Veterans Affairs

House panel presses VA CIO about info security

Shutterstock image (by Maksim Kabakou): pixelated shield, protection concept.

Technology watchdogs in the House of Representatives quizzed Department of Veterans Affairs CIO LaVerne Council about agency modernization and information security at a March 16 hearing, set against the release of yet another disappointing FISMA report from the agency's Office of Inspector General.

"The modernization of the VA's legacy technology is a real concern that is affecting millions of veterans. Systems are unsecure, inefficient and inoperable," said House Oversight and Government Reform IT Subcommittee Chairman Rep. Will Hurd (R-Texas)

The current IT programs at the VA are still exposed to potential performance problems and cost overruns. According to Brent Arronte, the deputy assistant inspector general for audits and evaluations, 57 of the 69 information security recommendations made to the VA still remain open. Out of those, 17 are what he called "repeat recommendations" and 13 are "modified repeat recommendations."

The VA has a history of failing the annual audits required under federal IT law, but Council told lawmakers that things are looking up. Council, who started at VA in July 2015, and was on the job for fewer than two months of the period covered by the FISMA report, said she hoped to close all open information security recommendations by the end of 2017. She described the Office of Information and Technology at VA as a place where "everyone wants to sort of roll their sleeves up and get it right."

"We have made significant progress in improving our cybersecurity posture," Council told the panel.

Some outstanding recommendations include fully implementing two-factor authentication for local and remote access to VA systems; improving security patching to reach all devices; encrypting all sensitive data as it moves across VA networks; and improving access controls and restricting user access to only needed systems.

"We remain concerned that continuing delays in implementing effective corrective actions to address these open recommendations can potentially contribute to reporting an information technology material weakness for this year’s audit of VA’s consolidated financial statements," Arronte wrote in the OIG report.

Vista Question Looms

In previous hearings this year, Council noted that it was time to "take a step back" from VA's planned modernization of its homegrown Vista health record system. That modernization plan, conceived in 2014, has been overtaken by new developments in the VA's health care delivery plan, including increased focus on mobility, security, women's health and connections with private sector providers.

But, some lawmakers remain skeptical of the pause.

"While I certainly appreciate big thinking, especially in government IT, I have to ask whether or not this is another example of the VA taking a U-turn on a substantial IT investment," Hurd asked Council. "We have been down this road before with the effort to make the electronic health records of the DOD and the VA interoperable. Is Vista going to end up in a multi-year investment that never delivers the functionality that the VA's health care providers need?"

Council remained optimistic throughout the hearing but also acknowledged to legislators that that "we must do more," and said VA must continually innovate the digital health platform. 

About the Author

Aisha Chowdhry is a former staff writer for FCW.


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.