The U.S. Department of Veterans Affairs (VA) Information Technology (IT) Reorganization: How Far Has VA Come?
COMMITTEE ON VETERANS' AFFAIRS
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
SEPTEMBER 26, 2007
SERIAL No. 110-47
Printed for the use of the Committee on Veterans' Affairs
U.S. GOVERNMENT PRINTING OFFICE
CORRINE BROWN, Florida
STEVE BUYER, Indiana, Ranking
Malcom A. Shorter, Staff Director
Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public hearing records of the Committee on Veterans' Affairs are also published in electronic form. The printed hearing record remains the official version. Because electronic submissions are used to prepare both printed and electronic versions of the hearing record, the process of converting between various electronic formats may introduce unintentional errors or omissions. Such occurrences are inherent in the current publication process and should diminish as the process is further refined.
CONTENTS
September 26, 2007
The U.S. Department of Veterans Affairs Information Technology Reorganization: How Far Has VA Come?
Chairman Bob Filner
Prepared statement of Chairman Filner
Hon. Steve Buyer, Ranking Republican Member
Hon. Stephanie Herseth Sandlin, prepared statement of
Hon. Henry E. Brown, Jr., prepared statement of
Hon. Ginny Brown-Waite, prepared statement of
Hon. John T. Salazar, prepared statement of
U.S. Government Accountability Office:
Valerie C. Melvin, Director, Human Capital and Management Information Systems Issues
Gregory C. Wilshusen, Director, Information Security Issues
Prepared statement of Ms. Melvin and Mr. Wilshusen
U.S. Department of Veterans Affairs:
Hon. Robert T. Howard, Assistant Secretary for Information and Technology and Chief Information Officer, Office of Information and Technology
Prepared statement of General Howard
Arnaldo Claudio, Executive Director, Office of IT Oversight and Compliance, Office of Information and Technology
Prepared statement of Mr. Claudio
Paul A. Tibbits, M.D., Deputy Chief Information Officer, Office of Enterprise Development, Office of Information and Technology
Prepared statement of Dr. Tibbits
Ben J. Davoren, M.D., Ph.D., Director of Clinical Informatics, San Francisco Veterans Affairs Medical Center, Veterans Health Administration, U.S. Department of Veterans Affairs
Prepared statement of Dr. Davoren
SUBMISSIONS FOR THE RECORD
Hon. Harry E. Mitchell, a Representative in Congress from the State of Arizona, statement
U.S. Department of Veterans Affairs, Bryan D. Volpp, M.D., Associate Chief of Staff, Clinical Informatics, Veterans Affairs Northern California Healthcare System, Veterans Health Administration, statement
MATERIAL SUBMITTED FOR THE RECORD
Post Hearing Questions and Responses for the Record:
THE U.S. DEPARTMENT OF VETERANS AFFAIRS INFORMATION TECHNOLOGY REORGANIZATION: HOW FAR HAS VA COME?
Wednesday, September 26, 2007
U.S. House of Representatives,
Committee on Veterans' Affairs,
The Committee met, pursuant to notice, at 9:58 a.m., in Room 334, Cannon House Office Building, Hon. Bob Filner [Chairman of the Committee] presiding.
Present: Representatives Filner, Snyder, Herseth-Sandlin, Hare, Salazar, Walz, Buyer, Stearns, Brown of South Carolina, Brown-Waite, Bilbray, and Lamborn.
The CHAIRMAN. This meeting of the House Committee on Veterans' Affairs is called to order. Today, the Committee will be looking at the U.S. Department of Veterans Affairs (VA) Information Technology (IT) Reorganization: How Far Have We Come?
Obviously, this is a very important issue. And we will be looking at the progress of VA in centralizing its IT efforts.
We want to explore the progress that the VA has made in its efforts to be what Secretary Nicholson called the "gold standard" of information security among Federal agencies, a goal that was enunciated in the wake of a data breach last year that involved over 25 million veterans and succeeding incidents including one recently in Birmingham, Alabama.
We understand that such a centralization will not happen overnight. We are not asking you to do this overnight. But we are asking, and our veterans are demanding, that the VA be held accountable for getting the job done.
This past June, the U.S. General Accountability Office (GAO), while praising the commitment from senior leadership, found fault with a number of areas in the VA's efforts, efforts that hinder the VA's ability to successfully reach its reorganization goals.
These include rejecting the GAO's recommendation that VA create a dedicated implementation team responsible for day-to-day management of major change initiatives. Instead, the VA is apparently dividing the responsibility between two organizations in this new structure. And the GAO was concerned that this approach would not work. Many of us on this Committee share that sense.
More recently, GAO reported that out of 17 recommendations made by the VA Inspector General (IG), 16 had not yet been implemented. Implementing these recommendations is essential if the VA is to protect private information and meet its obligations under the Federal Information Security Management Act (FISMA).
In the final analysis, we must remember that IT is merely a tool, a tool used by the VA in furtherance of its mission of caring for veterans. This Committee has continued to work in a bipartisan fashion to encourage the VA to centralize its IT efforts. These efforts, we think, will lead to concrete benefits for both the VA, taxpayers, and most importantly, our veterans.
Our charge is to ensure that while VA is carrying out its mission, it does so with the best and most up-to-date technology that the 21st century provides, while securing that technology from outside manipulation and preventing improper disclosure of our veterans' confidential information.
We must at the same time foster creativity and innovation and the use of electronic medical records and other systems that have put VA at the forefront of medical care. These are not easy tasks. We are heartened by many of the steps the VA has undertaken, but remain concerned that more should be done, and could be done, at a faster pace.
We remain hopeful that the VA can simultaneously provide our veterans the greatest security, management, and healthcare. Undoubtedly, the efficient and effective management and operation of VA IT efforts will result in tangible benefits for our veterans.
I would yield for an opening statement to the Ranking Member of our Committee, Mr. Buyer. And you have five minutes.
[The statement of Chairman Filner appears in the Appendix.]
Mr. BUYER. Thank you very much, Mr. Chairman. First I would like to address the issue regarding the Vietnam Veterans Memorial Wall. I was heartbroken to learn about the callous act of vandalism that resulted in the damage to the Vietnam Veterans Memorial Wall on September 7th.
For every person that has ever stood before that wall, you can reflect upon your feelings and emotions as you stood before the 147 black granite panels. I could not help but sense and feel the humility of a grateful Nation and how small one feels standing before the granite.
What I will say publicly to the vandal is that you are nothing but a coward. These are cowardly acts to stand before that wall and to throw such a substance and attempt to deface the Vietnam Veterans Memorial Wall.
The reality is that despite that act, you have no impact upon history. You have no impact upon the families who embraced their loved ones, that gave their lives for this country.
So to the coward, you can either step forward and accept responsibility for your act or forever crawl back under the rock from which you came.
Right now I would like to thank the Chairman. He and I worked together last year along with other Members of the Committee. And I want to publicly thank Mr. Evans, in our efforts to centralize the IT architecture within the VA.
Mr. Chairman, I would like to thank you for responding to my request. More in particular, I compliment your timeliness in holding this hearing, with the exit and retirement now of the VA Secretary. I think it is just a wonderful time for us to get an update.
It is important for us to look back over the past year and see how the VA has implemented the instructions given in Public Law 109-461 and moved its IT infrastructure to a centralized model. This is the first step for any large, Federal department or agency of government.
We held a lot of hearings on VA's data breach, Mr. Filner. And so as we talk about the centralization of the IT infrastructure, it is also about security assurances. And I can't—when I think about the challenges that the Chief Information Officer (CIO) of the VA has, it is extraordinary.
And so while I compliment you, Mr. Chairman, for holding this hearing and getting the input, we also have to be cognizant of the task at hand and how long it is going to take to perfect a centralized model.
And patience is one thing that is going to be very hard for us to have, and for me in particular, because of my seven years of interest in the issue. But I recognize how long it is going to take.
The goal of Public Law 109-461 was to provide the means to allow growth and development to move forward with a main central IT structure in which new, improved technologies and methodologies can be encouraged and shared throughout the VA. The new law also brought fiscal discipline to VA IT for the first time.
What I am interested in finding out today is how the centralized model is being implemented. And whether there has been any cultural resistance from local facilities towards centralizing.
I am also interested in learning what new technologies are being used. How will these technologies enhance the VA's ability to provide faster, better, and safer services to our Nation's veterans? What measures are being used to protect the identity of our veterans when they seek treatment or benefits from the VA?
I was very concerned when I learned about the 2006 Federal Information Security Management Act report being delayed and the VA receiving an incomplete in its FISMA reporting requirements. I trust that this will not occur again in the 2007 reporting period.
I am also concerned about the continuing problems in IT security, which are detailed in the weekly Network Security Operations Center reports received by this Committee.
The Birmingham VA research breach involves more than a million Medicare and Medicaid providers. I would like to know how the IT vulnerabilities that we have seen in VA's research community are going to be addressed, so that incidents such as this no longer occur.
Last week, the GAO testified before the Senate Veterans' Affairs Committee and made 17 recommendations to the Secretary. Those recommendations aimed at improving the effectiveness of VA's efforts to strengthen information security practices by developing and documenting processes, policies, procedures, and completing the implementation of key initiatives.
For instance, why is the Veterans Health Administration's (VHA's) waiver for not encrypting physicians' laptops and other devices still in effect? I am looking forward to hearing the status of each of these recommendations from both the GAO and the VA.
Mr. Chairman, I would like to thank the witnesses for coming to testify before the Committee, and General Bob Howard, who took the reins of the VA IT infrastructure during a wave of change.
I compliment you, sir. It is under his watch that the goals and policies set up by Public Law 109-461 are being implemented. And I look forward to hearing from you and continuing to work with you.
General, I also want you to rely upon your military experience, because once you have made your advance, you have taken ground. And now that you have someone leaving, i.e. the Secretary as an agent of change, other individuals are seeking to take ground back.
So you are going to have to defend. And I recognize that. And at the first moment, please pick up the phone, call the Chairman, call me. We want to work with you to make sure that you have the ability to implement the law.
And I would say to the witnesses, I had an opportunity last night to read your testimony. I have a Commerce Committee hearing on my other issue dealing with counterfeit drugs. And so I am going to have to excuse myself.
But thank you, Mr. Chairman.
The CHAIRMAN. Thank you. Any other opening statements? Dr. Snyder? Mr. Walz? Mr. Brown? Mr. Lamborn?
All Members have five legislative days to revise and extend their remarks and all written statements will be made part of the record. Hearing no objection, so ordered.
Our first panel this morning is from the U.S. Government Accountability Office. Ms. Valerie Melvin is the Director of the Human Capital and Management Information Systems Issues Office. Mr. Gregory Wilshusen is the Director of Information Security Issues. And accompanying you is Ms. Oliver. If you will introduce her, Ms. Melvin. Your written statements will be made a part of the record, so if you can keep oral remarks to about five minutes, that would be great.
STATEMENTS OF VALERIE C. MELVIN, DIRECTOR, HUMAN CAPITAL AND MANAGEMENT INFORMATION SYSTEMS ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; AND GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; ACCOMPANIED BY BARBARA OLIVER, ASSISTANT DIRECTOR, HUMAN CAPITAL AND MANAGEMENT INFORMATION SYSTEMS ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE
STATEMENT OF VALERIE MELVIN
Ms. MELVIN. Mr. Chairman and Members of the Committee, thank you for inviting us to discuss VA's information technology realignment and actions toward strengthening its information security program.
With me today, as you have noted, is Mr. Greg Wilshusen, GAO's Director of Information Security Issues, and Ms. Barbara Oliver, Assistant Director for VA IT issues.
In serving our Nation's veterans, VA relies heavily on information technology, for which it spends about $1 billion annually.
However, the Department has long been challenged in IT management, having experienced cost, schedule, and performance problems in its information systems initiatives, as well as security breaches that threaten to compromise sensitive and personally-identifiable information.
To provide greater authority and accountability over its resources, VA is realigning its organization to centralize IT under the Chief Information Officer, relying on a defined set of improved management processes to standardize operations. VA began this realignment in October 2005 and plans to complete it by July 2008.
Over the past year, we have assessed and reported on the realignment. And just last week, as you noted, released a report on the Department's information security. At your request, our testimony today summarizes our findings in these two important areas.
In short, VA has made progress in moving to a centralized structure by fully or partially addressing all but one of six critical factors that we identified for a successful transformation such as this realignment.
Among its actions, the Department has ensured top leadership commitment to the initiative and established a governance structure to manage resources. However, it continues to operate without a single dedicated implementation team to oversee this important change.
And in addition, while improved IT management processes are a cornerstone of the realignment, VA has not kept to its timeline for implementing the processes and thus has not made significant progress, having only piloted two of the thirty-six planned processes.
At the same time, VA has ongoing programs and system development initiatives that depend on effective management and use of IT resources, the essence of this realignment. Our recent studies have noted measures of progress in its efforts. But essential work remains, including addressing numerous and long-standing information security weaknesses.
Our report, released last week, notes that although VA has made progress in strengthening information security, much work remains to resolve its security weaknesses.
The Department has undertaken several major initiatives to strengthen information security practices and secure personally-identifiable information, including continuing efforts to realign its management structure, establishing an information protection program, and improving its incident management capability.
Yet while these initiatives have led to progress, their implementation has shortcomings. For example, although a new security management structure exists, improved security management processes have not yet been completely developed and implemented.
In addition, this new security management structure divides responsibility for information security functions between two organizations, but with no documented process for the two offices to coordinate with each other.
Further, the Department has made limited progress in addressing prior recommendations to improve security that we and its Inspector General have made. Although VA has taken certain steps, it has not yet completed the implementation of 22 out of 26 prior recommendations.
In summary, Mr. Chairman, VA is making progress on its IT realignment. But important work remains to ensure that effective management processes exist and that its IT programs and initiatives are fully and successfully implemented.
In our view, an implementation team and established management processes are crucial to the overall success of the realignment, without which the Department is in danger of missing its 2008 targeted completion date and of not realizing the potential benefits of this initiative.
Similarly, until the Department addresses the shortcomings in its IT security program, it will have limited assurance that it can protect its systems and information from unauthorized disclosure, misuse, or loss.
This concludes our prepared statement. We would be pleased to respond to any questions that you may have.
[The statement of Ms. Melvin and Mr. Wilshusen appears in the Appendix.]
The CHAIRMAN. Thank you. There are no other prepared statements from the panel?
Ms. MELVIN. No. This is our statement.
The CHAIRMAN. Thank you. And I appreciate you undertaking this. It has been very helpful.
Dr. Snyder, do you have any questions?
Mr. SNYDER. Yes.
The CHAIRMAN. Go ahead. I will wait.
Mr. SNYDER. I think you all make a great contribution in these areas.
I am always struck that somebody like us that can sit on these panels and, you know, make—we are prone to make accusatory comments about administrative agencies and their failures to do certain things.
I couldn't do this. I don't have the skills to do what we are asking the VA. Can you all do this? If you were plucked out and put in Secretary Nicholson's slot, could you do this, what you are asking this system to do?
Ms. MELVIN. Sir, this initiative is a complicated one.
Mr. SNYDER. Yeah.
Ms. MELVIN. It is one that from its inception, we have noted would take a lot of dedication. It was one in which VA was stepping out in a way that few other agencies have, in fact, done.
It is an effort that will require tremendous discipline, tremendous coordination, and exceptional communication on the Department's part to ensure that all of its management is involved, all of its users are adequately considered. That there is the necessary governance in place and the disciplined process is in place to ensure that this can be undertaken.
Mr. SNYDER. Was that a no? Regardless of—
Ms. MELVIN. It means that it is a very complicated process that—
Mr. SNYDER. I think it is.
Ms. MELVIN. —will require a lot of effort on the Department's part.
Mr. SNYDER. I think it is. I think the problem with it too is it is complicated. It is a challenge. And you outline, I think, some kind of hard attributes of the process. But it is about leadership, I think, and getting people to buy into it.
Did you—have you all looked at what the downside for veterans' healthcare is if these things are not being done?
Ms. MELVIN. Obviously, this overall initiative, it is in place so that the Department can have more effective processes for managing all of the initiatives that it is undertaking.
Certainly one of those, for example, is its veterans health information system. All of these initiatives are impacted by the efforts that are being undertaken, in the sense that VA has previously operated in a centralized manner. And in moving—I am sorry, in a decentralized manner.
And in moving to centralization, it will be critical to make sure that the processes exist so that requirements can be understood effectively, identified effectively, and that solutions are in place to address them.
When you are looking at that, obviously there is the chance that if this is not undertaken properly, if it is not put in place in a disciplined manner that allows all of the administration's IT needs to be addressed in a manner that supports the veterans, it could, in fact, impact veterans through the systems that are either put in place effectively or not put in place effectively.
Mr. SNYDER. I spent several hours sitting in an airport yesterday, because of something that happened with Memphis radar that shut down planes over several States. There was no—nothing—it was earlier at the Little Rock Airport. Nothing was coming in or going out.
And if you had asked us, I would think most of us would say well, there has got to be some redundancy in some system—in the system. We can handle whatever kind of technical problem. And yet, these kinds of things get so complicated that it can be—it can get so complicated it is difficult for a group of civilians here to provide that kind of oversight.
So we count on you all to do that for us. And I always struggle a little bit about what exactly do I think is the clear next step for them to take. What do I think they should be doing.
And it comes down to me as a matter of almost the personal leadership of the people at the top, the people that are at the highest position of leadership at the VA. This has got to be a number one priority, maybe second only to veterans' healthcare, or it is not going to get done.
Why I sometimes read these reports, they almost get so dry, which is I think what your approach is. That is what we want you to do. But that we forget about the dynamic leadership that can make this kind of thing occur through a big system.
Thank you for your contribution. I don't have any further comments, Mr. Chairman.
The CHAIRMAN. Thank you. Mr. Stearns?
Mr. STEARNS. Thank you, Mr. Chairman. I sort of tend to think that we can solve this problem. General Motors, a large corporation, is able to keep track of their security. They set up a security database with a security chief officer. They are able to coordinate with all the plants, not just in the United States but around the world.
IBM, as I understand, is a subcontractor to you folks. And IBM has been successful in setting up internally their own IT network.
So I don't think it is without the realm of possibility. In fact, if the private sector came in and did this, wholly I suspect they could get it done.
I think Dr. Snyder's probably correct, it is one of leadership. But it is also inherently difficult with bureaucracies, because it has been decentralized. And these bureaucracies are not talking to each other. But I am optimistic that you can get it done.
In May 2006, VA experienced the largest data breach in the history of the Federal Government. In January 2007, VA Birmingham, Alabama, suffered a breach of unbelievable magnitude involving any practitioner that has ever billed Medicare or Medicaid.
My question is, is the VA data at risk today? Notwithstanding where we are, is the VA data at risk today? Can you tell me "yes" or "no"?
Mr. WILSHUSEN. Yes, it is, sir.
Mr. STEARNS. And is that agreed by all three of you? Was that pretty much the unanimous consent of all of you that the VA data is at risk?
Ms. MELVIN. Based on my understanding of the work that Mr. Wilshusen has done, I would say yes.
Mr. STEARNS. Now, Mr. Wilshusen, why don't you explain why you think it is at risk?
Mr. WILSHUSEN. Okay, certainly. First of all, I would like to note that VA has made important progress in improving its information security practices and policies. However, much more needs to be done.
For example, VA has not yet fully implemented two of our four prior recommendations, including one to complete a department-wide information security program.
In addition, it has not yet fully implemented 20 of 22 recommendations made by the Inspector General (IG) with regard to improving information security.
For example, it has not yet completed the activities to appropriately restrict access to its information, computer systems, and networks. It has not yet implemented appropriate physical security safeguards to protect its information technology resources and facilities, nor has it ensured that all authorized—that only authorized changes and upgrades have been made to computer programs.
Until these recommendations are implemented, unnecessary risk exists that personal information of veterans and others, including medical providers, such as—or such medical providers, will be exposed to data tampering, fraud, and unauthorized or inappropriate disclosure.
Mr. STEARNS. Based upon what you said, would you be willing to track the VA's progress in implementing their consolidation plan and report back to us on a regular basis?
Mr. WILSHUSEN. Yes, we would. Yes, I would.
Mr. STEARNS. What are the short-term, mid-term, long-term consequences and vulnerabilities for the delay in VA's integration and consolidation plan? And I guess—go ahead.
Ms. MELVIN. In terms of VA's centralization, the concerns that we have relate to the extent to which the Department implements the critical processes that it has identified for this initiative.
The Department has identified 36 processes that are critical or the foundation I should say to the overall—having an overall disciplined process in place that allows it to oversee and account for its IT investments.
In the immediate, we noted that the Department has, in fact, put a governance structure in place, so that they have some immediate levels of responsibility.
However, in looking out over the initiative as it continues to carry out this implementation, we have concerns from a longer term relative to how they are actually—or the progress that they are making, I should say, in actually fielding the leadership for the positions that it has. The extent or the time frame in which it would get its management processes in place.
At the same time that the Department is undertaking this realignment, as I mentioned in my statement, its systems development initiatives and programs are still being undertaken.
So in the long term, having this system in place and having it in place the sooner the better relative to its impact on the overall initiatives that it is undertaking and how effectively it can continue to move forward with those projects for systems development.
Mr. STEARNS. Have you seen any bureaucratic or cultural push back toward this implementation in the administration?
Ms. MELVIN. We have heard through our assessment that there has been concern from the clinicians, for example within the Veterans Health Administration, that in doing this, some of their innovation will be stifled.
And I think this is driven by their past experience in the initial—the development of the initial VistA system. However, what we have stated through our work is that if the Department is able to move forward and maintain momentum in terms of having an effective communication strategy in place, having the overall leadership in place relative to the many offices that it has identified.
For example, they have identified 25 offices that are being put in place to implement and execute the 36 management processes that will give it a disciplined approach to managing its investments and resources.
However, at the time of our review, those—not all of those offices had been filled. I think it is somewhere in the range of probably 15 or more either had not been filled or had been filled only in an acting capacity.
Our concern with that is that without the stable leadership, the Department does not put itself on a solid and a sustainable foundation for being able to carry through with the realignment itself. And then certainly to execute all of the processes that are necessary to carry out its investments and its projects.
Mr. STEARNS. Thank you, Mr. Chairman.
The CHAIRMAN. Thank you. Mr. Walz, your witness.
Mr. WALZ. Thank you, Mr. Chairman. And thank you to each of you for being here. It is a very important service that you provide. And every time we testify in this Committee, I think it is very important for us to always remember the ultimate goal here is the service to our veterans and making sure that is possible.
And I think I associate myself with Mr. Snyder—Dr. Snyder's comments on this. It is all too easy to point fingers at this. And this is a—this is a large task.
And I also associate myself to a certain degree with my colleague, Mr. Stearns, that I believe this can be fixed. Although his faith in the private sector seems to forget the letter that I received in June of 2005 when my MasterCard data, along with 40 million others, were compromised.
So it cuts both ways. It is a difficult task. But it is one that I think we are hitting on, and some of the questions got asked. But I just have two questions that I am concerned about.
I represent the Southern Minnesota district that includes the Mayo Clinic. And I have had a lot of talks on this issue, on the VA side of things, on the quality of the VistA system and their medical records, which is arguably the best in the world.
My concern is, and you hit on it to a certain degree, do you have a concern that any of this is going to be the movement forward we have had on the VistA system, the electronic medical records, and our push to seamless transition with the U.S. Department of Defense (DoD) is going to be affected by this realignment? If you could comment on that in your opinion.
Ms. MELVIN. Obviously, in undertaking the realignment, the key will be making sure that the Central Office of Information and Technology, which is the key point at which the centralization is taking place, is in touch, if you will, with the administration, in this case the Veterans Benefits Administration (VBA). I'm sorry, Veterans Health Administration.
And what we have seen in our work and what we have advocated through the success factors that we have emphasized as a part of our most recent study, was the need for the Department to have adequate communication and a balance relative to ensuring that the requirements, the needs of the administrations, are adequately identified, heard, and dealt with as a part of the overall efforts that are undertaken.
Obviously, that means that the Department has to get in place its main office that is identified to serve as the conduit of communication between the administrations and the central office.
At the time of our assessment, that office had not been staffed and its leadership had not been put in place. So we view that as critical to making sure that they have the necessary balance for making—for ensuring that administration needs are identified, that solutions are identified to address those needs, and that there is a necessary follow up to ensure that the delivery takes place in terms of services provided through the IT that the central office supports.
Mr. WALZ. And my—just my final question here. And this is I guess a bit more subjective. I come from—my background is in cultural studies and this issue of culture or what is there. I know when the issue came out of the data breach, I also received a letter on that as a veteran for my data breach.
And it seemed like at that point though there was a slowness to it, a reluctance to move on this. Do you get a feeling, and this as I said is very subjective? I have complimented many of the Members who have taken over on this in a very difficult time.
And I feel that there is a—maybe there is a shift in the culture of understanding this. And I am convinced that this is central before we can move forward, if they really understand that. If you may—if you could comment on that.
Ms. MELVIN. I would agree with you. Definitely key to this is the cultural transformation that is necessary, along with the actual implementation of new processes.
Key to that, again, as I have mentioned earlier, is communication. We do feel that that is one of the critical aspects that has to take place. In our work, we found that the Department has taken some efforts toward trying to improve its communication in dealing with the administrations.
But there is still more work that can be done through ensuring, as I mentioned earlier, that its business relationship management office is staffed up. That the necessary individuals are in place in positions there to serve as the conduit of communication, through actual information sharing and making sure that the users understand what it is that the Department is trying to accomplish and how they plan to do that. And the impact of how that change to centralization will affect the Department from the standpoint of identifying business requirements, addressing the requirements.
Only until they have had an opportunity to really communicate and reach agreement and understanding on those aspects will there be a cultural change, will there be what I would say is more user buy-in to this overall initiative.
Mr. WILSHUSEN. And I would just add from an information security perspective that the tone at the top has increased significantly with regard to taking corrective actions to implement effective security controls since the May 2006 data theft.
I think that was a watershed event, which really caused and highlighted the need for strong information security control. And we have seen a shift throughout the entire organization in the terms of—particularly with reporting incidents of potential data breaches or loss of information. Just prior to and subsequent to that May 2006 event, for example, the number of reported incidents doubled over the five months following it, versus the five months preceding that point.
In addition, the number of initiatives that the VA has undertaken to improve security, and they are making progress. Many of them have not yet—many of those initiatives have not yet been completed. But they are taking steps to implement stronger controls.
Mr. WALZ. Great. Well I thank you. I yield back, Mr. Chairman.
The CHAIRMAN. Mr. Brown, any questions?
Mr. BROWN OF SOUTH CAROLINA. Thank you, Mr. Chairman. And thank you to the witnesses for coming this morning. I know this is a major concern of mine and of course of all the veterans around the country.
Do you think we are—we are better off today than we were back in 2006?
Mr. WILSHUSEN. With regard to the—
Mr. BROWN OF SOUTH CAROLINA. Security.
Mr. WILSHUSEN. —security of—
Mr. BROWN OF SOUTH CAROLINA. Right.
Mr. WILSHUSEN. —their personal information, I believe VA has taken steps to improve information security. And these steps include encrypting the information on thousands of laptops, initiating a remedial action plan to identify and to take corrective steps to improve the security controls, but much more still needs to be done.
There are still significant and unnecessary risks to veterans' information. But I believe that they are taking steps in the right direction.
Mr. BROWN OF SOUTH CAROLINA. Do we have a system in place that we can identify if there is a breach at some point in time?
Mr. WILSHUSEN. Well there are technical controls that are available to look for and to detect anomalous behavior and whether or not there have been breaches, if you will, or intrusions into the systems in networks of VA.
VA, I believe, is in the process of acquiring and installing intrusion prevention systems on various devices that will help prevent and to detect such occurrences.
Mr. BROWN OF SOUTH CAROLINA. Well I believe in the past we have had like people taking their laptops home and this sort of thing. So I was just trying to—
Mr. WILSHUSEN. That is correct. And that is why the physical security controls and the use of encryption on portable media and laptops is so important, because you correctly state that many of the or several of the most significant security breaches were the result of physical theft of equipment.
And so it is important that VA first inform and train their staff on what the proper controls are over that equipment and over that information and to put in the appropriate controls to prevent them from occurring.
Mr. BROWN OF SOUTH CAROLINA. And how long do you think it will take to implement a system that we can feel comfortable with that our records are secure?
Mr. WILSHUSEN. VA, in its remedial action plan, has identified over 400 action items in which it is undertaking to improve various different aspects of information security.
Some of those actions extend out to June—or I am sorry, out to 2009. Even upon completion of those actions, many of which are to develop or update a policy or procedure, the true test of determining whether or not the agency has effective information security controls is whether or not they effectively execute those policies and procedures.
And, as my father once told me, and I am paraphrasing him now, "The road to insecurity is paved with good intentions." And developing policies and procedures shows what the management's intentions are with regard to securing information.
But it gets down to the detail of actually implementing those on a sustainable, ongoing and consistent basis throughout the organization.
Mr. BROWN OF SOUTH CAROLINA. We don't recognize the cultural education we must perform. Is there anything that we can do as Members of Congress to help expedite that process?
Mr. WILSHUSEN. Well, one, the passage of the Veterans Benefits Healthcare and Information Technology Act of 2006, I think, was a positive step forward. And in addition to holding these types of hearings, holding VA officials accountable for their actions and maintaining a dialogue with them, with you and your staffs with the VA officials to assure that appropriate actions are being taken.
Mr. BROWN OF SOUTH CAROLINA. Thank you very much.
Mr. WILSHUSEN. You're welcome.
The CHAIRMAN. Ms. Herseth Sandlin?
Ms. HERSETH SANDLIN. Thank you, Mr. Chairman. Thank you for your testimony today. I would like to pick up a little bit where Mr. Stearns had asked your willingness, GAO's willingness, to track the VA's progress and report back. And you had answered "yes." And I appreciate that.
But let me ask you this, I assume that in doing that, your job would be easier if the VA would actually dedicate an implementation team to manage the change, so that you had a team you were directly working with, which is the team within the Department that's supposed to be tracking the progress and managing the change.
So could you confirm for me that the VA has not yet acted on that critical success factor?
Ms. MELVIN. As it pertains to the realignment initiative, the VA has not put what we would desire to see in terms of a single dedicated implementation team to manage that overall effort.
It does have multiple offices designated to oversee the realignment effort. Our concern is that there is not a single body that is dedicated to ensuring that there is the necessary oversight for the—managing, for example, the schedule against goals and time frames for accomplishment. Identifying shortfalls and being able to ensure that there is a consistent coordination throughout the Department relative to how these are handled.
We feel that it is important also in terms of having some consistency through leadership changes that occur so that the Department has a voice that speaks for the overall realignment. And that ensures, from an oversight perspective, that it is occurring as it should.
Ms. HERSETH SANDLIN. So I think you answered my other question. There is no time table other than the July 2008 date upon which this is to be completed. But there is no quarterly objectives. There is no, as you said, single entity in place to help set the objectives, track the progress.
What has been the Department's reaction to your concern about the lack of that type of entity that would help effectively manage the transformation?
Ms. MELVIN. The Department has stated that it is taking some actions, for example, toward business processes in terms of identifying time frames. And they prioritized some of those. But we have not seen specific dates attached to those.
But when it comes to the realignment team in and of itself, the Department has effectively stated that it would agree to disagree with us on the need for a single dedicated team.
They have not indicated that they wouldn't have multiple teams working. But, again, our desire would be to see a single dedicated team that can ensure a coordinated oversight for this initiative.
Ms. HERSETH SANDLIN. Well, Mr. Chairman, I would just suggest that in light of the Secretary's resignation, and of course our continued hope that there is the tone at the top with the Under Secretary's, the deputy assistant secretary's, to improve the system.
I actually think that given the transition here, the lack of stable leadership at the top. And I do think Secretary Nicholson, working with this Committee, working with the Ranking Member, working with Committee staff last year when this problem presented itself and how we go about the information security objectives, I was very committed to it.
My concern is the transition. And so I think it highlights the importance of a single dedicated board, governance board, within the VA in light of that transition. And would hope that with our oversight that we can, with the testimony we will be hearing from the later panels, continue to work with them to—if you would agree.
And if the Ranking Member and Mr. Stearns and other Members of the Committee agree with the GAO assessment as I do, that a single dedicated entity is of the utmost importance in helping manage the transformation that we work through our oversight and our discussions with the VA to see that that would happen to try to stay as on top of the July 2008 deadline as possible.
And I would yield back.
The CHAIRMAN. Thank you. Just to follow up, I mean, when you say you have agreed to disagree, is there a reason? What is their reason?
Ms. MELVIN. I think they can best answer that. But in talking to them through our assessment, they feel—felt strongly that the offices that they are putting in place, and they have identified two specific offices, they feel that those offices are capable of providing the necessary oversight and coordination for this effort.
Our concern is that this is an extremely large initiative that involves many processes, that involves many layers of management and the need for solid and extensive communication throughout the organization. And certainly established time frames that can be monitored closely and that the organization have some consistency in how it measures and tracks performance toward achieving its overall goal for 2008.
The CHAIRMAN. And of the two major teams, one of them is—its top position is vacant, right?
Ms. MELVIN. Yes, that's correct.
The CHAIRMAN. Thank you. Mr. Bilbray?
Mr. BILBRAY. Thank you, Mr. Chairman. You know, Mr. Chairman, all the concerns about the information systems kind of reminds me of the fact that ever since man started messing with technology, there has been a fear of it, and a threat of it, and, obviously, an opportunity.
I mean, fire would be a good example. I think that there are a lot of people in Washington if they had been the caveman with the first fire, it would have been outlawed, restricted, and banished from the world.
I think the keys we are looking for though is that we first of all needed something that is expandable and transformable. It has got to be able to adapt to the situations.
And actually the Chairman and I went through years in local government working the same issue, the city of San Diego, trying to work out emergency response information systems, the county doing the same thing. And Mr. Chairman, I would just like to let you know that though you worked hard at the city, the city now has accepted that the county system is so much more effective and is adopting that system for their emergency information system. To have—I can't pass up the chance to take a cheap shot.
My question to you though, the laptop situation was sort of interesting. With all the encryption on there, wouldn't it be so much more secure if with these mobile information modes, that only the person who is authorized to use that or who supposedly has it delegated to them, if the technology was there to where only they could activate the system, wouldn't that be even a step further in securing the information of the veterans?
Mr. WILSHUSEN. Yes, it is. Certainly that would be like the first step in protecting sensitive information is to make sure that only those individuals who have a legitimate business need for access have access.
And once that is granted, then to have other controls to enforce that level of access. And then also to protect the information such as using encryption and other technologies to protect it—while it is being stored on laptops and other devices.
Mr. BILBRAY. How many of our mobile and how many of our stationary now are going or do have biometric access control systems?
Mr. WILSHUSEN. I don't know the precise number in terms of how many of the laptops or other devices have biometric capabilities on them at VA.
Mr. BILBRAY. Many laptops have as an option biometric access that have had it for over a decade. And after what happened with the laptops, I just think it is almost like any businessman would say we are going to go to this option now, just as a matter of fact.
And I would really challenge, if we haven't done it, why we haven't done it. And really look at the fact that here is those simple little things that the private sector would be doing at the snap of a hat. But we are always lagging behind in the hope that we will go over to that.
I mean, frankly, I don't know of a major manufacturer of a laptop who does not provide the option that a thumb print can be used as the primary access before the machine would even turn on. And I would sure like to see if we are moving forward with those little things that can really make a difference.
If somebody steals a laptop and can't even turn the thing on, that is even better than encryption control.
I yield back, Mr. Chairman.
The CHAIRMAN. Thank you. Mr. Hare?
Mr. HARE. Thank you, Mr. Chairman. I apologize for getting here a little bit late. I had another meeting. So if you have covered these, I hope you will bear with me. But I am just interested in the answers that you might have here.
What are the main reasons that you found for lack of a single integration team to oversee this implementation?
Ms. MELVIN. The main reason was that the Department, as I mentioned earlier, just felt that it had the necessary offices in place to carry out the oversight and monitoring of the implementation.
But, again, as was stated previously, one of those offices is vacant at this time. And our concern is that with the magnitude of this overall effort, there is a need for a coordinated oversight through a single dedicated implementation team.
Mr. HARE. Do you think there is a correlation between the lack of staffing in these key leadership positions and the delay in establishing the management processes?
Ms. MELVIN. I think it is certainly—if it has not had an impact, will have an impact on the Department's ability to meet its time frames for getting the processes in place. The individuals that it has identified and the offices that it has identified are the ones that are supposed to implement and execute these processes.
The Department has acknowledged that they are behind in doing that. But we do feel strongly that it is important to have the staff there to carry out the processes or you are unlikely to have a disciplined approach to managing the investments and resources.
Mr. HARE. What other hitches do you think—what are the other hitches that are causing the delay in developing the 36 management processes?
Ms. MELVIN. I am sorry, what are the delays?
Mr. HARE. What other hitches are causing do you think—
Ms. MELVIN. The issues that are causing it?
Mr. HARE. Uh-huh.
Ms. MELVIN. What—in talking with VA's management, we were told that—and quite frankly they do recognize that they are behind in implementing the processes. What they identified were some concerns relative to really the definition of the processes that the contractor recommended for them. And the need to redefine and reassess what those processes were relative to their offices in place.
Also they identified the need to really look at the processes relative to responsibilities and ensuring that they clearly discerned which offices would be responsible for key activities under those processes.
And in some cases, they are still clarifying who has key responsibilities. The Office of Information and Technology won't have full responsibility, for example, for all of the financial management processes, as the Department has an office of management that oversees its overall budget. So they are working through those issues.
And then as you mentioned earlier, a key concern of ours was the—that the 25 or so offices that they have identified to implement and execute the processes have not yet been fully staffed and don't all have full leadership to direct them.
Mr. HARE. Have they indicated when they would be staffed?
Ms. MELVIN. When they will be staffed?
Mr. HARE. Mm-hmm.
Ms. MELVIN. We did not get information on when they would be staffed.
Mr. HARE. Okay.
Ms. MELVIN. They did indicate that they were looking into the staffing. That they saw this as a difficult process that they would need to work through.
Mr. HARE. Thanks. And my last question is how much collaboration and communication did you find that there is or is not between the two implementation teams?
Ms. MELVIN. I believe that the implementation teams are collaborating with one another. I don't think our assessment looked fully at exactly how all of the collaboration is occurring.
We do maintain, however, that there has to be collaboration across those. And it has to be extensive relative to the processes, relative to the overall staffing of the offices that need to take place.
Again, however, from our standpoint, we would like to see more assurance that there is the necessary coordination that would be gained through having a single devoted body to overseeing this effort.
Mr. HARE. Okay. Thank you very much. I yield back, Mr. Chairman.
The CHAIRMAN. Thank you. Ms. Brown-Waite?
Ms. BROWN-WAITE. Thank you very much. I had votes in Financial Services. And that is why I was late.
I don't care which one answers this. And you may or may not have the information with you. But I understand the VA says that they have encrypted 16,000 laptops. Is that correct?
Mr. WILSHUSEN. I am not aware of that particular number. But they have an initiative underway where they are encrypting thousands of laptops. I don't know if 60,000 is the correct number.
Ms. BROWN-WAITE. No, 16.
Mr. WILSHUSEN. Oh, 16.
Ms. BROWN-WAITE. That they have encrypted—
Mr. WILSHUSEN. Okay.
Ms. BROWN-WAITE. —16,000, which brings me to the other part of my question. If it is 16,000, that is out of how many laptops that the VA has?
Mr. WILSHUSEN. Well—
Ms. BROWN-WAITE. Do you—
Mr. WILSHUSEN. —the total number of laptops, I don't have that information. But I do know there is a sizable number of laptops that have not been encrypted. Many of these are being considered medical devices.
And right now the VA's policy is not clear as to which devices or laptops should, in fact, be encrypted. And that is one of the recommendations that we are making that they clarify that policy.
Ms. BROWN-WAITE. So medical information may be out there without encryption. Is that what you are—
Mr. WILSHUSEN. That would be the case.
Ms. BROWN-WAITE. Okay, another question. There are many instances where there are laptops not owned by the VA but used by VA personnel, and/or perhaps contractors, or the VA research communities. Are they still unencrypted?
Mr. WILSHUSEN. I don't know. Our assessment did not look at the encryption of non-VA equipment. But if individuals or contractors have sensitive Veterans Administration information or sensitive veterans' information on them, on behalf of VA, those laptops should be protected to the same level as required by VA.
Under the Federal Information Security Management Act, VA is responsible for assuring that the systems and equipment that are being operated on its behalf by others, should be protected to prevent and protect against unauthorized use, access, and disclosure of information.
Ms. BROWN-WAITE. Let me ask another question. There is a program out there that you can buy. It is called "Go to My PC." If a VA employee is at home and uses this kind of a "Go to My PC," and there may be confidential information on their personal computer (PC) at the VA workplace, can they gain access to their PC in the VA workplace from a remote location?
Mr. WILSHUSEN. Well I am not familiar with the specific program, but—that you mention. But certainly implementing appropriate controls over remote access to VA information on VA devices is a consideration that VA needs to address and implement appropriate controls. Obviously, there are a number of individuals within the VA community that do access information remotely. And assuring