which I am honored to lead, proudly supports our strategic goals as we rapidly deliver technology to transform VA.
The VA IT enterprise is a massive single, consolidated network with 152 hospitals, 791 community-based outpatient clinics (CBOC), 57 benefits processing offices, and 131 cemeteries and 33 soldier’s lots and monument sites. Our OIT workforce numbers over 7,100, serving over 300,000 VA employees and more than 10 million Veterans. Within our $3.1 billion FY 2011 budget, OIT manages a technology profile of over 314,000 desktop computers, 30,000 laptops, 18,000 blackberries and mobile devices, and 448,000 email accounts. These figures describe an IT enterprise that is certainly one of the largest consolidated IT organizations in the world.
Disciplines for 21st Century Information Technology
Managing an organization of this size and scope requires disciplined management and processes. To instill those disciplines, VA implemented five major focus areas immediately after my confirmation. These five areas – customer service, product delivery, information security, operational metrics, and financial reporting – continue to guide our efforts in a disciplined and measurable way.
- Customer Service
OIT continues to build upon our excellent relationships with VA’s Administrations (Veterans Health, Veterans Benefits, and National Cemeteries). We have worked hard to set a tone of cooperation that has made it possible for us to effectively address many complex problems at the second largest agency in the Federal government. Thanks to my partners, Dr. Robert Petzel, Under Secretary for Health, Mr. Michael Walcoff, Acting Under Secretary for Benefits, and Mr. Steve Muro, Acting Under Secretary for Memorial Affairs, that same cooperative approach continues to spread throughout VA.
- Product Delivery
IT is an enabler to the implementation of the Secretary’s 16 Transformational Initiatives, which cannot be executed without newly developed IT products. These initiatives are key to improving VA’s services to Veterans, and IT investments have allowed us to deliver products or plan for on-time delivery of the following programs:
- Successful, on-time delivery of the critical G.I. Bill project. VA successfully converted all processing of new Post-9/11 GI Bill claims to the Long Term Solution (LTS) prior to the commencement of the Fall 2010 enrollment process. Since installation, processing with the new system has been excellent, with no significant “bugs” encountered. The Veterans Benefits Administration claims processors like the new system and find it easier and more efficient to use. By dramatically changing its development processes, adopting the Agile methodology for this project, VA also dramatically changed its system development results;
- Veterans Benefits Management System (VBMS), in which IT provides Veterans Benefits Administration the enabling technology to break the claims backlog;
- The Blue Button program, in which IT provides the systems and information security to allow Veterans to download their currently available personal health information from their MyHealtheVet account, allowing them to share their personal health information with doctors outside the VA;
- The eBenefits portal (a joint DoD and VA service), which is evolving to a “one-stop shop” for benefit applications, benefits information and access to personal information such as official military personnel documents;
- Veterans Relationship Management (VRM), in which IT will provide the capability to improve Veterans’ access to VA services and benefits through phone, web and email systems enabling easier and more effective communications; and
- The Pharmacy Reengineering program that replaces existing pharmacy software modules with new technology that will enhance Pharmacy services, improve customer service and enhance patient safety.
As these examples illustrate, IT plays a pivotal role in the transformation of VA into a 21st century organization as envisioned by the President and Secretary Shinseki.
- Information Security
Ensuring the security of the large VA network and devices is vital. We have made substantial progress in information security since the challenges experienced in 2006 by instituting controls that now provide for remote access to VA resources for employees and selected business partners, and implementing a sound security strategy to facilitate secure data exchange with Department of Defense and private sector healthcare organizations, and facilitating access to electronic health records for our Veterans over the internet. These efforts are instrumental in making the administration’s vision towards a virtual lifetime health record possible.
We have already made great strides with some efforts that will be discussed in greater detail below, including: visibility to the desktop to ensure compliance with security policies; visibility to every network device; strong user authentication; and medical device isolation architecture. It is vital to us that Veterans feel confident that we are doing everything we can to secure their private information.
- Operational Metrics
Our operations organization provides excellent service to our hospitals, benefits offices, and cemeteries. We now measure and publish key metrics that tell us how we are doing. Beginning in June of 2009, we started at the core, measuring network availability (which averages 99.99 percent), Veterans Health Information Systems and Technology Architecture (VistA) system availability (99.95 percent), and help desk wait times. We have expanded these measurements to include a list of nearly 167 metrics covering aspects of our network, our service provision and our system/application provisioning that help us understand what works well and what does not. The ability to measure these key processes and adjust accordingly is central to continuous operational improvement—a hallmark of a mature operation and essential to any 21st century IT organization.
As an example, we recently completed our second enterprise-wide customer satisfaction survey, using the American Customer Satisfaction Index methodology, which allows us to compare our results to those of like organizations throughout government and industry. Our primary purpose in conducting this survey is to understand and address the issues that affect user satisfaction with IT services at each of our facilities. We showed substantial progress between the two surveys, increasing our satisfaction score from 67 to 71. For comparison purposes, our near-term target is to achieve a rating of 75, which would indicate we are in the top half of the ratings for similar organizations globally. VA also uses the ACSI Survey tool to monitor satisfaction with the award winning My HealtheVet Personal Health Record portal and our scores in this area (75) benchmark well with the E-Government Index (75).
- Financial Reporting
Finally, we created a detailed financial plan for OIT in both 2010 and 2011, known as the Prioritized Operating Plan. This plan has two main purposes. First, it creates a vehicle for us to agree, with our customers, on what the high priority IT services and projects are, and allocate our resources to ensure success on the most important items. It also allows us to communicate, clearly and objectively, which projects and services will and will not be accomplished. Second, it allows us to track our expenditures, from plan to budget to spend to results, and know the business purpose for spending each dollar and then track the results we expect to obtain from the expenditure. For 2011, that plan is over 1400 lines long.
VA IT is a Leader in Federal IT
Our efforts in the five focus areas have produced results across the board – results that are seen every day by each of our customers, from a VA employee at a hospital, benefits office, or cemetery, to the Secretary of Veterans Affairs, and to our most important customer, the American Veteran. VA IT is a leader in the federal government, and is transforming itself into a 21st Century IT leader by implementing innovative approaches to improve our results.
Our goal is to be the best IT organization in the federal government, and comparable to large private sector organizations. Achieving that goal means being a leader, and being a leader requires more than being good. It requires defining a path in advance of others, and boldly moving forward on that path. To that end, I will highlight a few areas where VA IT is, today, clearly leading the way for the federal government.
OMB’s 25 point plan
VA has been an early and rapid adopter of the elements of Office of Management and Budget’s (OMB) 25 point plan for improving federal IT. In fact, VA began pursuing many of the initiatives outlined in the 25 point plan while the plan was being formulated. Consequently, VA was uniquely positioned to support the creation of many of the initiatives and become an “early adopter.” For example, VA had already begun work on Data Center Consolidation, and was able to provide insight and lessons learned on the process for many other federal agency participants.
Another initiative in which VA is ahead of the curve is in cloud computing, which we expect to increase efficiency through secure remote access to files and programs. For example, we have a large-scale, successful cloud program in the Post 9/11 GI Bill, with another starting development for VBMS.
Finally, the VA adapted a key component of our Program Management Accountability System (PMAS), the “strike” meeting, to become an early adopter of the program’s intervention meetings OMB calls “Techstats.” Due to VA’s forward thinking, implementation of many of the initiatives outlined in the 25 Point plan was seamless and fit within the plan’s structures.
VA IT has been a leader in meeting the transparency goals of this administration. One key component of our transparency efforts is the monthly meetings I hold with the staff of the House and Senate Veterans Affairs Committees. As you know, these meetings serve as an opportunity for VA to inform Congress about IT progress and issues at VA. Through these meetings we have developed a constant dialog that helps keep Congress informed and opens lines of communication.
VA IT is also providing transparency into our development progress. Every increment of every development project is reported in the PMAS Dashboard, which I will discuss in more detail below, which is tied to the OMB dashboard. This gives OMB, Congress, and the public a clear view into VA’s IT program management progress.
VA’s privacy breach report, discussed below, is another great example of VA’s leadership in transparency. Our efforts to present to Congress and the public our data breaches each month have had the effect of limiting the number of breaches that have occurred, and helped our information security staff to better identify potential risks. In addition, the breach report is discussed on a teleconference with the media to ensure an even greater level of transparency.
Shortly after the President’s January 21, 2009 Freedom of Information Act (FOIA) Memorandum, VA publicized and implemented the Attorney General’s FOIA Guidelines throughout the agency by prominently publishing access links on the VA’s FOIA website at http://www.foia.va.gov/. VA’s Chief Information Officer and VA’s Under Secretary for Health appeared in a video directed to all VA FOIA Officers to discuss the importance of FOIA and the implementation of the President’s FOIA guidelines by ensuring any releasable items are rapidly made available to the public without requiring a FOIA request. VA has actively improved transparency by routinely posting information about VA Data Breaches. Other offices have also followed the lead and ensured transparency, i.e., VA Office of Finance (OF) posts information regarding VA purchase card holders (credit card) transaction data, First Class and Business Class Travel Reports, VA Civil Service Employee holiday pay data, Unclaimed Moneys Accounts data, VA’s FY 2012 President’s Budget Submission, and VA’s FY 2010 Highlights for the Citizen (Summary of Performance and Financial Information). High level contract award data is also posted without a formal request. VA’s ASPIRE for Quality Initiative, a VA-wide program designed to document key measures of health care quality posts outcome information for acute care services, intensive care units, outpatient services, safety and process measures, and indicators of how successful each VA Medical Center has been in meeting its quality goals.
In June of 2009, VA introduced the Program Management Accountability System (PMAS). The PMAS process has transformed product delivery at the VA. Before the implementation of PMAS, approximately 283 development projects at VA met their milestone dates an estimated 30 percent of the time. This is an estimate, as IT development projects simply were not tracked to their committed dates prior to PMAS. Today, VA has 107 active development projects, tracked in real-time through a project database and dashboard, that are meeting their milestone dates approximately 75 percent of the time. I know of no other Chief Information Officer (CIO), government or private sector, who has this level of insight into such a large portfolio of development projects. VA is a true trailblazer in product delivery, as I can assure you that most IT development organizations, public or private sector, would be ecstatic with meeting 75 percent of their committed milestones.
PMAS is important for two reasons. Most importantly, we are able to deliver on the transformational capabilities VA requires. PMAS also ensures we meet this administration’s goal of ensuring that every taxpayer dollar is well spent. In 2010, VA had a cost avoidance of nearly $200 million by eliminating poorly performing projects and restructuring many others to lower risk, reduce spend rates, and implement incremental development project plans.
PMAS helps VA manage our contracts better by ensuring that proper planning is done prior to beginning development on an increment. That includes having the contracting officer and counsel as part of the Integrated Project Team during the planning phase. During the planning phase of a project, the work is broken into increments that deliver capability to the customer in six months or less. As soon as the first increment is planned in sufficient detail, the project can begin development on that increment while continuing to plan future increments. By using PMAS criteria, we ensure that we have good plans and necessary resources in place before a project increment goes active. Once the project is active, it will receive a strike whenever an increment milestone is missed. A project can receive no more than three strikes before it is stopped and forced to re-evaluate the requirement and the plan. While project failures can still occur, we manage the timeline and work so closely that projects cannot fail for years on end before being stopped.
A primary driver of our success under PMAS has been the adoption of incremental development. Every project at VA, without exception, must deliver functionality to its users at least every six months. Several of our most important projects, including the GI Bill and VBMS, have adopted Agile development methodologies. Whereas PMAS addresses the planning and management aspects of short, incremental delivery, the Agile development methodology provides the technical management guidance of how to turn project requirements into working software quickly and in collaboration with the customer.
Agile development is important to the VA because it encourages continuous input from our customers. In agile projects, all the development priorities are set by the customer, which ensures that the work is performed in the order of importance. To increase the likelihood of success, large projects are broken down into small but valuable increments, each of which could potentially be a candidate for release. This is consistent with our PMAS delivery requirements. Lastly, agile development requires continuous quality assurance throughout the entire development effort, further ensuring high quality deliverables.
Agile software development methodologies are an effective means of improving the predictability, quality, and transparency of software products and their development. At the core of Agile is the iterative work process. Business problems are broken down into small increments of delivery that are tangible products that can be reviewed and verified regularly by business stakeholders. By constantly incorporating feedback, the software that is essential to solving the business problem is created in partnership with stakeholders and any miscommunications, revisions, or changes in business needs can be accommodated quickly and with little rework. The quality of software is kept high throughout the development process as the product in development is kept as close to a production-ready state as possible with each release increment. In addition, prior to the start of each increment, business stakeholders and the development team agree upon which features or requirements are to be satisfied during that increment thus ensuring that the most important work is completed first.
Contrary to popular belief, the successful Agile program requires great rigor as it is essentially a process based on statistical analysis. Every work product (software or otherwise) is defined, broken down and estimated. As work progresses, these work products are carefully tracked on a daily basis and results of progress are published to the team and stakeholders (and any other authorized, interested party) to provide complete transparency. The result of this hyper-transparency is that problems in the development process are identified early and changes, regardless of their origin, can be accommodated quickly and efficiently.
To vastly improve our information security posture, we have achieved the goal of providing visibility to every desktop on the network. Visibility to the desktop allows the CIO and our Information Security Team the ability to see, for every machine on the network, what software is installed, whether security policies are met and what vulnerabilities exist – that’s more than 314,000 desktops and more than 30,000 laptops reviewed for issues each day. We are easily able to identify outliers and enforce compliance on computers that do not meet our network security requirements.
In our continued effort to further enhance our security posture, we will gain visibility to all servers in the VA environment and implement a strong authentication solution for system administrators by September 2011. In addition to gaining visibility to the server computing domain, VA will take the additional step of gaining increased visibility of network infrastructure devices. Strong authentication coupled with visibility all the way down to the end user desktop is first-rate for an organization the size of VA and stands to be one of the largest deployments ever made of security and network management software in a centralized and consolidated network environment. When completed, the VA will have unmatched near real time security situational awareness of its computing resources, consisting of more than three quarters of a million devices.
We have also achieved full implementation of our medical device isolation architecture, which is essential to mitigating security vulnerabilities in our medical devices. The isolation architecture allows us to localize virus outbreaks in populations where providing protection proves more difficult for equipment such as medical devices, by using virtual local area networks and access control lists. These technologies allow us to easily identify threats and vulnerabilities and quarantine them to prevent viruses from spreading across the VA network.
Our achievements on visibility to the desktop and our medical device isolation architecture put us well ahead of most federal organizations, and on par with well managed private sector organizations. Our ability to provide immediate response to vulnerabilities and threats within our enterprise, as well as enacting a proactive approach to centralized monitoring, reporting, compliance validation and providing maximum service availability, is quickly establishing VA as a model of excellence for the rest of the Federal Government.
Protecting Personal Private Information
While we have made important strides in reducing the number of data breaches that occur, VA has led the way in both responding to incidents, and providing transparency when reporting data breaches. Our Incident Resolution Team compiles a comprehensive report detailing every reported data breach on a daily and weekly basis. The reports are then discussed with the Data Breach Core Team which is made up of representatives from the Office of General Counsel, Veterans Health Administration, Veterans Benefit Administration, National Cemetery Administration and VA Central Office staff offices. At the end of each month, our Incident Resolution Team compiles a comprehensive report detailing every reported data breach, the circumstances of the breach, the number of Veterans affected, the steps taken to remedy the situation, and any pertinent follow-up information. This information is submitted to Congress, and is also posted publicly on the VA website. After its publication, I hold a press conference to discuss the breaches in an open, transparent manner. The number of facilities and the complex IT environments at VA present unique security and privacy challenges. VA’s Incident Resolution Team consistently monitors and responds to every privacy or security event, no matter if it deals with one Veteran or thousands. The team members are considered experts in their field, and have assisted other government agencies individually and spoken at federal IT and privacy events.
In April 2009, President Obama charged the Secretary of Defense and Secretary of Veterans Affairs to create a Virtual Lifetime Electronic Record (VLER) to bring together the plethora of systems. This was done in order to create a seamless way for Service members, Veterans and those who support and care for them to access and manage benefits and care from the day they enter military service and throughout their lives. VLER itself is not a “system”, but rather a business and technical redesign initiative that establishes the interoperability and communication environment necessary for DOD, VA and other public and private partners to securely exchange information. The result will improve health, benefits delivery and personnel activities by enabling providers to easily access the information they need. In this way, VLER is enabling healthcare and benefit providers to proactively deliver the full continuum of services and benefits Veterans have earned through several capability areas that are brought on-line in a measured approach.
The VLER initiative ensures doctrine, policies, organizational structures, personnel training and IT solutions converge to create an environment of information transparency that improves the quality of life for Veterans and Service members. The benefits of VLER are already being felt by Veterans and Service members around the country in many different ways.
VLER is now being used to support the exchange of health care information between DOD, VA and private healthcare providers in San Diego, CA; Hampton Roads and Richmond, VA; Spokane, WA; and Asheville, NC areas. The capability delivered at these pilot sites will become more robust over time and expand to include six additional regions throughout the country by the end of this Fiscal Year. In 2012, we will leverage the tools and lessons learned in these 11 areas to provide this clinical encounter support to healthcare providers who care for Veterans throughout the entire United States.
VLER and the further expansion of the eBenefits portal will empower Veterans and service members by enabling them to access their information, including healthcare records, benefit applications, benefits information, and other personal information through an interactive web portal. The eBenefits portal is a rapidly growing joint VA/Department of Defense (DoD) service with more than 278,000 registered users as of March 31, 2011. As VLER continues to mature, it will enable the eBenefits portal to provide Service members and Veterans more capabilities, including accessing their official military personnel documents, viewing the status of their disability compensation claim, updating direct deposit information for certain benefits, and obtaining a VA guaranteed home loan Certificate of Eligibility. The eBenefits portal effectively bridges the conversion from active duty to Veteran status by allowing Service members to retain the same login information they had as an active duty participant. This simple change is critical as it realizes the goal for the VA to be Veteran-centric.
VLER will provide on-line access to all eligibility information, “Notice of Death” reporting, and enhanced support of final honors and memorial benefits under the National Cemetery Administration. Redesign and modernization of cemetery IT systems will include great collaboration with the Department of Defense.
VLER should reduce the cost of the delivery of services, increase efficiency of operations, reduce cycle times for benefits delivery, contribute to the elimination of homelessness, reduce claims backlogs by delivering information sharing capabilities, increase access to benefits by connecting data owners and data users, and increase the quality and effectiveness of services provided to Veterans and Service members. There are certainly obstacles to achieving these lofty goals, but we are optimistic that VLER is making progress to meet the President’s vision for the future.
The VistA Electronic Health Record (EHR) system is a proven and essential element of VA’s ability to provide Veterans with high quality health care and control health care costs. In part because of VistA, VHA has excelled in the last 15 years in both areas. Independent studies have pegged the rate of return on VA’s investments in VistA at about $2 returned for every dollar invested.
While the current VistA EHR system meets or exceeds the capabilities currently available from commercial EHR vendors, low investment in VistA over the last decade has eroded its standing from the once-clear market leader to being merely competitive. While VA clinicians express strong support and preference for VistA as a clinical tool, they are also vocal and unanimous in calling for us to re-invigorate the innovation that made VistA the best EHR system available.
Clearly, the private sector must play a role in that innovation. The size of private sector investment and the rate of innovation in the commercial EHR sector far exceeds the government’s ability to produce timely, cost-effective EHR products.
VA estimates the cost of replacing VistA with an existing commercial package at $16 billion, based both on a VA-commissioned independent validation exercise and on the real-world experiences of Kaiser Permanente. Published reports say that Kaiser spent $4 billion implementing a commercial off-the-shelf EHR system in their 36 hospitals and supporting facilities. Based on size of VA relative to Kaiser (VA has 153 hospitals), $16 billion is a reasonable estimate.
To avoid those costs, and to find a way to involve the private sector in modernizing VistA, the VA is turning to Open Source. Open source software (OSS) began as the “free software” initiative in the early 1980’s, though the word free in this context is ambiguous. In this case, it should be thought of as free speech. EHR users from across the community are free to comment and contribute to the evolution of the code base, and VA is free to accept or reject any of those contributions.
In practice, Open Source has proven to be a powerful method of producing production quality software. Market leading products such as Unix, Linux, Netscape, Mozilla, Apache, and many others are the result of Open Source software approaches. And while key product elements such as licensing, cost, security, etc. are different with an Open Source product, they are neither better nor worse. Open source methodologies have been proven many times in high-reliability production environments in the private sector to deliver products that meet or exceed the quality and robustness of proprietary and Government off the Shelf (GOTS) products.
VA has spent more than a year conducting a very deliberative process to examine the implications of Open Source for VistA. We have seen two substantial studies on the topic contributed by the private sector and academia. We have consulted with hundreds of organizations, and thousands of individuals. We have conducted three Requests for Information (RFIs), and received numerous papers, emails, and comments. Our path forward with Open Source has been broadly advised and highly transparent, and is certainly much the better for it.
VA expects that the rate of innovation and improvement in VistA can be increased without increasing our current budget by better involving the private sector (and true private sector practices) in both the governance and development of the VistA system through Open Source. To that end, we have released a Request for Proposal to establish an Open Source “Custodial Agent,” to run the Open Source community. Our estimate of the costs of establishing the Custodial Agent is less than $10 million per year.
Mr. Chairman, over the last two years, VA’s IT organization has made many significant improvements and had many successes, but there are numerous challenges ahead. We are solidly on the path that we must follow to achieve our ultimate goal of being a leader in federal IT. But I believe it prudent to reiterate the words from my confirmation testimony that are still true today: “There is no easy path, no simple answer, and no short-cut solution to creating a strong IT capability at VA. Achieving this will require hard work, disciplined management, and honest communications.” Mr. Chairman, Ranking Member Donnelly, and Members of this Subcommittee, I am committed to continuing that work. Thank you for your continued support of Veterans, their families and survivors, of VA, and of our efforts to transform VA IT. My colleague and I are prepared to answer any questions you and other Members of the Subcommittee may have.