[Senate Hearing 110-]
[From the U.S. Government Publishing Office]


                                                          S. HRG. 110-  

                        HEARING ON THE CURRENT STATE OF 
                          AFFAIRS FOR INFORMATION TECHNOLOGY 
________________________________________________________________________



 
                                   HEARING 


                                 BEFORE THE 


                    COMMITTEE ON VETERANS' AFFAIRS 

                         UNITED STATES SENATE 


                       ONE HUNDRED TENTH CONGRESS 

                                FIRST SESSION 

                                 __________

                             SEPTEMBER 19, 2007 

                                 __________


Printed for the use of the Committee on Veterans' Affairs 











Available via the World Wide Web:http://www.access.gpo.gov/congress/senate 







                                   _________

                      U.S. GOVERNMENT PRINTING OFFICE 
                      
39-599 PDF                    WASHINGTON : 2007 
_________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area 
(202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001



















                                 COMMITTEE ON VETERANS' AFFAIRS 

                               DANIEL K. AKAKA, Hawaii, Chairman 

JOHN D. ROCKEFELLER IV, West Virginia RICHARD M. BURR, North Carolina, Ranking 
PATTY MURRAY, Washington               Member 
BARACK OBAMA, Illinois                LARRY E. CRAIG, Idaho, 
BERNARD SANDERS, (I) Vermont          ARLEN SPECTER, Pennsylvania 
SHERROD BROWN, Ohio                   JOHNNY ISAKSON, Georgia 
JIM WEBB, Virginia                    LINDSEY O. GRAHAM, South Carolina 
JON TESTER, Montana                   KAY BAILEY HUTCHISON, Texas 
                                      JOHN ENSIGN, Nevada 
                                 WILLIAM E. BREW, Staff Director 
                               LUPE WISSEL, Republican Staff Director 






























                                             (II) 




















                                   C O N T E N T S 
                                      __________


                                     SEPTEMBER 19, 2007 

                                         SENATORS 
                                                                    Page 


Akaka, Hon. Daniel K., Chairman, U.S. Senator from Hawaii .......     1 
Burr, Richard, Ranking Member, U.S. Senator from North Carolina..     2
Murray, Patty, U.S. Senator from Washington .....................     4 

                                         WITNESSES 

Howard, T. Robert, Assistant Secretary for Information and Technology, U.S. 
 Department of Veterans Affairs; accompanied by Paul A. Tibbits, M.D., 
 Deputy Chief Information Officer, Office of Enterprise Development, Office 
 of Information and Technology, U.S. Department of Veterans Affairs; and  
 Ray H. Sullivan, Director of Field Operations, Office of Information and 
 Technology, U.S. Department of Veterans Affairs .................    5
   Prepared statement ............................................    8 
   Response to written questions submitted by: 
     Hon. Daniel K. Akaka ........................................   10   
     Hon. Bernard Sanders ........................................   12
Melvin, Valerie, Director, Human Capital and Management Information 
 Systems Issues, U.S. Government Accountability Office; accompanied 
 by McCoy Williams, Director, Financial Management and Assurance 
 Team, U.S. Government Accountability Office; Gregory Wilshusen, 
 Director, Information Security Issues, U.S. Government Accountability 
 Office; and Barbara Oliver, Assistant Director, Information 
 Technology, U.S. Government Accountability Office ................  29 
   Prepared statement .............................................  31 
Lucas, Stephen M., Director, James A. Haley; VA Hospital and Clinics, 
  Tampa, Florida ..................................................  64 
    Prepared statement ............................................  65 
Graves, Kim, Special Assistant to the Under Secretary for Benefits, 
  U.S. Department of Veterans Affairs .............................  67 
  Prepared statement ..............................................  68 
Glaser, John P., Vice President and Chief Information Officer, 
  Partners Healthcare .............................................  71 
   Prepared statement .............................................  73 










                                   (III)
                                   





















 
HEARING ON THE CURRENT STATE OF AFFAIRS 
FOR INFORMATION TECHNOLOGY 
WITH VA 
                                   ___________

         WEDNESDAY, SEPTEMBER 19, 2007

U.S. SENATE, 
COMMITTEE ON VETERANS' AFFAIRS, 

 
Washington, DC. 
The Committee met, pursuant to notice, at 9:29 a.m., in room 
562, Dirksen Senate Office Building, Hon. Daniel K. Akaka, Chairman 
of the Committee, presiding. 
Present: Senators Akaka, Murray, and Burr. 
OPENING STATEMENT OF HON. DANIEL K. AKAKA, CHAIRMAN, 
U.S. SENATOR FROM HAWAII 
Chairman AKAKA. Aloha and welcome to all of you today to this 
hearing on the state of information technology within the Department 
of Veterans Affairs. 
Before we get started, I take this opportunity to welcome the 
Senators of this Committee. I look forward to working closely with 
them and look forward to that, as well. You all know that we have 
a long history of bipartisan work on this Committee, and I am sure 
that this will continue. 
Over the past several years, this Committee has held multiple 
oversight hearings on VA IT issues. Often, these hearings have 
been in reaction to public failures of IT, including last year's data 
theft. This year, as we talk about seamless transition, we also 
think about IT and how we can do that, as well. 
Lost in the outcry about these failures was the recognition that 
while IT can help VA in many ways, it is only a tool, not an overall 
solution to a problem or a need. Without competent management, 
sound business practices, trained users, and a clear idea of desired 
outcomes, IT not only fails to be an asset, it can even become part 
of the problem. 
A recent VA IG audit that I requested on waiting times at VA 
facilities is a good example of how IT can and cannot be used. The 
investigation looked into the disconnect between what VA managers 
tell us about waiting times for VA appointments-that there 
are virtually none-and what veterans and stakeholders tell us 
about the existence of long lines. What the IG found was problems 
with the accuracy and completeness of the waiting lists, lists that 
are generated from VA's electronic health care records system. VA 
responded to the IG's findings in part by suggesting that new computer 
software will solve the problem. This is not an exclusive answer.  
 Unless and until Congress and VA leadership can rely on 
VA's data as it is entered into databases, we cannot work together 
to get an accurate picture of the state of VA care and provide appropriate 
resources. IT can help, but only when there is a clear 
agreement on how to collect and report information. 
Today's hearing will focus on a wide range of information technology 
issues. Last year, there was a major change in the management 
of IT affairs at VA and this hearing is a chance to get a reading 
on the impact of that change. We hope to get a sense of where 
the Department is and where it is going with IT. We will hear testimony 
on the effects of changes to VA's IT management structure 
on the Department's ability to deliver health care benefits and 
services to veterans. Other issues before us include the impact of 
new VA IT security policies and procedures since the 2006 data 
theft, the prognosis for the development of a DOD-VA bi-directional 
interoperable Electronic Health Record, and other significant 
IT issues. 
Also, we are today releasing a GAO report on information security 
that I, along with other Members of the Senate and House, requested 
in response to last year's data theft. The report finds that 
although VA has made progress, there is still much work to do and 
part of that work is to hear from you and discuss this report today. 
Secretary Howard, at your confirmation hearing last year, I challenged 
you to restore the confidence of veterans in VA's ability to 
protect their personal information while leveraging IT solutions to 
maintain VA's preeminence as a health care and benefits provider. 
So I look forward to your assessment of where we are today and 
where we need to go in these areas. Millions of veterans rely upon 
VA for benefits and services, and in so doing have to rely on VA's 
IT systems. We must do all we can to ensure that they can do so 
with confidence. 
I want to thank all of our witnesses today for being here and 
sharing with us what they have done thus far. 
Before we start, I want to take this opportunity to welcome Senator 
Richard Burr of North Carolina to his new role as the Committee's 
Ranking Republican Member. I look forward to working 
closely with him as we continue to seek ways to meet the many 
challenges that continue to confront veterans and VA. As I said, we 
do have a history of bipartisanship here on this Committee and I 
am sure that will continue with Senator Burr, without question. 
We must do all we can to ensure that we can do that with confidence. 
I am glad to have the Senator from Washington here, as 
well. So let me call on Senator Burr for his statement. 

STATEMENT OF HON. RICHARD BURR, RANKING MEMBER, U.S. 
SENATOR FROM NORTH CAROLINA 

Senator BURR. Mr. Chairman, let me thank you for your gracious 
welcome. As you and I both know, we serve as Chair and Ranking 
Member on other Subcommittees and we find ways to address the 
business that we need to continue friendship and stay focused on 
the issues that are important to that Committee. I look forward to 
continuing that as we address the issues before us in the Veterans 
Affairs Committee. I thank you for calling this hearing. More 
importantly, I thank all of our witnesses today. I take the Ranking 
Membership on a temporary basis until other things are sorted out, 
but I certainly look forward to the information that we are here to 
talk about. 
The topic of information technology covers a wide variety of different 
areas, all of which are important and all of which have the 
ability to positively or negatively impact a veteran's quality of life. 
From electronic health and benefit records, to the electronic 
infrastructure 
that enhances VA services, to protecting our veterans' 
personal information, IT is the driving factor in accomplishing all 
these things. 
The May 3, 2006 theft of computer external hard drive from a 
VA employee's home resulted in the compromise of over 26 million 
veterans' personal information. It drew national attention to the 
VA and highlighted problems with its information technology policies, 
procedures, and structures. The theft initiated a strong reaction 
from Congress, as it should have, and last December, we 
passed the VA Information Security Enhancement Act of 2006. 
Among many of the mandated improvements to the VA IT system, 
we assigned responsibilities to hold specific individuals 
accountable. 
We have created prompt Congressional reporting requirements, 
and we provided for recruitment and retention of individuals 
skilled in information technology. 
The theft also expedited a complete restructuring of the VA's IT 
organization so that the VA headquarters could have more IT oversight 
over all of its facilities throughout the United States. It then 
served as a catalyst for complete review of security systems and 
procedures and raised Congressional interest in and scrutiny of the 
IT program. 
The result of all of this is that the VA has undertaken a massive 
effort to restructure their IT program. VA's efforts to create 
consistency 
and enhanced security within a formerly decentralized IT program 
has resulted in a new and centralized IT architecture. Individual 
hospital directors used to have control over their own IT 
staff and programs. This resulted in inconsistent technologies within 
VA and little or no oversight from the VA main office. This new 
restructuring of VA IT is meant to consolidate efforts in the areas 
of policy, planning, purchasing, and training. 
However, no decision comes without consequences and I have 
some concerns as to whether this centralization will result in an IT 
system that is too slow and doesn't respond to local needs. That 
being said, I look forward to learning more about the current state 
of these efforts, the successes and the challenges that have yet to 
be addressed. I also hope to hear more about VA's progress with 
DOD-VA efforts to create an interoperable, interchangeable health 
records system. I hope to learn more about where we stand in the 
area of VA-DOD data sharing and standardization, what we have 
accomplished and what we have left to do. Someone who served 
this country should not have to compromise their health just because 
VA and DOD can't get health information from each other. 
With all this in mind, we convene today to learn about the current 
status of the newly centralized IT management system, current 
improvements in IT security, and the state of IT infrastructure 
and the progress made in VA and DOD information sharing. 
 
I would like to personally thank the Chair for his indulgence as 
we have transitioned on this side and to once again thank all of 
our witnesses today for their very candid testimony. I thank the 
Chair. 
Chairman AKAKA. Thank you very much, Senator Murray. This 
Committee is in order as I call on our Hon. Senator Patty Washington 
from Washington for her statement. 

STATEMENT OF HON. PATTY MURRAY, U.S. SENATOR FROM 
WASHINGTON 

Senator MURRAY. Thank you very much, Chairman Akaka. I join 
you in welcoming Senator Burr to the position of Ranking and look 
forward to working with you on many issues. I know we have 
talked about what we share in common, as well, for our veterans. 
Mr. Chairman, the topic of today's hearing, which is the state of 
information technology within the VA, is incredibly important. It 
impacts nearly everything the VA does, from delivery of health care 
and benefits, to the protection of sensitive personal information, to 
the pursuit of a truly seamless transition with DOD. The VA's IT 
system is really kind of the glue that holds everything together. 
The VA has a lot to be proud of when it comes to its IT system. 
Its Electronic Health Records have improved the quality of health 
care for veterans while at the same time reducing the cost of 
delivering 
health care. And as we all know, when Hurricane Katrina hit 
New Orleans, veterans who were enrolled in the VA system, unlike 
many others, did not lose their medical records because the VA's 
back-up files preserved their records and enabled them to get care 
across the country at different VA facilities. 
Despite all this, the VA's IT system does have some very serious 
challenges. Chairman Akaka, I know that you and many other 
Members of this Committee share my deep concern over the VA's 
information security and inventory control practices. Since the VA's 
now well publicized loss of personal data in May of 2006 and January 
of 2007, the VA has taken steps to improve its information security 
practices, but as the GAO recently pointed out, more does remain 
to be done. 
Mr. Howard, I hope to hear from you today about why the VA 
has not fully implemented most of the key GAO and IG recommendations 
to strengthen your agency's information security 
practices. According to a July 2007 GAO report, four audited VA 
facilities reported more than 2,400 missing items estimated to cost 
$6.4 million. A 2004 GAO report of VA's inventory control revealed 
that fewer than half of the items selected for testing could be located, 
and most of that was IT equipment. These deeply troubling 
revelations raise some serious questions about who is minding the 
shop at the VA. Our veterans need to know that their personal and 
sensitive data is well protected and they deserve to know what is 
being done to improve the accountability and control of the VA's IT 
inventory. 
As we will surely hear from Mr. Howard, one of the key ways the 
VA has acted to minimize the risk of data loss has been to centralize 
the VA's information technology system. This effort certainly 
has its merits, but some have raised questions about how 
 
this change will impact the ingenuity and flexibility that local 
providers have on the development of the system. 
So I look forward to hearing from our witnesses today on how 
they think the VA can balance the needs for centralized management 
of the IT system while still meeting our local needs out in our 
communities. I also look forward to hearing from our witnesses 
about where things stand in the development of a joint VA-DOD 
Electronic Health Care Record. For too long, as we all know, our 
servicemembers and veterans have suffered the consequences of 
this system failure and we need to make sure, Mr. Chairman, that 
we are doing everything in our power to right that wrong. 
So I really appreciate the opportunity to be at this hearing today 
and look forward to the testimony from the witnesses. 
Chairman AKAKA. Thank you very much for that, Senator Burr. 
I am pleased this morning to introduce our first panel. Assistant 
Secretary for Information and Technology Bob Howard has served 
in his current position since the fall of the year 2006. He has the 
daunting task of reorganizing VA's IT and its management structure 
while continuing to provide uninterrupted support for the delivery 
of health care and benefits. 
Secretary Howard is accompanied by Dr. Paul Tibbits, Deputy 
Chief Information Officer in the Office of Enterprise Development, 
and Ray Sullivan, Director of Field Operations. 
Secretary Howard, I want to thank you for coming today. We 
look forward to your assessment of where VA IT is and where it 
needs to go, and I know we are looking forward to your kind of 
leadership and would like to hear from you at this time. Will you 
please proceed with your testimony. 

STATEMENT OF ROBERT T. HOWARD, ASSISTANT SECRETARY 
FOR INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT 
OF VETERANS AFFAIRS; ACCOMPANIED BY PAUL A. TIBBITS, 
M.D., DEPUTY CHIEF INFORMATION OFFICER, OFFICE OF 
ENTERPRISE DEVELOPMENT, OFFICE OF INFORMATION 
AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS AFFAIRS; 
AND RAY H. SULLIVAN, DIRECTOR OF FIELD OPERATIONS, 
OFFICE OF INFORMATION AND TECHNOLOGY, U.S. 
DEPARTMENT OF VETERANS AFFAIRS 

Mr. HOWARD. Thank you, Mr. Chairman. I would like to thank 
you for the opportunity to testify on the current status of the VA 
OIT reorganization and its impact on the delivery of health care 
and benefits, the effect of enhanced VA IT security policies and 
procedures 
on health care and benefits delivery, the status of asset 
management for IT systems, the legacy system transition, the Joint 
Inpatient Records System and unresolved problems identified during 
the realignment. These are all very important issues that need 
to be addressed. 
As you mentioned, sir, I am accompanied by Dr. Paul Tibbits and 
Ray Sullivan. Paul will discuss issues associated with development 
and Ray on the operations side. 
First, sir, though, I would like to thank you for actually being the 
catalyst for establishing my top priorities as Assistant Secretary for 
the Office of Information and Technology. These were developed in 
response to a nomination post-hearing question presented by you 
back in September of last year. At the time of your question, the 
paper was blank, so I thank you for prompting me to develop what 
has turned out to be very helpful, extremely helpful, priority 
statements. 
These priorities are guiding the realignment process we see 
taking place today. There are seven of them. 
Briefly, they include, (1) establishing a well-led, high-performing 
organization that delivers responsive support. 
(2) standardizing IT infrastructure and IT business processes 
throughout the VA. 
(3) establish programs that make VA's IT system more interoperable 
and compatible. 
(4) effectively managing the IT appropriation to ensure 
sustainment and modernization of our IT infrastructure and more 
focused application development to meet increasing and changing 
requirements of our business units. 
(5) priority is strengthening information security controls within 
VA and among our contractors in order to substantially reduce the 
risk of unauthorized exposure of veteran or VA employee sensitive 
personal information. 
(6) priority is creating an environment of vigilance and awareness 
to the risk of compromising veteran or employee sensitive personal 
information by integrating security awareness into daily activities. 
And lastly, sir, the last priority is to remedy the Department's 
longstanding IT material weaknesses relating to a general lack of 
security controls, and sir, I assure you that we are working hard 
to give these priorities the required attention. 
As you know, the Secretary approved the Department's new 
reorganization 
structure in 2007 and we set a goal to complete the realignment 
by July of 2008. We have transferred over 6,000 employees 
to the Office of Information and Technology, and this, along 
with the centralized IT appropriation and delegation of authority 
for FISMA, provides a very unique opportunity to significantly improve 
IT activities within VA. 
Another critical element in that regard is the full commitment 
for VA's leadership to make this reorganization successful, and we 
do have that commitment. 
I have provided an organization chart for you, a reference 
throughout the hearing, and as you see there, there are five additional 
deputies that we have. We also have an IT oversight and 
compliance capability and a Quality and Performance Office. We 
have also implemented a new IT governance plan which establishes 
the processes, responsibilities, and authorities required to manage 
IT's resources. 
Clearly an important question associated with this realignment 
is how has it impacted the delivery of health care and benefits to 
our veterans. In my opinion, there has been no significant change 
in these two areas, which was, in fact, a key objective of this 
reorganization, 
and that was to do no harm. This is not to say we have 
not had problems. We have. But we have also experienced improvements 
in our ability to gain knowledge over IT activities that were 
not very visible in the past. We have gained benefits in IT funding 
details across the VA and also in our ability to protect the sensitive 
information of our veterans. 

An area in which information protection has dramatically improved 
is incident response. VA has encrypted over 18,000 laptop 
computers and has implemented procedures for issuing encrypted 
portable data storage devices. This month, the Department is procuring 
software to address the encryption of data at rest. And just 
last week, we awarded an extremely important contract, and that 
is for an extensive port monitoring capability which will help us 
better control what devices can access our network. 
At the same time, VA continues to increase self-reporting security 
and policy and privacy violations and incidents. This trend is 
a direct positive outcome of the significant amount of policy guidance 
and training conducted on information protection over the 
past year and a half. Since the May 2006 data breach, the VA staff 
is now more aware of the importance of protecting our veterans' 
and employees' information and identities. While we do have a way 
to go here, I have definitely seen an improvement. 
Regarding the annual FISMA report that we will submit this 
year, not only will we submit one-and as you know, we didn't submit 
one last year, we got an incomplete-for the first time, we have 
completed testing of over 10,000 security controls on our 603 computer 
systems. This is the first time that has been done. We are 
also addressing some critical problem areas. 
As you know, the House Veterans Affairs Oversight and Investigations 
Committee recently held a hearing on VA's IT asset management 
based on a GAO report which found inadequate controls 
and risks associated with theft, loss, and misappropriation of IT 
equipment at selected VA locations. For the past 6 months, tightening 
IT inventory control throughout the VA has been the focus 
of a cross-functional tiger team. Types of equipment to be inventoried 
are Blackberries, thumb drives, cell phones, and in addition, 
VA has issued a memorandum requiring each VA facility to complete 
it by the end of December of this year, a wall-to-wall inventory 
of all IT equipment assets, including sensitive items, regardless 
of cost. This initial inventory will help provide a VA IT asset 
baseline, something that has not existed before. 
We have also made progress in the evolution of our health care 
and benefits systems and in improving ties with DOD. The work 
with DOD has been most helpful in the area of data sharing and 
data standardization. We are moving our health care system from 
a hospital-centric model to a patient-centric approach. This approach 
will ultimately allow veterans and their care providers to 
access seamless health records and information at any time regardless 
of location. This modernization will utilize a central IT architecture 
and a six-phase transition plan to be completed by 2015. 
The existing portfolio of VBA applications are based on various 
legacy technologies, most of which are not web-based. These legacy 
applications are more expensive in that they require more intensive 
support since they rely on outdated software. To remedy this, VBA 
has established an application architecture blueprint to be used for 
all applications and a pilot is being performed for the Benefits 
Delivery Network Rehost Program to migrate the legacy system to a 
more modern browser-based environment. 
In closing, Mr. Chairman, I want to assure you, that we will remain 
focused in our efforts to improve all aspects of the informa- 
tion technology environment in the VA and to make sure that we 
do not negatively impact the delivery of health care or benefits in 
the process, but instead begin to see steady improvements in modernizing 
both our health care and benefits IT environments. 
Thank you for your time and the opportunity to speak on this 
issue and we would be happy to answer any questions you may 
have. 
[The prepared statement of Mr. Howard follows:] 

PREPARED STATEMENT OF ROBERT T. HOWARD, ASSISTANT SECRETARY FOR 
INFORMATION AND TECHNOLOGY, DEPARTMENT OF VETERANS AFFAIRS 

Thank you, Mr. Chairman. I would like to thank you for the opportunity 
to testify on the current status of the VA Office of Information & 
Technology's (OIT) reorganization and it's impact on the delivery of 
healthcare and benefits; the effect of enhanced VA IT security policies 
and procedures on healthcare and benefits delivery; the status of asset 
management/inventory control for IT systems; the legacy system 
transition; joint in-patient record systems; and unresolved problems 
identified during the realignment. These are all very important issues 
that need to be addressed. 
To assist in discussing these issues today, I am accompanied by: 
  Dr. Paul Tibbits, my Deputy Chief Information Officer for Enterprise 
  Development, 
  Mr. Ray Sullivan, my Director of Field Operations 
First, I would like to thank you Mr. Chairman for being the catalyst for 
establishing my top priorities as Assistant Secretary for the Office of 
Information and Technology. They were developed in response to a 
nomination post-hearing question presented by you back in September of 
last year. Thank you for prompting me to develop what has turned out to 
be very helpful and extremely important priority statements. 
These priorities are guiding the realignment process we see taking place 
today. 
There are seven of them. Briefly, they include (1) establishing a 
well-led, high-performing, IT organization that delivers responsive IT 
support to the three Administrations and Central Office staff sections; 
(2) standardizing IT infrastructure and IT business processes throughout 
VA; (3) establishing programs that make VA's IT system more 
interoperable and compatible; (4) effectively managing the VA 
IT appropriation to ensure sustainment and modernization of our IT 
infrastructure and more focused application development to meet 
increasing and changing requirements of our business units; (5) 
strengthening information security controls within VA and among our 
contractors in order to substantially reduce the risk of unauthorized 
exposure of veteran or VA employee sensitive personal information; (6) 
creating an environment of vigilance and awareness to the risks of 
compromising veteran or employee sensitive personal information within 
the VA by integrating security awareness into daily activities; and 
(7) remedying the Department's longstanding IT material weaknesses 
relating to a general lack of security controls. I assure you that 
we are working hard to give these priorities the required attention. 
As you know, the Secretary approved the Department's new organization 
structure in 2007, and we've set a goal to complete the realignment by 
July 2008. We have transferred over 6,000 employees to the Office of 
Information and Technology. This, along with the centralized IT 
appropriation and delegation of authority for FISMA provides a unique 
opportunity to significantly improve IT activities within VA. Another 
critical element in that regard is the full commitment from VA's 
leadership to make this reorganization successful. 
I have provided an organization chart for your reference throughout the 
hearing. In addition to five additional deputies, we have an IT 
Oversight and Compliance capability and a Quality and Performance 
Office. We also have implemented a new IT governance plan which 
establishes the processes, responsibilities and authorities required to 
manage VA's IT resources. The GAO recently released a report on our 
realignment progress and correctly identified that there is more work 
to be done to 
have a successful transition from a decentralized to a centralized 
organization. We have already begun implementing some of their 
recommendations. Clearly an important question associated with this 
realignment is how has it impacted the delivery of healthcare and 
benefits to our veterans? In my opinion, there has been no significant 
change in these two areas-which was a key objective of this 
reorganization-to do no harm. This is not to say we have not had 
problems-we have. But we have also experienced improvements in our 
ability to gain knowledge over IT activities that were not very visible 
in the past, in IT funding details across the VA, and in our ability to 
protect the sensitive information of our veterans. An area in which 
information protection has dramatically improved is incident response. 
VA has encrypted over 18,000 laptop computers, and has implemented 
procedures for issuing encrypted portable data storage devices. This 
month, the Department is procuring software to address the encryption 
of data at rest. And just last week we awarded a contract for an 
extensive port monitoring capability which will help us better control 
what devices can access our network. At the same time, VA continues to 
increase self-reporting security and privacy violations and incidents. 
This trend is a direct, positive outcome of the significant amount of 
policy, guidance, and training conducted on information protection over 
the past year and a half. Since the May 2006 data breach, the VA staff 
is now more aware of the importance of protecting our veterans' and 
employees' information and identities. While we do have a way to go 
here, I have definitely seen improvement. The Department has also 
undertaken a concerted effort to reduce the use of social security 
numbers and to review and eliminate a significant amount of personally 
identifiable information VA currently holds. To that end, VA has 
drafted two documents outlining plans to achieve both these goals. 
These plans were developed in accordance with OMB Memorandum 
M-07-16, ''Safeguarding Against and Responding to the Breach of 
Personally Identifiable Information'' and it will be included in this 
year's FISMA report. Regarding the FISMA report, not only will we 
submit one this year, (we got 
an incomplete last year), but we have, for the first time, completed 
testing of over 10,000 security controls on our 603 computer systems. 
We are also addressing some critical problem areas. As you know, the 
House Veterans Affairs Oversight & Investigations Committee recently 
held a hearing on VA's IT asset management based on a GAO report 
(report 07-505) which found inadequate controls and risk associated 
with theft, loss, and misappropriation of IT equipment at selected 
VA locations. In that report, GAO found many problems regarding 
the IT asset management environment and included a number of important 
recommendations-with which we agree and are implementing. We have 
completed a handbook on the Control of Information Technology 
Equipment within the VA which includes each of the recommendations 
made by GAO in its report. These documents are now being finalized 
within the Department, but we have already implemented the procedures 
they describe. They will provide clear direction on all aspects 
of IT asset management. 
For the past 6 months, tightening IT inventory control throughout VA 
has been the focus of a cross-functional Tiger Team. Types of equipment 
to be inventoried are black berries, thumb drives, cell phones, etc. 
In addition, VA has issued a memorandum requiring each VA facility to 
complete, by the end of December of this year, a wall-to-wall inventory 
of all IT equipment assets, including sensitive items, regardless 
of cost. Reporting requirements have been established at the Facility, 
Regional and Field Operations levels to ensure that issues are 
identified and addressed early in the process. By way of support, we 
have established an IT Inventory Control Knowledge Center that is 
accessible by all VA personnel. This website provides references, 
templates, definitions, frequently asked questions and a link to contact 
the Tiger Team directly. Also, the Office of Oversight and Compliance 
is working with Tiger Team members to develop a compliance checklist 
that will be used for scheduled and unscheduled audits regarding IT 
assets. This initial inventory will help provide a VA IT asset 
baseline-something that has not existed before. We have also made 
progress in the evolution of our healthcare and benefits systems 
and in improving ties with DOD. The work with DOD has been most helpful 
in the area of data sharing and data standardization. We are moving our 
healthcare system from a hospital-centric model to a patient-centric 
approach. This approach will ultimately allow veterans and their care 
providers to access seamless health records and information at any 
time, regardless of location. This modernization will utilize a central 
IT architecture and a six-phase transition plan to be completed by 
2015. 
The existing portfolio of VBA applications are based on various legacy 
technologies, most of which are not web-based. These legacy 
applications are more expensive in that they require more intensive 
support since they rely on outdated software. 
To remedy this, VBA has established an application architecture 
blueprint to be used for all applications. A pilot is being performed 
for the Benefits Delivery Network (BDN) Re-host program to migrate the 
legacy system to a more modern browser-based environment. 
In closing, Mr. Chairman, I want to assure you that we will remain 
focused in our efforts to improve all aspects of the Information 
Technology environment in the VA and to make sure that we do not 
negatively impact the delivery of healthcare or benefits in the process 
but instead begin to see steady improvements in modernizing both our 
healthcare and benefits IT environments. Thank you for your time 
and the opportunity to speak on this issue. We would be happy to answer 
any questions you may have. 

RESPONSE TO WRITTEN QUESTIONS SUBMITTED BY HON. DANIEL K. AKAKA TO ROBERT 
T. HOWARD, ASSISTANT SECRETARY FOR VETERANS AFFAIRS 

Question 1. During an oversight visit to the Honolulu Regional Office, 
Committee 
staff learned that claims are being delayed because VBA staff are not 
able to read medical reports which are scanned into VHA's electronic 
health record system. I understand that happen almost a year ago. VBA 
asked for access to the electronic health record files because of the 
delays in processing claims and this request has not been approved. It 
is my further understanding that VBA will not he able to view these 
records until some time in 2008; in the meantime, processing of claims 
is delayed until the records can be printed out and sent to VBA. Given 
the current backlog in claims processing, this seems like an IT 
solution that should be given a priority. What can be done to improve 
the electronic transmission of medical information from VHA to VBA in 
a more timely manner? 
Response. The compensation and pension records interchange application 
(CAPRI), provides the Veterans Benefits Administration (VBA) employees 
with online access to electronic medical records, stored at Veterans 
Health Administration (VHA) facilities. This application allows VBA 
employees to access and print medical evidence needed for claims 
processing. It also allows text from electronic documents to be copied 
and pasted into rating decisions, to eliminate the need for re-keying 
this important information, cited as evidence, in support of a 
veterans' disability claim. 
One additional element that has been requested is access to the imaged 
files, stored in the VHA systems in VistA Imaging. The plan has always 
been to expand CAPRI, to provide access to these imaged records. We are 
assessing current priorities to determine when it will be feasible to 
incorporate this type of information into the CAPRI interface. Once the 
enhancement is completed, this additional type of medical evidence can 
be obtained and stored in Virtual VA, the VBA imaging system. 
Question 2. As mentioned in my opening statement, my requested 
investigation on VHA's waiting times yielded findings about the 
accuracy and completeness of the waiting lists. Senator Tester has also 
brought to my attention the need to refine the pharmacy ordering system, 
so that prescriptions aren't mailed out to veterans until they are 
needed. Is responsibility for matters such as fixing the electronic waiting 
list and refining pharmacy systems your responsibility or does that still 
vest in VHA? What priority does VA place on finding specific health 
information solutions? Response. The responsibility for addressing the 
electronic waiting list and refining pharmacy systems is jointly shared 
by VHA and VA's Office of Information and Technology (OIT). VHA is 
responsible for defining software requirements. OIT is responsible 
for the development of software which meets those requirements. 
VHA has conveyed to OIT that the two software packages (pharmacy and 
scheduling) are both top priorities for VHA and that development 
efforts should be managed to address those priorities. Therefore, here 
are the current OIT milestones for the pharmacy re-engineering and 
replacement scheduling application projects: Planned Finish Planned Start 



Question 3. It seems as though VA has been in the process of 
modernizing its health and benefits IT systems for years. What is the 
time line for completing the migration of VistA and BDN to modern IT 
platforms? 
Response. A completion date for the migration of VistA to a modern IT 
platform, also referred to as the HealtheVet modernization effort, is 
currently in the proposal phase and is being reviewed. A six-phase 
transition plan is proposed to deploy all applications within the new 
VistA-HealtheVet environment, which will use a central IT architecture, 
by 2015. Phase I focuses on the deployment of core infrastructure 
components such as the health data repository, administrative data 
repository, and several common services; as well as, the first major 
applications built upon this services oriented architecture (SOA). 
Major applications under development as part of Phase II include the 
laboratory and pharmacy replacement systems. Upon completion of all six 
phases, VA will have an IT health care system that holds a comprehensive, 
interdisciplinary medical record, which will be available anywhere. The 
estimated cost for the proposed plan does not include operations and 
maintenance costs. 
The current schedule to migrate BDN business functionality off the 
Honeywell/Bull mainframe projects completion in September 2012. Upon 
successful completion, the Honeywell/Bull Mainframe will be retired 
from the VA IT environment. BDN is composed of several applications 
that support three VBA business lines: compensation and pension (C&P), 
education, and vocational rehabilitation and employment (VR&E). C&P 
unctionality within BDN is scheduled to be fully replaced by VETSNET in 
the third quarter of fiscal 2009. VR&E functionality is contained in 
the Chapter 31 application, which is scheduled for conversion to the VA 
''To Be'' architecture in Fiscal Year 2011. The remaining BDN 
functionality supports education service and is scheduled to be fully 
migrated to the VA ''To Be'' architecture by third quarter 2012. 
Subsequent to validation efforts to ensure all functionality has been 
successfully transitioned, the Honeywell/Bull mainframe will be shutdown 
and removed 
from the VA IT environment in September 2012. 
Question 4. This question pertains to the issue of VA and DOD 
interoperability. I understand that VA has an integrated medical 
information system, while DOD has multiple systems that are not i
ntegrated. What are the challenges for VA health professionals to 
receive accurate and timely medical information from DOD when it does 
not have an integrated system that cannot fully communicate within DOD, 
much less with VA and when not all of DOD's medical information is 
available electronically? Response. VA and the Department of Defense 
(DOD) are working together to address challenges related to VA 
obtaining access to the multiple systems in which DOD data is held. 
Despite these challenges, VA and DOD are now sharing unprecedented 
amounts of electronic medical data. Over the past several years, VA and 
DOD have worked closely and collaboratively to develop incremental data 
exchanges, which now support the one way and bi-directional exchange of 
most health data that are available in electronic format. 
For example, VA and DOD worked to first develop the bi-directional 
health information exchange (BHIE), to support the exchange of text 
data from legacy composite health care system (CHCS). VA and DOD later 
collaborated on additional work that permitted the exchange of data via 
the inpatient essential clinical information system (CIS), and later 
with the clinical data repository of AHLTA, DOD's electronic health 
information system. 
Despite the lack of uniform implementation across DOD and the resulting 
increased time it took to make DOD data available, VA providers are now 
able to use BHIE to view electronic laboratory results, allergy, 
pharmacy, radiology results, theater data, and select inpatient data 
available electronically from major DOD facilities, such as discharge 
summaries and emergency department notes. We also have demonstrated the 
successful bi-directional exchange of digital radiology images at a 
pilot site in El Paso, Texas. Additional work will support the future 
exchange of encounter notes, problem lists, vital signs, history data 
and questionnaires. VA's ongoing ability to share data with DOD, in a 
seamless fashion, is dependent upon VA's ability to develop modern 
tools and technologies and DOD's ongoing efforts to develop a complete 
electronic health record. VA is working with DOD to document a study to 
explore developing a joint in-patient electronic health record. This 
will have the potential to address the unavailability of electronic data 
for much of 
the DOD inpatient record. 
Question 5. The House Appropriations Committee report language 
accompanying the 2008 VA MILCON Appropriations Bill would cutoff funds 
for VA's continued development of its electronic health record system, 
unless it is interoperable with DOD. What would be the impact on future 
development of VA's electronic health record system should funding be 
cutoff? 
Response. As the electronic health record is at the center of VA's 
health care system, possible impacts on future development of VA's 
electronic health record system should funding be eliminated include: 
  Inability to comply with regulatory changes that would require 
software modifications for implementation and reporting. 
  Compromise in patient safety due to elimination of funding to correct 
software deficiencies. 
  Inability to enhance the current interoperable features within VistA 
(e.g. remote data interoperability, laboratory data sharing, Vista 
imaging sharing pilot). 
  Inability to enhance the bi-directional health information exchange 
  (BHIE), another aspect of VA/DOD interoperability. 
  Compromised ability to effectively report on and monitor pandemic 
  disease outbreaks. 
  Inability to meet Global War on Terror (GWOT) and/or Operation Enduring 
Freedom/Operation Iraqi Freedom (OEF/OIF) mandates. 
VA would fall from industry leading position as the private sector 
continues to improve in this arena, reducing public opinion of VA 
activities. 
Question 6. During questioning, Mr. Lucas testified that he was denied 
authority 
by VACO to purchase certain IT equipment that he considered would be 
helpful, to improve the efficiency and operations of his hospital. 
Dr. Glaser followed-up, by testifying that within his health care 
network, 50 percent of a hospital's IT spending was discretionary, so 
long as it was spent within established guidelines. He also mentioned a 
program for awarding grants for IT innovation. Please comment on the 
policy that precludes a VA Medical Center Director from using 
discretionary funds to purchase IT equipment that they deem would 
improve the efficiency and operations of their facility. Also, please 
comment on whether or not VA has an existing IT innovation grant 
program and if not, if one is in the planning stages. 
Response. As stated in the attached memorandum dated April 13, 2006, 
all IT expenditures are directed and controlled under a separate 
appropriation and under the authority of the VA Chief Information 
Officer (CIO). The VA CIO allocates discretionary funds to each medical 
center as mentioned above. There is currently no program for awarding 
grants for IT innovation. 
Question 7. I understand that VA's Office of Information and Technology 
(OI&T) has metrics that measure how well VA Administrations are 
complying with VACO centralized management IT policies and procedures. 
Does a metric exist that measures how well OI&T is supporting VHA and 
VBA? 
Response. There are no metrics that measure either ''side'' of this 
concept, i.e., either how well VA's Administrations are complying with 
VACO centralized management IT policies, or conversely, how well OIT is 
supporting the Administrations. 

RESPONSE TO WRITTEN QUESTIONS SUBMITTED BY HON. BERNARD SANDERS TO 
ROBERT T. HOWARD, ASSISTANT SECRETARY FOR VETERANS' AFFAIRS 

Question 1. For years now, we have seen report after report about the 
unconscionable delays, appeals, and remands that characterize the VBA 
disability compensation process. I have thought for some time now that 
automating the rules embodied in the Veterans Administration Schedule 
for Rating Disabilities (VASRD) would go a long way toward speeding up 
the process of adjudication and appeal, reducing the existing backlog of 
claims, and improving the accuracy and consistency of decisions. 
It seems that there would be tremendous value in getting a complete and 
standardized set of data on each veteran, relevant to his or her 
particular problems, that can then be linked to the relevant sections 
of the Schedule for more accurate ratings, the same way, regardless of 
the skill of the rater. It seem the Department is busy hiring hundreds 
of new raters, but has done nothing to improve the underlying antiquity 
of the process they are being asked to assume. Please tell us what the 
Department's plans are to automate the VASRD, in order to make claims 
processing more accurate, timely, and efficient. Do you have the 
resources and authority you need to carry out such a task? 
Response. VBA is receiving more disability claims then at any time in 
recent history. 
Our expanded outreach program for active duty servicemembers and members 
of the National Guard and Reserves, the aging of the veteran population 
and the progression of their disabilities, and the addition of type-2 
diabetes to the list of presumptive disabilities for veterans, who 
served in Vietnam, are among the major factors driving up claims receipts. 
Our incoming claims volume is now 45-percent above our 2000 (year) level. 
This year, we received 838,000 disability claims, which is 32,000 more 
claims than last year. At the same time, we are receiving more claims, 
the claims decision process is becoming longer and more difficult, 
because veterans today, on average, claim more disabilities than 
veterans in previous areas and the nature of many of these disabilities 
is becoming increasingly complex (e.g., serious traumatic injuries, 
diabetes and its complications, PTSD, undiagnosed illness, etc.). VA 
must assign a percentage evaluation to each disability determined to be 
service-related. Changes in law and recent Court decisions have also 
introduced additional complications into the claims decision process 
and extended the length of time veterans must wait for decisions on 
their claims. 
Because of the large growth in claims receipts and the increased 
complexity of the claims, the pending inventory of rating-related 
claims remains high-391,000 at the end of September 2007. The high 
volume and complexity of incoming claims also impact average processing 
time, which is currently 183 days. We have developed a plan to address 
the workload challenges. While there are many components in this plan, 
the cornerstone of VB's long-term effort to reduce claims backlogs and 
improve claims processing timeliness remains unchanged-develop a well-
trained workforce that is sized commensurate with current and projected 
claims workload. 
  We are aggressively hiring across the Nation. We have already added 
  over 1,100 new employees since January 2007, and we will add a total 
  of 3,100 by the end of this year. 
  Because it takes at least 2 years for a new employee to become fully 
  trained in all aspects of claims processing, we have also 
  significantly increased the use of overtime. 
  Additionally, retired claims processors have been recruited to 
  return to work as rehired annuitants, enabling us to increase 
  decision output this year by nearly 16,000 claims. We are continuing 
  to hire additional annuitants. 
  To get our new employees productive as early as possible in their VA 
  career, we have modified our new employee training program, to focus 
  initial training on specific claims processing functions. This allows 
  our more experienced employees to focus on the more difficult claims. 
  We are looking at additional ways to achieve greater efficiencies in 
  the delivery of disability benefits. We are in the process of 
  centralizing the remaining pension claims workload, which includes 
  original disability and death claims processing, to our three pension 
  maintenance centers. This will allow regional offices to dedicate more 
  resources to compensation claims processing. 
  We will also gain processing efficiencies in 2008, through 
  centralization of all compensation and general assistance telephone 
  calls, to nine virtual information call centers. 
We are already seeing the results of the increased processing capacity 
and the initiatives begun earlier last year. On average, we are now 
producing 5,000 more claims decisions per month. 
Chairman AKAKA. Thank you very much for your testimony, Secretary 
Howard. 
Mr. Secretary, under the former decentralized VA IT management 
structure, field-based innovation and creativity were hallmarks 
leading to the creation of VA's electronic medical information 
system. How can you maintain this spirit of innovation and 
creativity while centralizing most of the decisionmaking in the 
central office? 

Mr. HOWARD. Sir, that is an extremely important question, and 
one thing we absolutely cannot impact is innovation throughout 
our medical system. That is for absolute certainty and we do not 
want to do that. But at the same time, we do need to get better 
visibility of these innovative ideas and we have begun to establish 
a program to do precisely that. 
In other words, if you are a physician working with your IT community 
at a hospital, working on a very innovative idea, that is 
fine. But at some point in the process, we need to make a decision 
as to what to do with that idea, whether we want to expand it 
throughout the VA, whether we want to adequately fund it and 
bring it forward. This is very, very important. We don't want to 
stop these ideas, but we do want to capture them and distribute 
them throughout the VA, so that everyone can gain the benefit of 
this particular innovative idea, and a lot of that is going on. 
With the reorganization, we actually have gained more visibility 
over these ideas than we perhaps have had before. The funding 
issue, though, is very key, and at some point in that innovative 
process, we need to decide whether to move forward or whether to 
stop that particular topic because it doesn't prove to be beneficial. 
But IT does not make that decision. A key aspect of your question, 
sir, deals with the word ''requirements.'' Requirements definition, 
requirements determination, and requirements prioritization, 
that is not IT. We have a priority process in place that does involve 
the administrations. They set the priorities on what should be 
done. We need to help them, though, in defining those requirements 
and in making clear the funding aspect of those requirements. 
As you can see on that drawing on the left side that I passed out, 
each of the administrations has got a requirements office that 
interfaces with us, and this is beginning to happen. We have 
established a governance process that includes requirements 
determination. 
So in answer to your question, sir, not only do we not want to 
stop innovation, we want to take advantage of the innovation by 
spreading it throughout the VA, properly funded, properly supported, 
and properly supported by the administrations involved. 
Chairman AKAKA. Thank you. I am delighted to hear what you 
said, because I have made comments that we need to restructure 
VA and not continue structures that we have had in World War II. 
Things have changed, been very different, and creativity and 
innovation play a huge part in putting together and developing a system 
that can help our veterans today and we are looking for that. 
I am glad you are heading in that direction. 
Last year, Mr. Secretary, following the lost laptop, Secretary 
Nicholson testified that VA intends to become the gold standard for 
information security within the Federal Government. GAO says in 
the report released today that VA still has not fully implemented 
20 of the 22 GAO and VA IG recommendations necessary to improve 
information security within the Department. My question to 
you is, how close is VA to implementing the GAO and IG recommendations, 
and in your view, how close is VA to becoming the 
government leader in information security? 

Mr. HOWARD. Sir, I agree with the reports that there is a lot 
more work to be done. There is no question about that. However, 
with that said, we have made some dramatic strides. 2008, quite 
frankly, is a key year for us. We now have got some key contracts 
in place that we have been working on for quite a while. I mentioned 
a couple of them in my testimony. And although they don't 
sound important, these are extremely important. Just the one dealing 
with port monitoring, we have been working through the contracting 
process to put that in place and now we have the availability 
to us where you will not be able to put in, for example, an 
unauthorized thumb drive. You won't be able to do it. It has to be 
an approved encrypted thumb drive in order even to be able to be 
used on our system. 
This software is beginning to be implemented now throughout 
the VA because we have received a contract for sufficient licenses 
to be deployed. That is just one example. You asked when we will 
be the gold standard. Sir, it is a difficult question. I don't know, 
to be honest with you. We hope to be very close by the end of this 
fiscal year, and I have here-you remember my hearing last year 
and we were all looking at my big plan. Well, you know, I have gotten 
it and we are working on these actions, but they are not all 
complete, and if you remember from last year, a good number of 
them did extend into fiscal year 2008, in some cases, even beyond. 
The plan that we have here, and to just refresh your memory, 
this was the assessment of strengthening of controls program we 
put in place, continues. We monitor this all the time. A lot of the 
organizations throughout the VA are involved in it and we intend 
to keep the pressure on. These programs are in three main areas. 
The managerial area, and we have made progress. In fact, we finally 
finished our handbook. It is a very thick handbook that describes 
the VA security program. In fact, that will be issued here 
in another week. It includes for the employees the behavior 
requirements that they must have-standards of behavior is included 
in that document. Managerial controls include completing these 
policies that we have to put in place, and we are well on our way 
to do that. 
The organizational controls-the operational controls, rather, 
deal with the way we do business, and we have instituted a number 
of those, as well. 
And then we have the technical controls, the encryption standards 
like the port monitoring capability that I have mentioned previously. 
Another key one that we now have implemented that we 
have sufficient licenses for is the RMS process. That is a better 
encryption capability for e-mail. Many of your staff probably have 
seen our weekly summaries that we send on incident reports and 
a lot of them deal with unencrypted e-mails. Before, we had PKI. 
In fact, on my Blackberry here, I can send encrypted e-mails, but 
it is not robust enough. We now have the right management system 
that we have sufficient licenses for. This is being distributed 
throughout the VA. This provides the capability to send a clear email, 
but encrypt the attachment and a number of options that you 
can work-much more robust than we have had heretofore. But we 
are not going to get rid of PKI. We are going to keep that, as well. 
 
In fact, the number of licenses continue to grow and the certificates 
that people have asked for throughout the VA. 
The last thing I want to say in the whole business of achieving 
the gold standard, sir, has to do with people. The main-the principal 
issue in all of this is the behavior of our people, the responsible 
activities-acting responsible and what have you. We have 
very intensive training programs going on. I know I have the full 
support of hospital directors and RO directors throughout the VA. 
There is no question about that. They are behind us in continuing 
to help educate our staffs and our employees in acting responsibly. 
tant area, and the last thing I would like to say on all this is 
sometimes we have to balance it, too. Even Secretary Nicholson said, 
why don't we implement this right away, and sometimes you need 
to be careful because you could impact the business. We have got 
to always keep track of making sure that we can stay actively engaged 
with our patients. So it has been a real balancing act, but 
the sum is that we have improved the security situation. Fiscal 
year 2008 is a key year for us. My plan, we are driving on. 
The incident response capability we have put in place-unfortunately, 
we see a lot of incidents, but at least they are reporting 
them and it is helping us drive down the serious ones. A good example 
is back to the Social Security number issue and encrypted 
e-mails and what have you. We now have in place a capability to 
shut off an e-mail if a Social Security number is in that particular 
e-mail, and we have been working on this for a while. When we 
started monitoring this capability, we saw over 7,000 messages 
coming through in a particular month that possibly had Social Security 
numbers embedded in the e-mails. 
We started putting a warning sign on the computers that basically 
said, ''You are about to send a Social Security number in this 
e-mail.'' We left the warning for a while and we watched it go down 
dramatically. Now we are at the point where if such an e-mail occurs, 
we take a look at it. If it does have a Social Security number, 
we do not let it go through, and it happens fast enough. Why did 
we wait for a while before we did that? Back to the impact of the 
business. We were very reluctant to implement a dramatic policy 
like that without understanding the impact on the business 
throughout the VA. 
I know it is a rather lengthy answer, sir, but it is a very impor- 
Chairman AKAKA. Thank you, Secretary Howard. 
Before I call on Senator Burr, I would like to ask Senator Murray 
to assume the Chairmanship while I step out to vote in another 
committee and I will be right back. 
Senator BURR? Thank you, Mr. Chairman. 
General Howard, welcome. I think it is safe to say there is no 
louder cheerleader for what you are doing than the Congress of the 
United States and we all hope that you are successful in the rollout 
of this new IT structure. As I have heard the specific detail 
that you are looking at and that you are implementing, it does 
make me a little bit concerned, and I should share it right up front, 
that on the back end of this, when we talk about the data sharing 
with DOD, that we not get so complicated that we create a new 
barrier to our ability to shift that data from one side to the other. 

Let me, if I could, go to some specific questions. You raised a list 
of seven priorities. If you would, on a scale of one to ten, ten being 
perfect, would you rate each one of those seven priorities from the 
standpoint of where you are today in your assessment. 
Mr. HOWARD. Yes, sir. 
Senator BURR. Thank you. 
Mr. HOWARD. Allow me to refer to the priorities. Sir, the first 
one-you need to get to page two here. 
Senator BURR. Page two. 
Mr. HOWARD. Sir, the first one is the business of a well-led, 
highperforming IT organization. I would probably say we are probably 
at a six there-- 
Senator BURR. Great. 
Mr. HOWARD.-and one of the reasons is-here is a-can I get 
into a reason, or just-- 
Senator BURR. If you will, let us just go through the seven of 
them and-- 
Mr. HOWARD. I have got you. 
Senator BURR. What I am trying to do is to begin to create a 
baseline. 
Mr. HOWARD. Right. I would give that one a 6. 
Senator BURR. All right. Number 2? 
Mr. HOWARD. Number 2 is probably down around 3 somewhere. 
Senator BURR. And number 3? 
Mr. HOWARD. That is probably a 2 or a 3. That is pretty low. 
Senator BURR. And number 4? 
Mr. HOWARD. That is up there. That is about a 7. 
Senator BURR. And No. five? 
Mr. HOWARD. That is about a 7, also. 
Senator BURR. And number 6? 
Mr. HOWARD. I would say that is an 8. 
Senator BURR. And the last one, number 7? 
Mr. HOWARD. That is down around five. 
Senator BURR. Great. Great. I really thank you for doing this, because 
as you know, we have got the GAO coming in, we have got 
other individuals that will testify, and I think it is important that 
we have a good understanding not just of what the priorities are 
but where you are in that process of completing them. 
Mr. HOWARD. Sure. 
Senator BURR. Now, you said in your testimony that clearly an 
important question associated with this realignment is how it has 
impacted the delivery of health care and benefits to our veterans. 
In my opinion, there has been no significant change in these two 
areas, which was a key objective of this reorganization, to do no 
harm. Let me ask you, what matrix did you use to determine that 
there hadn't been, as you referred to, a significant change, and in 
using that, do you mean positively and negatively or just negatively? 
Mr. HOWARD. Both directions, sir, and significant is the key 
word. There has been change. I mean, there is no doubt about that. 
But-and I deliberately stated it that way, that although there 
have been improvements, they haven't been significant yet. Significant 
is the key. We are working on that, and there have been some 
improvements, like, for example, just gaining visibility over the 
various innovative ideas that are going on out there. That is a positive 
step. 
Senator BURR. How does an IT section make a determination 
about the actual delivery of care, though? I mean, is this something 
that you have reached out with-- 
Mr. HOWARD. Feedback from the administration, sir, on that part 
of it. 
Senator BURR. You have discussed the efforts of moving the IT 
organization from a decentralized to a centralized model, and I 
understand the motivation and what you hope to achieve in budget 
control, standardization of equipment and processes. However, with 
a centralized organization, I am concerned about the possibilities 
of your office losing touch with local IT needs. How will you ensure 
that the hospitals, and clinics receive the IT support they need, and 
more importantly, is there a way for them to communicate problems 
or recommendations up the chain to your office? 
Mr. HOWARD. Yes, sir. We have established an organization. In 
fact, the key one, Ray is in charge of the Field Operations. Most 
of the individuals that were transferred to us, in fact, work for Ray, 
almost 4,000. He has organized the country, if you will, into geographic 
regions where we have regional directors in place. We meet 
with them very often. The CIOs, the senior IT officials at a hospital 
or regional office work for those regional directors and they are also 
in communication. In addition to that, we have established an information 
security element that also reports to Ray. They are more 
independent, though. They report almost directly up to the senior 
level. 
Now, if you take an environment at the hospital level, and this 
is the charge that we have given to the IT individuals throughout 
our organization, if you are the senior IT person at a hospital, you 
are like me. Your name is Bob Howard. You put on your Bob Howard 
mask or whatever, because you are responsible for everything 
I am responsible for at that particular facility, especially making 
sure that hospital director is adequately supported. We have 
preached that time and time again. There should be no question 
about that. And if you ever run into anybody that doesn't have that 
message, I would like to know about it because we have clearly 
driven that point home. 
Now, that is difficult for some of them because in the past, they 
perhaps were just a Member of the staff, you know, on the hospital, 
and now they have the charge they are out front. You are now 
right outside the hospital director's office. You have a responsibility 
here to stay engaged with that individual, to make sure that not 
only his desires are accounted for, but any problems that he may 
have. 
And along those lines, I mentioned we have our oversight and 
compliance capability. Arnie Claudio sitting behind me here runs 
that, and he goes out and he looks not just at the hospital director. 
He is looking at my people. And we have had a couple of instances 
where we have taken action because we were not too happy with 
the way the IT community has been operating. In other words, in 
our opinion, they were not adequately supporting that hospital director 
and we will not stand for that. 
Now, all of this will take time to put it in place-- 
Senator BURR. And I appreciate your passion for that because I 
will assure you, if there is a breakdown, the likelihood is those of 
us on the dais will be the first to hear about it from an individual 
or from a specific facility. 
With the Senator from Washington's indulgence, I would like to 
ask one more question, if I could, and it gets at the heart of the 
VA-DOD seamless transition of health care records. I understand 
some significant progress has recently been made, but the overall 
process still seems to be moving pretty slow. In fact, I am aware 
that the VA has just recently awarded a contract to pay for a study 
assessing what will be required to create a joint inpatient e-health 
record. Now, General, I have got to ask you, how is this different 
than what we have done before? 
Mr. HOWARD. Sir, I will say that the activity between us and 
DOD has been better. It has been more intense. In fact, there are 
weekly meetings that take place at the Deputy Secretary level-- 
Senator BURR. But share with me, if you will, what will we learn 
from this study that we don't know today? 
Mr. HOWARD. Sir, one thing that we hope to learn, and maybe 
clear the air on what we are really talking about, here is a good 
example. The absolute key in sharing between VA and DOD has 
to do with data. It has to do with the database itself, not as much 
with the application. And, you know, we have VistA. DOD has 
Alta. You don't necessarily have to has an exact replica of each 
application, but you must have the ability to get at the data and it 
has to be standardized, and this is a key area that we are focusing 
on. 
I am going to ask Dr. Tibbits in just a minute to chime in on this 
because he is leading this effort as far as VAIT is concerned. 
There is value in coming as close as we can to a single application, 
but we don't believe it is totally necessary to get this seamless 
transition that we both want. The key again is in the data set, and 
that we have a lot of work to do there just in standardizing the 
data, you know, call an aspirin an aspirin instead of something 
else. I mean, it sounds ridiculous, but it is true. There is a lot of 
data standardization work that still remains to be done, so that if 
a DOD physician is looking at a particular descriptor, it is the 
same thing that a VA physician might be looking at, and work continues 
in that area. 
Senator BURR. And I hope you would agree that there is a huge 
difference between two entities using the same descriptor so that 
you can accurately mine that data and trying to replicate two identical 
data programs. I mean, Google proved to all of us that they 
could come up with a way to mine whatever it is we asked them 
to go into and they could do it in a seamless, quick, and fairly 
successful way, given how successful the company has been. Yet in 
government, we seem to be bogged down in not accepting what others 
have proven to be paradigms that they can break down and 
overcome and we consistently continue to try to look for what the 
hurdles are. 
I want to hear from the Doctor, but I also just want to express 
one more time, my hope is that from this study, there is something 
new that we are attempting to learn, some piece of information 
that we don't currently have. If not, I would love to see us bypass 
a study and begin with further implementation. Doctor-- 
Mr. HOWARD. Sir, along those lines, I don't believe there is a document, 
you know, one document, where you can read about both 
systems in one place, VistA and Alta, and a comparison in detail, 
you know, not a DOD perspective or a VA perspective, but an independent 
look at what we really-because, again, making sure we 
know what we are talking about is awfully important here. This is 
really complex stuff. I have the famous egg here on the VistA system. 
I mean, this is really complicated. Of course, Alta is complicated, 
as well. This study, we think, will help us bridge the 
knowledge gap and a better understanding of what we are dealing 
with, but I would ask Paul if he wants to add anything to that. 
Dr. TIBBITS. Senator, thank you so much for the opportunity. 
Well, I can only emphasize what General Howard said. First of all, 
the study is going to give us a first-time look at both systems side 
by side from an inpatient perspective. In VA, we happen to have 
a very integrated capability right now, inpatient, outpatient, the 
full view of taking care of a patient. 
In addition, the study is going to help us clarify objectives, and 
I want to spend a few seconds on that if I can, on clarification of 
objectives. It is very clear to me that everyone is rightfully quite 
interested in information sharing to improve services to veterans. 
In addition to and over and above that objective, there are other 
objectives that one could focus on, for example, less costly development 
of software. Those are not necessarily strongly related objectives 
to each other. One thing this study is going to do is help tease 
apart, clarify, and focus people on one objective versus the other 
and make sure activities align with either one or both as we both 
come to agree what the objectives are. 
Clearly, serving veterans is everybody's highest priority. Information 
interoperability in the context that you have asked the 
question is clearly much more important with respect to that objective 
than is the joint development of software, which at the end of 
the day, with respect to serving the veterans, is really pretty marginal 
with respect to its contribution. It might save the Department 
some money, but it is really not a key to serving the veterans' 
needs. Standardizing the data and information sharing is. 
So over and above the study, you asked what are we doing? Are 
all of our eggs in one basket with respect to the study itself? The 
answer is no. Because of the interest of the administration in VA- 
DOD sharing, this process has been initiated where both Deputy 
Secretaries, Deputy Secretary of Defense and our Deputy, meet 
weekly, and therefore there are other meetings at a lower level 
weekly, which I am involved in. I am co-chair of the Live Action 
Four For Information Sharing with my counterpart, the Principal 
Deputy Assistant Secretary of Health Affairs, Dr. Steve Jones, and 
we are moving beyond just the study. 
The study, again, focuses on inpatient, data and applications. We 
are more broadly interested in serving veterans in the full spectrum 
of information interoperability, and in fact, less interested 
broadly in the applications themselves for that reason. 
So one of the ideas that we have articulated and Dr. Jones has 
agreed with, and I don't want to speak for him so you will have 
to talk to him, and the customers in VHA who have also agreed, 
with whom we are working this very closely-to actually look at 
the two databases underneath both of the Departments' medical 
records. In our case the Health Data Repository, in the case of the 
Department of Defense the Clinical Data Repository. Those are the 
databases. 
The real key to information sharing is what do we do in the future 
with respect to those two databases, irrespective and over and 
above and totally aside from what we do with the applications. 
With respect to those two databases, we are actually now beginning 
to look at what it would take to converge those databases so that, 
if feasible-and then working out a cost and schedule to do that- 
if feasible, it would, in fact, not only serve the information 
interoperability and service objectives of taking care of veterans 
and active duty servicemembers, but at the same time, largely liberate 
both Departments from the consternation of which application set 
you happen to want to use because my application set is better 
than your application set or whatever it happens to be, or because 
applications happen to be tailored to the mission of the organization 
where DOD has a medical support mission in theater which 
we do not have. 
So there are very good reasons why one would want to optimize 
software applications to do different things while converging the 
databases underneath. So, per se, it is a much broader look at data 
than that study itself is intended to focus on and we are moving 
down that pathway to initiate that assessment ourselves with the 
VA and DOD, smart people who can do that. 
Senator BURR. Doctor, I thank you for that answer because that 
gives me a much greater assurance that there is some value to, in 
fact, the study, and I hope all of you know why the question comes, 
is that we have asked it before. We have gone through a process. 
I am not sure at that time we knew what it was we were looking 
for or where it was we were trying to go. I feel fairly confident you 
know where you want to go and I know from your answer you 
know what you are looking for. I thank the Senator from Washington. 
Senator MURRAY [presiding]. Thank you, Senator Burr, and Mr. 
Secretary, again, thank you for being here. Let me just follow up 
on that a little bit. 
I think you sense that we are all frustrated that we keep talking 
about an Electronic Health Care Record system and the date keeps 
moving out. I understand the complexity of what you just walked 
through with us, but in 2003, the President's task force told us or 
recommended that a fully operational Joint Health Care Records 
System be available by 2003. It is 2007. We are now being told it 
is going to be 2012. I think we are all really worried that about 
2011, we will hear it is 2020. Can you give us a time line of when 
we can see this? 
Mr. HOWARD. Senator Murray, I mentioned for modernizing our 
application for 2015, and that has been on the table for a while. 
We share the same frustration you do. This is extremely complex 
stuff. I mean, it really is, and the estimates that we have laid on 
the table in the past simply were not accurate. As we dig more and 
more into this, we find improvements that have to be made in just 
program management of some of these activities in order to bring 
this forward. 
The intensity that we now see between DOD and VA-much of 
that is a result of the press of Congress, as you know-we believe 
is going to improve things. I feel more comfortable with the time 
lines that you mentioned than I might have a year ago. And all I 
can tell you is we will keep the pressure on and continue to work 
toward a solution as rapidly as we can. 
Senator MURRAY. Well, feel the pressure. 
Mr. HOWARD. Yes, we do. We do. And we know that you have 
been generous in the funding side. We are reluctant to ask for 
money that we don't need. We don't want to-- 
Senator MURRAY. Twenty-fifteen, that is a long time away for all 
of the issues that we have seen because of the lack of sharing 
information and challenges and problems and everything else. That is 
very hard for me to go home and tell the people I represent that, 
yes, we have a problem, but it is going to be long past any of 
us-- 
Mr. HOWARD. And when I say 2015, this is modernizing this. 
This is no more VistA. This is a brand new, modernized system. 
But in that period of time, in fact, I think you have a copy of it 
in front of you now, if you look at the lower right, you will see the 
various phases. If you look at that color scheme-- 
Senator MURRAY. Yes. 
Mr. HOWARD.-you will see that whereas the whole egg may go 
out to 2015, quite a bit of this-- 
Senator MURRAY. What will we see sooner than that? Let me ask 
that question. 
Mr. HOWARD. Let me ask Paul to answer that. 
Dr. TIBBITS. Yes. As General Howard pointed out, the 2015 is for 
everything you see in that chart, which is the data and the applications 
in our Department's Electronic Health Record. That is not the 
schedule for information interoperability between the two Departments. 
And again, I would encourage you, Senator, and all here to 
think about the application software versus the data. 
While that is going on, we have other activities, some of which 
I mentioned already, focused on the sharing of the information 
itself at the database level, which would not require full exporting 
of all the applications over to the new platform. And interoperability 
is not an all-or-none phenomenon. It is shades-fortunately 
or unfortunately, comes in shades of gray, and the shades of gray 
are anything from what would amount to a computerized fax, 
where electronically information is sent back and forth that is not 
computable but electronic, all the way over to fully interoperable 
data where my blood pressure in one system and my blood pressure 
in another system can be put together on one chart and added, subtracted, 
multiplied, and divided together, fully computable data. 
Those activities are underway now, and the reason we can't provide 
you-I cannot with confidence provide you an answer to the 
schedule question, it is not that date, it is the mix of standardization 
work, which you know to have been going on already to make 
sure when I say blood pressure and you say blood pressure we 
mean exactly the same thing, that is the main standardization 
work. That is very painful, laborious work for which we still need 
to articulate a full schedule between the two Departments, which 
is not necessarily 2015. 
On top of that, however, I want to add that there is a lot of value 
in health care delivery to the exchange of information electronically 
that is not fully computable. That can happen faster. It does not 
require full domain standardization and that would require, in 
order to approach this in a rational way, to focus on the high-priority 
problems that we in the Department and DOD are now experiencing, 
Traumatic Brain Injury, PTSD, et cetera, et cetera. What 
is the structured, computable data that relates to those conditions? 
What is the unstructured and heretofore non-computable data that 
relates to those conditions? Putting a plan together whereby both 
of those together get shared between both Departments, and nothing 
I just said requires standardization of the application-- 
Senator MURRAY. I think we all are beginning to understand the 
complexity of this, but on the other side, we have got to keep the 
pressure on. This has to be done. There are too many problems 
with the current system and we want to see improvements, and I 
know my constituents do, the people who use these records. 
Let me go back, Secretary Howard. I know in my opening statement 
I mentioned this issue, and I know both Senator Akaka and 
Burr did, too, that I think we all get that there are clear benefits 
from centralizing your IT system, as you shared with us. But we 
are hearing from some of our local VAs that they are very concerned 
that the centralized model will take away some of their ability 
for innovation and flexibility, particularly in perhaps purchasing. 
I just want to ask you how you are going to make sure 
that we don't lose that really important flexibility at the local level. 
Mr. HOWARD. Ma'am, communication is the key to that and we 
do have very good communication with the individuals that we support, 
you know, from the administrations. We clearly do not want 
to impact that negatively. 
What they are experiencing, though, there is a bit of frustration. 
If I was a hospital director, I got my resources, I got what I needed 
to do my job, fully decentralized operation, quite frankly, there is 
probably no one in this room that would prefer not to operate that 
way. That is a good way to operate. The only difficulty is a big 
organization like we have, if you don't keep adequate control over 
that, you begin to lose standardization and interoperability, which 
is where we find ourselves today. So the idea is to try to centralize 
those activities but without excluding the individuals that we are 
supporting, and there is no intent to do that. 
Communication is the key. We do have a governance process in 
place where there is active involvement from the administrations 
and the staff agencies that we support. I can assure you that as 
far as my objective is concerned, our objective is clear, an open 
transparency, open communications. 
Senator MURRAY. OK. I did want to ask you about communications, 
too, because as you recall, when the VA lost the information 
of 26.5 million veterans a while back, reporting that was a huge 
issue. Congress didn't know about it immediately. People who were 
affected did not know about it. Apparently information was out 
there. Two weeks later, Congress was told about it. Two weeks 
after that, we were told that 50,000 Navy personnel were affected. 



The next day, it was another figure and more people. What have 
we done to make sure that if a breach occurs today, that the information 
is there immediately so those people whose information has 
been impacted will know right away? 
Mr. HOWARD. Senator Murray, we have got a lot of initiatives 
going on here, but if there is one area where we have absolutely 
improved things, it is in the incident reporting and incident response 
area. There is no doubt about that. Incidents are now reported 
very rapidly all the way up to the Secretary. As soon as I 
read the daily incident reports, a copy is at the Secretary's level 
also. There is no reading the thing and massaging it before it goes, 
and to U.S. CERT, to the Computer Emergency Response Team. 
You know, we have to report within 1 hour. We don't even think 
about it. It goes right to them as soon as it comes to us. 
Now, what that has resulted in is a lengthy list of incidents, because 
what we have told people, again, if you even think that you 
have an incident, don't think too long. Get it reported so we can 
do something about it. We would much rather have that than 
worry about the length of our reporting, our reporting list. 
Senator MURRAY. What happened in between. 
Mr. HOWARD. So the thing is that we also have weekly meetings 
to resolve these. If we don't have sufficient information regarding 
a particular incident, we demand that and issue papers and what 
have you. As I mentioned, my oversight and compliance team led 
by Arnie Claudio is constantly moving. He has done almost 95 assessments 
since January, looking at the hospitals, looking at things 
that are wrong that may never make the incident reports because 
they catch them in time. They have also discovered things that 
they have reported in our incident response program. 
So that area, I feel fairly comfortable that we are at least able 
to capture the incidents and adequately report them and then do 
something about them. 
Senator MURRAY. OK. Mr. Chairman, I just have one additional 
question. I wanted to ask you, I understand that there was a recent 
outage of the VA's electronic medical information that affected 
about 17 of our VA medical centers. Can you share with us what 
the impact of that outage was on their operations and what we are 
doing to prevent that from happening again? 
Mr. HOWARD. Yes. This was a big deal and we are very, very concerned 
about it. This refers to the Regional Data Processing Center 
Initiative that I believe you are aware of. The Regional Data Processing 
Center Program was put in place in response to 9/11, to serious 
incidents like that, and what we mainly were concerned about 
was the loss of the information. And so we began to migrate VistA 
systems into highly protected data centers, and this is a tier four 
data center that you are referring to in Sacramento. 
What we did not do, and first of all, that incident was inexcusable. 
The fact of the matter is we were down for too long. There 
was human error involved, probably the press of business, you 
know, thinking that this particular act would solve the problem 
and bring the systems back up, in fact, was wrong. It did not solve 
the problem and the system went down again. 
And so we have corrected that. In fact, Arnie Claudio, my oversight 
people were on the scene. We also have a team that is currently at 
work trying to examine in great detail what might have 
happened. And in addition, we are putting a contract in place for 
an independent look at just what we are doing here, because what 
we have discovered is the VistA application itself is perhaps-does 
not really lend itself to a robust Regional Data Processing Initiative 
like that. We need to understand that better. 
The final thing I will say about it that we have discovered is the 
read-only capability at the hospitals. In other words, the systems 
went down in the Regional Data Processing Center, but there was 
a read-only capability at hospital level. What we have discovered 
is that at some hospitals that read-only capability was not robust 
enough. We don't know why. We may not have done that in the 
past. But that can't happen. 
In fact, in one hospital, they were only able to accommodate 300 
users. Well, that is not good enough. You know, at a hospital level, 
you need to be able to sign in and sign out a lot more than 300. 
So we are taking a look at that. We clearly need to provide a more 
robust back-up capability and a fail-over capability because if it is 
a finance system that goes down, you might be able to afford a few 
hours' wait. You can't afford that with hospitals and we clearly 
understand that. We are examining it in great detail. In fact, I have 
directed no further migration of the VistA systems into the Regional 
Data Processing Centers until we can understand in detail 
what is going on. 
There is some concern over distances. You know, on the West 
Coast, the hospitals are much more spread out geographically, as 
you well know. That may be a factor in what we are experiencing
-- 
Senator MURRAY. Well, if I can ask you to share with this Committee 
the information as you get it from what happened and what 
you are doing to respond and make sure that we are doing everything 
we can to fix that, I would appreciate it. 
Mr. HOWARD. We will, Senator Murray. 
Senator MURRAY. Thank you. Mr. Chairman. 
Chairman AKAKA [presiding]. Thank you very much, Senator 
Murray, for your questions. 
I understand, Mr. Secretary, that almost a year ago, VBA asked 
for access to the Electronic Health Record files because of the 
delays in processing claims and this request has not been approved. 
It is my further understanding that VBA will not be able 
to view these records until sometime in 2008. Now, Secretary, during 
an oversight visit to the Honolulu regional office, Committee 
staff learned that claims are being delayed because VBA staff are 
not able to read medical reports which are scanned into VHA's electronic 
health system. 
Given the current backlog in claims processing, this seems like 
an IT solution that should be given a priority, and you mentioned 
priorities being important here. So my question to you is what can 
be done to improve the electronic transmission of medical information 
from in-house VHA to VBA in a more timely manner? 
Mr. HOWARD. I am going to ask Dr. Tibbits to answer that, but 
I will say one thing, sir. In what you are describing, there is always 
a concern over security and privacy. In other words, we are dealing 
with health information and that is one of the things that when- 
ever we permit another agency to look at our information, the security 
and the privacy aspect of it is extremely important and we 
need to make sure those procedures are in place during the transmittal 
of the information. But I would ask Dr. Tibbits to comment 
on that. 
Dr. TIBBITS. Senator, thank you for your question. First, let me 
start off by saying I am going to plead ignorance here and tell you 
I am going to have to take your question for the record and get 
back to you with a more specific answer. That said, I work very 
closely, I would say nearly on a daily basis, with the key business 
leaders inside of the Veteran Business Administration, VBA. None 
of them have told me that there is a pending request to view medical 
data that they currently view as high priority that we have not 
been able to address, so I want to find out exactly what that is and 
let you know with more specificity. 
That said, there are capabilities in place today by which the medical 
data, to some extent, medical data can be viewed by claims 
administrators for the purpose of processing benefits claims. Why 
that might not be adequate or what additional capability they 
need, I am going to need to go back and find out. That is not a request 
that I am actually aware of. 
Chairman AKAKA. Thank you. As you can see, as was said, to 
wait until 2008 really delays the system. 
Secretary Howard, as I mentioned in my opening statement, my 
requested investigation on VHA's waiting times yielded findings 
about the accuracy and completeness of the waiting lists. Senator 
Tester has also brought my attention to the need to refine the 
pharmacy ordering system so that prescriptions aren't mailed out 
to veterans until they are needed. Is responsibility for matters such 
as fixing the electronic waiting list and refining pharmacy systems 
your responsibility or does that still vest in VHA? 
Mr. HOWARD. Sir, defining the requirement is VHA. Solving the 
problem is primarily VHA, but clearly we can provide assistance in 
the IT arena because sometimes the solution may not be totally IT. 
It may be a methodology kind of fix that needs to be put in place. 
But the requirement definition of it, prioritization of it, having us 
work on it, that is a VHA responsibility. 
Chairman AKAKA. Do you happen to know what priority does VA 
place on finding specific health information solutions? 
Mr. HOWARD. On that one, sir, I would have to get back to you. 
I don't know where that would lie on the list. 
Chairman AKAKA. Thank you. Secretary Howard, I understand 
there was a recent outage of VA's electronic medical information 
system that affected 17 VA medical centers. What was the impact 
of this outage on these facilities' operations and what is VA doing 
to prevent this from recurring? 
Mr. HOWARD. Yes, sir. In fact, Senator Murray asked a similar 
question. This involved the Regional Data Processing Center out in 
Sacramento. We experienced difficulties in input-output loads, excessive 
times involved. The system did go down. The reason the 
number of hospitals, there were 17 hospitals affected was because 
we had regionalized the VistA systems and this regionalization was 
done in order to better protect the information involved. In other 
words, it actually went all the way back to 9/11. This program 
itself has been in existence for a number of years. 
In this particular case, human error was involved. A fix was 
made to the system that should not have been made. They did that 
in order to try to bring it up and that did not happen. It went down 
again. In hindsight, another mistake that was made is that they 
did not make the decision to fail-over these particular VistA systems 
to our back-up in Denver, Colorado, which could have been 
done. So there were a number of mistakes made. 
We have already conducted several reviews of what happened 
and we are going to conduct a third. The third review will be much 
more comprehensive because we now want to take a very hard look 
at what we are doing with respect to regional data processing 
across the country, to include not only the VistA systems, but some 
of our corporate data assets, like, for example, in our Austin 
Automation Center, Hines, and Philly, which weren't part of this 
particular program in the past. 
There are other aspects of what we have discovered. For example, 
in order to provide a back-up capability, we actually do have 
read-only VistA capability remain at the hospital level. They did 
have this read-only capability. However, in a couple of instances, 
we have discovered that was not robust enough and we need to correct 
that. The read-only capability must be adequate to support the 
particular hospital that has it. 
So in summary, this resulted from human error, but it has also 
surfaced some issues that we need to address very quickly here because 
this whole program is extremely important, because we do 
need to protect the information inside very well-protected data centers, 
which is what the Sacramento data center was, a tier four, 
very-and all kinds of organizations are moving toward that way 
of doing business, you know, putting their data inside very highly 
protected data centers. We need to step back and make sure that 
the VA's program makes sense and that we are not pushing things 
too fast and that we have the right back-up capability in place in 
order to continue to support the mission. 
Chairman AKAKA. Secretary Howard, it seems as though VA has 
been in the process of modernizing its health and benefits IT systems 
for years. GAO reviews have consistently cited poor program 
management as one of the major reasons for a lack of progress. 
What is VA doing to address the issue of improving the program 
management for the modernization of its health and benefits IT 
systems, and what is the timeframe for completing the migration 
of VistA and BDN to modern IT platforms? 
Mr. HOWARD. Sir, I am going to ask Paul Tibbits in a minute to 
describe the specifics of the migration, because it is a multi-year 
process both with respect to VistA modernization and the 
VETSNET in support of VBA. 
On the discipline aspect within program management, you hit 
the nail on the head. We have clearly seen that. There have been 
a number of studies. In fact, Carnegie Mellon did a study, as well, 
that highlighted that as a problem. Fortunately, Dr. Paul Tibbits 
has a great deal of DOD experience in the acquisition process, a 
disciplined acquisition process which, quite frankly, we do not have 
to the degree we need to in the VA. We have recognized that. Dr. 
Tibbits is well on the way to solving that problem, to provide adequate 
baselines, cost, and performance, earned value metrics, all of 
those things that need to be done within a robust, well-disciplined 
acquisition and program management process. 
We are on the way to improving that, but I will tell you, we have 
got a long way to go, and I would ask Paul Tibbits to comment, because 
he is in charge of the program managers that you are referring 
to. 
Chairman AKAKA. Thank you. 
Dr. TIBBITS. Senator, thank you very much for the very important 
question. Actually, the two are quite related to each other, the 
program management and the BDN migration, and let me just 
start off with that relationship, which I think, by the way, my personal 
opinion is that the centralization of IT authority in the Department 
positions the Department very well to do the workforce 
reshaping necessary to inculcate those disciplines which you are 
referring to were absent in the past. 
In any case, when my organization was stood up, which was really 
April of this year, I was fortunate to inherit the VETSNET Program, 
which over the preceding 18 months or so, in responding to 
specific findings of a Carnegie Mellon study, had set up an excellence 
governance and program management structure, in fact, good 
enough in my view that it has served as a template of program 
management and governance which we are, in fact, exporting to 
the rest of VA and to other programs. 
I mention that because that is an example of a very good program 
management discipline applied specifically to the problem 
you asked about, which is migration off of BDN. So that particular 
piece of the Benefits Delivery Network system is being delivered on 
time, at cost, as promised, based on a schedule that was created, 
I would say, approximately 18 months ago, and much of that due 
to careful oversight by both VBA itself and external entities, 
MITRE, in making sure that the recommendations of the Carnegie 
Mellon study were, in fact, institutionalized in the way that program 
is managed. 
We are now challenged with taking that as a model and exporting 
it throughout the rest of the VBA and the rest of VA. We have 
done so in our FLITE program, for example, which is the internal 
financial management and logistics system. We have exactly patterned, 
and now have approved and have actually stood up a governance 
structure on top of FLITE which is a template and replicate 
of the governance structure that was set up by VBA on top 
of VETSNET. 
The rest of the capabilities, education, vocational rehab on 
VETSNET migration, using that discipline, we are approaching in 
two ways. One, a code migration pathway which will give us exactly 
the same functionality but in new software, and a separate 
set of initiatives which will give us new functionality and new 
software, two different pathways to get off of that industrial-a system 
that has exceeded its industrial life. 
The target date for both of those is 2011. Right now, that is our 
target date to complete both of those pathways. Whether we will 
have to, in fact, continue down both of them will remain to be seen 
as we learn more about each of those pathways as we go along. But 
at the moment, we are wearing belt and suspenders with respect 
to trying to get off of that platform. That is the program management 
discipline piece and how we have applied it to migration off 
of BDM. 
Chairman AKAKA. Well, I want to thank you, Dr. Tibbits, and, 
of course, Mr. Secretary for being here today. 
There has been a vote that has been called. It is on now, and so 
I want to thank you for your testimony. Without question, it is 
going to be helpful. At least we have timeframes here to look at 
and we have an idea of how we are approaching the kind of problems 
that we are facing, as well, in the system. As you mentioned, 
Mr. Secretary, it is not the technology, it is really the ability of the 
managers and you have filled that slot real well and we are looking 
forward to continuing to work with you on this. 
We will take a recess now for 10 minutes and I will be back after 
that vote and we will have them panel two. Thank you very much, 
and this Committee hearing is in recess. 
Mr. HOWARD. Thank you, sir. 
[Recess.] 
Chairman AKAKA. Will the panel please be seated. The hearing 
will come to order. 
I am pleased to welcome our second panel. First, is Valerie Melvin, 
the Director of Human Capital and Management Information 
Systems Issues at GAO. Next is Stephen Lucas, the Director of the 
James A. Haley VA Medical Center in Tampa, Florida. Then we 
have Kim Graves, the Special Assistant to the Under Secretary for 
Benefits at VA, who has a particular responsibility for IT matters 
in VBA. Last is Dr. John Glaser, the Vice President and CIO of 
Partners HealthCare in Boston, Massachusetts. 
I want to thank you all for being here and look forward to your 
testimony. The witnesses will testify in the order that I just 
introduced you. I ask that you keep your statements to 5 minutes. 
Your full statements will be included in the record. 
Ms. MELVIN? 
STATEMENT OF VALERIE MELVIN, DIRECTOR, HUMAN CAPITAL 
AND MANAGEMENT INFORMATION SYSTEMS ISSUES, 
U.S. GOVERNMENT ACCOUNTABILITY OFFICE; ACCOMPANIED 
BY McCOY WILLIAMS, DIRECTOR, FINANCIAL MANAGEMENT 
AND ASSURANCE TEAM, U.S. GOVERNMENT ACCOUNTABILITY 
OFFICE; GREGORY WILSHUSEN, DIRECTOR, 
INFORMATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY 
OFFICE; AND BARBARA OLIVER, ASSISTANT 
DIRECTOR, INFORMATION TECHNOLOGY, U.S. GOVERNMENT 
ACCOUNTABILITY OFFICE 
Ms. MELVIN. Mr. Chairman, thank you for inviting me to discuss 
VA's Information Technology Program. In serving our Nation's veterans, 
VA spends about $1 billion annually on information technology, 
but the Department has been challenged in managing its 
IT programs and initiatives. To address this challenge, VA is realigning 
its organization to centralize IT under the Chief Information 
Officer, guided by a defined set of improved management processes. 
VA began this realignment in October 2005 and plans to 
complete it by July 2008. 
At your request, my testimony today summarizes our previous 
work on the Department's realignment efforts. In this context, I 
will also briefly discuss our recent work on several of the Department's 
IT programs and initiatives, including information security, 
inventory control over IT equipment, the modernization of existing 
benefits systems, and sharing electronic health information with 
the Department of Defense. 
In short, VA has made progress in moving to a centralized structure. 
However, when we last reported in June, it still had to address 
several of six factors that we identified as critical to a successful 
transformation. In this regard, it either acted or indicated 
intent to act on all except one factor, to dedicate an implementation 
team to manage this important change. 
In addition, while improved management processes are a cornerstone 
of the realignment, as of May, VA had not made significant 
progress, having only begun to pilot test two of 36 planned new 
processes. In our view, an implementation team and established 
management processes are fundamental to the overall success of 
the realignment initiative. 
In the meantime, VA has ongoing programs and systems development 
initiatives that depend on effective management and use of 
IT resources, the essence of the realignment. Our recent studies 
have noted measures of progress in these areas, but more work remains, 
including addressing numerous and longstanding information 
security recommendations that we and the Department's Inspector 
General have made. 
For example, our report being released today notes that although 
VA has made progress, it has not yet fully implemented numerous 
recommendations to strengthen its information security practices. 
Also, while it has begun to realign its security program, it has not 
completed development of improved security management processes 
or ensured effective coordination between organizations responsible 
for information security functions. 
In addition, our prior work noted that VA had taken certain 
steps to strengthen controls over IT equipment, such as clarifying 
property management policies. Overall, however, it had not ensured 
consistent implementation of controls to effectively account 
for its IT equipment inventory. 
Regarding VA's modernization of existing benefits systems, our 
recommendations have placed particular emphasis on the need for 
comprehensive planning. In turn, we recently noted after the 
implementation 
of improved management processes, progress on the 
Veterans Benefits Administration's new compensation and pension 
benefits system. Further systems development is needed, however, 
and certain process improvements must still be institutionalized to 
realize continued success. 
In VA's effort to share electronic health information with DOD, 
a milestone was achieved when the two Departments began exchanging 
limited medical data at selected sites through an interface 
between their respective new data repositories. However, to 
fulfill the long-term vision of a comprehensive electronic medical 
record, much work is still needed, including effectively planning 
and managing efforts to expand data sharing among both Departments. 
In summary, Mr. Chairman, VA is making progress in its IT realignment, 
but important work remains to ensure that effective 
management processes exist and that its IT programs and initiatives 
are fully and successfully implemented. Further progress in 
these areas could be significantly aided by the key management 
processes that are the cornerstone of the realignment. Until these 
processes are fully institutionalized throughout the Department, 
VA may not realize the full benefits of the realignment or achieve 
its many IT goals. 
This concludes my prepared statement and I would be happy to 
respond to any questions that you may have. 
[The prepared statement of Ms. Melvin follows:] 
PREPARED STATEMENT OF VALARIE C. MELVIN, DIRECTOR, HUMAN CAPITAL AND 
MANAGEMENT INFORMATION SYSTEMS ISSUES 




Chairman AKAKA. Thank you very much, Ms. Melvin. 
Now, Mr. Lucas. 
STATEMENT OF STEPHEN M. LUCAS, DIRECTOR, JAMES A. 
HALEY; VA HOSPITAL AND CLINICS, TAMPA, FLORIDA 
Mr. LUCAS. Thank you, Chairman Akaka. I am most pleased to 
have this opportunity to appear before this Committee as a proud 
and long-time employee of the Veterans Health Administration. In 
the interest of time, I will summarize my written testimony while 
discussing with you my personal knowledge and experience with 
the realignment of the Department of Veterans Affairs Office of 
Information and Technology. 
I would like to state up front as a personal but also well-known 
observation that VistA is a system put together by clinicians for 
clinicians, and it works. And no one who uses it ever wants to go 
back to what they had, or in many cases didn't have. 
In March 2006, Secretary Nicholson approved the new IT system 
model as the framework for VA's IT system. The new business 
model involved the realignment of approximately 6,000 employees. 
The Secretary has directed the transition to be completed by June 
2008. Working together, VHA and OI&T will meet that expectation. 
I believe that the realignment, due to its magnitude, has created 
many concerns as well as anxieties in VHA's medical community. 
At Tampa, we were concerned that we would lose the authority 
to make necessary medical decisions at the point of care and that 
by the transfer of our development team to OI&T, we would lose 
our ability to innovate. Thus far, these fears have not materialized 
thanks to the Secretary's commitment to VHA that we would not 
lose our ability to recognize and implement innovation originating 
from VHA's clinicians in the field. 
What is working. The people have been moved and they are now 
concentrating on getting the job done. The new centralized structure 
gives us greater purchasing power through economies of scale 
while at the same time granting facilities the flexibility to meet 
local needs and unforseen emergencies. A centralized approach to 
data security and patient privacy can be remarkably effective with 
goals and policies set at the national level while continuing to provide 
local staff and leadership with the needed training to roll out 
these policies and expectations and provide the tools necessary to 
act. 
What needs to be closely watched as we move forward? VHA and 
OI&T need to continue to work closely together to assure that 
decisionmaking capability resides at the direct point of care. 
Communication between our clinicians and developers needs to be 
robust. 
We must continue to engage front-line clinicians in the development 
of the tools they use and use their input to provide effective 
and safe health care. There needs to be a balance between the benefits 
of centralization and the ability of local facilities to make IT 
purchasing decisions affecting efficiency and effectiveness of local 
operations. 
And why is all of this so critical? The needs of today's VA patients 
require a patient-centric approach which will allow veterans 
and their care providers access to seamless health records and in- 
formation at any time regardless of location. And so it is important 
that VHA and OI&T continue to work together to, (1) replace current 
hospital-centric systems with a patient-centric system; (2) provide 
a complete medical record available everywhere at all times; 
(3) support interoperability with other government and private 
health care systems; (4) support patient decision support and 
interdisciplinary clinical care. 
Let me conclude by saying that while the realignment is not 
without its challenges, I see a spirit of cooperation and a sense of 
shared mission that will allow us to overcome them. I am proud to 
say that despite all of the natural and expected distraction that 
occur during a major realignment, we are still serving veterans 
with high-quality care and I expect that to get better as we continue 
to improve the process and work toward improved communication 
and cooperation. 
Mr. Chairman, this concludes my statement. I will be pleased to 
answer any questions that you may have. Thank you. 
[The prepared statement of Mr. Lucas follows:] 
PREPARED STATEMENT OF STEPHEN M. LUCAS DIRECTOR, TAMPA VAMC VETERANS 
HEALTH ADMINISTRATION DEPARTMENT OF VETERANS AFFAIRS 
Thank you Chairman Akaka and Members of the Committee. I am pleased to 
have this opportunity to appear before this Committee as a proud and 
long time employee of the Veterans Health Administration (VHA). Today 
I would like to discuss my personal knowledge and experience with the 
realignment of the Department of Veterans Affairs (VA) Office of 
Information and Technology (OI&T). I wanted to first take a moment to 
review the reorganization process. I will then follow with some 
personal observations on what I think has worked, and what I think 
needs to be watched closely to ensure that we improve the effectiveness 
of the newly revised IT organization. 
I would also like to state upfront as a personal observation, that 
VistA is a system put together by clinicians for clinicians and it 
works, still works, and no one who uses it, ever wants to go back to 
what they had, or in many cases, didn't have. We should never lose 
sight that VA's VistA system remains a world class system and the 
Industry Standard for Electronic Health Records (EHRs) by a long shot. 
In March, 2006, Secretary Nicholson approved a new business model as 
the framework for VA's IT System. This generated the initial 
realignment to OI&T in the neighborhood of 6,000 Operations and 
Maintenance personnel who were previously part of VHA, the Veterans 
Benefit Administration (VBA), National Cemetery Administration 
(NCA) and other parts of VA. On October 31, 2006, Secretary Nicholson 
approved the transition of the VA IT Management System for the 
Department of Veterans Affairs (VA) to a single IT leadership 
authority-the VA Chief Information Officer (VA CIO). This included the 
permanent assignment of all VA personnel dedicated to IT development, 
approximately 1,000 personnel, to the Office of the Assistant Secretary 
for Information Technology (AS/IT) to be completed by April 2007. The 
final transition and realignment, to include institution of a 
governance structure, clear understanding of roles and 
responsibilities, establishment of standardized policies 
and business practices, etc., was directed to be completed by the 
Secretary by June 2008. This transition is significant due to the large 
numbers of people transitioned, many new polices and business processes 
having to be evaluated and implemented, and new communication paths and 
operating procedures tried, rejected in some cases, restructured and 
then re-implemented. All the while, caring for our patients has 
remained our primary mission. I will certainly not try to hide the fact 
that the realignment, due to its magnitude, has created some 
distractions, as well as anxieties in VHA's medical community. 
Specifically, at Tampa, we were concerned that we would lose the 
authority to make the necessary medical decisions at the point of care 
and that, by the transfer of our development team to OI&T, we would 
lose our ability to ''innovate''-the very engine that created the World 
Class VistA system in the first place. Thus far, those fears have not 
proven true and more importantly, we have not lost sight of our first 
priority to provide the highest quality care to our veteran patients, 
the men and women who deserve no less given the sacrifices they have 
made for our Nation. 

WHAT IS WORKING? 
  The people have been moved and they can and are now concentrating on 
  getting the job done. The uncertainty is over. 
  The new centralized structure gives us far greater purchasing power 
  through ''economies of scale'' although I would like to mention that, 
  at the same time, facilities need the flexibility to be able to meet 
  local needs and unforeseen emergencies as I will reiterate later. 
  A centralized approach to Data Security and Patient Privacy can be 
  remarkably effective with goals, expectations and policies set at the 
  national level, but at the same time local staff and leadership will 
  continue to require training in the ''roll out'' of these policies and 
  expectations, as well as be provided the tools necessary to act. 
WHAT NEEDS TO BE CLOSELY WATCHED AS WE MOVE FORWARD? 
  As I said in my earlier testimony, while I believe that there are 
  many good things that have occurred as a result of centralization like 
  central procurements with inherent economies of scale, and 
  standardization in policies and processes (provided the user 
  contributes to policy formation)), they can not be at the expense of 
effective and safe health care delivery. We must continue to find the 
right balance.   We also can not take away the decisionmaking 
capability at the direct point of care or we will have created a 
bureaucracy and impediment to the kind of organizational construct that 
in my mind has made the VHA's health care delivery the best in the world. 
  We can not put a wall, however slight, between our clinicians and our 
  developers as this would effectively stifle that very innovation that 
  was the genesis of VistA in the first place. 
  We must engage clinicians about the tools they use and to leverage 
  effective and safe health care. 
  While I understand that there are many changes that we need to make 
  as an organization in terms of privacy, security, etc, these policies 
  and procedures must always be accomplished with a joint assessment of 
  the impact of that policy or directive on VA's ability to deliver 
  safe, effective health care. 
  There must be a continuing balance between the needs and priorities 
  of infrastructure and medical system requirements as well as the 
  ability for local facilities to make IT purchasing decisions that can 
  improve the efficiency and effectiveness of their operations. 
  Continued work on VA's governance process will be critical to ensure 
  that this is the case and not the exception. 
And why is all of this so critical? VA has made significant progress in 
the evolution of its IT systems and we must continue to foster an 
environment where we can continue to do so in the future. The original 
VA IT health care system was hospital-centric, meaning it focused 
primarily on establishing over 100 applications at specific care 
locations. The needs of VA patients require a patient-centric approach, 
which will allow veterans and their care providers to access seamless 
health records and information at any time regardless of location. And 
so it is important that VHA and OI&T continue to work together to ensure
we have a system in the future that:   Replaces current hospital-centric
systems with patient-centric system to better support modern health care 
needs 
  Provides a complete medical record available everywhere and at all 
  times   Supports interoperability with other government and private 
  health care systems   Supports patient decision support and 
  interdisciplinary clinical care 
  Provides an open, robust systems architecture that is cost effective 
  and easy to maintain 
  Remains available to support hospital operations 24 hours every day 
Let me conclude by saying that the realignment was not without its 
challenges, but I see a spirit of cooperation and mutual objectives 
that will allow us to overcome them as we continue to remain the 
world's leader and benchmark for health care delivery. I am also proud 
to say today that, despite all of the natural and expected distraction 
that occur in a major realignment, we are still serving the veteran with 
quality care, and I only expect it to get better as we continue to 
improve the process and work toward better communication and cooperation. 
Mr. Chairman, this concludes my statement. I will be pleased to answer 
any questions that you or other Members of the Committee might have. 
Chairman AKAKA. Thank you very much, Mr. Lucas. 
Ms. GRAVES? 

STATEMENT OF KIM GRAVES, SPECIAL ASSISTANT TO THE 
UNDER SECRETARY FOR BENEFITS, U.S. DEPARTMENT OF 
VETERANS AFFAIRS 
Ms. GRAVES. Thank you, Mr. Chairman. It is a privilege to be 
here today to talk about the current state of information technology 
in the Veterans Benefits Administration. My statement this morning 
will focus on two major topics, the impact of the reorganization 
of information technology management on VBA activities, and the 
migration of VBA's legacy IT systems to the VETSNET platform. 
I am pleased to report that from VBA's perspective, the reorganization 
of IT took place without major disruptions. While no reorganization 
of this magnitude can occur without some challenges, 
we believe that it was a smooth transition overall. 
One of the main reasons why the reorganization went smoothly 
for us is that VBA's IT structure was highly centralized both in 
applications development and in the operations of our national benefits 
delivery systems. We also had in place a regionalized Network 
Support Center structure for our field op organization with established 
policies and procedures governing our local IT operations. 
Equally as significant, the Under Secretary for Benefits, Admiral 
Daniel L. Cooper, had instituted a formal IT application change 
control and deployment process immediately upon his appointment 
as Under Secretary. The changes he made were based on recommendations 
of the Claims Processing Task Force, which he 
chaired. He also established a uniform IT structure and standard 
application configurations that were made mandatory for use by all 
regional offices. These actions provided the essential framework for 
the transition to a fully centralized environment and served to minimize 
many of the problems that would otherwise have been anticipated 
in a reorganization of this magnitude. Similarly, because of 
the way VBA has executed its IT organization, the transfer process 
caused much less anxiety for the individuals involved and minimized 
disruption to our overall operations. 
However, as with any reorganization, this transition has not 
been without some challenges for us. For example, some of our regional 
offices have experienced problems and delays with the delivery 
and installation of new equipment. Also, we face a number of 
challenges due to the issues such as band width to handle the volume 
of encrypted communications we now require. Our concerns in 
these areas are being addressed by the IT organization. 
During this transition year, we have actively participated in the 
development of the Department's IT governance process. The governance 
structure being implemented will ensure that the administrations 
and staff offices have a forum for communicating their 
business needs and that all decisions related to our IT requirements 
and systems are mission focused. Already we have seen that 
when we have well-developed business plans that are consistent 
with Department-wide IT objectives, we are well supported by the 
new IT organization. We are also pleased with changes such as the 
decision to meet our new equipment needs through leases, which 
will allow VBA to upgrade equipment more frequently and keep up 
with advances in technology. We believe that we our governance 
and business processes mature and communication channels are 
more fully developed, greater improvements will result. 
 
With respect to transitioning from legacy systems, VBA has 
made significant progress in the migration of our compensation and 
pension claims processing activities from the legacy Benefits Delivery 
Network, or BDN, to a modernized corporate platform. 
VETSNET is a suite of applications which not only provide the benefit, 
payment, and accounting functionalities of the legacy Benefits 
Delivery Network, but also provides enhanced information and 
workflow management across the compensation and pension claims 
process. 
In 2005, Under Secretary Cooper he requested an independent 
technical assessment of the VETSNET project to identify areas of 
concern which were inhibiting our ability to complete the final two 
components of the application suite, the awards and Finance and 
Accounting System. These two components provide benefit award 
generation as well as the payment and accounting interfaces. 
As a result of the assessment, the Under Secretary engaged 
MITRE Corporation to assist in the development and implementation 
of mitigation strategies. In conjunction with this effort, the 
Under Secretary also appointed me to serve as his Special Assistant 
with purview over all resources required to bring the project 
to fruition. At that time, aligned resources included personnel from 
our compensation and pension business line, our Office of Resource 
Management, and VBA IT personnel. Although the organizational 
lines have changed since the IT consolidation, this interdisciplinary 
effort continues today, ensuring a business-focused approach to this 
complex systems development project. 
This approach has resulted in significant progress over the past 
18 months. At the end of September 2006, a total of 2,385 veterans 
were receiving their monthly benefits via VETSNET. Today, more 
than 200,000 veterans are on the VETSNET payment rolls. During 
fiscal year 2006, 5 percent of VBA's rating-related claims for veterans 
new to the VA's compensation rolls were processed entirely 
through the VETSNET suite. In August 2007, the figure for veterans 
new to the rolls was 97 percent. More than three-quarters of 
a billion dollars in compensation benefits payments have been processed 
through the VETSNET system this fiscal year. 
However, our most significant gains in migrating compensation 
and pension claims processing from the BDN will be with the conversion 
of approximately 3.5 million active payment records from 
BDN to VETSNET. That process is underway and will be substantially 
complete by June 2008. The final stages of the conversion effort 
will be finished by June 2009. At that time, the entirety of 
compensation and pension claims processing activities will be off of 
the legacy BDN platform. 
Mr. Chairman, that concludes my statement. I will be pleased to 
answer any questions you may have. Thank you. 
[The prepared statement of Ms. Graves follows:] 
PREPARED STATEMENT OF KIM GRAVES, SPECIAL ASSISTANT TO THE UNDER 
SECRETARY FOR BENEFITS, VETERANS BENEFITS ADMINISTRATION, DEPARTMENT 
OF VETERANS AFFAIRS 
Chairman Akaka and Members of the Committee, it is a privilege to be 
here today to talk about the current state of information technology in 
the Veterans Benefits Administration (VBA). My testimony will focus on 
two major topics: the impact of the reorganization of information 
technology (IT) management on VBA activities, and the migration of 
VBA's legacy IT systems to the VETSNET platform. 
IT REORGANIZATION 
I am pleased to report that, from VBA's perspective, the reorganization 
of IT took place without major disruptions. While no reorganization of 
this magnitude can occur without some challenges, we believe that it 
was a smooth transition overall. 
One of the main reasons why the reorganization went smoothly for us is 
that VBA's IT structure was already highly centralized, both in 
applications development and in the operations of our national benefits 
delivery systems. We also had in place a regionalized Network Support 
Center structure for our field organization, with established policies 
and procedures governing our local IT operations. 
Equally as significant, the Under Secretary for Benefits, Admiral 
Daniel L. Cooper, had instituted a formal IT application change control 
and deployment process immediately on his appointment as Under 
Secretary. The changes he made were based on recommendations of the 
Claims Processing Task Force, which he chaired. 
He also established a uniform IT structure and standard application 
configurations that were made mandatory for use by all regional 
offices. These actions provided the essential framework for the 
transition to a fully centralized environment and served to minimize 
many of the problems that would otherwise have been anticipated 
in a reorganization of this magnitude. 
Similarly, because of the way VBA had structured its IT organization, 
the transfer process caused much less anxiety for the individuals 
involved and minimized disruption to our overall operations. 
However, as with any reorganization, this transition has not been 
without some 
challenges for us. For example, some of our regional offices have 
experienced problems and delays with the delivery and installation of 
new equipment. Also, we face a number of challenges due to issues such 
as bandwidth to handle the volume of encrypted communications we now 
require. Our concerns in these areas are being addressed by the IT 
organization. 
During this transition year, we have actively participated in the 
development of the Department's IT governance process. The governance 
structure being implemented will ensure that the Administrations and 
Staff Offices have a forum for communicating their business needs and 
that all decisions related to our IT requirements and systems are 
mission-focused. Already we have seen that when we have well-developed 
business plans that are consistent with Department-wide IT objectives, 
we are well supported by the new IT organization. We are also most 
pleased with changes such as the decision to meet our new equipment 
needs through leases, which will allow VBA to upgrade equipment more 
frequently and keep up with advancements in technology. We believe that 
as our governance and business processes mature and communications 
channels are more fully developed, greater improvements will result. 
MIGRATION OF LEGACY SYSTEMS 
VBA has made significant progress in the migration of our Compensation 
and Pension claims processing activities from the legacy Benefits 
Delivery Network system to a modernized corporate platform. VETSNET is 
a suite of applications which not only provide the benefit payment and 
accounting functionalities of the legacy Benefits Delivery Network, but 
also provide enhanced information and workflow management across the 
compensation and pension claims process. 
In 2005, Under Secretary Cooper requested an independent technical 
assessment of the VETSNET project to identify areas of concern which 
were inhibiting our ability to complete the final two components of 
the application suite: Awards and the Finance and Accounting System 
(FAS). These two components provide benefit award 
generation, as well as the payment and accounting interfaces. 
As a result of the assessment, the Under Secretary engaged MITRE 
Corporation to assist in the development and implementation of 
mitigation strategies. In conjunction with this effort, the Under 
Secretary also appointed me to serve as his Special Assistant, with 
purview over all resources required to bring the project to fruition. 
At that time, the aligned resources included personnel from the 
Compensation and Pension business line, our Office of Resource 
Management, and VBA IT personnel. 
Although the organizational lines have changed since the IT 
consolidation, this interdisciplinary effort continues today, 
ensuring a business-focused approach to this complex systems 
development project. This approach has resulted in significant 
progress over the past 18 months. At the end of September 2006, a 
total of 10,385 veterans were receiving their monthly benefit payments 
via VETSNET. Today, more than 200,000 veterans are on the VETSNET 
payment rolls. During fiscal year 2006, 5 percent of VBA's rating-
related claims for veterans new to the VA's compensation rolls were 
processed entirely through the VETSNET suite. In August 2007, the 
figure for veterans new to the rolls was 97 percent. More than three 
quarters of a billion dollars in compensation benefit payments have 
been processed through the VETSNET system this fiscal year. 
However, our most significant gains in migrating compensation and 
pension claims processing from the Benefits Delivery Network (BDN) 
will be the conversion of the approximately 3.5 million active 
payment records from BDN to VETSNET. That process is underway and 
will be substantially complete by June 2008. The final stages of 
this conversion effort will be finished by June 2009. At that time, 
the entirety of compensation and pension claims processing activities 
will be off the legacy platform. 
OTHER INITIATIVES 
VBA's Vocational Rehabilitation and Employment (VR&E) Program and 
Education Program benefit payment applications are also resident on 
the legacy BDN. The C-WINRS II project (which provides enhanced 
support for the VR&E program) and The Education Expert System (TEES) 
project are both slated to transfer to the corporate platform. The 
award and financial components of VETSNET are central to these 
development efforts. By reusing these common services across the 
business lines, we will experience greater consistency across our 
business systems and improved efficiencies in application development 
and maintenance. We are creating a new operating element within the 
VBA Headquarters structure to be the focal point for development of 
business requirements and to interface with the VA Office of 
Information and Technology. We believe this alignment will ensure 
that VBA business requirements are clearly documented and communicated 
to our IT partners, and that systems development efforts have an 
appropriate business focus. 
To effectively use the available technology, sufficient time and 
attention must be devoted to documenting and communicating business 
requirements. As noted previously, VBA will use the knowledge gained 
from developing VETSNET in all future systems development efforts, as 
we maximize the integration of technology into the claims process. 
The claims development and rating decision support components of VETSNET 
have been in full production mode in all of our regional offices for a 
number of years. Further efficiencies are being seen as we aggressively 
strive toward full implementation of the final components of the VETSNET 
system. 
Other gains will be realized by working in a contemporary computing 
infrastructure. This allows us to readily make software modifications 
to support improved work processes, legislative mandates, or security 
enhancements. These types of changes are simply not possible in the 
legacy BDN. The modernized corporate infrastructure will also make it 
possible to further incorporate and enhance decision-support and 
''expert-system'' applications. We are also making strides in the use 
of electronic data and records in place of paper records in the claims 
process. We are working to integrate ''paperless'' processing into our 
data and information systems and processing procedures. We are using 
imaging technology to support paperless processing in all of our 
Education and Insurance benefit programs. We are also incorporating 
imaging technology and electronic records in our pension program 
processing. 
We are now conducting a pilot program to incorporate imaging technology 
into disability compensation processing as well. The pilot uses claims 
from recently separated veterans filed through our Benefits Delivery 
at Discharge Program. We receive the veterans' service medical records, 
create images of these records, and maintain them as part of the 
electronic claims folders for each claim filed under this pilot program. 
We believe the pilot will successfully demonstrate the feasibility of 
this technology in the disability compensation program for newly 
separated servicemembers. However, because of the magnitude of the 
paper records we store, the extent to which we can ''paperlessly'' 
process claims from veterans of previous periods of service has yet to 
be determined. 
Expanded use of business-rules engines and related types of application 
tools offers promise for further improving our claims processing. We 
recently solicited and received information from a variety of vendors 
on tools which may have potential to assist us in more efficiently 
processing certain types of claims. Together with the Office of I
nformation and Technology, we are currently evaluating this vendor infor- 
mation. The Supplemental Appropriation passed by Congress earlier this 
year will facilitate our implementation of these types of tools to 
improve the claims process. Mr. Chairman, this concludes my statement. 
I will be pleased to answer any questions 
that you or other Members of the Committee might have. 
Chairman AKAKA. Thank you very much, Ms. Graves. 
And now, Dr. Glaser. 
STATEMENT OF JOHN P. GLASER, VICE PRESIDENT AND 
CHIEF INFORMATION OFFICER, PARTNERS HEALTHCARE 
Mr. GLASER. Thank you, Mr. Chairman. It is an honor to be here. 
I thought I would point out a personal connection to the State that 
you serve. When I was growing up, we lived in Lahaina for 2 years 
and I have a very fond memories of that time. 
I am going to summarize the comments that I have. You have 
the written material with you. I am the Chief Information Officer 
for Partners HealthCare. We are a group of hospitals in the Boston 
area, Brigham and Women's Hospital, Massachusetts General Hospital, 
some community hospitals, health centers, physician offices, 
and I am responsible for the IT function for those organizations. I 
have been a CIO for 20 years, and in all humbleness, have some 
reasonable expertise in the application of IT in the health care 
setting. 
My comments are threefold or in three general areas. One is 
comments on the accomplishments of the VA health care IT program 
to date. The second has to deal with alignment, which we will 
talk about when we get there, between the IT activity and the 
organization 
overall. And the third is some challenges of integrating 
two very large, complex electronic health records, in this case the 
VA and the DOD, although there are other examples across the 
globe. 
Let me just, on the accomplishment, I think there is no question 
in the health care IT industry and amongst the CIO communities 
across the world that the VA has one of the most successful and 
the most remarkable health care IT programs that we are aware 
of at all. I personally think, and I told this to our leadership and 
our board, it is the most successful, certainly in the U.S. and probably 
in the globe today. So I just want to make sure, not that you 
do or all of you do, to not forget that as we discuss a range of 
issues that the organization must confront, is to admire and respect 
the work that has been done to date and in lots of ways you 
can see that. 
I mean, if you look across the U.S. about 15 percent of hospitals 
use computerized physician order entry or provider order entry, entering 
medications, lab tests, procedure orders into the computers. 
About 9 percent of the physicians in outpatient practice use electronic 
medical records with very advanced decision support to guide 
and remind, et cetera. 
As you all know, the VA levels of use are well beyond into the 
high 80's, high 90 percent. It is just a remarkable difference between 
where the country is and where the VA is on the adoption 
by physicians and nurses of these technologies in the course of taking 
care of people. 
And in addition to the technology, if you look at, well, does it do 
any good? Is the care any better? I think there have been a range 
of studies that show that the care delivered by the VA, particularly 
in the outpatient care, is superior to that to which we would find 
in the same communities, and so the VA in Boston and the rest of 
the community in Boston. So it is not only being adopted well, but 
the gains in care have been remarkable. 
I think at my organization, Partners HealthCare, which has 
some all-galaxy class organizations and has done well in IT and 
does well in working at care, we are not where you are. We aspire 
to be where the VA is, but we have not yet achieved those levels 
of competency, skill, and effectiveness. So again, the point being is 
from an outsider, for you all to hear how much respect exists and 
for us to preserve that in the efforts that go forward. 
The second set of comments has to do with alignment. There 
have been a lot of studies over the decades that say when an 
organization is very effective in using IT, why is it very effective? 
What factors lead to that? In organizations that have been studied, 
American Airlines, Federal Express, Capital One, Merrill Lynch, a 
variety of organizations, and there are a bunch of-well, there are 
actually really a small number of factors that determine excellence 
at the end of the day and one that is dominant is this notion of 
alignment. And by alignment, there is a very specific sort of set of 
ideas behind it. 
One is that the leadership of the organization, the leadership of 
Capital One or the leadership of American Airlines is able to set 
the direction, say given our objectives and our goals and what we 
want to be, this is where we need to put our IT energies. These 
are the resources, and we may move resources from time to time. 
We are watching the big implementations to make sure that they 
are going well. We are monitoring the issues, and frankly, we are 
holding ourselves and all of you accountable for those results. 
So there is this good linkage and integration between the IT 
strategy game plan and where the organization wants to go. And 
it is not only at this lofty high level but it is also down in the 
trenches, and that is those who do the work on any given day, that 
they, in fact, know they are responsible for the implementations, 
know they are responsible for making sure the design is the right 
design, know that they are critical to changing workflow, and know 
that they, in fact, are obligated to use the tool to make their prowess 
and their customers' prowess as effective as it can be. 
When this alignment doesn't happen, there can be a lot of sort 
of bad things that occur. Now, you can have an IT group that is 
well managed and very efficient, but if it is not aligned, it may be 
working on the wrong things or it may be crafting applications 
which are not quite what the rest of the organization had in mind. 
And a caution, and that is I think occurs in any organizational 
change, and certainly Partners went through its efforts where it 
merged ten IS groups in the course of this and began its own 
centralization efforts, is to preserve that alignment and to make 
sure that what does not occur as a result is that front-line 
doctors and nurses feel that they are in control and command and 
directing the system's activities. 
And so there is this balance to make sure that the alignment is 
such that the CEOs or the leaders of the hospitals and the health 
centers, et cetera, know that they are accountable for IT results, 
have the ability to guide the agenda, have the ability to directly 
deal with issues and the physician and nurses know and feel the 
same, and we can see the fruits of their contribution to the work 
that is being done here. 
So that is the great caution in the efforts to achieve efficiency, 
which matters, and I see this in our organization, and standardization, 
is to balance that against the need for those physicians and 
nurses who do the work-I don't do any real work, they do the 
work-to make sure that we are meeting their needs and addressing 
all the challenges that they face, because frankly, at the end 
of the day, that is why we are here. So be cautious, and it is a 
challenge and a difficult one to get right, be cautious about the 
alignment thing. 
The third thing I will comment on, the interoperability, is that 
getting exchange of data, and there are flashes and examples of 
this in the prior testimony that went on, it is very, very difficult 
to exchange data between organizations. There are standards that 
are being developed but not fully developed. There are areas where 
no standards exist and hence one has of course to create them. 
There are areas that have to do with privacy. There are areas that 
have to do with policies and procedures regarding use of data, so 
if I move it from my organization to yours, what rights do you have 
of changing and adding and subtracting, et cetera. The country is 
grappling with this. This is part of the broad HHS agenda, 
interoperability. Our region is grappling with this, including the 
VA and the DOD. 
I think as we discuss progress that goes on here, we ought to be 
mindful of the extraordinary difficulty here, both technically, policy, 
procedure, privacy that exists here, and while making sure we 
have good game plans and accountability, et cetera, that we appreciate 
that this will take several years to effect and to effect well, 
certainly to the degree that we would like to see in broad operability. 
So let us appreciate the challenge that confronts those who 
are making these organizations happen. 
So, Mr. Chairman, I am done. I thank you for the opportunity 
here. Again, remember how good this organization is and the work 
that it has done and how admired and respected it is while appreciating 
the desire and the need to tackle challenges such as have 
been mentioned before and such as mentioned in my testimony. 
Thank you. 
[The prepared statement of Mr. Glaser follows:] 
PREPARED STATEMENT OF JOHN GLASER, PH.D., VICE-PRESIDENT AND CHIEF 
INFORMATION OFFICER, PARTNERS HEALTHCARE 
Mr. Chairman, Senator Burr, and Members of the Committee. Thank you for 
inviting me to take part in this hearing on the state of information 
technology within the Veterans Health Administration. 
My name is John Glaser. I am the Vice President and Chief Information 
Officer of Partners HealthCare. Partners HealthCare is an integrated 
system of medical care whose members include the Brigham and Women's 
Hospital, the Massachusetts General Hospital, community hospitals, 
health centers, physician practices and visiting nurses. I have been 
a CIO for 20 years. 
I am also the Founding Chairman of the College of Healthcare 
Information Management Executives (CHIME); the country's premier 
organization for healthcare CIOs. I was recently inducted into the 
CIO Hall of Fame hosted by CIO magazine. 
My testimony centers on three areas: the accomplishments of the VA 
health care information technology (IT) program, the importance of 
information technology alignment within a health care organization 
and the difficulty of integrating two large, complex electronic 
health records-the VA and DOD. 
ACCOMPLISHMENTS 
There is no question that the world's health care CIOs and the heath 
care IT industry regard the Veterans Health Administration information 
technology program as extraordinarily successful. I personally believe 
that the VA program is the most accomplished program in the world. 
Across the country, 15 percent of hospitals have broad physician use 
of Computerized 
Provider Order Entry (CPOE). Nine percent of physicians use advanced 
electronic medical records (EMR) with clinical decision support. In 
the VA, CPOE and EMR use are commonplace. For example: 
  85 percent of the 57 million outpatient visits and almost all of the 
  inpatient notes are online 
  94 percent of the outpatient prescriptions-equivalent to 200 million 
  30-day prescriptions-as well as almost all of the inpatient 
  prescriptions are entered directly by the prescribing clinician. 
The VA has not only achieved remarkable levels of adoption of health 
care IT but has also leveraged those systems to make very impressive 
gains in care. A study published in 2004 compared care of VA and non-VA 
patients in 12 communities and found that the care for VA patients 
scored higher on care quality, chronic disease care and preventive care. 
Partners HealthCare is widely regarded as very effective at applying 
information technology to improve care. While we have high levels of 
adoption of CPOE and the EMR and we have improved the care that we 
provide to our patients, we have not yet achieved the adoption levels 
or care gains being seen today at the VA across more than 150 medical 
centers and greater than 1,400 sites of care. 
In addition to our efforts to improve today's patient care, Partners 
HealthCare has established highly regarded research programs designed 
to explore new uses of the information technology to improve health 
care. We routinely partner with the VA in grant applications and 
research studies. This relationship recognizes the track record of 
the VA in health care information technology and the VA's sophisticated 
understanding of new opportunities to improve care. 
I appreciate the fact that the VA has information technology 
challenges. So does Partners HealthCare and every other healthcare 
system in the world. We also face threats of data loss, projects that 
are over budget and under perform and difficulty integrating complex 
information systems across organizational boundaries. While these 
challenges must be effectively addressed by the VA, I would encourage 
us to not forget the excellence that has, and continues to be, 
exhibited by the VA health information technology program and the 
world's admiration of that program. 
ALIGNMENT OF INFORMATION TECHNOLOGY 
Numerous studies of information technology investments by a wide range 
of organizations across many industries have all identified a factor 
critical to effective use of the technology-alignment of the 
information technology function, agenda and accountability 
with the needs and management of the organization. 
Organizations, such as American Airlines, Federal Express, Capital One 
and Merrill Lynch, which have consistently demonstrated exceptional 
information technology use have several common characteristics: 
  The leadership of the organization sets the information technology 
  strategy and agenda. The leadership actively defines the plan, 
  manages project resources and implementation, addresses issues and 
  assumes accountability for results. 
  The staff of the organization have been given the responsibility for 
  the ensuring 
that an application meets their needs, managing specific 
implementations and changing related process. 
Failure to achieve strong alignment can pose significant problems for 
the organization. Information technology projects may be well managed 
and the information technology group may be very efficient but, without 
alignment, they are at great risk that their work is not addressing the 
priority needs of the organization and the delivered applications do 
not reflect the needs of the staff who do the organization's work on a 
daily basis. 
The excellence that characterizes the VA health care information systems 
was a result of exceptional alignment. The VA Health Administration 
leadership had direct authority over the information technology 
strategy, resource allocation and 
management of results. The physicians and nurses who deliver care to 
our veterans had direct access to the analysts and programmers who 
created the applications. Indeed the analysts and developers viewed 
these providers as their true bosses. 
I am concerned that recent changes in the VA information technology 
organization structure will damage alignment. Steps that centralize 
authority within the VA in a manner that reduces the direct management 
of information technology by those who are accountable for the delivery 
of medical care and are most knowledgeable about the needs of the 
healthcare system runs a very significant risk of undermining 
the progress that has been made. 
These concerns acknowledge the value of a central VA information 
technology group in areas such as developing technology standards and 
providing nonhealthcare specific financial systems. However, too much 
centralization will damage alignment and diminish the excellence of 
medical care. 
INTEROPERABILITY OF ELECTRONIC HEALTH RECORDS 
The value of interoperability of electronic health records across 
organizations is difficult to dispute. Such interoperability is likely 
to improve the safety, efficiency, timeliness and effectiveness of 
patient care. 
The difficulty of achieving interoperability of electronic health 
records is difficult to dispute. 
There are a large number of formidable challenges to achieving 
comprehensive interoperability. 
While the Federal Government is making significant progress in 
defining standards for healthcare data, these standards are still 
largely in the approval process and have not become widely adopted 
across the industry. 
There are critical aspects of healthcare data for which broadly 
accepted data models and standards do not exist, for example, the 
history and physical. 
Accurate identification of patients who have different medical record 
numbers remains difficult and labor intensive. 
Procedures and processes must be developed that provide ''rules of 
the road'' for using exchanged clinical data. What categories should 
be used to classify physician notes? Under what circumstances can a 
physician in one organization change the problem list entry of a 
physician in another organization? Which clinical staff from one 
organization can discontinue a medication given by a provider in 
another organization? 
How should institutional review board processes work when the data 
spans multiple organizations? How will privacy policies and procedures 
be enforced across organizations? 
There are complex technical issues that surround the interoperability 
of electronic health records that span organizational boundaries. There 
are also complex governance, policy and procedure issues that must be 
addressed. 
The VA and DOD have made considerable progress in achieving 
interoperability between their electronic health records. Outpatient 
medication and drug allergy data is being exchanged. Mechanisms exist 
for the VA systems to receive DOD health date for discharged military 
personnel. 
Achieving the interoperability of the VA and DOD electronic health 
records is an important goal. And those who are charged with creating 
this exchange should be held accountable for delivering on their plans. 
Nonetheless, we should all appreciate the immense challenges that 
exist. And we should respect the fact achieving this goal will take 
several years. 
CONCLUSION 
We all appreciate the importance of the VA's health information 
technology program to the efforts to provide great medical care to our 
veterans. We also all appreciate that the program, as do all large 
information technology undertakings, faces issues. 
As we collectively tackle those issues, let us not forget the true 
excellence of the program. And let us appreciate the importance of 
alignment and the significant difficulty of achieving interoperability 
between the electronic health records of two large providers of care. 
Thank you for the opportunity to testify. I welcome the opportunity to 
respond to your questions. 
Chairman AKAKA. Thank you very much, Doctor, for your testimony. 
I have some questions for this panel. This question is for all of 
the panelists, and I will take your responses in the order in which 
you were introduced. What can VA do to maintain the entrepre- 
neurial spirit that has been a hallmark of VA IT while realizing 
the advantages and efficiencies that come with a centralized 
management structure? Ms. Melvin? 
Ms. MELVIN. Mr. Chairman, in our work, we emphasize and support 
the need for VA to balance innovation with a disciplined process 
for carrying out its systems development efforts. In looking at 
the overall realignment plan that VA is undertaking, the key that 
we have identified are six critical factors that we think are essential 
to making sure that the Department is able to implement its 
realignment and maintain the balance relative to being sure that 
it understands and is able to respond to user needs. 
Within that, the Department has identified 36 critical management 
processes that it views as essential to being able to have an 
effective overall management process for information technology. A 
part of those processes deals with ensuring that the Department 
has adequate communications, enterprise-wide communications, 
that effectively allows it to convey information relative to the 
realignment, which is essential to ensuring that the culture of the 
organization understands what the realignment is about and supports 
its mission. 
Secondly, within the overall process of looking at these initiatives, 
it is important that there be disciplined processes and that 
they be followed. I think in the earlier panel, there was discussion 
of the need to balance the requirements processes, understanding 
the overall needs of the users, in this case the physicians, the 
clinicians who have been vital to the innovation that was a part of 
the original system, ensuring that there are proper places, proper 
channels, I should say, for their ideas and innovative thoughts to 
be addressed, to be prioritized, and to be considered in the overall 
mission and organization goals for having information technology. 
Key to that also is a governance process that does, in fact, consider 
all of the levels of users, managers, and other resources that have 
to be considered and prioritized within the overall decisions that 
are made for what is best for the organization in terms of information 
technology. 
Chairman AKAKA. Thank you very much. Mr. Lucas? 
Mr. LUCAS. Mr. Chairman, I will go back to, I guess, what is 
working. I was talking with General Howard on the way over in 
the van and we talk about this, and clearly, at least in Network 
Aid in Florida, we get outstanding support from the OI&T staff, 
very responsive, and we appreciate that support. 
As was mentioned in the previous panel, purchasing, centralized 
purchasing gives us remarkable economies of scale. And then, of 
course, we all know that we can do a lot better with respect to data 
security and privacy issues and we need to do a lot better and 
centralization 
helps us with that. 
The things that are worrisome, from a strategic standpoint, it 
seems to me, is the Electronic Health Record. That record is the 
product of a marriage of developers and clinicians over time and it 
has produced a remarkable, remarkable product, the envy of the 
world. Under the realignment, we have changed that relationship, 
and so I worry that the EHR will not be as robust as it is now. 
And so that is something from the strategic standpoint we need to 
pay attention to. 
In my testimony, I also mention the flexibility of local facilities 
to purchase equipment that they find they need in terms of to enhance 
effectiveness and efficiency. We are not there yet. The relationship 
between OI&T and VHA is not there yet. So, for example, 
the Haley Center is a very busy place and we have a lot of construction 
going on all of the time and we treat upwards of 3,000 
patients a day. That is a lot of traffic and we felt like we needed 
to have some directional capability and we wanted to buy some kiosks, 
informational kiosks. We were prevented from doing that. 
We wanted to-when patients come into a hospital, principally 
there are there for nursing support, and so we need to support our 
nurses as they are caring for our veterans and we wanted to buy 
a PICIS system. That is a Peri-Operative Critical Care Information 
System that helps nurses in documentation and reduces errors. We 
are unable to do that. 
In addition, there is a remarkable communication device called 
Voicera that allows nurses instant communication amongst and between 
themselves on the wards. That saves steps and enhances 
communication between and among the nurses. We are not able to 
do that. 
So these are not mission critical-this is not mission critical 
equipment, but it is important equipment, and so the flexibility is 
not there yet. But as General Howard pointed out in his testimony 
or in response to a question from Senator Burr, it is a work in 
progress. As I mentioned, as long as we have got good communication 
and we feel like we are on the same team and the most important 
issue is the care of our veterans, we will get there. Thank you, 
sir. 
Chairman AKAKA. Thank you. Ms. Graves? 
Ms. GRAVES. Thank you, Mr. Chairman. I would like to echo the 
testimony of the prior panelists. I believe that having an effective 
communication structure in place so that the business requirements 
are clearly defined, clearly understood, and that we continue 
to develop a very strong partnership between the business elements, 
the service elements of the VA organization, and the IT organization, 
we will ensure that we have a successful implementation 
of this process. Thank you. 
Chairman AKAKA. Dr. Glaser? 
Mr. GLASER. Mr. Chairman, I think I will give you some examples 
of initiatives we do in my organization. It sounds like, from 
the prior testimony, some of these are in place at the VA to do. 
An example is all of the IT staff, or virtually all of them, actually 
live in the hospitals or they live in those settings in the clinics so 
they don't forget why they are here, and they encounter doctors 
and nurses in the hallways who remind them of what is working. 
Second, for the majority of them, the reviews are joint reviews. 
In other words, I might give your performance review, but somebody 
from the hospital is also joining me in giving that review. So 
you have to take care of them and take care of me at the same 
time. 
The third is that when we have committees who guide us in our 
own electronic health record efforts, et cetera, those committees are 
composed only of providers, physicians and nurses, and only of providers 
who practice. So we want to make sure that after our Com- 
mittee meeting of what the five things we ought to do here are that 
you have to go back the following day and take care of people and 
understand the realities that go along with that. 
Another-two more items that we do here. One is in our case, 
the CEOs of our hospitals, the community hospital or the person 
running a health center, of the IT budget, 50 percent is theirs to 
spend at their discretion. They are bound by certain standards and 
there are certain things you can't do. You can't decide to unilaterally 
change the payroll system or the security system. But you 
have, within some broad guidance, you have the discretion to spend 
it here or spend it there or a variety of ways. We still like to 
understand it and make sure you are not doing something crazy, but that 
is rare that that kind of thing occurs. 
The last thing we do is that we have a program where if you are 
an employee of Partners, a physician, a nurse, or an IT person, and 
say, I have an innovative idea, you can apply for a small grant. We 
have blessed 64 such projects over the last 4 years. The general 
size of the grant is about $40,000. It is not a whole lot of money. 
They put more of their own effort into this than we can possibly 
pay them for and they just want the permission to go off and explore 
this, learn about that. We ask that you write it up. We have 
a symposium in which people share these ideas. Not all of them 
work out. Some of them didn't turn out so well. But nonetheless, 
we try to harvest those ideas and to broadly adopt them because 
there are some very clever, very smart people who are willing to 
work really hard on their own effort or their own weekends to go 
off and do that. So a small internal grant program can accomplish 
a phenomenal amount of innovation. 
Chairman AKAKA. Thank you. Mr. Lucas, what would be the impact 
on your facility and your ability to furnish care to veterans if 
you lost access to the Electronic Health Record system for even 1 
day? 
Mr. LUCAS. Mr. Chairman, it would be a very long day. We 
would immediately go over-and we practice this because it is that 
important as part of our disaster preparedness plan-we would immediately 
go over, call a Code Z, Code Zebra. And so all of the notations 
in the medical record would be on paper. All of the results 
reporting out from all of the diagnostic areas would be on paper. 
Hopefully, we would still be able to print out health summaries for 
the clinicians at the front end with our veterans, but the health 
summaries are just the latest information with respect to the veteran. 
And that isn't particularly helpful in the specialties and 
subspecialties, so a large number of those appointments for our veterans 
would probably be canceled or delayed. 
In addition, because we are on paper, it slows us down, and that 
means that instead of seeing upwards of 3,000 patients in any 
given day, we would see substantially less than that, probably less 
than half of that, which means that appointments would be canceled. 
In addition to that, since the computers are unavailable up in the 
OR, certain of the procedures would probably be canceled, and that 
is where it really starts to inflict pain, because when you are going 
into a procedure, even a minor procedure, you gear up for that. I 
mean, anybody does. And to have that canceled and delayed is an 
emotional trial. 
So all of that would happen. We would then, when the system 
came back up, engage in putting all of that paper into the system. 
And, of course, some physicians' writing ability is not as good as 
others and so you end up with legibility issues. You end up with 
the potential for errors, and I won't even go into the lack of bar 
code med administration when the computer goes down and the 
possibility of med errors with that. 
So, this could be a very long day. Recovery would also take considerable 
time, several days, I would expect, to get all of that back 
in, to make sure we haven't made errors and to check it out. A difficult 
situation, but most difficult for our veteran patients. And I 
guess that is what, at the end of the day, what I would like to be 
assured of as a medical center director, as a veteran, is that the 
leadership of OI&T has a situational awareness of the most important 
interface of all, that interface between the provider and our 
veteran patient, and that they understand the ramifications of 
change and also the ramifications of a loss of our IT system. Thank 
you, sir. 
Chairman AKAKA. Thank you. Dr. Glaser, how do facilities in the 
private sector protect their electronic medical information systems 
from disruptions and what can be done to prevent such disruptions? 
Mr. GLASER. Mr. Chairman, I think the actions we take are no 
different than the actions that you take or no different from the 
actions that you would take in a banking setting, a manufacturing 
setting, et cetera. There are steps that are taken to try to thwart 
malevolent efforts of viruses and trojans and other types of bad 
things that people try to do. There are efforts taken to make sure 
that software is tested so that inadvertent changes to software 
don't cripple the organization as a result of activities. 
We are all confronting, and it was mentioned in some of the testimony 
earlier, the growing use of people with their own personal 
devices, their own Blackberries or PDAs or notebooks and connected 
to wireless. It becomes a lot easier to extract data or maintain 
separate lists and walk out with it. And I think the industry 
broadly is grappling with how to do this. 
I think it sounds like from the testimony before that the types 
of work that is done, both the technologies and management practices 
that are broadly adopted across this industry, are well understood 
by the VA IT group and are making progress in adapting 
that. You have a complicated organization, so I don't doubt the 
complexity of making it happen. But I don't know that there is a 
set of insight that the industry has to offer that you are unaware 
of. 
Chairman AKAKA. Yes. We have been talking about the importance 
of information security. Ms. Melvin, in the information security 
report released today, GAO refers to shortcomings in VA's programs 
and procedures designed to improve VA's information security. 
Please comment on areas where VA can improve and share 
your views on whether veterans can be confident that VA is doing 
everything possible to protect their personally identifiable 
information. 
Ms. MELVIN. Mr. Chairman, if I could, I have one of my colleagues 
with me who was directly involved in the assessment of 
that. We did find some areas in which the Department was making 
progress, but also some areas in which we felt that there was a 
need for additional progress and additional efforts on the Department's 
part, and I would like to defer to him to respond to your 
question, if I may. 
Chairman AKAKA. Will you introduce him, please? 
Ms. MELVIN. Yes. This is Mr. Greg Wilshusen, Director in our Information 
Technology Team who is responsible for our information 
security work. 
Chairman AKAKA. Thank you. 
Mr. WILSHUSEN. Good morning, Mr. Chairman, and thank you 
for your question. What we have found during our review of information 
security practices at the Veterans Affairs is that, indeed, 
they have been making progress in a number of areas and improving 
and starting to provide the foundation, if you will, framework, 
for an information security program. However, there are still several 
areas where they need to take additional steps. I would say 
first and foremost, it is defining and assuring that they have the 
adequate policies and procedures in place to effectively assess their 
risk. They are taking steps, as I mentioned, to do that. 
Where VA needs additional work is the actual execution or implementation 
of these policies and procedures. One of the things 
that the Federal Information Security Management Act requires is 
that agencies implement an agency-wide information security program 
that includes assessing risk; developing cost-effective policies 
and procedures that reduce those risks to an acceptable level; assuring 
that staff and agency personnel, as well as contractor personnel, 
are adequately trained in their security responsibilities, 
and to include technical training for those staff with significant 
security responsibilities; and then establishing a process in place to 
test and evaluate the effectiveness of those controls, and as weaknesses 
are identified, to take prompt remedial actions to correct 
them. 
VA has set up several processes and controls to help implement 
those requirements. However, there are still, as I mentioned, several 
areas where they need to go further in implementing those 
controls. 
Chairman AKAKA. Thank you very much for that. Let me ask Mr. 
Lucas and Ms. Graves to please share any thoughts you have on 
shortcomings of the information security initiatives and what can 
be done to regain the confidence of veterans in VA's information security 
programs. Mr. Lucas? 
Mr. LUCAS. We are in the process, as was mentioned, as I think 
General Howard mentioned, we are in the process of changing a 
culture here and so locally at Tampa, we have trained our over 
3,700 employees in both security and privacy issues. We have 
trained over 700 of our volunteers and over 625, if memory serves 
me, of our students, stressing the importance of security, of data 
security. We are going to continue to do that. 
Last year, we had 108 reports of security incidents, data security 
incidents. I am happy to be getting those reports. I think General 
Howard mentioned he is happy to be getting those reports and we 
acted on them very quickly. Some of them, it turned out, were not 
valid. But we have got a full frontal assault on this notion of data 
security and we are going to continue to work through it until, as 
Secretary Nicholson said, we are the gold standard. 
Chairman AKAKA. Ms. Graves? 
Ms. GRAVES. Thank you. Echoing what Mr. Lucas said, education 
and training of our employees is a critical first step. VBA has 
implemented data and privacy training into all of its formal training 
courses, beginning when the employee first comes on board with 
the Veterans Benefits Administration. That training and enforcement 
of good security and information practices continues throughout 
all of our formal and informal training structures. 
Along with that, all of our employees are required to take annual 
privacy and security training and to annually recertify that they 
understand their requirements and their responsibilities in protecting 
veteran data. Again, changing the culture does take some 
time, but I believe with the guidance from OI&T and putting the 
policies and procedures in place so that everyone understands their 
roles and responsibilities, we will achieve the gold standard that 
Secretary Nicholson is looking for. Thank you. 
Chairman AKAKA. Thank you. Ms. Melvin, for almost a decade, 
VA and DOD have been attempting to develop an Electronic Health 
Record that can be used by both Departments. How big of an obstacle 
to the success of achieving interoperability is the fact that both 
Departments are still in the process of completing the development 
of their own modernized health information system? Can you comment 
on that? 
Ms. MELVIN. I can comment on that from the standpoint of the 
work that we have done and looking at VA's relationship with DOD 
in implementing exchanges of data. What we have found, the issue 
of how big of an obstacle it is really is driven largely by the 
relationship and the interactions that those Departments have. Our 
biggest concern has been with the overall project management, 
with the lack of integrated project management, that would really 
establish who is in charge, what the specific goals and objectives 
are that they want to achieve, and how they intend to make that 
happen. 
We have consistently seen throughout the work what we have 
done that both Departments have their separate modernization efforts 
underway. They are working and they have achieved some degrees 
of exchange through various short-term initiatives and ad hoc 
processes that they have put in place and they have also achieved 
some interoperability in the form of sharing computable pharmacy 
and drug allergy data through an interface that they put in place. 
However, we still feel that even though they have made these 
accomplishments, VA has its modernization effort underway. The 
Department of Defense also has its modernization effort underway, 
coupled with multiple systems that it currently must rely on to exchange 
data. What we have not seen and what we do consider to 
be a concern that potentially could be an obstacle is that there 
hasn't been a long-term detailed plan, at least through the work 
that we have done thus far, that would explain or detail how the 
two Departments are collaborating and how they intend to ensure 
that they achieve the common goal of a shared Electronic Health 
Record. 
Chairman AKAKA. Thank you. Let me ask Dr. Glaser, do you 
have a comment on this issue of VA-DOD interoperability? 
Mr. GLASER. I may be expressing ignorance here, Mr. Chairman. 
I think the idea of a common EHR that both organizations use 
would be an interesting idea and I would be curious about it, but 
that is sort of a cover for saying, you have got to be kidding me. 
[Laughter.] 
Mr. GLASER. But maybe it is credible, I don't really know. But 
I would just be struck on that one. 
I think even though their efforts are still in progress, both 
modernization and roll-out of clinical systems, one can effect a degree 
of data exchange while that is going on here. So one does not have 
to reach the pinnacle in order to be exchanging some forms of data. 
Paul Tibbits ran through a shades of gray, which is absolutely correct. 
So one can run in parallel with the modernization, the further 
adoption by physicians and nurses, and the exchange. 
I think above and beyond, and I don't know all the details of the 
GAO account, it becomes a question of what people have as the priorities 
on any given day. Where are people spending their time and 
energy, because those are all huge undertakings-protecting privacy, 
modernization, moving the clinical agenda and exchange. So 
I think there is a non-trivial management challenge of balancing 
those demands and where you put people's time and energy on any 
given day. 
Chairman AKAKA. Thank you. Ms. Melvin, VA has been in the 
process of modernizing VHA's and VBA's legacy IT systems for 
years. Do you believe that VA currently has program management 
processes in place that will allow for these initiatives to be 
successful, and if so, by when? 
Ms. MELVIN. I will speak to your last question first. I don't know 
by when the Department would have its initiatives in place. What 
we have seen from the standpoint of the initiatives that it is 
undertaking, you are correct. Over time, we have had concerns relative 
to their project management and these are concerns that have been 
ongoing and longstanding. However, in the case of the Veterans 
Benefits Administration, what we have found is that where the Department 
has instituted a governance structure and taken steps to 
improve its project management, we have seen progress on their 
part in moving forward with their overall development of their new 
system. However, they have still got work to do. That is not to indicate 
that it is complete. But we do see indications that if the Department 
implements sound project management strategies and 
structure, they can be successful. 
A lot of this will be driven, obviously, by the realignment that 
is put in place and by how successfully the Department does implement 
the management processes that I mentioned earlier. That will 
be key to ensuring that they have a disciplined approach that is 
grounded in sound project management and that that approach is 
applied throughout the organization for the IT initiatives that it 
undertakes. 
Chairman AKAKA. Thank you. Let me further ask Mr. Lucas and 
Ms. Graves, what impact are these modernization efforts having on 
the daily delivery of health care and benefits within VA? Mr. 
Lucas? 
Mr. LUCAS. Any time that you can enhance the operability of 
your systems, it means faster information getting to the clinicians, 
and so we begin to see that. Beyond that, I am not-beyond that, 
I can't comment further, Mr. Chairman. 
Chairman AKAKA. Well, Ms. Graves? 
Ms. GRAVES. Thank you, sir. The project that I have the most insight 
into is the VETSNET project, which is the transition of our 
largest benefit program, the Compensation and Pension Program, 
from our legacy platform to a modernization infrastructure. What 
we have seen from our user base, our veterans' service representatives 
and rating veterans' services representatives who deal with 
our veterans on a daily basis. There is a strong pull for that 
technology, to continue to deliver that technology to them. 
They have found that it enhances their ability to do their jobs. 
It reduces the rekeying of data, redundant rekeying of data that 
can cause errors in the claims process. They have much more ability 
to answer a veteran's question when he or she calls to check 
on the status of their claim or to see how their benefits claim is 
progressing. We have to move paper much less than we did before 
we were able to move into our more modernized environment. 
We expect to see that continue to improve our processes as we 
are able to use the technologies available to us with image data, 
the types of things that Dr. Tibbits spoke of in the earlier testimony. 
That will help us, again, reduce the movement of paper, 
making sure that information that is necessary to adjudicate a veteran's 
claim is at the desktop of all of our users. It reduces the likelihood 
of a claims file being lost or misplaced and therefore unable 
to adjudicate the claim. 
So we do see a significant pull from our users and we expect to 
continue to enhance our end users' ability to serve veterans as we 
make progress toward implementing a modernized platform. 
Chairman AKAKA. Well, I want you to know that I really appreciate 
your responses and, of course, your testimony to begin with. 
You know that we are doing this to try to look for better ways of 
improving VA's IT system. So once again, I would like to thank all 
of our witnesses for joining us today. 
Veterans rely upon VA's information technology programs on a 
daily basis for the delivery of their benefits and services. For their 
sake, we need to ensure that these programs are effectively managed 
and that they work as intended. 
I want you to know that the hearing record will remain open for 
3 weeks to provide time for any additional views. I thank you for 
being so patient. 
This hearing is adjourned. 
[Whereupon, at 12:07 p.m., the Committee was adjourned.] 


