Does VA’s Plan for Fixing Cyber Weaknesses Take Too Long?

The Department of Veterans Affairs’ top tech official says the agency has a plan to close long-ignored watchdog recommendations for improving information security -- but it’ll take some time.

Testifying March 16 before the House Oversight and Government Reform Committee, VA Chief Information Officer LaVerne Council said her team plans to implement all recommendations identified by the agency’s inspector general -- some of them going back years -- by the end of 2017.

She aims to adopt about 30 percent of the recommendations by the yearend. 

"We have made significant progress in improving our cybersecurity posture,” Council testified, pointing in part to increased budgets. “For the first time, our security efforts are fully funded and resourced.”

In its fiscal 2017 budget request, VA is seeking to nearly double its information security spending -- from about $180 million to $370 million.

Council rolled out a new departmentwide cybersecurity strategy last fall. In addition, during the 30-day “cybersecurity sprint” initiated by the White House after the massive Office of Personnel Management breach, VA exceeded targets for reducing the number of privileged users and implementing multifactor authentication.

Still, in the latest version of an annual cybersecurity scorecard required by the Federal Information Security Management Act, the IG -- for the 16th year in a row -- cited IT security as a “material weakness.”

Rep. Will Hurd, R-Texas, who otherwise praised Council’s performance as CIO, suggested the timeline for implementing what he described as “fairly basic cybersecurity best practices” was too sluggish.

"Two years is too long, and I think we can do better," Hurd said.

Commercial Scheduling Software ‘On Hold’

Council also discussed the agency’s plans to roll out new software designed to improve the scheduling of veterans’ medical appointments at VA clinics nationwide.

Starting next month, VA will launch system updates to VA’s homegrown electronic medical record system known as VistA as well as a new system that allows VA employees to schedule appointments via a mobile app.

Notably absent from VA’s short-term planning, however, is the Medical Appointment Scheduling System, an effort to replace outdated in-house scheduling software with commercial, off-the-shelf technology. VA even awarded a 5-year, $624 million contract last August to two companies -- Epic and Systems Made Simple -- to provide the technology.

But Council said the department could end up putting the commercial option on hold indefinitely.

“The idea was that if these could not deliver,” -- the VistA upgrade and the mobile app -- “that we would have through MASS … an ability to move forward.”

Council added, “Right now, if these new products roll out fine, we will stay with those new products."

In the spring of 2014, revelations of long wait times experienced by veterans seeking care led to led to outrage on Capitol Hill, a series of investigations and resignations of officials, including top leadership. Along with outright manipulation by employees, officials blamed antiquated technology.

"Obviously, VA has had some history, trouble with their scheduling systems, so changes need to be made,” said Michael Bowman, the director of the IG’s information technology and security audits division. “I think the question is whether or not they're worthwhile investments and whether or not they're going to have an immediate impact to help with the scheduling. So, pursuing these makes a lot of sense. But whether or not you're going to see an immediate impact -- that's really the question."