[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
LEGISLATIVE HEARING ON H.R. 571, H.R. 593, H.R. 1015, H.R. 1016, H.R.
1017, H.R. 1128, AND H.R. 1129
=======================================================================
HEARING
before the
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
of the
COMMITTEE ON VETERANS' AFFAIRS
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
THURSDAY, MARCH 19, 2015
__________
Serial No. 114-11
__________
Printed for the use of the Committee on Veterans' Affairs
U.S. GOVERNMENT PUBLISHING OFFICE
98-628 WASHINGTON : 2016
COMMITTEE ON VETERANS' AFFAIRS
JEFF MILLER, Florida, Chairman
DOUG LAMBORN, Colorado
GUS M. BILIRAKIS, Florida, Vice-Chairman
DAVID P. ROE, Tennessee
DAN BENISHEK, Michigan
TIM HUELSKAMP, Kansas
MIKE COFFMAN, Colorado
BRAD R. WENSTRUP, Ohio
JACKIE WALORSKI, Indiana
RALPH ABRAHAM, Louisiana
LEE ZELDIN, New York
RYAN COSTELLO, Pennsylvania
AMATA COLEMAN RADEWAGEN, American Samoa
MIKE BOST, Illinois

CORRINE BROWN, Florida, Ranking Minority Member
MARK TAKANO, California
JULIA BROWNLEY, California
DINA TITUS, Nevada
RAUL RUIZ, California
ANN M. KUSTER, New Hampshire
BETO O'ROURKE, Texas
KATHLEEN RICE, New York
TIMOTHY J. WALZ, Minnesota
JERRY McNERNEY, California

Jon Towers, Staff Director
Don Phillips, Democratic Staff Director
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATION
MIKE COFFMAN, Colorado, Chairman
DOUG LAMBORN, Colorado
DAVID P. ROE, Tennessee
DAN BENISHEK, Michigan
TIM HUELSKAMP, Kansas
JACKIE WALORSKI, Indiana

ANN M. KUSTER, New Hampshire, Ranking Member
BETO O'ROURKE, Texas
KATHLEEN RICE, New York
TIMOTHY J. WALZ, Minnesota

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public
hearing records of the Committee on Veterans' Affairs are also
published in electronic form. The printed hearing record remains the
official version. Because electronic submissions are used to prepare
both printed and electronic versions of the hearing record, the process
of converting between various electronic formats may introduce
unintentional errors or omissions. Such occurrences are inherent in the
current publication process and should diminish as the process is
further refined.
C O N T E N T S
----------
Thursday, March 19, 2015
Legislative Hearing on H.R. 571, H.R. 593, H.R. 1015, H.R. 1016, H.R. 1017, H.R. 1128, and H.R. 1129
OPENING STATEMENTS
Mike Coffman, Chairman
    Prepared Statement
Ann Kuster, Ranking Member
Jeff Miller, Chairman of the Full Committee
    Prepared Statement
WITNESSES
Ms. Meghan Flanz, Director, Office of Accountability Review, Department of Veterans Affairs
    Prepared Statement
    Accompanied by:
        Dr. Michael Icardi, National Director of Pathology and Laboratory Medicine Services, VHA
        Mr. Stanley Lowe, Deputy Assistant Secretary for Information Security and Chief Information Security Officer, Department of Veterans Affairs
        Mr. Dennis Moisten, CC, Associate Executive Director, Office of Operations, Office of Construction and Facilities Management, Department of Veterans Affairs
Ms. Diane Zumatto, National Legislative Director, AMVETS
    Prepared Statement
Mr. Frank Wilton, Chief Executive Officer, American Association of Tissue Banks
    Prepared Statement
Mr. Daimon E. Geopfert, National Leader, Security and Privacy Consulting, McGladrey, LLP
    Prepared Statement
STATEMENT FOR THE RECORD
American Legion
U.S. House of Representatives,
Committee on Veterans' Affairs,
Subcommittee on Oversight and Investigation,
Washington, D.C.
The committee met, pursuant to notice, at 8:10 a.m., in
Room 334, Cannon House Office Building, Hon. Mike Coffman
[chairman of the committee] presiding.
Present: Representatives Kuster, Lamborn, Roe, Benishek,
Huelskamp, Walorski, O'Rourke, Rice, Walz, Miller, and
Kirkpatrick.
OPENING STATEMENT OF CHAIRMAN MIKE COFFMAN
Mr. Coffman. Good morning. This hearing will come to order.
I want to welcome everyone to today's legislative hearing
on H.R. 571, H.R. 593, H.R. 1015, H.R. 1016, H.R. 1017, H.R.
1128, and H.R. 1129. The latter two, H.R. 1128 and 1129, are
bills suggested for this hearing by the minority. So I will ask
Ranking Member Kuster to address them in her opening remarks.
I also welcome full committee Chairman Jeff Miller and ask
unanimous consent that Ann Kirkpatrick, the previous Ranking
Member of this subcommittee, be allowed to join us at the dais.
Ms. Kuster. No objection.
Mr. Coffman. Okay. While we are at it, I would also like to
ask unanimous consent that a statement from the American Legion
be entered into the hearing record.
Hearing no objection, so ordered.
[The information follows:]
Mr. Coffman. Today we will address H.R. 571, the Veterans
Affairs Retaliation Prevention Act of 2015, which was
introduced by full committee Chairman Jeff Miller.
This bill will improve the treatment of whistleblower
complaints by the VA by defining a set process for
whistleblowers, to help correct problems at the lowest level
possible, while creating necessary penalties for supervisors
who retaliate against whistleblowers.
Second, H.R. 593, the Aurora VA Hospital Refinancing
Construction Reform Act of 2015. It is a bipartisan bill I
introduced along with the rest of the Colorado delegation. H.R.
593 would increase the authorization cap to help the VA to
finally finish the Aurora Medical Center with the much-needed
help of the Army Corps of Engineers, in order to give Colorado
veterans the state-of-the-art medical facility they deserve.
Since this bill's introduction, the VA has announced that the
Aurora project will cost at least $1.73 billion, a full $1.4
billion over the original costs found in GAO's report. This is
simply outrageous and could very well make the hospital the
most expensive in our nation's history.
Notably, according to GAO, the New Orleans VA Hospital
construction project will top $1 billion as well. So
mismanagement, cost overruns and delays are the norm of VA's
construction program. For that reason, I question whether the
VA should conduct its own major construction at all. While it
is my top priority to get this hospital built so that Colorado
veterans get the service they deserve, we simply cannot
authorize the nearly $1 billion authorization cap increase
without VA presenting the options it has to correct its own
poor decisions with only half of a hospital to show for it.
The VA has reprogrammed a portion of the funds needed to
finish the Aurora construction project, but it cannot continue
to pull money from other projects, thereby robbing other
veterans around the country of a timely completion of their
hospital. Perhaps we could use VA bonuses to provide funding
for this grossly mismanaged project.
But what is absolutely clear is that before any money is
given to the VA to bail them out of this mess they created in
Aurora, VA construction officials responsible for this travesty
must be held accountable. These individuals should not be
simply taken out of the chain of command for VA construction,
they should be fired. If anyone in the private sector allowed a
project under its supervision to get $1 billion over budget,
the decision to fire them would be simple. That should happen
here and I look forward to our discussion today with VA on ways
forward.
Third, we will address H.R. 1015, the Protection of
Business Opportunities for Veterans Act of 2015, sponsored by
the Honorable Tim Huelskamp of Kansas.
H.R. 1015 will make tremendous strides at holding
accountable the bad actors that attempt to defraud veteran-
owned small businesses of crucial set-asides they receive in
business.
Fourth, we will discuss H.R. 1016, the Biological Implant
Tracking and Veterans' Safety Act of 2015, introduced by the
Honorable Phil Roe of Tennessee.
This legislation requires the VA to implement a standard
identification protocol for biological implants consistent with
the FDA's system, which would improve VA's ability to prevent
implantation of contaminated tissue, and also to notify
veterans in cases of recalls.
Fifth, we will hear about H.R. 1017, the Veterans
Information and Security Improvement Act, which was sponsored
by the Honorable Jackie Walorski from Indiana.
This IT security directive is designed to assist VA in
mitigating known weaknesses by identifying detailed actions
that should be taken to address its longstanding information
security challenges.
Once again, I would like to thank all those in attendance
for joining us in our discussion today. And I now recognize
Ranking Member Kuster for five minutes to issue her opening
statement.
[The prepared statement of Chairman Mike Coffman appears in
the Appendix]
OPENING STATEMENT OF RANKING MEMBER ANN KUSTER
Ms. Kuster. Thank you very much, Mr. Chair. And I want to
say at the outset, I am delighted to be here with you and I
look forward to our work together on the Oversight and
Investigations Subcommittee.
Welcome our panel this morning. The subcommittee will hear
the views of the VA and our witnesses regarding seven bills
before us, as outlined by our chair. These bills address
concerns over the VA's whistleblower protections, cyber
security measures, tracking biological implants, and other
important matters.
These legislative hearings are vital as the subcommittee
begins our work to ensure that the important legislation moves
forward, that requirements are measured, and ultimately that we
are working to fix and improve the problems discussed today.
None of us have all the answers. By hearing the opinions of
many, we can better ensure that we are effectively addressing
these problems at the VA that lend themselves to oversight and
legislative fixes.
I thank the Chairman for including two measures introduced
by my predecessor as ranking member on this subcommittee,
Representative Ann Kirkpatrick, who will be with us this
morning.
H.R. 1129 addresses the manner in which the VA investigates
the complaints of whistleblowers, while ensuring cooperation
and coordination with the Office of Special Counsel and the VA
Inspector General. The VA has made great strides in setting up
the Office of Accountability Review, but I am interested in
exploring whether more needs to be done and whether the office
primarily responsible for handling investigations outside the
scope of the OSC or IG is better positioned outside the VHA. I
am also interested in exploring whether the idea of
centralizing complaints in a specific office could lead to
better VA-wide accountability and responsiveness for our
veterans.
H.R. 1128 is a response to cyber security concerns within
the VA and how best to balance the competing interests of
ensuring that the VA has the proper tools to fulfill its
mission, while also ensuring that information is kept as secure
as possible. Cyber security is an ever growing threat and
problem and new tools and tactics are developed daily, both by
those intent on improperly collecting information and the
efforts of the Federal Government and the private sector to
protect our information.
I look forward to working with the chairman and my
colleagues as we look at these bills before us today and begin
the process of matching solutions to problems in the most
effective manner possible.
Ms. Kuster. Thank you, and I yield back.
Mr. Coffman. Thank you, Ranking Member Kuster.
We will now hear from Chairman Jeff Miller from the State
of Florida, who will be speaking in support of H.R. 571, the
Veterans Affairs Retaliation Prevention Act of 2015.
OPENING STATEMENT OF CHAIRMAN JEFF MILLER OF THE FULL COMMITTEE
Chairman Miller.
Mr. Miller. Thank you for the recognition, Mr. Chairman. It
is a pleasure to be with you.
I want to echo your comments in your opening statement as
it relates to the fiasco at the Aurora facility. Your Denver
Post yesterday aptly headlined an editorial, ``Still No
Accountability,'' and I don't see any on the horizon. To think
that this Congress would raise an existing legislative cap of
$800 million by almost a billion more without a plan and a way
ahead is absolutely ludicrous.
And we as a committee, both Republicans and Democrats, have
been asking for an answer from VA for really months now, but
the investigation, as you well know--and I salute you, your
current ranking member and your former ranking member for
delving into it deeply to try to get a solution out in front of
the VA and, unfortunately, they did not heed many of the
warnings that were given. Unfortunately, the individuals that
were in charge are still employed by the VA, several of them
receiving very generous bonuses for their ineptitude and their
incompetence. And to still be employed by the taxpayers after
this debacle is egregious. So I want to thank you for your
diligence and the entire Colorado delegation in staying on top
of the issue.
I want to talk about H.R. 571, which is the Veterans
Affairs Retaliation Prevention Act of 2015. You know, we could
name it anything, the Whistleblower Protection Act, whatever it
may happen to be. But you all know during 2014 when the scandal
erupted basically around Phoenix we found it was much more
systemic, that retaliation and bureaucrat corruption really
gripped the VA because people were fearful, but there were
whistleblowers that were trying to come forward and do the
right thing and let people know that there were problems that
existed within the VA. And the hallmark of the culture that
existed there remains really rampant today within the VA
against VA employees who speak up to try to fix problems that
exist within the agency.
So these problems were so widespread in 2014 that the
Office of Special Counsel was inundated with more whistleblower
complaints than all the other federal government agencies
combined. Unfortunately, despite promises from the leadership
at VA at that time that whistleblower retaliation would no
longer be tolerated, occurrences continue within the agency and
a lack of any meaningful accountability shows that it is really
not the case. Proper oversight of any federal agency cannot be
done effectively without employees within that agency informing
the Congress and other oversight bodies of what is going on.
Over the years, numerous federal statutes have been passed to
provide added protection to whistleblowers, but many VA
supervisors have found a way to really circumvent the law that
is there to protect these individuals and hopefully encourage
them to come forward and bring information to the bodies that
need them to do their oversight. And this bill intends to put
an end to the retribution and the repercussions.
Specifically, H.R. 571 would provide VA employees who seek
to report potential government waste, criminal behavior or
compromised healthcare services within the VA a set process to
fix problems at the lower level possible while affording them
improved protection from retaliation. This legislation will
also prohibit superiors from retaliating against employees who
report or assist in reporting problems to the VA, to the
Inspector General, to Congress, or the GAO. Employees who serve
as a witness in investigations and those who refuse to perform
illegal acts in the course of their employment will also be
protected. To ensure accountability, this bill will provide
meaningful penalties to VA employees who are found to have
retaliated against another employee for filing, simply filing a
whistleblower complaint.
Specifically, the retaliating employee should receive a
suspension or removal from federal service, a fine to repay the
expense borne by the Federal Government in defending their
retaliatory behavior, a forfeiture of bonuses received while
the retaliation occurred, and a prohibition of receiving future
bonuses for a one-year period.
Finally, this legislation requires improved training to be
provided to all VA employees on the protections that are
afforded to employees that are making complaints and the
repercussions that retaliating employees will face if they seek
to suppress positive change.
Look, our American veterans deserve no more than the
quality services that VA provides and those benefits that they
have earned. So improvements of those services often come in
the form of suggested fixes by employees. And this commonsense
legislation, we all do commonsense legislation, this bill
certainly is one of them, would provide the process to safely
suggest these fixes while giving Secretary McDonald and all
secretaries in the future the tools to hold accountable
employees who seek to prevent change within their agency.
So I look forward to working with this subcommittee, our
veterans service organization partners in the VA and other
stakeholders on this bill, because protecting the conscientious
VA employees who report waste and wrongdoing within VA must be
among our constant priorities.
I appreciate you, Mr. Chairman, to the ranking member, Ms.
Kuster, for holding this hearing and for your hard work and
leadership on this Subcommittee on Oversight and Investigation.
I appreciate really the opportunity to be with you this
morning.
[The prepared statement of Chairman Jeff Miller of the Full
Committee appears in the Appendix]
Mr. Miller. I yield back.
Mr. Coffman. Thank you, Chairman Miller.
Now we will hear from the Honorable Tim Huelskamp from the
State of Kansas, who will discuss his bill, H.R. 1015, the
Protecting Business Opportunities for Veterans Act of 2015.
Dr. Huelskamp. Thank you, Mr. Chairman, for the opportunity
to testify in support of H.R. 1015, the Protecting Business
Opportunities for Veterans Act.
Over the years, this committee has received testimony,
Inspector General's reports and other reports of numerous
entities who illicitly took advantage of set-asides rightly
reserved for service-disabled-veteran-owned small businesses.
As a member of this subcommittee, as well as the House Small
Business Committee, I am very concerned about the fraud and
abuse of these programs, and I think they need stricter
oversight and enforcement. This act would apply to those small
business concerns owned and controlled by a veteran with a
service disability, as well as small businesses controlled by
veterans who received federal contracts from the VA.
The bill is fairly simple. It requires that as part of the
contract, the VA must obtain a certification the business will
comply with the requirements already written into the law, and
it will specifically specify how they intend to meet the
requirement 50 percent of the contracted service work be
performed by a veteran-owned business or a service-disabled-
veteran-owned business with this certification, as well as a
requirement that the Office of Small Business and Disadvantaged
Business Utilization and the VA's Chief Acquisition Officer
will implement a process that will allow better oversight and
enforcement of what we all intended in the law and that is to
make certain these set-asides go to veterans.
With these changes, law enforcement will have the necessary
tools to crack down on corrupt contractors who use these pass-
throughs and other methods to take advantage of set-asides that
should be and are lawfully reserved for veterans. I think the
bill is necessary to direct the office and the VA chief
acquisition officer to do what they should have been doing all
along, and that is to monitor and enforce compliance.
We have had a hearing on this last year and moved this
through the committee, and I am bringing it back forward
because, again, I want to make sure these contracts are
accessed and are taken advantage of by deserving veterans and not
some of these illicit contracts, Mr. Chairman. So I appreciate
the opportunity to visit very quickly about it. Again, we have
discussed this before and hopefully we can move forward again.
I yield back.
Mr. Coffman. Thank you, Dr. Huelskamp.
We will now hear from the Honorable Phil Roe from the State
of Tennessee, who will be speaking in support of his bill, H.R.
1016, the Biological Implant Tracking and Veterans' Safety Act
of 2015.
Dr. Roe.
Dr. Roe. Thank you and the ranking member for allowing me
to be here this morning and speak.
And just to reiterate what the Chairman said in the Aurora,
I didn't think it was possible to make politicians speechless,
but they have succeeded beyond my wildest expectations. And I
look at a billion dollars at how much veterans' healthcare you
can provide, physical therapy, medications, cancer surgery,
whatever the therapy may be that is not available in a limited
budget.
And I looked at this and, having helped run hospitals and
medical practices, the interest payments alone on this if you
were in the private world would be over $70 million a year.
That is not paying it off. You would have to cash-flow that,
your operating expenses, your salaries, your depreciation, all
of those things. There is no way that this could possibly
function. And I am one vote, but I am not going to vote for
another penny until I go visit that place and I have some
assurances that the veterans are going to get what they are
paying--the taxpayers are going to get what they are paying
for. I mean, I think we have to do that as a committee.
And I certainly commend you all for keeping an eye on this,
Mr. Chairman, and I thank you for that. And, Doug, you too. I
know you are frustrated and I am too, I share your frustration.
But thank you all and it is a pleasure to present H.R. 1016,
the Biological Implant Tracking and Veterans' Safety Act,
before this committee for consideration.
A frightening GAO report in January of 2014 found that the
VA does not use a standardized process for tracking biological
tissue from cadaver donor to living veteran recipients. In the
event of a recall, it would be virtually impossible to track
down which patient had received the contaminated tissue. The
same GAO report detailed that the Veterans Health
Administration does not always ensure they are purchasing
tissue from biological implant vendors that have registered
with the FDA and does not maintain an inventory system to keep
the expired tissues from remaining in storage alongside
unexpired tissues.
This GAO report and our VA committee staff had discovered
that the VA often uses a loophole in Title 38 of the U.S. Code
8123 that allows it to buy biological implants on the open,
unregulated market, which it does in 57 percent of its
biological implant purchases. H.R. 1016 would require the
procurement of biological implants from vendors on the federal
supply schedules which have been appropriately vetted for
biological implants not on the federal supply schedule but
requested by clinicians. My bill requires justification and
approval of open-market purchases under the federal
acquisitions regulation on a case-by-case basis, rather than
simply granting a blanket waiver as provided in Title 38.
H.R. 1016 would direct the Secretary of Veterans Affairs to
adopt the FDA's unique device identification system for
labeling of all biological implant tissue and implement an
automated inventory system to track the tissue from donor to
implant recipient. This legislation would also require all
biological implant tissue to be procured through vendors that
are registered with the FDA, accredited by the American
Association of Tissue Banks, and use FDA's unique device
identification system.
Mr. Chairman, the six million veterans served annually by
VHA deserve the high standard of patient care in the nation.
Implementation of H.R. 1016 would help establish the VA as an
industry leader in biological implant safety and
accountability.
I want to thank the Oversight and Investigation
subcommittee staff for their help in developing this
legislation, which truly puts veterans patients first.
Thank you, Mr. Chairman, and I yield back.
Mr. Coffman. Thank you, Dr. Roe.
We will now hear from the Honorable Jackie Walorski from
Indiana, who will be speaking about her directive, the Veterans
Information and Security Improvement Act.
Ms. Walorski.
Ms. Walorski. Thank you very much, Mr. Chairman. Good
morning to all my fellow colleagues.
This H.R. 1017 comes from feedback the committee received
at a members-only briefing in December of 2013, which the VA,
the VA's Office of Inspector General and the Government
Accountability Office all attended. At this briefing, the
committee provided an overview of VA's information security
vulnerabilities using VA's own internal documents and previous
testimony from VA's IG.
The committee has had numerous meetings, sent letters and
held a hearing in November of 2014 to address IT security
weaknesses. Unfortunately, VA's lack of cooperation has been a
longstanding issue that continues to this day. Independent
information security experts verified HVAC's findings about the
VA's critical network vulnerabilities, including the following.
Within VA's 420,000 computers, there are five
vulnerabilities on 95 percent of those computers. VA employs
tens of thousands of outdated operating units. Because of
VISTA's vulnerabilities, VA stated that a data breach to
financial, medical and personal veteran and employee
information will occur with no way of tracking the source of
the breach. VA's network has been compromised at least ten
times since March, 2010.
And finally, and probably most troubling, is that the VA
recently proclaimed they had a clean bill of health on network
security. However, the committee found that a state actor had
penetrated VA's network around September of 2014. This was
substantiated by another government entity, after which the
committee briefed Secretary McDonald. VA was not aware of the
intrusion, which by all accounts was then not detected by VA's
CRISP Einstein 3 or by any active review being conducted by a
third-party contractor.
Over the past 20 years, VA's independent auditor, the IG
and the GAO have all reported numerous persistent weaknesses in
the VA's security, placing veterans' personal information at
risk. Despite the GAO's and IG's testimony and the committee's
evidence that came from the VA itself, VA officials did not
agree with our findings from the briefing. They will not
acknowledge that critical security vulnerabilities exist.
It is important to understand the critical nature of the
security failures we are discussing today. These failures are
not due to a lack of resources, they are due to a lack of
priorities, leadership and proper federal guidance. We need
stronger, more focused action to ensure the VA fully implements
a robust security program. That is why we need this bill.
I am confident this directive will provide VA with a clear
IT roadmap and take away any guesswork in order to achieve a
risk-based approach to addressing these challenges. GAO and a
number of private sector companies also agreed and stated that
if the directive is implemented it will allow VA to refocus its
efforts on steps needed to improve the security of its systems
and information.
This bill establishes an explicit plan of action to resolve
VA's IT security weakness identified by the committee and
others. The plan is taken from common federal and industry best
practices.
Specifically, the bill directs the secretary to do the
following. Reclaim, secure and safeguard VA's network; defend
the work stations from critical security vulnerabilities;
upgrade or phase out unsupported and outdated operating
systems; secure Web applications from vital vulnerabilities;
protect VISTA from anonymous user access; and comply with
federal information security laws, OMB guidance and NIST
standards.
To improve transparency and accountability, the bill also
directs the secretary to submit to the committee a biannual
report, including a description of the actions taken by the
secretary to implement and comply with this directive. The IG
will also be required to submit to the committee an annual
report that includes a comprehensive review of VA's execution
of this directive.
Finally, on a monthly basis the secretary will submit to
the committee reports on any discovered security weaknesses.
Thank you, Mr. Chairman. I yield back.
Mr. Coffman. Thank you, Ms. Walorski.
We will now hear from the Honorable Ann Kirkpatrick from
Arizona, who will discuss her bills, H.R. 1128, the Department
of Veterans Affairs Cyber Security Protection Act, and H.R.
1129, the Veterans Whistleblower and Patient Protection Act of
2015.
Ms. Kirkpatrick. Thank you, Chairman Coffman and Ranking
Member Kuster. Members of the committee and staff, it is nice
to see you this morning. And I really thank you for all you are
doing for our veterans and I appreciate that you included my
two bills in this hearing. So thank you very much.
H.R. 1128, the Department of Veterans Affairs Cyber
Security Protection Act, and H.R. 1129, the Veterans
Whistleblower and Patient Protection Act of 2015, are two bills
that will improve the lives of veterans. They will bring much
needed accountability to the VA and protect VA employees and
patients who report wrongdoing.
The Cyber Security Protection Act aims to protect veterans'
personal information and improve VA information security
without compromising the VA's mission to provide healthcare
benefits and services to veterans.
After reported VA network compromises in a GAO report last
year that found VA IT networks were vulnerable to security
breaches, I believe legislation is necessary to ensure the VA
takes appropriate measures to safeguard veterans' personal
information. This bill offers commonsense steps to do just
that.
First, it requires the VA to report quarterly to Congress
on actions and plans to address known information security
vulnerabilities and provide a timetable for addressing them.
Second, it mandates a report on VA actions to hold
employees accountable for data breaches. The report would
include VA's proposed reorganization of its information
security infrastructure.
Third, it requires the VA to develop an information
security strategic plan that protects veterans' information and
anticipates future cyber security threats. It requires the VA
to recruit and train employees with skills and expertise in
information security, and to update VA information technology.
This bill is not creating requirements that are so rigid
that the VA is unable to perform vital services such as
referring patients to other healthcare providers or granting
veterans and families the benefits they deserve. I urge all of
you to support this bill.
As a member of the House Veterans' Affairs Committee in the
previous congress, I sat through hearing after hearing with
many of you after whistleblowers at the Phoenix VA and other VA
medical facilities exposed a VA-wide patient access crisis and
the manipulation of patient access data. Last month I heard
from two whistleblowers at the Phoenix VA, who reported
mismanagement of the Phoenix VA's suicide prevention and
substance abuse treatment program.
If not for the courage of these whistleblowers, it is
unknown how long these practices would continue to persist.
Unfortunately, many VA employees or patients who attempt to
report wrongdoing face retaliation.
The Veterans Whistleblower and Patient Protection Act of
2015 would encourage those who wish to report wrongdoing to
come forward without fear of retaliation. This bill would
ensure that the whistleblower retaliation reports and patient
complaints are handled at the highest level in the office of
the VA secretary. This ensures that anyone reporting wrongdoing
does not risk retaliation from local supervisors who refuse to
act.
This office of whistleblower and patient protection would
equip the secretary with an investigatory arm to take action on
allegations. The office would create one national hotline for
VA employees and patients to anonymously report whistleblower
retaliation or patient safety and treatment complaints,
investigate patient claims, and serve as the only VA office
permitted to investigate whistleblower retaliation complaints.
It would report the results of its investigations and recommend
actions to the VA secretary, and coordinate efforts between the
VA Office of Inspector General and the Office of Special
Counsel to ensure complaints are thoroughly investigated and to
prevent duplicate investigations.
We can continue writing letter after letter to the VA
secretary asking for the protection of VA whistleblowers'
rights as more of our constituents come forward or we can pass
legislation that will address this issue.
Again, I urge the members of the committee to support the
bill. I know that many of you on the committee have similar
legislation and I just want to say I look forward to working
with you, so that we can merge this legislation into one good
bill that we can pass out of the House of Representatives and
really make a difference for our veterans. So thank you very
much.
I yield back.
Mr. Coffman. Thank you, Ms. Kirkpatrick.
On our first panel, we will hear from Ms. Meghan Flanz,
Director of the VA's Office of Accountability Review. She is
accompanied by Dr. Michael Icardi, the National Director of
Pathology and Laboratory Medicine Services for the Veterans
Health Administration; Mr. Stanley Lowe, Deputy Assistant
Secretary for Information Security and VA Chief Information
Security Officer; Mr. Dennis Milsten, Associate Executive
Director for the Office of Operations, Office of Construction
and Facilities Management for the Department of Veterans
Affairs.
Ms. Flanz, you are now recognized for five minutes to
provide your opening remarks.
STATEMENT OF MEGHAN FLANZ, DIRECTOR, OFFICE OF ACCOUNTABILITY
REVIEW, DEPARTMENT OF VETERANS AFFAIRS. ACCOMPANIED BY: DR.
MICHAEL ICARDI, NATIONAL DIRECTOR OF PATHOLOGY AND LABORATORY
MEDICINE SERVICES, VETERANS HEALTH ADMINISTRATION; STANLEY
LOWE, DEPUTY ASSISTANT SECRETARY AND CHIEF INFORMATION SECURITY
OFFICER, DEPARTMENT OF VETERANS AFFAIRS; DENNIS MILSTEN,
ASSOCIATE EXECUTIVE DIRECTOR, OFFICE OF OPERATIONS, OFFICE OF
CONSTRUCTION AND FACILITIES MANAGEMENT, DEPARTMENT OF VETERANS
AFFAIRS
STATEMENT OF MEGHAN FLANZ
Ms. Flanz. Good morning and thank you, Mr. Chairman,
Ranking Member Kuster, and other members of the subcommittee.
We appreciate the opportunity to be here today to discuss
VA's views on the seven bills that do cover a wide range of
topics, whistleblower protection, how VHA handles biological
implants, information technology, small business contracting,
and VA's Denver hospital project.
Because the committee has our detailed written statement on
the bills in hand, I will limit my remarks to our brief
observations on each bill, so we can then focus our time on
answering your questions.
Two of the bills today concern whistleblower rights and
protections. VA has certainly had and continues to have
problems ensuring that whistleblower disclosures receive prompt
and effective attention, and that whistleblowers themselves are
protected from retaliation. It is critical that all VA
employees and supervisors share trust and mutual respect as
they share information, especially if an employee is seeing
something that is not working for the benefit of our veterans,
something that is against the law, or something that is just
not right.
VA is absolutely committed to ensuring fair treatment for
employees who bring these deficiencies to light. We are
collaborating closely with the Office of Special Counsel, the
independent office responsible for overseeing whistleblower
disclosures and retaliation claims, to ensure that all VA
supervisors understand their roles and responsibilities and to
speed assistance to any employee who may be experiencing
retaliation.
Mr. Chairman, we believe strong leadership, effective
training and close collaboration with OSC and with this
committee are the keys to the cultural change the department
requires. Our employees and the veterans we serve depend on the
work you and our other stakeholders are doing to address our
deficiencies head on. And of course we are eager to discuss
these efforts with you and to get the benefit of your insights.
VA understands the urge toward legislative action in the
wake of reports of troubling individual VA whistleblower cases.
However, as we have detailed in our written testimony, we are
concerned that some aspects of H.R. 571 would be unworkable in
practice and could lead to unintended negative consequences. We
are particularly concerned that the bill adopts a one-size-
fits-all rule that would impose the same investigative,
reporting and disciplinary requirements on all VA supervisors
regardless of their grade or function.
It is important to note that VA has more than 30,000
supervisors, fewer than 500 of whom are senior executives. Many
of our first-level supervisors have only minimal education and
are at relatively low pay grades. While of course all
supervisors must respond appropriately to employees'
disclosures and all must protect employees from retaliation, we
believe the processes by which supervisors respond to employee
disclosures must be calibrated to different supervisors'
capabilities and roles. We also want to protect the trusting,
well-balanced supervisor-subordinate relationships that do
exist in many VA work units while correcting relationships that
are out of balance or otherwise not working well.
H.R. 1129 focuses on a centralized process for
investigation of disclosures. We are concerned that this bill
might unnecessarily duplicate or replace existing functions now
belonging to OSC, to VA's reconfigured Office of the Medical
Inspector, or to the Office of the Inspector General.
Also on the agenda today is H.R. 593, which would extend
the authorization for the replacement major medical facility in
Denver and set out requirements for an agreement with the Army
Corps of Engineers to carry that project to conclusion.
Needless to say, VA is determined to overcome earlier setbacks
in this project to put it on the best track for success for
Colorado veterans. We understand that the committee has
questions and concerns about that project and Mr. Milsten is
prepared to address those in detail.
Also on the agenda are two bills regarding information
technology, particularly information security. We appreciate
the goals of H.R. 1017, but as we have stated, we are concerned
that detailed statutory requirements for management of IT
operations might prove too inflexible for VA to respond
effectively to the constantly evolving cyber security
landscape.
H.R. 1128 does use a less prescriptive approach. VA
appreciates and supports the goals of the bill and has no
objection to some of the reporting requirements, but is
concerned that some requirements might be quite onerous
relative to the benefits they would yield. VA will be glad to
work with the committee on those aspects of H.R. 1128 that
appear problematic.
H.R. 1016 would require VA to adopt specific systems and
protocols for the procurement and tracking of biological
implants, and would set requirements for inspections and
audits. As our written testimony has stated, VA agrees with the
general purpose of the bill, but has concerns about some
specifics. Dr. Icardi can address those matters in detail.
Finally, VA has reviewed H.R. 1015, the Protecting Business
Opportunities for Veterans Act of 2015. While we support the
goal of the bill, we would like to clarify some technical
issues and ambiguities before we set out a position on it. I
know VA's small business program and procurement specialists
will be glad to follow up with the committee on that bill.
Mr. Chairman, thank you again for the opportunity to
testify. We are now glad to answer questions the members of the
committee may have.
[The prepared statement of Meghan Flanz appears in the
Appendix]
Mr. Coffman. Thank you, Ms. Flanz.
Mr. Milsten, yesterday the VA issued a new cost estimate to
complete the new VA hospital in Aurora, Colorado now at $1.73
billion. As the Associate Executive Director of the Office of
Construction and Facilities Management, please explain how VA
went from a cost not too long ago, actually last year the
estimate was $604 million and now we are at $1.73 billion. How
did we get here?
Mr. Milsten. In my opinion, we got here by not getting
those requirements right the first time that we started this
project back in 2004 when noted the project that was a joint
facility with the University of Colorado and DoD. As this
project continued to grow through its processes, it did not
have the benefit of a good, rigorous requirements development
program and a good, rigorous program to control requirements
growth as it went through the design process.
As we entered into the construction contract with the
contractor, we established a ceiling and we rushed to get to a
firm target price with the contractor as we saw the market in
Denver continuing to escalate. The problem we had at that point
was the design was not complete. The design continued to evolve
and now we find ourselves at this crossroads.
Mr. Coffman. I think that probably an easier explanation
would be pure incompetence, pure incompetence.
Mr. Milsten, what are the funding options VA is considering
to finally complete the Aurora construction project for
Colorado veterans?
Mr. Milsten. VA has considered many different funding
options, including transfer authority, looking at where we can
take it from other options within the department, and we are
committed to working with Congress to find the funding
available for this project.
Mr. Coffman. Mr. Milsten, when will VA hit the
authorization cap on the project?
Mr. Milsten. We expect to hit the authorization cap of 880,
which is ten percent above the 800, mid-May of 2015, this year.
Mr. Coffman. What is the updated completion date of the
Aurora construction project now?
Mr. Milsten. In a meeting yesterday with both KT and the
Corps there was a discussion about late summer of '17, if we
can continue and get to a construction contract between the
Corps of Engineers and KT this summer. So that would be about
24 to 30 months after that.
Mr. Coffman. Will VA seek funding again in fiscal year
2016?
Mr. Milsten. I know that the '16 President's budget has
already appeared and the opportunity to amend that I am not
prepared to talk about.
Mr. Coffman. Okay. After the gross mismanagement that
occurred in Aurora, why shouldn't the Army Corps of Engineers
or someone else build all major construction projects for VA? I
mean, I think that the personnel involved in this project, you
being one of them, simply in my view, let me use a Marine Corps
phrase of couldn't lead starving troops to a chow hall. And
there is no way that the American taxpayers should have any
confidence in you, the veterans of this country should have any
confidence in you.
At this point in time, are you prepared to relinquish that
authority or at least is VA taking a position that somebody
else, the Army Corps of Engineers or some other qualified
entity, ought to be taking over these major construction
projects from the Department of Veterans Affairs?
Mr. Milsten. We are committed to looking at the
opportunities that exist with using somebody like the Corps of
Engineers as the construction agent. We have convened and asked
the Corps to come in and study our processes, our procedures,
to see what improvements can be made, and to offer an opinion
on whether it is the appropriate process to go forward or look
at other options. We as a department have not ruled out the
possibility of turning construction management over to the
Corps of Engineers, especially where it is appropriate, and we
are doing that in the Denver project.
Mr. Coffman. Ranking Member Kuster.
Ms. Kuster. Thank you, Mr. Chairman.
First let me say that I share across the aisle here the
shock and on behalf of all of the veterans and all of the
taxpayers outside of the great state of Colorado, not only is
this a tragedy because of the request that you are coming
forward to ask for a billion dollars and I join Dr. Roe in what
that money could be used for. We like to say in the Granite
State, we are frugal Yankees, we don't throw taxpayer money
around. But what I am most concerned about is that these are
facilities that can't be built elsewhere. There are lots and
lots of veterans in need all across our country.
And so I want to get at a more basic question, which is
whether or not the VA is up to the task or has the capacity to
take on these modern-day facilities and whether we shouldn't
revamp--because this is not the first example. I mean, this is,
I have to say, the most shocking example, but I can remember in
my first term these were the most troubling hearings we
attended talking about facilities in other parts of the
country. And I would like your comment, if you would, candidly,
about whether it makes any sense at all for the VA to try to be
building these facilities.
I can't imagine this kind of money in the private sector. I
mean, Dr. Roe has more experience with hospitals, but I know
what hospitals cost in New Hampshire, it is not a billion
dollars and it is certainly not--you are going to get up to
close to $2 billion here by the time you are done.
So I would welcome your comments on that.
Mr. Milsten. As I stated earlier, the department is
committed to looking at whether it is appropriate for us to
continue. That is why we have asked the Corps of Engineers to
come in and conduct a study of our processes and procedures,
and to come back and offer an opinion. And I know that the
leadership of the department is committed too if it makes sense
for the Corps of Engineers or some other federal agency to
become our construction execution agent, we will be prepared to
execute that.
Ms. Kuster. Well, I guess my question goes beyond that, and
maybe this is for another day and maybe meetings with Secretary
McDonald. I am not talking about bringing the Army Corps in on
this project, I am talking about whether the VA should be in
the business of building hospitals at all.
But let me ask a different question, because my time is
limited. My question goes to, you used the term, transfer
authority. Has there been any discussion at all with either the
University of Colorado or the Department of Defense taking over
the construction of this facility, owning this facility, you
selling this facility?
I just feel like, with all due respect and it is not that
people haven't tried, I just feel like people are out of their
league here. Is there somebody else in Denver--and I am not as
familiar with this situation obviously as my chair--has there
been discussion about simply the VA not being the party that
owns this facility?
Mr. Milsten. There have not currently been any discussions.
There was discussions early on about a shared facility between
DoD and the University of Colorado Hospital System, that was
back in----
Ms. Kuster. And is that no longer happening? That is no
longer the----
Mr. Milsten. Back during that period, it was deemed that
the voice from veterans that wanted veteran identity, because
one of the things about our hospitals is that it is more than
the treatment of our veterans, it is a place they go for their
camaraderie. And the other issue was the issue of shared
governance of a facility and that caused----
Ms. Kuster. And I certainly do appreciate and I have heard
from my own veterans in New Hampshire about veteran-centered
care and all of that.
I guess I would just close by saying, on behalf of the
taxpayer, I feel that we can do better by our veterans without
building the Taj Mahal, and with all due respect to Aurora,
Colorado.
So I yield back.
Mr. Coffman. Thank you, Ranking Member Kuster.
Mr. Lamborn of Colorado.
Mr. Lamborn. Thank you, Mr. Chairman. And I will be very
brief, because I am just still stunned by the news that this
was going to cost so much over what the original cost was--not
just the time delay, but the cost increase. So I will just say
I back up my Chairman's position a hundred percent. I am still
staggered and stunned by what is going on.
And there has to be accountability, we have to change the
way things are done in the future. Somehow we have to find the
money, who knows where, to finish a decent facility. Maybe not
everything that was on the drawing board, but a decent facility
so that veterans can start getting their care, without
sacrificing the facilities around the country. You know, they
have legitimate needs also and that money is going to hurt
someone else's project. That is not good. We are just in an
impossible situation here and it is extremely frustrating and
angering.
Mr. Chairman, I yield back.
Mr. Coffman. Thank you.
Mr. Walz.
Mr. Walz. Well, thank you, Mr. Chairman, and thank you all
for being here.
Again, I am not going to pile on this, but I am going to
express, I think you get it. Today as we sit here, tens of
thousands of veterans are going to be treated with the highest
quality professional care, get what this country promised them,
what they have earned and deserve, and that is going to be
distracted by what is absolutely indefensible.
And I am going to answer the question for them. The answer
is no, you cannot do the construction. My concern--and I am not
going to argue this point, I don't think we should be in a
double-wide trailer and I do believe an atrium is a gathering
space. And my question is, that could have been incorporated
into the original design and pay for it what we pay for it. You
don't need to overrun it to get the aesthetics, we have proved
that time and time again.
And my concern now starts to be is because I understand
this, construction of medical facilities is very specific and
involves the involvement especially of the practitioners. So my
question is, if these things are botched, what do the operating
suites look like? When are we done? Are the walls too close?
Does the gurney not come out? We have seen these things happen
in some of our facilities.
And then I am back to this point--and I know this is all of
you, you are getting the brunt of a lot of frustration that is
coming on this, now we are caught in this conundrum much like
IT. We have time and time and time again allocated money to IT
that is absolutely necessary, absolutely critical and
absolutely needs to be done. And when you come and testify and
say there are gaps in our IT, I believe you. Our problem is
this now, we are caught in a half-finished project that has us
so frustrated and we are going to be asked to give more money.
And I am in the same point as many of them, I have said this
about IT, not one damn penny until you prove that you can use
it wisely. And I am in that same boat with this and it is
frustrating.
So if there is anything all of you can do to convey that. I
know there is reasons, but there is no excuse for this. And at
this point in time, I think what you are seeing on this is you
are no longer going to get to decide whether you build
hospitals or not, that is where this is headed. So what we need
is your help in how do we transition this, how do we get the
best practices, how do we move to make sure that happens?
I want to move to just one other subject before I go back.
Mr. Miller's bill. I think all of us feel very strongly about
the ability of employees to be able to speak freely, the
ability to be able if there is a problem to come forward, and I
think whistleblower protection is absolutely crucial. I am
concerned and I ask your opinion on this. I know sometimes when
you do this, though, is there a chance we are going in creating
an atmosphere of fear, of mistrust amongst employees? Is the
best laid plan and intentions actually going to have another
chilling effect on how this happens?
Ms. Flanz, it is a somewhat subjective question, but if you
could help me understand what it will do to the culture.
Ms. Flanz. I would certainly like to try. Thank you.
The underlying purpose of all of the whistleblower
protection laws and schemes is to encourage the candid
disclosure of information. And there also over the years have
needed to be added to that a process for penalizing those who
retaliate against individuals who do bring something forward.
Our concern is about balancing the punitive measures in such a
way that the entire structure doesn't actually act contrary to
the underlying purpose.
And our concern with this particular bill is mostly about
the relationship between the front-line staff and that first-
level supervisor. That relationship is often carried out right
in the middle of patient care, right in the middle of providing
memorial services. It is where our veterans are, where our
mission is carried out is right there.
Our concern is in creating a relationship through a process
that may be necessary to ensure retaliation doesn't take place.
We don't want to create a relationship where we are
transferring the fear maybe from that front-line staffer to the
first-level supervisor who may be so concerned about, oh, my
goodness, I am now going to need to create this record to go
back to this person who has made a disclosure, I have got a
two-day window to do that, what if I don't do that right. What
if later I am in the course of supervising this individual, I
do something that causes the individual to believe he or she
has been retaliated against. There becomes a different culture
and relationship around that supervisor-subordinate exchange
that may not actually be as supportive of the free flow of
information as we would like to see those relationships be.
Mr. Walz. Well, I think that is a valid point. I would be
interested in seeing if there are some suggestions on this,
because this is that touchy balance between due process and
protecting that whistleblower's right, and I would say
encouraging them to be able to come forward. And it is deep, it
is cultural, it is about trust, and we want to make sure we get
those pieces right.
Thank you, Chairman. I yield back.
Mr. Coffman. Thank you, Mr. Walz.
Dr. Phil Roe.
Dr. Roe. Thank you, Mr. Chairman.
Just to dovetail off what Mr. Walz was saying. In my office
at home, we have a bulletin board full of requirements that we
have to put up with. Wage and hour requirements, OSHA, on and
on and on. And all of those federal regulations and rules, I
can't get away with the excuse of, well, I have 30,000 people
who are not as well paid and they are not all this or not all
that, I have to comply. And I don't see why you can use that as
an excuse when you expect the private sector to comply--not
you, but we the government, we the Congress, expect the private
sector to comply with these things.
So I don't think that is a valid reason. I understand it is
hard, I do get that. As an employer for 30 years, I got that,
but we have to do that. And we expect the VA to do the same
thing that the private sector is doing.
Now, just a quick comment. The VA does a lot of things
extremely well, there is no question about that. I got a letter
from a lieutenant colonel yesterday who was very appreciative.
He is a Korean War veteran and a Vietnam veteran, he said he
survived both. He was actually thanking the VA and the
government for his care. And I am writing him a letter back
thanking him for his service. We should be thanking him, not
the other way around. Building hospitals ain't one of them that
they do well. And I said this at a hearing not long ago, I
don't think the VA ought to be allowed to build another
hospital.
I look at $930 million, my Lord, I could build a palace in
Tennessee for that, I could build two palaces for that, maybe
three for that much money. And that would be to put places--we
go out where we live to try to find places that save the
government money. I have got a CBOC at home that pays $1 a year
in rent, $1. We have hunted out trying to save that. And it is
not just it is harming veterans in Colorado and veterans who
may move to Colorado, it is harming veterans in Tennessee and
Kansas and Indiana and all around--New Hampshire and around the
country. So I think we have got to look at that.
I want to get to my bill just a little bit and, Dr. Icardi,
if you would help me a little bit. Are there any issues with
that bill that you can see from a VA standpoint that would be
unreasonable to be able to take a piece of tissue that is
implanted into a person, a patient, and then be able to follow
that in case there is a recall, an infection with it?
And one of the reasons that we brought this up was that I
saw what a poor job the VA did in notifying the veterans based
on what happened with colonoscopies. And this was I guess five,
four or five years ago. And other issues where notification
didn't take place. If you don't have a tracking system, that
veteran, that patient may never know and we may never be able
to find them, that individual that got that specific piece of
tissue.
So do you see any problem with this? Just implementing a
tracking system so you can notify people, you get it from a
certified tissue bank, any problems there?
Dr. Icardi. Yes. First, Doctor, I want to thank you for
bringing this up again, because this is an important issue and
by bringing this bill up you have kept it in the limelight and
I want to personally thank you for that.
One of the major issues that you have with tracking
something is how do you identify it and, unfortunately, for
tissue right now there is not a really uniform identifier that
will follow the tissue from the donor to the final disposition.
And there is a large number of steps that go through there. In
the previous bill that we had, we were waiting to hear what the
FDA was going to do with the UDI and now we have what the FDA
wants to do with the UDI, and that doesn't quite allow us to do
the level of tracking that we were looking for.
Dr. Roe. I guess is the problem, I mean, if you get my
cornea or whatever it may be as I--and there probably is
nothing on me worth using, but if there is they can use it and,
if there is anything that is worth using, you are welcome to
it. But when you transfer it, there is a way to do that and to
transfer where that tissue came from, where it goes to and who
it goes to. Isn't that available now?
Dr. Icardi. There is, but what happens is the way it is
identified can change on each leg of the journey. So what that
means is, the way the UDI is set up, that is a number that gets
used by the manufacturer. It may go to a distributor, that
distributor may need to assign a different number to it. It
could then go to a secondary distributor. It may then go out to
a hospital, which then sends it out to a CBOC or that kind of
thing. And the UDI is really specific for one small leg, it is
not specific for the entire process. So what can happen is--and
a great example is what happened during the first Gulf War with
blood, where the blood supply was mobilized, you had units come
in from all over the country each with their own unique
identifiers, but there was no commonality between them. And
that actually leaves that sometimes you can actually have a
number that is the same from one collection facility as with
what is in another collection facility, so you can't really
identify it by that. You are then going to have to do some sort
of re-labeling or some sort of a reassignment of a number to
track it through the system.
Dr. Roe. But for patient protection, isn't that important?
I mean, I would think if I had an implant of some kind--well,
actually I do have lens implants--that we should be able to--
that is why I can see you, I had both lenses implanted--and I
think if there were a recall on that, I would like to know what
the problem is and my doctor or his clinic be able to identify
that and to let me know. We should be able to do that for
patients.
Dr. Icardi. I agree 100 percent with that. We should be
able to do that and we shouldn't have to go through a process
where you have to trace things back link by link and take in
some cases six months from when a problem is actually
identified to track all those parts down by this system, which
is inefficient.
Dr. Roe. I am going to yield, because I am over time. But
the fact that it is hard doesn't mean we shouldn't do it.
Dr. Icardi. And I agree as well. And that is why what we
have been doing for the VA is looking at this, this is not just
a VA problem, this is a national problem with the entire
system. And for us to be able to fix it for the VA, we need to
fix it for the nation. And so we have been working with Health
and Human Services, FDA, DoD, and the other agencies, and there
will be a conference on this in April that we will look to try
and push this forward.
Dr. Roe. Okay.
Dr. Icardi. But there is a solution.
Dr. Roe. I would like to continue our conversation. My time
is expired.
Mr. Coffman. Thank you, Dr. Roe.
Ms. Rice, you are now recognized for five minutes.
Ms. Rice. Thank you, Mr. Chairman.
So, Ms. Flanz, I would just like to go back to the comments
that some people were making about the whistleblowers. I mean,
it is clear that the VA is not protecting whistleblowers to the
extent that they need to at this point. And while I may agree
that maybe a two-day investigative period, given the time
constraint and the other responsibilities that that supervisor
might have might be something that we need to tweak, I really
hope that you would be willing to sign off on however we revamp
this bill, because if you can't--I mean, clearly the VA has not
been able to protect whistleblowers and you should want to be
able to do that.
And I know that it is not just putting that responsibility
on supervisors, it is an appropriate training program so that
people understand exactly what the parameters are. So I hope
that you would agree to be open to some changes that would
require an internal system to ensure the protection of a
whistleblower for a real problem that needs to be addressed.
Ms. Flanz. I couldn't agree more. I know the secretary
agrees as well. This is a matter of great interest, it is a top
priority for the secretary and the deputy secretary. And we
have been working in unprecedented collaboration with the
Office of Special Counsel on a number of things.
Fundamentally, it is a leadership issue. Leadership must
set the tone that disclosures need to be immediately addressed.
Supervisors in a good, healthy work environment will welcome
the information, because that is what leads to process
improvement. That is how we ensure that veterans are treated
safely, that our processes are efficient and are compliant with
the law. Only good things flow from that exchange of
information. When we get into trouble is when supervisors
either don't know the rules or react inappropriately, because
they haven't seen appropriately modeled to them the right
behavior.
So we absolutely are open. We have been working very
closely with members of this committee and staff on issues with
respect to individual whistleblowers and to the process we are
using across the board to make the changes that really are
critical. So absolutely, we are open to and need your help.
Ms. Rice. Well, I agree that the best chance that we have
is with Secretary McDonald, who has shown an interest in
ensuring the protection of whistleblowers. And coming from
someone who has run a DA's office, you are right, the tone is
set from the top. And if people feel that by complaining they
are going to be penalized, no one is going to complain. And
that is where the neglect or the abuses become more insidious.
So I just--and this might be a repetitive question, maybe I
didn't understand, I just want to go back to Mr. Milsten. So
you are coming and asking for a lot more money. My question is
really, I think it is simple. Maybe it was asked before and I
wasn't here, I don't know, or I didn't hear it in your
explanation before. I would like specifics as to why $800
million, the initial estimate, was not enough to finish this
project--or 600--is that what it was, 600? Sorry. I gave you a
$200 million cushion there I didn't mean to give. What happened
that made this project incapable of being completed?
So I want specifics about people, about who didn't do what
they were supposed to do, about inaccurate estimates, specifics
that we know going forward how is this not going to happen
again with the other billion dollars that you are asking for.
Because there is no way this government, at least I am not in
the business of throwing good money after bad and it seems like
that initial $600 million, as well intentioned as it may have
been, is falling under that category.
So please make the case. And I have to say that I also
don't think that the VA should be in the business of building
hospitals, but that is really an issue that we as a committee
will have to discuss. If you can just lay out with real
specificity what happened and how it is not going to happen
again.
Mr. Milsten. Okay. I will be happy to attempt that.
First of all, the VA owns this, we own this fiasco that we
created. It is nobody else's fault, but I am going to tell you
that there are some other people that played a part in it. And
I can tell you that we are looking at our role of oversight of
those processes to figure out how and why they broke down.
Number one, we hire a designer who is responsible for
designing a facility to meet the requirements that we set
forth. Early on, we develop some programmatic estimates in-
house, and then we rely on the designer to design the project
to the budget that we have told him that we have. So in this
case we had a designer we charged with delivering a design that
could be built for just under $600 million. That designer
provided us with estimates of how that could happen. And I can
tell you that our breakdown was that we did not do the proper
amount of due diligence on that estimate, we did not dig in far
enough detail to actually go in and figure out that it could or
couldn't be done. We relied on that and we moved forward. When
we got advice from our construction contractor that the budget
may not be billable, we chose unfortunately to listen to the
designer.
And these are changes that we are making in our process
now. We are bringing in independent construction management
firms to help us review estimates, to review schedules. Not
just relying on the word of one firm representing what the
requirements will cost, but relying on multiple firms to make
sure that we get the best and correct answer.
And we are also looking at how we change our culture to say
that construction contractors are not always the enemy, if you
will. Too often we engage in siding, if you will, with the
designer and not listening to our sound advice from the actual
builders of the facility.
Ms. Rice. So if I can just say, that is exactly why the VA
should understand their strengths and their weaknesses. And
because you shouldn't be in the business of building hospitals,
that should be left to an expert. That may be why that
oversight was not as robust as it should have been. No offense
to you.
But if I could just ask you, because what I think that we
need is a very detailed report of exactly what went wrong, when
it went wrong, and who you hold responsible for those mishaps
and miscalculations and all of those kind of things. I mean,
you are coming and asking for money and that I think has to be
laid out, not so much in this forum, because we have limited
time, but if you could by next week prepare a document that
details exactly what the shortcomings were, so that we can
understand what happened, that would be----
Mr. Milsten. The department has seated an administrative
investigation board, that is their sole responsibility to go
through these details and find the accountability. It looks at
the mismanagement potentials and misbehavior potentials for
people involved in the project. And I will turn it back over
to----
Ms. Rice. So there is a report that exists?
Mr. Milsten. No, ma'am. A panel has been set. I am going to
turn it over to Meghan to talk about the outcome, the expected
outcome and time frame for that.
Ms. Flanz. Very quickly. There are two ongoing processes
and I will do my best to outline both very quickly. I know that
the deputy secretary had phone calls with a number of members
of this committee within the last couple of days, so I
apologize if I am covering for you ground that has already been
covered.
But we have an administrative board of investigation, which
that is an activity that my office owns. That group looks at
individual accountability, who did what or failed to do what
that needed to happen. At the leadership level, who knew and
acquiesced in either actions or omissions by people below them.
So that board looks at who is responsible for what error or
omission that may have led us here.
The second and equally important piece of VA's process of
understanding what happened is the study that the Army Corps of
Engineers is leading for us that is bigger than Denver, that
is, really gets I think at some of the fundamental issues. Does
VA have the expertise and the capability to continue to build
hospitals? What are some of the systemic issues that have led
to cost overruns or delays in projects, to include Denver, but
not exclusive to Denver. Those two processes are ongoing. We
absolutely share the frustration and the sense of urgency that
I hear in the members today. We need these answers now, we
needed them before the project went the way that it did.
Having said that, the process of collecting evidence about
decisions made over the course of a many-year program takes
time. So I hear the request for a written report next week. The
process that my team is working on will take more like a month
than a week, but we are working to get those answers just as
soon as we can pull the evidence together.
Ms. Rice. The problem is if the money runs out in May of
2015.
Thank you, Mr. Chairman.
Mr. Coffman. Thank you, Ms. Rice. Dr. Huelskamp, you are
now recognized for five minutes.
Dr. Huelskamp. Thank you, Mr. Chairman. I guess you used up
my five minutes. I guess I am done, so I--just kidding. Thank
you, Mr. Chairman, and I will note I appreciate the questions
on Aurora and that situation. Actually, it might not seem
pertinent to Kansans, but that would be the closest VA facility
for a large share of the northwestern corner of my district. It
is only 188 miles from Kansas. Do not forget it is 200, 300, or
400 miles the other way for some of mine, so I watch this very
closely, because I will have Kansans traveling, hopefully one
day, to this facility.
I have a couple questions. First, Ms. Flanz, on my bill, I
understand that you support the concept, but are you willing to
work with my staff, Subcommittee staff, to fix a few of the
technical issues that you have expressed?
Ms. Flanz. Absolutely, it is my understanding that our
folks have already reached out to your staffers to set up a
conversation to do exactly that.
Dr. Huelskamp. Absolutely. You want to make certain that
these set-asides obviously go to those veterans that should be
qualifying for these particular contracts. So thank you for
that commitment. We will continue to move forward and hopefully
we will fix a few of those technical issues.
I do have a few other questions on the other bills or some
of the statements here. First, for Mr. Lowe, in reference to
the IT--and I appreciate my colleague from Indiana and her work
on this, and I was in some of these hearings--do you believe
that the IT system at the VA is secure today?
Mr. Lowe. Congressman, it is as secure as we can possibly
make it. There is nobody in any position that--or anybody that
sits in my position that can definitively state that their
system is completely secure, because there are just too many
unknowns. But based upon the information that I have today, I
have to say that we are as secure as we can be.
Dr. Huelskamp. Is there any independent assessment outside
the VA that can----
Mr. Lowe. Well, you know, the IG conducted an independent
assessment. GAO conducts an independent assessment. You
remember hearing in----
Dr. Huelskamp. Yeah, and their assessment was not very good
the last I saw. My question is, outside of the VA, outside of
the government, have you brought in any independent----
Mr. Lowe. Oh, yes, we----
Dr. Huelskamp [continuing]. Contractors saying, ``Yes, this
system is secure at a standard for the industry that we believe
is''----
Mr. Lowe. We had an independent assessment come in and take
a look at the domain controllers, which we briefed the staff
on, and it was specific to the domain controllers. And they did
not--and that was specific to the instance that the Committee
was concerned about that happened in 2010, and they found that,
you know, the remediation activities that took place in 2010
were effective.
Dr. Huelskamp. All right. Well, I appreciate that and look
forward to that information as we move forward ahead.
And one other question on the issue of whistleblowers, and
I know I speak for all the committee members that we have been
stunned and shocked, particularly by the response from the
Department at differing levels. We have had a series of
secretaries that have promised to make certain whistleblowers
were never retaliated against, and somehow that did not get
down to other 320,000 folks working in the Department. How many
outstanding cases of alleged whistleblower retaliation are
still ongoing?
Ms. Flanz. I do not have a number at hand. The Office of
Special Counsel sends those cases to us in kind of two
different batches, two levels of priority. We did work out with
them last summer an agreement that if they prioritize a
particular case because an individual employee who claims to be
subject to whistleblower retaliation has a pending personnel
action, something adverse is happening, those come over on an
expedited basis. Our attorneys work with the supervisors and
managers of those people to ensure that those--whatever adverse
action is going on is stayed.
Then there is another larger group of cases where the
Office of Special Counsel hears from an individual who believes
that he or she is the subject of retaliation, but there is
either nothing immediate pending or the Office of Special
Counsel is not as convinced based on the evidentiary record
that they have that retaliation has, in fact, taken place. So
those take a little bit longer.
Dr. Huelskamp. So in order, though--I just have a few
seconds left--in order to determine whether we have made
progress or not--whether you have made progress or not--do you
have any comparison baseline of what it was, maybe before you
came on board, where it was three years ago? Can you provide
those numbers to the Committee, so we can get a sense are we
making progress?
Ms. Flanz. Certainly. I will be happy to provide specific
numbers, and I can tell you that we had an expectation when we
entered into that agreement for this expedited process that the
number of complaints that would be sent through that process
would be quite high. It has actually been lower than I think
either the Office of Special Counsel or our staff----
Dr. Huelskamp. It is low, but you do not know what the
number is today?
Ms. Flanz. It is----
Dr. Huelskamp. It is my understanding it is over 100
outstanding cases of alleged retaliation. Is that in the
ballpark?
Ms. Flanz. That was the number that we were given at the
time we entered into the agreement last summer. I think it is a
much smaller number, more on the order of closer to ten that
has come through the expedited process. But I would--I will be
happy to get you precise numbers, so we can begin to have that
kind of trend analysis.
Dr. Huelskamp. Okay. Thank you, Mr. Chairman, I yield back.
Mr. Coffman. Thank you, Dr. Huelskamp. Ms. Walorski.
Ms. Walorski. Thank you, Mr. Chairman. Mr. Lowe, in your
written statement you quote the following from the GAO that you
were just speaking about, ``In a dynamic environment, where
innovations and technology and business practices supplant the
status quo, control activities that may work today may not work
in the future.'' Are you aware the GAO actually supports this
bill, and they actually worked with us in adding Section 10 to
the bill on flexibility?
Mr. Lowe. No, ma'am, I am not.
Ms. Walorski. And in another statement you talk about--you
point out that, ``A review must be performed on any patches to
ensure the operability of the particular application or system
to ensure the patch does not have a harmful impact to services
that VA provides. My legislation instructs VA to perform the
risk assessments and to also test patches within two days of
availability.'' How long of an evaluation period would you
need?
Mr. Lowe. That is a technical question. I will have to ask
the operational guys. I would be happy to get back to you on
that.
Ms. Walorski. Okay.
Mr. Lowe. And, you know, we really--we have a unique
opportunity now to actually drive what the nation is doing. I
mean, legislating operations is problematic, because it does
take away some of the flexibility. But I think we have all got
the right idea, and we have got--we are all after the same
endpoint, but there are a number of bills going through
Congress right now that I think that we could probably squeeze
all this together and come up with one legislation, so we are
not having to deal with 20 or, you know, so different pieces of
legislation that are coming out, not just specific to the VA,
but specific to the government-wide. And I think that we have a
really unique opportunity in time right now to be able to
affect what the rest of the government does and what the rest
of the nation does.
And I would be happy to work with your folks to be able to
come up with an awesome bill that not only this Committee could
support, but the entire Congress and the Senate and the rest of
the federal government can support.
Ms. Walorski. And I appreciate that, and I would hope so as
well. I just--if you are going to get back to me on the
evaluation period of the assessments on the patches, could you
also add to that? You talked about VA cannot phase out outdated
or unsupported systems, because they would impact physicians at
the point of care. My bill provides VA 90 days to come up with
a migration transition plan to move to secure operating
systems. If you could just add to the list how much more time
would the VA need.
Mr. Lowe. Sure. A lot of those operating systems are
attached to medical devices, so we would actually have to, you
know, a large number of the medical devices that are currently
produced by manufacturers. And I think Dr. Roe probably knows a
little bit more about this than I do, is the, you know, most of
the medical devices that are in use, and most facilities today
are running off of Windows XP. And so they had that FDA
certification around that particular image.
So I, you know, working with medical device manufacturers
and replacing all that and upgrading those, whether or not the
systems, actually themselves, that the operating can run it,
that will be a long--I will--we will actually have to have a
long conversation about how we do that, because we are going to
have to work with not only the FDA, but the medical device
equipment manufacturers.
Ms. Walorski. That is fine. And if you could just add that
to the list of--just sending it back at some point.
Mr. Lowe. Absolutely.
Ms. Walorski. And then I just want to, in response to your
suggestion, I can tell you, I would hope so, that we can find a
way to move this bill and to move actual verifiable
accountability into the issue of the IT with the VA.
And, you know, I am only starting my third year here, and
from day one when I got here and we started talking about IT,
and it all started back in the day when we talked about why
cannot we get an electronic medical record and connect the DoD
to the VA, and I sat in a subcommittee hearing even then with
these same issues of domain controllers, of outside entities on
domain controllers. And, you know, my concern was the breaches
that have taken place with our veterans nationwide. And, you
know, money has never been an issue. And when we talked about
issues before with some of the--I do not know if they work for
you, around you, I do not know how your whole group flows, the
folks who have been in here testifying on it--but the reason I
am pursuing it is because veterans' information is so critical,
and the bad actors that have been embedded and have been
impacted inside of this domain controller--and we might have to
just agree to disagree--but not only are they--not only is just
their personal information available, but when these bad actors
get in and disallow us from connecting to the DoD because of VA
not having a secure website, you know, what happens if a bad
actor gets in there and scrambles medical records?
What happens if, you know, they just decide to go in and
look at 30 million veterans and say, ``How can we completely
mess up this system?'' And I think every veteran that served
not only deserves the best of everything they were promised,
but when they come back from fighting and they come back into
our country, especially in my state, in the State of Indiana
where we are over the top patriotic and we are over the top in
sending folks to fight, they--I just am fighting for them to
say at some point, ``Let's get beyond this.''
And so I just wanted to make sure that we have some kind of
level of understanding of House bill--of our bill 1017. I
appreciate your comments in writing in the coming days. Thank
you. I yield back my time.
Mr. Coffman. Thank you. Mr. O'Rourke, you are recognized
for five minutes.
(No response.)
Mr. Coffman. Mr. O'Rourke passes. I would like to thank the
panel for your testimony. You are now dismissed. I now welcome
our second and final panel to the witness table. On this panel,
we will hear from Ms. Diane Zumatto, National Legislative
Director of AMVETS; Mr. Frank Wilton, Chief Executive Officer
of the American Association of Tissue Banks; Mr. Daimon E.
Geopfert, National Leader, Security and Privacy Consulting for
McGladrey, LLP. All of your complete written statements will be
made a part of the hearing record. Ms. Zumatto, you are now
recognized for five minutes.
STATEMENT OF DIANE ZUMATTO
Ms. Zumatto. Thank you, Mr. Chairman and distinguished
Committee Members. I am pleased to have this opportunity to sit
before you today to share our comments on pending veteran
legislation. Before I get into our specific positions on these
bills being considered, I would like to share a few general
introductory remarks.
AMVETS is, in general, a fiscally conservative organization
which supports the interests of our veterans and military men
and women. Our members want to see a balanced federal budget,
and I have major concerns surrounding the ever-increasing
federal deficit. Additionally, our membership would like to see
an increase in federal accountability, especially within the
Department of Veterans Affairs, as well as a decrease in
government bureaucracy.
AMVETS does not support the concept of indiscriminately
throwing money at problems. While some of our colleagues are
shocked by this notion, AMVETS acknowledges that there are
certainly programs that would benefit from increased funding.
However, we believe that before those increases are made, they
should first be fully justified and only come after a thorough
review of the organizational structure of each program or
agency with an eye to identifying system efficiencies,
maximizing all current resources, both human and financial,
minimizing waste, and eliminating redundancies.
And as far as legislation today, AMVETS supports H.R. 571,
which would provide whistleblower protection for folks within
the VA. If we expect employees to be willing to take actions to
prevent fraud, illegal acts, et cetera, then those employees
are going to have to feel confident that if they do step
forward, they will be safe from any form of retaliation, either
personal or professional, that the information they provide
will be acted on in a confidential and appropriate manner, that
the information will also be handled in a timely manner.
AMVETS applauds Chairman Miller's continued efforts to
ensure that VA employees, many of whom are veterans, have an
equitable and safe environment within which to better serve all
American veterans.
AMVETS supports H.R. 593. There has been a lot of
discussion about that this morning, and there is really not
much more I think that needs to be added. Something needs to be
done. It is obvious that the status quo is not adequate. So we
do support H.R. 593.
We also support H.R. 1015. It is a pretty simple and
straightforward solution. And there, you know again, I do not
really have too much to say to this. I do realize that there is
some monitoring that is going on. And I am aware also that the
IG, you know, finds cases of abuse almost daily, so we know
that there is a problem. And I think this is a pretty simple
way to rein that in.
We support 1016, which, you know, would require the VA to
adopt and implement a standard identification protocol. And I
have listened to the testimony all morning, and I understand
that there are a lot of difficulties, but this does not seem
like an insurmountable problem. It is a matter of logistics,
and I would really encourage the VA to--if every provision in
this bill does not work for whatever reason, I would hope that
they would be willing to work towards a solution.
We also are supportive of H.R. 1017 and 1128, both of which
are related to information security. As a veteran, I shudder to
think about the vulnerability of the VA system. I know they are
aware of the problem, and I think there has been plenty of
beating up on the VA lately. I just would really stress that
this is critically important to AMVETS that this problem be
taken care of. I would also like to applaud Representatives
Walorski and Kirkpatrick for their efforts in this area.
AMVETS also--I hesitate on 1129, even though it is also a
whistleblower bill. And we hesitate only because of my
introductory remarks. We hesitate to condone an increase in
bureaucracy. My read of this is that there is going to be the
creation of a new agency that would handle this problem, and we
think that there is already probably enough between the IG and
the Office of Special Counsel that there is probably no need to
create another agency.
That concludes my testimony at this time, and I yield back.
[The prepared statement of Diane Zumatto appears in the
Appendix]
Mr. Coffman. Thank you, Ms. Zumatto. Mr. Wilton, you are
now recognized for five minutes.
STATEMENT OF FRANK WILTON
Mr. Wilton. Thank you, Subcommittee Chairman Coffman, Mr.
O'Rourke, distinguished Members. Thank you for the opportunity
to come before you today in support of H.R. 1016, the
Biological Implant Tracking and Veterans Safety Act of 2015.
For those who are unfamiliar with my organization, the
American Association of Tissue Banks is a professional, not-
for-profit scientific and educational organization. It is the
only national tissue banking organization in the United States,
and its membership totals more than 125 accredited tissue banks
and approximately 850 individual members. These banks recover
tissue from more than 30,000 donors annually and distribute in
excess of two and a half million allografts for more than one
million tissue transplants performed in this country annually.
The association was founded in 1976 by a group of doctors and
scientists, who had started in 1949 our nation's first tissue
bank, the United States Navy Tissue Bank.
H.R. 1016 directs the Secretary of Veterans Affairs to
adopt a standard identification system for use in the
procurement of biological implants by the Department of
Veterans Affairs. By building upon the success of the
implementation of the unique device identifier, or UDI, this
legislation will ensure that biological implants used within
the Department can be appropriately tracked from human tissue
donor all the way to recipient. This critical capability for
track-and-trace efforts will enhance patient safety, expedite
product recalls when necessary, assist with inventory
management, and improve overall efficiencies.
This legislation takes a bold step to expand the UDI to all
tissue products. In addition to human tissue devices which are
already covered by the UDI, the legislation adds another
product category--certain biological implants, or as termed by
the Food and Drug Administration, 361 human cells, tissues, and
cellular and tissue-based products, or HCT/Ps. While many of
the biological implants do have company-specific barcoding
information by requiring a standardized format for those
barcodes as outlined in this legislation, it will be easier for
the Department of Veterans Affairs' medical facilities to
utilize the universal barcoding conventions and to realize the
full benefit of the unique identification system.
Finally, by applying a system that has been developed for
devices to biological implants, such a solution would also be
applicable to other healthcare settings and other healthcare
systems such as the Department of Defense healthcare system or
the private sector.
While I understand your skepticism in requesting the VHA
attempt a VITAS-like enterprise in this legislation after
failing to do so before, I would note that a lot has changed
since 2008 when the VHA first envisioned VITAS. First, there is
now a UDI benchmark, which allows those developing the
necessary software for data capture to move from a design
incorporating dozens of different barcoding technologies to
only three different ones.
In addition, the VHA is not alone in trying to develop a
system for integrating the UDI-like information directly into
the medical record. For instance, the Office of the National
Coordinator for Health Information Technology is currently
focused on ways in which UDI can be better operationalized to
ensure its adoption into key standards. As part of those
efforts, ONC is initially focused on implantables, the very
focus of the legislation that we are discussing today.
Therefore, the VHA will not be attempting to establish the
system alone, but can partner with other governmental entities
to ensure its success.
In addition, AATB is pleased that the language, as
introduced, ensures that our veterans receive the high quality
implants by requiring that biological implants only be sourced
from tissue processors accredited by the AATB or similar
national accreditation organizations. With this change, the VHA
will be joining the ranks of leading medical centers of
excellence which currently require all tissue to be sourced
from AATB-accredited banks.
AATB is also pleased that the introduced language clarifies
that human tissue procured by the VHA can be labeled with any
of the three systems already identified by the Food and Drug
Administration to be appropriate for biological implants. Under
the UDI final rule, FDA has done just that by providing for
multiple entities called issuing agencies.
At this time, FDA has provided for three different issuing
agencies, GS1, the Health Industry Business Communications
Council, or HIBCC, and ICCBBA. By maintaining this appropriate
flexibility, the VHA will ensure a more competitive
marketplace. AATB strongly supports this legislation and urges
you to favorably report it out of the Subcommittee. I welcome
your questions and yield back the remainder of my time.
[The prepared statement of Frank Wilton appears in the
Appendix]
Mr. Coffman. Thank you, Mr. Wilton. Mr. Geopfert, you are
now recognized for five minutes.
STATEMENT OF DAIMON E. GEOPFERT
Mr. Geopfert. Thank you. First, Chairman and Members of the
Committee, thank you for the opportunity to discuss the
Department of Veterans Affairs Information Security Programs.
My name is Daimon Geopfert, and I was asked to speak today
as a veteran and as a security expert with experience in both
the government and corporate worlds. I served the United States
Air Force Office of Special Investigations as a computer crimes
investigator, the Air Intelligence Agency, three years as a DoD
contractor, and now eight years as a security consultant within
the corporate world.
Also, like many of my peers, I have also received a letter
from the VA stating that they failed to protect my personal
information. I am here today quite simply for a call to
accountability. Men and women in the armed services are held to
account for every action they perform or fail to perform. And
they expect that same mentality to be applied to the entities
that control their sensitive personal and medical data.
However, all indications are that the VA has failed in this
duty.
What is most frustrating to the veterans is this is not a
singular failure but rather a long-running, repeated systemic
series of failures. Passing legislation such as H.R. 1017 would
provide a detailed roadmap for the VA to follow in addressing
these issues. The VA has a widely reported history of non-
compliance with a variety of regulations. We recently learned
that for the 16th year in a row, they failed a major security
audit.
The VA's own internal risk assessments, using their exact
terms, state that a data breach of its primary VISTA system is
practically unavoidable. It would result in an exposure of
financial, medical, and personal data with no way of tracking
the source of the breach. The VA has stated that physical loss
of data and user error is their primary risk and accounts for
98 percent of the known incidents.
However, extensive reporting and the consistent theme of
the audits indicates that the VA most likely does not have
the capability to know, or prove, that data was not taken by
hackers.
A specific example involved foreign infiltrators known to
have extracted materials out of the VA environment, but because
of the lack of logging and monitoring by the VA and use of
encryption by the foreign party, it will never be known what
the contents of that data were. Scenarios such as this allow
the VA to continue to state that the organization is unaware of
any major data loss as a result of hackers. But this is likely
a factor of the failure and lack of capabilities of their
monitoring, rather than success of any preventative controls.
These widely known and extensively reported issues simply
would not be tolerated in the corporate world, largely because
of the existence and enforcement of explicit legislation and
industry standards. If examinations of a private sector
organization produced similar results as those identified
within the VA, that entity would face substantial fines and
penalties. There is little doubt that the officers and
directors of such an organization would face serious personal
consequences. The VA, for all practical purposes, is exempt
from any of the legal penalties that force its corporate peers
into compliance, and the results of that situation are self-
evident.
H.R. 1017 provides the VA with clear detailed technical
requirements and governs mechanisms to address this issue. The
FFIEC would not tolerate this of a bank. The SEC would not
tolerate this of a broker/dealer. State attorneys general would
not tolerate this under anybody within their purview without
very harsh criminal and civil repercussions. The veteran
community is reasonably curious why the VA is held to such a
drastically different standard.
It cannot be forgotten that the true risk in this scenario
is the health and well being of the generations of veterans the
VA serves. The most obvious risk is identity theft, which
results in additional stress within a population already
dealing with a variety of significant physical, emotional, and
financial pressures. While this is the most obvious risk, it is
not the exclusive one.
What if beyond identity theft, some actor managed to
perform a mass alteration or destruction of medical records out
of sheer malice? Do you think this would be beyond the pale for a
variety of hacking groups, or hacktivists, that align
themselves with rogue nations or terrorist groups? It could
conceivably disable the entire VA infrastructure, interrupting
services to millions of veterans. It would be a direct, highly
visible strike against the veterans that fought them. The men
and women who have served our country, as well as their
dependents, deserve and expect to have their welfare protected
by organizations like the VA that play such a vital role in
their lives.
This legislation is sorely needed and would be one of the
first of its kind to provide such detailed prescriptive
guidance. The protection of the personal information of
veterans should be a bipartisan issue. So our community hopes
that this will be quickly passed and enforced. Targeted
appropriate legislation is needed to force compliance and
provide veterans and their families with the security they
deserve.
This legislation should explicitly require proper
preventative, detective, and corrective controls along with
required oversight and reporting. The VA, and the bodies that
oversee it, have an obligation to Veterans to finally take
decisive actions demonstrating the resolve to do the right
thing. And, Mr. Chairman, that concludes my statements.
[The prepared statement of Daimon Geopfert appears in the
Appendix]
Mr. Coffman. Thank you, Mr. Geopfert. Let me do a question
for you. There has been concern that the IT security directive
is too detailed. It might not be applicable in the coming years
due to the inherent changing nature of technology. What is your
view regarding this potential issue?
Mr. Geopfert. I think it is a very limited view. The drift
in the corporate world has been from generalist regulation and
oversight to very prescriptive, simply because the generalist
style of guidance has proven to be very ineffective. The other
style, the competing bill that is very generalist in nature,
essentially puts another wrap around a lot of items that the VA
is already supposed to be doing but has failed to do. What is
viewed as prescriptive in this bill is interesting, because
most of this is what they are required to be doing already. It
is just basically done in a more regimented manner. This is
already an existing legislation in the corporate world. So the
idea that it is too prescriptive to be effective is a bit
misleading. Obviously, there can be tweaks made if there are
specific points.
Mr. Coffman. Okay. Mr. Wilton, VA has indicated that it
wants to limit the issuing agencies solely to ISBT 128. Is that
a good idea?
Mr. Wilton. We do not think it is, Mr. Chairman, for a
couple of simple reasons. First and foremost, the FDA has
looked at this fairly closely and recommended that all three
systems be used.
Secondarily, we would be concerned if the VA limited it to
one system. There may well be tissue banks who decide to align
themselves with another system, and therefore would not be in a
position to bid on business with the VA, which we think could
limit the ability for the VA to source the best tissue for our
veterans.
So the FDA has ruled on this and, you know, in talking with
our accredited banks, there does not seem to be a unanimity in
terms of which system they are going to go with, so we do not
think it is a good idea for the VA to limit that.
Mr. Coffman. Ms. Zumatto, can you give us an example of
something that could be a reform that could be done to the
Veterans Administration to make it more efficient with respect
to both the taxpayers and veterans?
Ms. Zumatto. Wow.
Mr. Coffman. What would be your top concern?
Ms. Zumatto. Honestly, from both being a person who is an
advocate for veterans' issues and being in the VA system, I
think the biggest problem is that veterans actually do not come
first in the system. It does not feel that way when I am at the
VA Medical Center.
And if there was a way--and I understand the new Secretary
says, you know, ``Veterans first.'' And that's the motto
essentially, ``We care for veterans.'' But it does not actually
feel that way to me personally. So if there was a way to change
that so that it really is about veterans first, and about VA
and VA employees and contractors and everybody else
secondarily, I think that would go a long way to making some
positive changes. And I do not think that--if those changes--
they have to be modeled at the top. But if it does not drift
down to every single layer, and there are many layers, then
nothing is really going to change, unfortunately.
Mr. Coffman. Thank you for your answer. Mr. O'Rourke, five
minutes.
Mr. O'Rourke. Thank you, Mr. Chairman. I want to thank the
witnesses for their testimony today. To have the perspective of
a veteran service organization and then the subject matter
experts on two issues that I do not have a lot of grounding in, I
think is very helpful, and I think helpful for the committee,
as well.
And I think you have also touched on what I think is the
core issue that we need to resolve within the VA, which is
accountability. And I think each of these pieces of
legislation, to some degree, tries to correct that, and I want
to thank the committee members and the staff who have worked on
these bills and you all for your feedback on these.
You know, Ms. Zumatto, when we talk about throwing money at
problems, which, you know, we couldn't agree more with you
that, that is not the solution. We are glad that, that is your
position and that of your organization.
You have to conclude that if Aurora were to have taken
place within a private hospital corporation like HCA or Tenet,
that there would be consequences, or that that would not even
happen in the first place, because at some point, that would
have been caught and fixed. And to go from 600 million to 800
or 900 to 1.1 to maybe 1.7, to me is just unconscionable and
completely out of line with what we would expect to see in the
private sector.
And Mr. Geopfert, you mentioned that the IT protocols and
the data and information security that we have within the VA
today, at least by your description, does not track with what
we would expect from the private sector. And you mentioned that
there is legislation and industry standards that, you know,
most corporations hew to, to ensure that they protect the data
of their customers and clients. It is not always completely
successful, but you are making a case for a higher standard
that the VA does not adhere to.
Mr. Wilton, from your testimony, it was not completely
clear to me whether or not the VA in tracking biological
implants and this issue of--the other issues that you raised--
is so far out of track from what the national standard is, but
it may be that I don't completely understand the issue, so I
just want to give you a minute or two to elaborate on that and
talk about the difference between the VA standard and the
national standard.
Mr. Wilton. Yes. So this is an evolving issue, Congressman.
But it is one that we see the VA actually taking a leadership
role on. One of the very important things about all tissue is
it is recovered and tracked from the donor through the
distribution. Once it gets to the final location, the hospital,
the doctor, then sometimes that chain is broken, and we want to
work with the VA so that they can maybe take a leadership role
in this and then, as I mentioned, we can take it out to the
Department of Defense, to the private sector.
We think this is something that can be done. We look
forward to working with the VA on any challenges they might
have. But we think this is just, quite frankly, the best way to
do it, and I think our veterans deserve the best. And, you
know, God forbid there is an incident of a recall or something
like that, we should be able to get back to them in a timely
fashion, and we think that this type of system will do that.
Mr. O'Rourke. So this is potentially a positive point
coming out of today's testimony and the issues that are here in
terms of an opportunity for the VA not just to catch up to the
rest of the country and other sectors, but actually potentially
to lead, innovate, and set the standard for others?
Mr. Wilton. Absolutely. And we commend Dr. Roe for
introducing the legislation. We look forward to working with
all the parties to make this happen.
Mr. O'Rourke. Yeah. For Mr. Geopfert, I want to make sure I
understand that legislation that the private sector must adhere
to and those industry standards--and I realize we cannot get
into detail--but is it simply a matter of the VA matching
those? Or are there some intrinsic differences in our systems,
in our customers and clients, that should allow for some
difference or distinction between the two systems? Or is it
simply a matter of the VA just admitting that it needs to catch
up to the rest of the country and follow that law?
Mr. Geopfert. It does not repeat, but it rhymes. A lot of
the industry standards are going to have their own names, and
norms and references to how they do security, but they are
very, very similar. You are probably 80 to 90 percent similar
across all industries. And what is in the bill essentially
captures that. Again, a lot of this, while they viewed it as
prescriptive, is considered best practice and normal network
hygiene in many other industries.
There is going to be tweaks simply based on the size,
composition, legacy systems, how they interact with others.
There needs to be some give and take in there around risk and
how they do specific things, but the vast majority of what is
going on in private industry would directly translate to what
they are doing. And they simply are just not being held to
account to that right now.
Mr. O'Rourke. Thank you. Thank you each. I will yield back.
Mr. Coffman. Thank you, Mr. O'Rourke. Ms. Walorski.
Ms. Walorski. Thank you, Mr. Chairman, and thank you to all
of you for being here today. We appreciate it. Mr. Geopfert, do
you believe this bill allows for flexibility and that Section
10 does allow a risk-based approach?
Mr. Geopfert. I believe there can be some clarification in
the language. Based on their earlier testimony, they were
specifically calling out two points----
Ms. Walorski. Yes.
Mr. Geopfert [continuing]. Around patching and legacy
systems. In the bill as it is right now, there is a caveat
around doing risk assessments. I think their comment that they
might take some additional time--your point that is in there
now is two days--48 hours is a very common norm for critical,
high-risk patches.
Ms. Walorski. Okay.
Mr. Geopfert. Stuff that is rated lower might be 15, 30, 90
days, depending on what it is. Legacy systems, they have a
valid point. We work in a variety of industries where it is the
norm to have legacy unsupported systems that they have to
maintain for some reason, similar to the VA. But they have to
document why they are still on the network. They have to put in
compensating controls to limit the risk. They have to isolate
the system, and they have to begin planning on when and, if
possible, they are going to remove them out of the environment.
They do not just say we have to deal with them, so they are
there.
Ms. Walorski. Sure. Do you think it is safe for VA to be
running on all these outdated operating systems? And then
secondarily, how big of a risk would it be to have isolated
computers on the network running on unsupported and outdated
operating systems?
Mr. Geopfert. The safest, obviously, would be to get rid of
it, but it might not be feasible. Their comment is very common
in the industry around a lot of the legacy systems are medical
devices. They have no direct control over those. Those come
from vendors.
But the point still states, if it is a legacy system,
meaning it is not maintainable anymore, any exploit that comes
out from here going forward, that system will be vulnerable
to--you are basically embedding a permanent vulnerability on
the environment. If it needs to be there, it needs to be
isolated. It is going to be a minor risk. But you are treating
it essentially as infected, a radioactive. You are isolating it
as far as it can be, and still be operational. There are ways
to go about it. I guess I will put it that way.
Ms. Walorski. Okay. And then given the current information
security requirements already in place, would you say that the
directive duplicates existing federal guidance?
Mr. Geopfert. I do not. A lot of the federal guidance out
there is laid out as almost a recommendation style.
Ms. Walorski. Okay.
Mr. Geopfert. And it is very high level. And as noted
earlier, in the private sector there is a very heavy trend
towards much more prescriptive guidance, because they have
years of incidents demonstrating that the statements generally
go be secure, and here is some recommendation. It just does not
work.
And so while the VA is going to say is that is onerous for
them, all the other industries are saying the same thing. It
does not matter. They are being held to account. And it is a
little bit of an oddity that the private sector is expected to
comply with no question whatsoever, and no excuses. And for
someone in a government entity to say it is onerous, so
therefore I don't want to do it.
Ms. Walorski. Okay. I appreciate it. And thanks. And I am
just thankful for your support and, ma'am, for yours, as well.
I yield back my time, Mr. Chairman. Thank you.
Mr. Coffman. Thank you, Ms. Walorski. I would like to thank
the panel for your testimony. You are now excused. And I did
want to thank everyone for their participation today. The input
and feedback provided today is an important contribution as the
subcommittee crafts legislation to improve the quality of
service VA provides to our nation's veterans. With that, I ask
unanimous consent that all members have five legislative days
to revise and extend their remarks and include extraneous
materials. Without objection, so ordered. This hearing is now
adjourned. Thank you.
[Whereupon, at 9:51 a.m., the subcommittee was adjourned.]
APPENDIX
Prepared Statement of Chairman Mike Coffman
Good morning. This hearing will come to order.
I want to welcome everyone to today's legislative hearing on: H.R.
571; H.R. 593; H.R. 1015; H.R. 1016; H.R. 1017; H.R. 1128; and H.R.
1129.
The latter two, H.R. 1128 and 1129, are bills suggested for this
hearing by the Minority, so I will ask Ranking Member Kuster to address
them in her opening remarks. I also welcome Full Committee Chairman
Jeff Miller and ask unanimous consent that the Honorable Ann
Kirkpatrick, the previous Ranking Member of this Subcommittee, be
allowed to join us on the dais. While we are at it, I would also like
to ask unanimous consent that a statement from the American Legion be
entered into the hearing record. Hearing no objection, so ordered.
Today, we will address H.R. 571--The Veterans Affairs Retaliation
Prevention Act of 2015, which was introduced by Full Committee Chairman
Jeff Miller. This bill will improve the treatment of whistleblower
complaints by the VA by defining a set process for whistleblowers to help
correct problems at the lowest level possible, while creating necessary
penalties for supervisors who retaliate against whistleblowers.
Second, H.R. 593--The Aurora VA Hospital Financing and Construction
Reform Act of 2015 is a bipartisan bill I introduced along with the
rest of the Colorado delegation. H.R. 593 would increase the
authorization cap to help the VA to finally finish the Aurora Medical
Center, with the much-needed help of the Army Corps of Engineers, in
order to give Colorado veterans the state-of-the-art medical facility
they deserve. Since this bill's introduction, the VA has announced that
the Aurora project will cost at least $1.73 billion, a full $1.4
billion over the original cost found in GAO's report. This is simply
outrageous and could very well make this hospital the most expensive in
our nation's history. Notably, according to GAO, the New Orleans VA
hospital construction project will top $1 billion as well, so
mismanagement, cost overruns, and delays are the norm for VA's
construction program. For that reason, I question whether VA should
conduct its own major construction at all.
While it is my top priority to get this hospital built so that
Colorado veterans get the service they deserve, we simply cannot
authorize a nearly $1 billion authorization cap increase without VA
presenting the options it has to correct its own poor decisions with
only half of a hospital to show for it. VA has reprogrammed a portion
of the funds needed to finish the Aurora construction, but it cannot
continue to pull money from other projects thereby robbing other
veterans around the country of a timely completion of their hospital.
Perhaps we could use VA bonuses to provide funding for this grossly
mismanaged project. Perhaps we could amend the Choice Act so that some
of the $5 billion authorized for minor construction could be used to
finish this project.
But, what is absolutely clear is that before any money is given to
the VA to bail them out of the mess they created in Aurora, VA
construction officials responsible for this travesty must be held
accountable. These individuals should not be simply taken out of the
chain of command for VA construction; they should be FIRED. If anyone
in the private sector allowed a project under their supervision to get
$1 billion over budget, the decision to fire them would be simple. That
should happen here and I look forward to our discussion today with VA
on ways forward.
Third, we will address H.R. 1015--The Protecting Business
Opportunities for Veterans Act of 2015 sponsored by the Honorable Tim
Huelskamp of Kansas.
H.R. 1015 will make tremendous strides at holding accountable the
bad actors that attempt to defraud Veteran Owned Small Businesses of
crucial set asides they receive in business.
Fourth, we will discuss H.R. 1016--The Biological Implant Tracking
and Veteran Safety Act of 2015 introduced by the Honorable Phil Roe of
Tennessee. This legislation requires the VA to implement a standard
identification protocol for biological implants, consistent with the
FDA's system, which would improve VA's ability to prevent implantation
of contaminated tissue and also to notify veterans in cases of recalls.
Fifth, we will hear about H.R. 1017, The Veteran Information
Security Improvement Act, which was sponsored by the Honorable Jackie
Walorski from Indiana. This IT Security directive is designed to assist
VA in mitigating known weaknesses by identifying detailed actions that
should be taken to address its longstanding information security
challenges.
Once again, I would like to thank all those in attendance for
joining us in our discussion today, and I now recognize Ranking Member
Kuster for five minutes to issue her opening statement.
Prepared Statement of Chairman Jeff Miller of the Full Committee
Thank you, Chairman Coffman.
It is a pleasure to be here today with you to discuss my bill, H.R.
571, the Veterans Affairs Retaliation Prevention Act of 2015. During
the 2014 VA scandal that this Committee uncovered, a culture of
retaliation and bureaucratic corruption gripped the department. The
hallmark of that culture was and remains the rampant retaliation
against VA employees who speak up to fix problems within the VA.
These problems were so widespread that, in 2014, the Office of
Special Counsel became inundated with more whistleblower complaints
than all other agencies in the federal government combined.
Unfortunately, despite promises from VA leadership that whistleblower
retaliation will no longer be tolerated, continued occurrences of
retaliation and the lack of any meaningful accountability show that is
not the case. Proper oversight of any federal agency simply cannot be
done effectively without employees within that agency informing the
Congress and other oversight bodies of specific problems.
Over the years, numerous federal statutes have been passed to
provide added protections to whistleblowers, but many VA supervisors
have managed to consistently circumvent these laws, without
repercussion, to the detriment of good employees. My bill seeks to put
an end to that.
Specifically, H.R. 571 would provide VA employees who seek to
report potential government waste, criminal behavior, or compromised
healthcare services within the VA a set process to fix problems at the
lowest level possible while affording them improved protection from
retaliation. This legislation will also prohibit superiors from
retaliating against employees who report or assist in reporting
problems to the VA, the Inspector General, Congress, or the GAO.
Employees who serve as a witness in investigations and those who
refuse to perform illegal acts in the course of their employment will
also be protected. To ensure accountability, H.R. 571 will provide
meaningful penalties to VA employees who are found to have retaliated
against another employee for filing a whistleblower complaint.
Specifically, the retaliating employee would receive: A suspension
or removal from federal service; a fine to repay the expense borne by
the federal government in defending their retaliatory behavior; a
forfeiture of bonuses received while the retaliation occurred; and a
prohibition of receiving future bonuses for a one year period.
Finally, this legislation requires improved training to be provided
to all VA employees on the protections afforded to employees making
complaints and the repercussions that retaliating employees will face
if they seek to suppress positive change. America's veterans deserve
the highest quality services provided by the VA. Improvements to those
services often come in the form of suggested fixes by its employees.
This commonsense legislation would provide the process to safely
suggest those fixes while giving Secretary McDonald, and all
secretaries in the future, the tools to hold accountable employees who
seek to prevent change.
I look forward to working with Committee members, our VSO partners,
the VA, and other stakeholders on this bill, because protecting the
conscientious VA employees who report waste and wrongdoing within VA
must be among our constant priorities.
Thank you once again, Chairman Coffman, for holding this hearing
and for your hard work and leadership of the Subcommittee on Oversight
and Investigations. I appreciate the opportunity to be with you all
today.
With that, I yield back.