LaVerne Council drills in on her to-do list

This interview ran in the May 15 print edition of FCW

When Robert McDonald was named secretary of the Department of Veterans Affairs, all eyes were on his choice for a top technology leader. The assistant secretary for information and technology at VA leads a $4 billion enterprise, one of the largest in civilian government. The post is one of only a handful of agency CIOs jobs that are subject to Senate confirmation. And it was well known that when McDonald was CEO of consumer goods giant Procter and Gamble, he relied heavily on his CIO Filippo Passerini.

About a year ago, after her Senate confirmation hearing to become VA's CIO, LaVerne Council said she suspected Passerini had suggested her for the job. "He knows I like hairy problems," Council told FCW at the time.

It's hard to imagine a hairier problem in government than running the IT shop at VA. Council is responsible for delivering technology to a workforce of about 345,000 employees. The Office of Information and Technology manages some 450,000 computers and 16,000 servers and is responsible for defending a nationwide network that spans major hospital centers and local clinics and offices.

VA also manages medical care for 9.2 million veterans, making it the largest integrated system in the United States. VA tracks patient data on its homegrown, open-source electronic health record system VistA, a program that has struggled to connect and share data with Defense Department systems and those in the private sector.

Council stepped into a department that had been under the management of acting CIO Steph Warren for two-and-a-half years. She moved quickly to fill key leadership roles and address some of the most pressing issues, including tackling dozens of long-standing security weaknesses identified by the agency's inspector general and meeting the requirements of the fiscal 2014 National Defense Authorization Act that the VistA system be certified as interoperable with DOD systems.

That hasn't left time for much else, but Council said she plans to go the distance. "When the president leaves, that will be my last day as well," Council said in an April 6 interview. "That was my commitment. I will keep it."

This is a transcript of that conversation; it has been edited for length and clarity.

Cloud

VA's April 4 cloud procurement request for information seems like a big deal. What's cloud going to do for VA?

The RFI went out because this is part of our new strategy of "buy first," in particular to reduce our complexity. As you may or may not be aware, we have over 365 data centers within the VA and 800-plus custom applications. The amount of data storage, the locations of those things, all those things say: "Wow, we need to simplify, and we also need to secure." We are looking at the cloud as our way of bringing on some new [buying] capability.

Productivity tools are moving us away from this aligned service structure to more of a virtual capability. The cloud is one of the ways that we will get there. We also are really interested, as much as we can, to partner with other agencies within the federal government.

Our requirements may be a little more extreme than some, but certainly, if there's an opportunity where we can [partner], we will. We think that our buying power helps everybody.

One of the big traps in government is paying for modernization because you've got to run the old stuff while you spin up the new stuff. How are you addressing that with cloud?

It's always interesting because there is that tight line on sustainment, and so one of the strategies that I have my principal deputy, Ron Thompson, working on is what are the right things to go first, second, third and fourth that could give us the savings, which could then go into parlaying the pay-for.

That's how the priority is being looked at, looking at those things that are less risk, easier to do, proven to do. And that, frankly, will help not only the workforce within the VA, but also help us move forward as we look at our material weaknesses and [how to eliminate] them.

Future of VistA

You were asked on Capitol Hill recently about your decision to tap the brakes on VistA modernization. Why did you decide to do that, and how is it going? Has a group been tasked with looking more widely at potential solutions?

Everyone says it's like tapping the brakes. That's not how we see it. VistA Evolution is still going. VistA Evolution was four core parts, and the team is now working on VistA Four. VistA Four was to be completed in 2018. There has been really no change in what VistA Four was going to do.

Dr. [David] Shulkin, who heads up the [Veterans Health Administration], and myself, after reviewing our business case and also after seeing a number of changes that are happening in the environment around women veterans, about care in the community and transformation in technology…we wanted to leave the organization with a strategy for the future beyond 2018. That's really what we're doing.

My organization, under my leadership, is really coming up with the next digital health platform. Working with Dr. Shulkin and his team, they're looking at it and understanding the viability, what would make sense for them [and] how far, with the different options that we've laid out, they would want to consider [going]. Then based on that, we would put forward what the change strategy would be for the organization.

It doesn't necessarily say there will be no such thing as VistA because you always have to have an [electronic health record] as a component. It does say that we are moving to or thinking about health as a platform and thinking about all the things that you need to do to provide good health care.

Is there a path — and is it a desirable one — to get to the point where you have just one instance of VistA? Even as far back as your confirmation hearing, data interoperability was a big issue for you. It seems you wouldn't choose to build it from scratch.

Right, and frankly, that's the look that Dr. Shulkin and I wanted to have. If we didn't have limitations, what would we do? The need to have semantic interoperability is real. That's what we've got to really reach for. How do we do that?

The instance issue itself is always hard because we are the largest integrated health system…. No one scales to that level. The question is: How well does the data work? How well does the data flow? That's really being addressed with our [joint DOD/VA interoperability program office] currently [and] our interoperability plan, which will state that we will be interoperable [by the end of April].

Then moving on with what we call eHMP [Enterprise Health Management Platform], which gives us some flexibility and views of data very differently, getting a soft launch in August of this year, with full rollout next year. I think the real question for us is functionality and thinking about how we provide holistic health care for our veterans.

How do we ensure care in the community? [How do we ensure] that we have an accurate electronic health record? How do we also ensure that it's a secure health record and that a veteran can get care anywhere at any time? Those are the key drivers, in addition [to], as we said, the number of women veterans, ensuring that the care is there.

What's your role in making sure that VA can work with DOD's new system? What activity is taking place at VA to accommodate that?

The [joint interoperability program office] was set up to really drive this link between the DOD and the VA. It was purposely set up to create really a flow of data. A flow of data requires a lot of things. It requires that you're using the same expectation and definition for the data. It requires that we've all agreed as to what the dataset is — all these things. That's what the IPO was set up to do: to ensure a holistic record.

Is the current work on interoperability going to pay off when the Pentagon switches to its new commercial system? Or will that work be lost?

It's not lost. It totally feeds. What we've got to do is ensure what we're doing with eHMP and what we do in the next generation will also continue to keep that feed and that we take advantage of technology.

The veteran to us and the veteran data is not just health data. It's the holistic set of all the things that they have rights and that their family has rights to. People forget that. All of those things really make up the veteran's information, not just the health care side.

For the first time, there are things that just aren't health-related that will be flowing in to create this holistic record. That to me is ultimate legacy. That's where I get excited.

Coping with Congress

What would you tell a private-sector colleague who is interested in moving into government about how to deal with congressional oversight?

Most people who have been in C-suite jobs in corporate America are used to oversight. It's called a board. Then it's called your boss, and there are auditors. Much of the oversight that's here is very similar except for the political element of it.

I would say...that I'm probably a little...I don't want to say unaffected by it, but I'm not hair-on-fire about it. They have constituents that we touch. My objective is to make sure they have the most accurate information probable and possible.

I would tell any other private person to realize this is just keeping another constituent up-to-date as to what you're doing and being open about it.

The political aspect is different, though.

It's funny. I can clearly say that, when I put the staffers and everyone in the same room, I can't tell what political party they're associated with. I really can't. Maybe I don't want to [laughs], or maybe it's not as important to me as sharing the information. That's probably it. I really try to make sure they understand what our strategy is.

I really want them to understand what it means to the people, to the process, to what kind of technology we're using. I want them to understand how we're leveraging the resources that they've been willing to advocate on our behalf for. They generally want to know what they can do to help.

Do you think you are getting what you need from Congress?

At this point, yes. When they ask, I do tell them what I think. I think there needs to be some different flexibility and some different ways to hire, to engage and to compensate for some of the skills that we're asking for. The competitive landscape in IT is aggressive, and we need to be able to compete on some levels. It's hard — harder than it should be. They understand that.

What about the lawmakers or staffers who are not necessarily as tech-savvy? Does that make your job harder?

The majority of the time, because I consider myself a business leader who represents technology, I talk about technology in a business way. That way I can communicate with you. If I start talking bits and bytes, what's the point? That's not really what they're interested in. What they're interested in is the outcome.

If I'm talking technology to you, I'm not doing my job. This is really a business process just like every other business process that happens to leverage technology.

Cybersecurity

The first Federal Information Security Management Act report of your tenure came out recently. The headline is, "Material Weaknesses Remain." What are your next steps?

The FISMA report wrapped in May, about two months before I was confirmed. But the big thing that I always look for in any kind of audit like that is repeat issues. The conversation I'm having with the team and the leadership as we go through this next cycle of audit is, "Guys, come on. We can't have repeat issues. Why are these repeat issues? Why aren't we addressing [them]? What's going on? Is it funds? Is it scale? What is the issue?"

We're really going head-on at it. I think with the five new leaders who have been added, they're putting fresh eyes on it. They have expectations that are the same if not more [focused] than mine, and I think we're going to see some differences this year. We have to. This is a serious matter, and we take it that way. I wish there were some surprises that were positive, but everything that was [listed among the security weaknesses] we had in our cyber strategy and more so.

Thirty percent of our material weaknesses will be closed this year, 2016 [and] the rest by the end of 2017. We're going to stay focused. The entire team has this as a core goal. Every single leader has this as a core goal. We're going to do what we have to do to change it. It's not just changing it for the report's sake. It's changing it for security's sake. We've got to do it.

On the funding front, are you getting what you need?

The thing that I know having done cybersecurity now for almost 20 years is that you can't always be sure you've got it exactly right until you go through an execution cycle. What I mean by that is upgrading the things you really need to upgrade, figuring out what is causing some pain that has sometimes nothing to do with security but could be an input or could be something you want someone to have.

In our case, [consider] two-factor authentication and really driving the use of the [personal identity verification] card. To use the PIV card, you've got to have good processes. You've got to have good application software to do that. You've got to have good background technology to do that.

We look at these dollars as ways to help to make sure that all those things are happening, not just what you would call normal cyber, but all the things that give you good health, what I call good housekeeping as it relates to security.

As it stands right now, I figure the cost of this is enough, but if it's not, we will adjust when we get our second bite on the fiscal 2018 budget. But I see this investment as something where you go up and sort of level out. [The current requested increase] is our going up to level out. If we have to continue year over year over year to ask for the same amount, you've got to ask a tough question: What's happening outside of us, or what aren't we doing?