Acting VA CIO Neil Evans, MD

WASHINGTON — For years, VA has struggled to secure its IT systems, with cybersecurity appearing as a persistent weakness in inspectors’ reports.

The department has said it believes that one of the steps toward making progress is addressing the buildup of outdated technology and software, or “technical debt,” that VA has accrued over the decades. VA estimates the total cost of fixing that current debt at $1.3 billion. 

In June, VA announced that it would begin tackling that debt for the first time, building dedicated funding into the VA budget to do so. However, legislators expressed doubts about VA’s long-term ability to see that effort to completion. 

Fueling those doubts is a recent VA Office of the Inspector General (OIG) report that focused on a VA clinic that was unable to accurately identify system weaknesses or even provide a complete inventory of its own computer equipment. Also giving the legislators pause is yet another new person in the VA Chief Information Officer (CIO) role—the ninth since 2009 and the fifth in the last five years. 

“I’m concerned about VA’s ability to protect the information of veterans, as well as to prevent disruptions in service,” declared Rep. Frank Mrvan (D-IN) at a House VA Subcommittee on Technology Modernization hearing last month. 

Asked how VA plans to pay for the elimination of its technical debt over the long-term, Todd Simpson, VA’s deputy assistant secretary of DevSecOps, told Mrvan and the subcommittee that the only way to achieve the goal was by steady effort and by regularly adding funding for that effort into VA’s base budget. 

“Building the funding into the base budget and continuing to allocate the funds into the Infrastructure Readiness Plan (IRP) is the only way that we’re going to attack the $1.3 billion in technical debt that is part of the IRP,” Simpson said. “It’s got to be a persistent effort, and it will take a disciplined steady approach to do that.”

Incomplete Information

Legislators questioned whether that effort was enough, especially if the VA is working with incomplete information. An OIG review of a VA outpatient clinic in Austin found that during its regular, random scanning of the clinic’s network, VA’s Office of Information Technology (OIT) failed to discover 150 of the 246 network vulnerabilities that were eventually identified by investigators. Also, an inventory provided by OIT listed 944 technology components at the clinic—less than half of the 1,985 that were actually present. 

According to VA, this disparity was mostly due to a misunderstanding with investigators over the scope of their investigation and what exactly they were looking for. However, OIT officials recognized that VA could improve the accuracy of how it oversees its vast computer network.

“VA has 1.4 million endpoints, and the inventory of those are across several inventory databases. In management of those, there’s a challenge there, and we’re definitely working on developing a more seamless way to inventory our equipment and sharing that information when we have assessments,” explained Paul Cunningham, VA chief information security officer. “Can we do better? I think that’s a fair assessment. Is it a fair assessment that we don’t know where all of our equipment is? I don’t think that’s truly a fair assessment. Part of the efforts we’re putting into modernizing is increasing the fidelity in our ability to manage and track and avoid the double counting of equipment.”

In August, Acting VA CIO Neil Evans, MD, replaced Acting CIO Dominic Cussatt, who had been in the position since January. Because the position requires Senate confirmation, there is a tendency for the role to be held by “acting” officials for years at a time. Six of the last nine CIOs were never confirmed by the Senate. 

The Government Accountability Office (GAO) has identified the high turnover at OIT as a root cause of the failure of many of VA’s large IT projects. Without consistent leadership and vision driving a project that might span many years, the effort can fizzle. Legislators were worried that this could include VA’s effort to address its technical debt, not to mention the Electronic Health Record Modernization (EHRM) project. 

When legislators probed whether Evans planned to provide a vision and act as a driving force, Evans assured them that, regardless of how long he was in the role, he would not merely be a seat-warmer. His vision, he said, was of a VA information system that was not just functional but made people happy to use. 

“At the top line of my strategy and priority scheme is focusing relentlessly on the needs of our users,” Evans explained. “Increasingly technology is a part of how we in society access resources. … When we focus on the needs of the user, whether that user be a front-line clinician, whether it be somebody in the VBA who is adjudicating benefits applications and most importantly when that person is a veteran or a caregiver or somebody involved in the care of veterans, our information technologies should be designed to provide, frankly, delight. We should be delivering experiences that are consistent with our vision of what a modern VA should look like.”