On April 17, the chief information officer of the Veterans Affairs Department, Scott Blackburn, announced his resignation. He served under former VA Secretaries Bob McDonald and David Shulkin, and led a number of health IT projects during his 4-year tenure, including the MyVA transformation.
But what does this mean for the newly appointed acting CIO, Camilo Sandoval? He’s a former director of data operations for the Donald Trump 2016 campaign, Politico reported, and is stepping in at a crucial, and perhaps uncertain, time for IT at VA. For starters, the status of VA’s electronic health record modernization remains unclear.
In an oversight hearing in December, Blackburn discussed Shulkin’s plan to discontinue modernizing the existing Veterans Information Systems and Technology Architecture, or VistA, in order to buy and adopt the same off-the-shelf commercial EHR system the Defense Department is implementing through a contract with Cerner Corp.
So, where does this leave Sandoval, and what challenges does he need to overcome to move the needle on IT?
Data Center Consolidation
The most recent Federal IT Acquisition Reform Act Scorecard 5.0 was released Nov. 14. VA maintained a steady B+ since improving from a C in 2016, but received an F in data center optimization initiative.
According to VA’s "2017 Year in Review" report, it had 376 large data centers around the country that were inefficient, costly and noncompliant with the Office of Management and Budget's Data Center Optimization Initiative memo or FITARA. So, after evaluating its data centers for potential consolidation, VA closed 24 of them in 2017.
VA’s goal is to close 68 more in 2018, to be on track to shutter a total of 92 data centers by fiscal 2018 yearend. So, this may be a continuous challenge and focus area for the CIO going forward.
The most recent Office of Inspector General report of the major management challenges and high-risk areas found VA still struggles to secure its systems and networks holistically and effectively.
VA has reported incidents of lost or stolen sensitive information, and considering the sophistication of cyberthreats and attacks on technologies, cybersecurity is a top concern. The Federal Information Security Management Act requires agencies and their contractors to develop, document and implement organizationwide security programs for their systems and data, and the FY 2016 FISMA report had 31 recommendations to improve VA’s information security program.
Yet, OIG found VA information system security shortfalls and inconsistent implementations of security programs. Specifically, there were control flaws in security management, access controls, configuration management and contingency planning. VA needs to put a proven process in place departmentwide, and address the technical weaknesses in databases, servers and network devices that transmit financial and sensitive data between data centers.
VA said it’s “well positioned” to resolve these risks through a number of Enterprise Cybersecurity Program initiatives expressed in the report, including its continuous monitoring program. But these initiatives remain ongoing, and will most likely require continued oversight and leadership by the CIO.
VA’s FY 2018 − 2024 Strategic Plan
One of VA’s four strategic goals in its plan is to modernize its systems and provide better capabilities to veterans and employees by optimizing IT functions, implementing a proper IT infrastructure and emphasizing analytics to make better, smarter business decisions.
VA lists a number of ways to do this: implement shared services to improve IT deployment, eliminate inefficient legacy systems, use cloud-based analytics through VA’s delivery networks, use agile integration of technology into business operations, outfit VA facilities with the latest technology, and leverage existing commercial capabilities where necessary.