The Department of Veterans Affairs logged 5.6 million episodes of care for veterans in 2020 and has introduced over 52 new systems in response to COVID-19. Especially with the pivot to increasingly virtual environments, much of this was accomplished using DevSecOps.
“The key to the success we’ve had is speed. The speed to deliver new products and pivot to COVID-19 was critical,” said Daniel McCune, VA’s Acting Associate Deputy Assistant Secretary, Enterprise Program Management Office, during a MeriTalk webinar.
Before the pandemic, VA’s baseline for bringing in new services online was 582 days. Today, the department is able to deliver services in 90 days, McCune said. This efficiency enabled the large pivot in telehealth services, which went from approximately 300,000 visits per year to 9.1 million because of the pandemic.
“Our investments in cloud allowed us to quickly scale up and address the increase in demand,” McCune said. “It’s interesting to see not only how telehealth has impacted IT, but also how it impacted veterans and clinicians.”
The increased developments in cloud prior to the pandemic enabled the agency to quickly pivot around sudden demands like those for telehealth.
“We’ve done a lot of lifting and shifting in the cloud. A large percentage of our applications have been in the cloud, and that paid dividends when we got to telehealth. We were able to scale rapidly, easily and quickly because of the cloud,” McCune said.
These efforts prompted additional capabilities like VEText, which alerts veterans about vaccine availability and helps them schedule appointments. Through this service, VA has scheduled over 22,000 vaccination appointments so far.
With these efforts, security continues to be a focus.
“The lesson learned is you’ve got to be agile, you’ve got to be able to pivot quickly,” McCune said. “While speed is important, safety has to go with that. Veterans have to know that they can trust us with their information.”
There are three strategies that have helped VA release software securely. One is shifting security “left.” McCune said security processes are traditionally added at the end of development, which led to slower launches of new services. By “shifting testing left,” the department has gained greater agility — the core of DevSecOps, McCune said.
VA has also developed custom solutions, with more than 50% of applications being tailored for the department. A few years ago, VA shifted to the “buy before build mentality,” which enabled the department to outsource tech refreshes to keep them updated. This also encouraged improvements in the agency’s approach to customer experience.
“There are a couple of DevOps techniques that we have used to support customer experience,” McCune said. “Modern DevOps practices are really helping us provide safety to our products and to our veterans.”
VA has leveraged blue-green testing, an application release model that gradually transfers user traffic from a previous version of an application to a nearly identical new release, both of which are running in production.
Shifting culture has also been a focus in VA’s DevOps transformation. McCune said that there has to be a “mind share” to foster new ideas and innovation for any organizational transformation. VA recently invested in DevOps Days, a campaign to continually share DevOps best practices and success stories, which became a “drum beat” for the department.
“VA and government agencies are like ships. They turn slowly at first, but I’m getting excited because we’re starting to see that momentum build now,” McCune said.