WASHINGTON — The management and upkeep of information technology structures has historically been a challenge for federal agencies.

IT is a field where systems evolve quickly, often as a result of new security needs. Federal agencies, on the other hand, move relatively slowly, being required to go through layers of approval before major decisions can be made, much less implemented.

For VA, the second-largest federal agency and one that has complex IT security needs, this challenge has been especially difficult. With more veterans taking advantage of telehealth programs, more veterans demanding easy electronic access to their records, and with the impending replacement of VistA, VA’s electronic healthcare record, those challenges will only grow.

However, with a new cybersecurity program being implemented nationwide and by actively incorporating lessons learned by DoD and the private sector, VA says it believes the agency can keep up with growing IT security demands.

According to VA, as of October 2016, there were 576 active or in-development IT systems in the department’s inventory. These systems are used for the determination of veterans’ benefits, processing of benefits claims and accessing health records, among other services. Of these, 319 are being used primarily by the VHA, with 244 of them considered mission-related to veterans’ healthcare delivery. VistA alone is made up of more than 200 applications that assist in healthcare delivery and other functions such as enrollment, financial management and registration.

The sheer number of systems, along with variations in how each medical facility implements cybersecurity procedures, has resulted in a number of less-than-stellar audits of the department’s IT systems.

Appearing before Congress last year, VA Office of the Inspector General (OIG) officials testified that they found VA seriously lacking when it came to overseeing the security of its systems, noting that the age of some systems and the variation from facility to facility were partly to blame. The investigators also found weaknesses in how systems were configured, how access was controlled, and in the timely updating of passwords and installation of security patches.

VA’s OIG had made similar findings as early as FY 2000. At the time of last year’s audit, there were more than 100 open IT security recommendations OIG had made to VA officials, 25% of which had been on the books for over three years. The FY 2017 audit, released last month, has 29 recommendations, many of which are repeats or modified repeats from previous years.

Many of those recommendations revolve around ensuring that existing security procedures are followed uniformly across all VA facilities and that VA implements a risk-management structure that can identify, monitor and manage cybersecurity risks across the entire department.

A recent example of the need for VA to strengthen its cybersecurity was unearthed by the OIG in February at the Orlando, FL, VAMC. An OIG investigation found that the medical center had set up its wireless Veterans Service Adaptable Network (VSAN) without coordinating its efforts with the Office of Information and Technology (OI&T). According to the report, local OI&T staff did not effectively oversee the project and did not evaluate security protocols.

The result was that the VSAN implementation, which was designed to deliver standardized guest internet access across all VHA facilities, left the medical center’s systems open to unauthorized access and put veterans’ healthcare information at risk. According to OIG, the problem was discovered before any unauthorized access could occur.

Turning a Corner

According to VA, the department is turning a corner in cybersecurity. At a congressional hearing in December, VA’s OI&T Chief Scott Blackburn testified that VA had resolved the lingering recommendations from previous audits and is making cybersecurity a higher priority moving forward.

Blackburn testified that VA’s new Enterprise Cybersecurity Strategy Program (ECSP) would give VA the tools to better secure its systems. “With the establishment of the ECSP, we are embarking on a change in mindset of how to manage cyberrisk,” he said. “Through the ECSP, we will make prioritized, defensible decisions related to the implementation of cybersecurity projects.”

Asked by U.S. Medicine how this advances VA’s cybersecurity practices, a VA spokesperson explained, “The ECSP [better] aligns VA’s policies with federal priorities and requirements. By moving away from a checklist approach and framing VA’s strategy around risk management, VA is taking a proactive approach to mitigating IT security risks.”

As to how this approach can avoid security flaws such as the one at the Orlando VAMC, the spokesperson responded, “VA is committed to maintaining the same security standards at each and every facility. The ECSP establishes policies and procedures that will be followed at every VA facility nationwide, so that each VA site has the proper guidance for cybersecurity-related issues.”

While the ECSP might put VA on the right track toward effective IT security nationwide, the size of the VA puts a limit on how quickly improvements will be seen. In its most recent audit, OIG recognized that VA has implemented many new enterprise cybersecurity improvements over the past year. Those include reducing the number of individuals with outdated background investigations, expanding enforcement of two-factor authentication and improving security risk monitoring.

But such improvements cannot happen overnight, the OIG audit noted. “The aforementioned controls require time to mature and demonstrate evidence of their effectiveness. Accordingly, we continue to see information system security deficiencies similar in type and risk level to our findings in prior years and an overall inconsistent implementation of the security program.”

First adopted by VA in 1994, the VistA electronic health record (EHR) system has been praised by users for its functionality and customizability. Proponents of the system say it remains the best option for VA medical facilities, that it has been a proven success, and that the ability to customize it to fit each facility’s needs reflects the differences among medical centers throughout the country. VistA’s critics point out that, with each passing year, the system’s age makes it both more expensive to maintain and more susceptible to security flaws.

As VA has wrestled with the modernization of its EHR, it has also struggled with achieving interoperability with DoD’s electronic records system. The goal has always been the seamless transition of patient healthcare information from DoD to VA. But over the years, the path to achieving that goal has shifted considerably.

In 2001, VA implemented an overhaul of VistA called the HealtheVet initiative, which was designed to standardize the department’s IT system across all locations by 2018. In 2008, the OIG reported progress but noted significant management problems with the effort. In 2009, VA terminated the initiative, with officials explaining that they wanted to strengthen agency oversight of IT projects across the board.

In 2011, VA began its second modernization initiative—the iEHR initiative—in conjunction with DoD. The program was intended to replace the two separate EHR systems used by the departments with a single, shared system, which the agencies hoped would sidestep interoperability issues. However, in 2013 the departments abandoned the plan, citing concerns that it would cost too much and take too long to implement.

In 2013, VA initiated its VistA Evolution program as a joint effort between VA and the OI&T. The program was designed to modernize the department’s current health IT systems and increase interoperability with DoD and private healthcare sector partners. In the ensuing years, the program met several of its goals, including providing a real-time view of EHR data to providers, releasing a web-based user interface that assembles patient data from VistA and DoD, and continuing to standardize VistA across VA facilities.

Then, in June 2017, then-VA Secretary David Shulkin announced that VA would be piggybacking on DoD’s recent contract with Cerner—a health information and EHR technologies company—to design a new DoD EHR. VA would contract with the company to use the same EHR for VA facilities. The reasoning was that, by using the same system, information sharing would be much easier.

DoD’s contract with Cerner was for $4.3 billion, with the total amount expected to grow by the end of the 10-year contract. VA’s healthcare system is about three times larger than DoD’s, and, as of March 2018, the cost of the proposed VA contract with Cerner could be as much as $16 billion.

That steep price tag is still preferable to the alternative, VA officials said. Blackburn told Congress in December that replacing VistA is a must and that the 10-year cost of upgrading and maintaining the current EHR to industry standards would be approximately $19 billion.

“VistA is in many ways like the car that we love and don’t want to trade in, though it is now costing us way too much money to maintain,” Blackburn said in his testimony.

While Shulkin’s departure from VA prior to the signing of a contract with Cerner leaves the initiative on uncertain footing, VA says it is actively partnering with DoD when it comes to the cybersecurity needs of the potential new, shared EHR.

“We intend to leverage the architecture, tools and process that have already been put in place to protect DoD data,” a VA spokesperson explained. “We’re collaborating with DoD working groups, including information protection and security engineering groups to achieve a common set of best practices.”

The new DoD system—the MHS Genesis—was deployed as part of a test rollout to sites in the Pacific Northwest beginning in February 2017. The full development phase of the project is expected to begin next year. In the interim, DoD is learning how the system functions within its facilities and what cybersecurity needs exist. It’s VA’s hope that DoD learning those lessons now will result in a quicker, smoother implementation when it’s VA’s turn.