House Committee on Veterans' Affairs

News

• Current Press Releases
• 110th Congress Press Releases
• 109th Congress Press Releases

For more information, contact: Brian Lawrence, (202) 225-3527

Washington D.C. — At a House Committee on Veterans’ Affairs hearing today on Department of Veterans Affairs (VA) centralization of information technology (IT) infrastructure in accordance with the Veterans Benefits, Health Care, and Information Technology Act of 2006, signed into law in December, a VA official told members impatient for progress that completion is in sight.

Bob Howard, VA’s chief information officer (CIO), testified that the department is making progress, slowed by customary federal contracting and other requirements.  He said that centralizing VA’s IT systems would be accomplished by July 2008. 

“Mr. Chairman, last Congress you and I worked closely together in a bi-partisan manner towards providing the VA with a centralized IT infrastructure,” said the committee’s ranking member, Steve Buyer (R-Ind.). “We held hearings on VA’s data breach, the largest in federal government history, and worked together in the development of legislation to address the problems of decentralization of IT within the VA. What resulted from our collaboration was Public Law 109-461.” 

In addition to the centralization required by the law, VA Secretary Jim Nicholson, responding on his own to a massive May 2006 data breach over objections among department executives, directed that the department fully centralize, a move commended by the committee.

Buyer’s concern over progress was piqued when he learned recently that VA received an evaluation of incomplete in the 2006 Federal Information Security Management Act report.  Today’s testimony reinforced his resolve to continuing firm oversight on the process.

“I trust this will not occur again for the 2007 reporting period.  I am also concerned about the continuing problems in IT security, which are detailed in the weekly Network and Security Operations Center reports received by the committee,” Buyer said.  He cited the fact that the department’s Veterans Health Administration still has a waiver which allows clinicians not to encrypt data on personal laptops and other portable storage devices. 

Buyer noted that Public Law 109-461 was also intended to allow growth and development of new, improved applications throughout VA.  He said that the new law also brought fiscal discipline to VA IT for the first time.

Committee members, mindful of VA’s sluggish performance in the past, voiced impatience with the department’s progress.

“We all remember the serious security breach last year involving the personal information of 26.5 million veterans,” said Deputy Ranking Member, Cliff Stearns (R-Fla.). “In response, VA Secretary Nicholson issued a directive to centralize the authority over all of the VA’s IT systems, and sought private-sector advice on improving the VA’s IT systems. This realignment is scheduled for July 2008.  VA has only addressed two of the six recommendations that Government Accountability Office (GAO) identified as essential to a successful transformation.

On addition, VA has yet to implement 22 of 26 IT security recommendations of the GAO and the VA IG.

Since its security problems in 2006, the department has experienced an additional $26 million lapse.  Last January, data on more than a million Medicare and Medicaid providers was compromised when a memory device used by a Birmingham, Ala., VA research analyst was unaccounted for.

Stearns asked each of the GAO witnesses if they believe that the VA was still at risk.  Each answered yes.  “IT security is not just a government problem, it is also a serious issue in the private sector,” added Stearns. “General Motors is a massive corporation with an international presence, and it has been able to secure its computer networks.  I urge the VA to study successful efforts and apply those internally.”

 “If the private sector can secure computer information using biometrics, the technology is available,” said Brian Bilbray (R-Calif.), expressing concern about the lack of security on VA laptops, portable hard drives and other storage devices. “VA should use this technology to secure this data.”

###