Hon. Harry E. Mitchell, Chairman, and a Representative in Congress from the State of Arizona
This hearing will come to order.
Thank you all for coming today. I am pleased that so many folks could attend this oversight hearing on VA information technology inventory issues. We know that VA has serious problems with keeping track of its IT inventory. This is not just a dollar issue, although it certainly is that. It is also a security and privacy issue. VA’s inventory deficiencies mean that VA cannot ensure that private medical and other information belonging to the nation’s veterans remains private.
We are going to begin today by hearing from the General Accounting Office concerning GAO’s report, Inadequate Controls over IT Equipment at Selected VA Locations Pose Continuing Risk of Theft, Loss, and Misappropriation, released just today, showing the results of its testing of inventory systems and procedures at four VA locations. The results are not pretty. As you can see from the chart, the sample locations GAO tested show that from 6 to 28 percent of IT items listed as being in inventory could not be located. The Washington, DC VA medical center could not find an astonishing 28 percent of the IT items on inventory. The missing items at the four locations had a combined value of $6.4 million.
Sad to say, this is not a recent problem. In July 2004 GAO reported that the six VA medical centers it audited did not have reliable property databases. GAO followed up on these sites as part of its current report and concluded that more than $13 million in IT equipment was still missing from those sites. Incredibly, an inventory being conducted by one of the sites in response to the 2004 GAO report is still not completed.
If this were not bad enough, GAO further reports that VA has seriously flawed policies and procedures. Again, the chart illustrates the extent of the problem. One line says “incorrect user organization” – that means the inventory system incorrectly identified to whom the equipment was assigned. Look at the numbers – 80 percent at the Washington DC medical facility, 69 percent in Indianapolis, and 70 percent in San Diego. VA’s central headquarters does better – “only” 11 percent, but more than makes up for this with the physical location of 44 percent of its IT equipment misidentified in its inventory database.
The issue of security could not be better illustrated than by the photograph you see over there. That photograph is of an IT equipment storeroom at VA’s central headquarters. It seems hardly necessary for GAO to have pointed out that this storeroom did not meet VA’s requirements for motion intrusion detection, alarms, secure doors, locks, and special access keys.
Security is no small matter, and we are not concerned only about hardware. GAO found hard drives at two of the four locations that were designated as excess property to be disposed of that still had hundreds of veteran names and social security numbers. This is completely unacceptable.
I can assure you, we will all be back here. We intend to ask GAO to conduct another check of VA’s inventory system in a few months time, and if another hearing turns out to be necessary, we will have one.
Last week, Ms. Brown-Waite and I sent a letter to the VA requesting copies of the most recent annual equipment inventory certification letters from all facility directors. We also requested a list of all facility directors who did not provide certification for completing their annual inventories. I would like to thank the VA for their prompt response to this request.