WASHINGTON—High turnover among leadership, gaps in accountability, and long-standing problems in cybersecurity represent significant challenges for VA in its ongoing efforts to improve its IT infrastructure, oversight officials told legislators last month.

These challenges will prove particularly dangerous as VA embarks on a new shared electronic health record system with DoD—its fourth attempt at creating a shared system in the last 20 years.

Officials from the Government Accountability Office and VA’s Office of Inspector General were blunt in their assessment of VA’s deficiencies at a hearing before the House VA Subcommittee on Technology Modernization last month.

“VA’s management of IT system modernization efforts continues to be high risk,” explained Carol Harris, GAO’s director of IT Acquisition Management. “VA’s track record of delivering failed or troubling IT systems is a large part of why we designated VA healthcare as a high risk area for the federal government in 2015.”

The most critical problem VA faces is its high turnover rate in the chief information officer position. The Senate confirmed James Gferer, the current CIO, on Jan. 3, making him VA’s fifth CIO in the past five years and its 10th since 2004.

“Our work has shown that a CIO has to be in office roughly three to five years to be effective and five to seven years for any significant change to take hold in any major public organization,” Harris explained.

While high CIO turnover is common among federal agencies, VA’s average rate of a new CIO every two years rates among the worst. With no single continuing leader overseeing VA’s IT efforts, initiatives can stall or languish in development phases.

VA’s OIG found lack of accountability to be a common theme when it comes to problems plaguing VA’s IT efforts. “When it’s time to make final decisions about an initiative or an application, there’s nobody there to do that. So it stalls the initiative,” explained Brent Arronte, VA’s deputy assistant inspector general. “The initiatives tend to be pushed out the door when they’re not ready. So we end up seeing functionality problems with those programs as they mature. And then they try to fix it in flight, so to speak, and they struggle with that. I think they struggle with program management across the board. And with such turnover in [the CIO position], it’s difficult for VA to support and drive IT innovation.”

Harris applauded the administration’s recent decision to make the CIO position directly accountable to the VA secretary, however. This effectively raises the profile of the position and could help with recruitment and retention, she said.

Accountability Issues

Legislators have been particularly concerned about accountability issues when it comes to VA’s electronic health record modernization project. Specifically, they have urged VA to define the role of the VA/DoD Interagency Program Office in overseeing the project. In January, VA officials said they were searching for someone both VA and DoD could agree on that would be placed in the role of final arbiter on EHR-related conflicts.

This is not a decision that can wait much longer, Harris warned. “The IPO as it’s currently operating is not an effective office for being that central point of accountability. You have two departments who are unwilling to relinquish control to a third party to make those decisions. I think that this is the most important recommendation that we have made for the EHRM program. If DoD and VA cannot formalize a process for how they will adjudicate these really tough issues, they are going to fail again in this fourth attempt at integrating their systems.”

Another major concern by the oversight agencies is VA’s reliance on outdated technology. Approximately 80% of the $4.2 billion allocated to VA’s Office of Information Technology is spent supporting legacy systems—systems relying on outdated technology. These will only grow more expensive over time as replacement parts become more expensive and VA has to spend more to take care of old code. Older systems also are less secure than modern ones.

In May 2016, GAO issued a report on legacy systems in use by federal agencies. It identified two of VA’s systems—its Personnel and Accounting Integrated Data system and its Benefits Delivery Network system—as being among the 10 oldest systems among the agencies audited, both clocking in at over 50 years old. In May 2018, VA released a Comprehensive Information Technology Plan that included a detailed roadmap of key programs and systems required for modernization. The plan included time frames, activities to be performed and functions to be replaced or enhanced and indicated that it would be decommissioning its two oldest systems.

Harris noted that, for this plan to get traction, however, it would require strong, consistent leadership in the CIO position.

Inconsistency at the CIO position impacts VA’s budget in other, more immediate ways. When one legislator noted that the $4.2 billion in VA’s IT budget does not include all VA IT spending and wondered why that was, Arronte said that he had asked the same question of VA’s chief financial officer.

“We asked the CFO at the time why there’s a specific line item for the hospitals or the VAMCs or the VISNS to purchase equipment without going through the CIO,” Arronte testified. “We were told it takes the CIO’s office too long to approve equipment we need right now.”

The consequences of having IT activities the CIO is unaware of can include cost overruns, duplication of IT acquisitions and security threats. “If you’re unaware of this equipment, you can’t place security on it,” Arronte said. “You can’t track it.”