House panel presses VA CIO about info security

LaVerne Council, the top tech official at the Department of Veterans Affairs, updated lawmakers on cyber challenges facing the agency.


Technology watchdogs in the House of Representatives quizzed Department of Veterans Affairs CIO LaVerne Council about agency modernization and information security at a March 16 hearing, set against the release of yet another disappointing FISMA report from the agency's Office of Inspector General.

"The modernization of the VA's legacy technology is a real concern that is affecting millions of veterans. Systems are unsecure, inefficient and inoperable," said House Oversight and Government Reform IT Subcommittee Chairman Rep. Will Hurd (R-Texas).

The current IT programs at the VA are still exposed to potential performance problems and cost overruns. According to Brent Arronte, the deputy assistant inspector general for audits and evaluations, 57 of the 69 information security recommendations made to the VA still remain open. Out of those, 17 are what he called "repeat recommendations" and 13 are "modified repeat recommendations."

The VA has a history of failing the annual audits required under federal IT law, but Council told lawmakers that things are looking up. Council, who started at VA in July 2015 and was on the job for fewer than two months of the period covered by the FISMA report, said she hoped to close all open information security recommendations by the end of 2017. She described the Office of Information and Technology at VA as a place where "everyone wants to sort of roll their sleeves up and get it right."

"We have made significant progress in improving our cybersecurity posture," Council told the panel.

Some outstanding recommendations include fully implementing two-factor authentication for local and remote access to VA systems; improving security patching to reach all devices; encrypting all sensitive data as it moves across VA networks; and improving access controls and restricting user access to only needed systems.

"We remain concerned that continuing delays in implementing effective corrective actions to address these open recommendations can potentially contribute to reporting an information technology material weakness for this year’s audit of VA’s consolidated financial statements," Arronte wrote in the OIG report.

Vista Question Looms

In previous hearings this year, Council noted that it was time to "take a step back" from VA's planned modernization of its homegrown Vista health record system. That modernization plan, conceived in 2014, has been overtaken by new developments in the VA's health care delivery plan, including increased focus on mobility, security, women's health and connections with private sector providers.

But some lawmakers remain skeptical of the pause.

"While I certainly appreciate big thinking, especially in government IT, I have to ask whether or not this is another example of the VA taking a U-turn on a substantial IT investment," Hurd asked Council. "We have been down this road before with the effort to make the electronic health records of the DOD and the VA interoperable. Is Vista going to end up in a multi-year investment that never delivers the functionality that the VA's health care providers need?"

Council remained optimistic throughout the hearing but also acknowledged to legislators that "we must do more," and said VA must continually innovate the digital health platform.