oversight

Veterans Affairs Computer Systems: Action Underway Yet Much Work Remains To Resolve Year 2000 Crisis

Published by the Government Accountability Office on 1997-09-25.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Subcommittee on Oversight and Investigations,
                          Committee on Veterans’ Affairs, House of Representatives




For Release on Delivery
Expected at
9:30 a.m.
                          VETERANS AFFAIRS
Thursday,
September 25, 1997        COMPUTER SYSTEMS

                          Action Underway Yet Much
                          Work Remains To Resolve
                          Year 2000 Crisis
                          Statement of Joel C. Willemssen
                          Director, Information Resources Management
                          Accounting and Information Management Division




GAO/T-AIMD-97-174
                         Mr. Chairman and Members of the Subcommittee:

                         We are pleased to be here today to discuss the progress being made by the
                         federal government and, in particular, the Department of Veterans Affairs
                         (VA), in making sure that its automated information systems are ready for
                         the upcoming century change. As you know, we testified before the
                         Subcommittee earlier this summer, at which time our report was released
                         detailing the activities of one VA component,1 the Veterans Benefits
                         Administration (VBA), to make its systems Year 2000 compliant.2

                         As requested, my testimony today will first summarize federal progress in
                         addressing the Year 2000 problem and will then examine VA and its major
                         components. My statement will discuss action taken by VA as a whole, and
                         steps taken by VBA in response to recommendations contained in our
                         recent report. We have just begun a detailed review of the Veterans Health
                         Administration’s (VHA) Year 2000 activities; consequently, my testimony in
                         this area will be limited to results to date.


                         As we testified in July,3 time is running out for agencies and the pace
Federal Agency           needs to be accelerated if widespread systems problems are to be avoided
Progress: Efforts Must   as the Year 2000 approaches. We stressed in our testimony that the Office
Be Expedited             of Management and Budget (OMB) and key federal agencies need to move
                         with more urgency. Among the other related issues we noted was that
                         increased attention was required on validation and testing of Year 2000
                         solutions, data interfaces and exchanges, and contingency planning.

                         OMB’s most current Year 2000 progress report on the federal government’s
                         efforts, released last week, again demonstrates that although federal
                         agencies are generally making progress toward achieving Year 2000
                         compliance, the overall pace of that progress is too slow.4 Based on
                         individual agency reports, 75 percent of the agencies’ approximately 8,500
                         mission-critical systems remain to be repaired or replaced, and the total

                         1
                         Along with VBA, the other two major VA components are the Veterans Health Administration and the
                         National Cemetery System.
                         2
                         Veterans Benefits Computer Systems: Uninterrupted Delivery of Benefits Depends on Timely
                         Correction of Year-2000 Problems (GAO/T-AIMD-97-114, June 26, 1997) and Veterans Benefits
                         Computer Systems: Risks of VBA’s Year-2000 Efforts (GAO/AIMD-97-79, May 30, 1997).
                         3
                          Year 2000 Computing Crisis: Time Is Running Out for Federal Agencies to Prepare for the New
                         Millennium (GAO/T-AIMD-97-129, July 10, 1997), before the Subcommittee on Government
                         Management, Information and Technology, House Committee on Government Reform and Oversight,
                         and the Subcommittee on Technology, House Committee on Science.
                         4
                          Progress on Year 2000 Conversion, U.S. Office of Management and Budget, August 15, 1997.



                         Page 1                                                                       GAO/T-AIMD-97-174
    cost estimate has risen to $3.8 billion, up $1 billion from the previous
    quarterly report.5

    According to OMB, reports of several of the agencies were disappointing;
    consequently, it placed agencies in one of three categories, depending
    upon evidence of progress. In the first category are four agencies that OMB
    found had “insufficient evidence of progress.”6 For these agencies, OMB
    established a “rebuttable presumption going into the Fiscal Year 1999
    budget formulation process this Fall that we [OMB] will not fund requests
    for information technology investments unless they are directly related to
    fixing the year 2000 problem.”

    OMB’s second category contains 12 other agencies for which it cited
    “evidence of progress but also concerns.” These agencies were put on
    notice that continued funding for information technology investments
    would be contingent on continued progress.7 Finally, for the eight
    remaining agencies that according to OMB, appear to be making
    progress—and this includes VA—funding requests will be handled in the
    usual manner, although progress at all agencies will be reevaluated on the
    basis of their next quarterly reports, due November 15.8

    We are encouraged by OMB’s statements and believe they reflect an
    increased urgency to address the Year 2000 issue. Further, we note that in
    its report, OMB states that it plans to address other issues that we raised in
    our July testimony.9

•   OMB  emphasized that proper validation of changes was critical to success.
    It stated that it planned to meet with agencies over the coming months to
    discuss the adequacy of scheduled timetables for completing validation.
•   OMB said it would discuss with agencies the preparedness of
    communications interfaces with systems external to the federal

    5
      Getting Federal Computers Ready for 2000: Progress Report, U.S. Office of Management and Budget,
    May 15, 1997.
    6
     These are the Departments of Agriculture, Education, and Transportation and the Agency for
    International Development.
    7
     These are the Departments of Commerce, Defense, Energy, Health and Human Services, the Interior,
    Justice, and the Treasury and the Environmental Protection Agency, Federal Emergency Management
    Agency, National Aeronautics and Space Administration, Office of Personnel Management, and Small
    Business Administration.
    8
     Along with VA, this category encompasses the Departments of Housing and Urban Development,
    Labor, and State and the General Services Administration, National Science Foundation, Nuclear
    Regulatory Commission, and Social Security Administration.
    9
     GAO/T-AIMD-97-129.



    Page 2                                                                       GAO/T-AIMD-97-174
                         government, including those of state and local governments and the
                         private sector.
                     •   OMB asked agencies for a summary of the contingency plan for any
                         mission-critical system that was reported behind schedule in two
                         consecutive quarterly reports so that it could summarize such plans in
                         future reports to the Congress.

                         We look forward to implementation of these key activities as we continue
                         monitoring OMB’s leadership of the federal government’s Year 2000 effort.


                         VA is very vulnerable to the impact of the new millennium because of the
VA: The Stakes Are       large number of veterans and their dependents that it serves; this is why it
High                     is so important that VA’s systems be made compliant in time to avoid
                         disruption to the benefits and services on which millions of Americans
                         depend. Our past and current work at VA indicates that the Department
                         recognizes the urgency of its task, and it has made progress. But much
                         remains to be done if it is to avoid the widespread computer failures that
                         unmodified systems could bring. If left uncorrected, the types of possible
                         problems that could occur include but are not limited to late or inaccurate
                         benefits payments, lack of patient scheduling for hospital treatments, and
                         misinterpretation of patient data. The number of areas vulnerable to
                         problems is vast.

                         The Department’s June 1997 Year 2000 plan (VA Year 2000 Solutions)
                         outlines VA’s strategy, activities, and major milestones. According to this
                         plan and in line with OMB guidance, VA’s primary approach is to make its 11
                         existing mission-critical systems compliant; one, in fact, already is. Table 1
                         lists these systems, along with the numbers of applications they serve and
                         the responsible VA component or office.




                         Page 3                                                       GAO/T-AIMD-97-174
Table 1: VA’s Mission-Critical
Computer Systems (11) and Their   Component/office                                                               Number of
Applications (464)                (Number of systems)                       Systems                             applications
                                  Veterans Benefits Administration (6)      •Compensation & Pension                     157
                                                                            •Education
                                                                            •Insurance
                                                                            •Loan Guaranty
                                                                            •Vocational Rehabilitation
                                                                            •Administrative
                                  Veterans Health Administration (2)        •Veterans Health Information                143
                                                                            Systems and Technology
                                                                            Architecture
                                                                            •Veterans Health Administration             160
                                                                            Corporate Systems
                                  National Cemetery System (1)a             •Burial Operations Support                    2
                                                                            System/Automated Monument
                                                                            Application System
                                                                            •Reengineer
                                  Office of Financial Management (2)        •Personnel and Accounting                     1
                                                                            Integrated Data
                                                                            •Financial Management System                  1
                                  a
                                  The only system that VA considers to be fully Year 2000 compliant.

                                  Source: VA.



                                  Responsible for overseeing the Year 2000 problem at VA is its chief
                                  information officer (CIO); he is assisted by the CIOs of both VBA and VHA, by
                                  senior information technology managers in the National Cemetery System,
                                  and by staff offices at VA headquarters. VA has also designated a Year 2000
                                  project manager, responsible for general oversight and monitoring.

                                  According to VA’s August 14, 1997, quarterly report to OMB, the Department
                                  has made progress in addressing the Year 2000 problem. As noted in the
                                  report, 1 of its 11 mission-critical systems—the one serving the National
                                  Cemetery System—is already fully compliant. Of the 10 remaining
                                  mission-critical systems and their applications, 85 percent have been
                                  assessed and 51 percent have been renovated. In addition, VA has updated
                                  its total Year 2000 cost estimate from $144 million (May 1997) to
                                  $162 million; VA’s stated reason for the increase is the need for upgrades to
                                  its commercial off-the-shelf software and hardware and more contractual
                                  support.

                                  Further, VA’s current estimate shows that it expects systems assessment to
                                  be completed by the end of next January, renovation of systems by




                                  Page 4                                                                   GAO/T-AIMD-97-174
                       November 1998, validation by January 1999, and implementation by
                       October 1999—2 months earlier than VA reported in May.


                       As we testified before the Subcommittee in June,10 correcting the Year
VBA Has Begun to       2000 problem is critical to VBA’s mission of providing benefits and services
Implement GAO          to veterans and their dependents. VBA has responded to this challenge by
Recommendations        initiating a number of actions, including developing an agencywide plan
                       and a Year 2000 strategy, and creating a program management
                       organization. However, several substantial risks remain. If VBA is to avert
                       serious disruption to its ability to disseminate benefits, it will need to
                       strengthen its management and oversight of Year 2000-related activities.

                       Our May 30, 1997, report contained 10 specific recommendations to the
                       Secretary of Veterans Affairs on actions that VBA needed to take to address
                       the Year 2000 problem.11 VA concurs with all 10, and is in the process of
                       implementing them. For example, according to VBA:

                   •   To strengthen its Year 2000 program management office, it has assigned
                       oversight and coordination responsibilities for all Year 2000 activities to
                       this office alone.
                   •   It has completed inventories of data interfaces and third-party products
                       (hardware, software, mainframes, minicomputers, operating systems, and
                       utilities). VBA has also determined that most of its third-party products are
                       Year 2000 compliant—98 percent of its personal computers, local area
                       networks, minicomputers, and commercial software; and all of its imaging
                       equipment and associated software.
                   •   It has renovated half of the 157 applications that make up its six
                       mission-critical systems. It plans to renovate the remaining applications by
                       November 1998.

                       While we are encouraged by these positive actions, we understand from
                       discussions with VBA officials that key work schedules have been
                       compressed, creating added pressure. For example, renovation of VBA’s
                       largest and most critical applications—those necessary to the functioning
                       of its Compensation and Pension Service—may not be completed by VBA’s
                       target date of December 1998. Changes to these applications have had to
                       be delayed in order to effect this year’s legislatively mandated changes and
                       cost- of-living increases. Time is similarly short for work on the loan


                       10
                         GAO/T-AIMD-97-114.
                       11
                         GAO/AIMD-97-79.



                       Page 5                                                      GAO/T-AIMD-97-174
guaranty system, for which key phases remain to be completed.12 For
example, the new construction and valuation application is scheduled to
start in early fiscal year 1998, but it has a fail date13 of December 1998.
This leaves VBA only slightly 1 year to design, develop, test, and implement
this application.

A further challenge for VBA is that it has not modified its schedule to take
into account recent problems and delays in its attempts to replace an
education payment system for selected reservists known as chapter 1606.
Such schedules are important to ensuring that all mission-critical
applications are fixed; they therefore need to be modified or updated to
reflect realistic estimations of the difficulty of the work involved.

In addition, although VBA has completed an inventory of 590 internal and
external interfaces, as of July 31, 1997, only 26 percent of the interfaces
had been assessed for compliance. VBA’s Year 2000 project manager
indicated that VBA is encountering problems determining whether its
external interfaces14 are Year 2000 compliant because external sources
have not provided the necessary information.

VBA also has not updated its January 1997 risk assessment to reflect the
recent change in its Year 2000 strategy. Specifically, in response to
concerns raised regarding its initial approach, VBA redirected its Year 2000
strategy by focusing on converting its existing benefits payment systems
rather than replacing the noncompliant systems. Since risk assessment is
an important prerequisite for effectively prioritizing projects and
mitigating potential problems, updating the previous risk assessment to
take this change into account is essential.

An internal VA oversight committee, established to monitor and evaluate
the progress of VBA’s Year 2000 activities, identified concerns similar to
ours. Specifically, according to a member of this committee, little time
remains for VBA to make the necessary modifications to its compensation
and pension and loan guaranty systems, and much work remains in
assessing the external interfaces for compliance.



12
  The key Year 2000 program phases remaining are renovation, validation, and implementation.
13
  The date on which this application will experience the effects of dates on calculations.
14
  An example of an external interface is the exchange of disability compensation information between
the Department of Defense and VBA. Defense currently provides VBA with electronic information on
the amount of disability benefits paid to a veteran by Defense for offset against the amount paid by
VBA to this same veteran. This offset is necessary because, by law, the veteran cannot be paid twice
for the same disability.


Page 6                                                                            GAO/T-AIMD-97-174
                       The Year 2000 challenge for VHA is enormous. As the largest centrally
VHA Has Begun to       directed civilian health care system in the United States, VHA manages
Assess Its Systems     health care delivery to veterans within 22 regional areas geographically
and Related Products   dispersed throughout the country; these areas are known as Veterans
                       Integrated Service Networks (VISNs), and they encompass 173 VA medical
for Compliance         centers, 376 outpatient clinics, 133 nursing homes, and 39 domiciliaries—a
                       total of 721 facilities. These sites utilize a wide range of electronic
                       information systems, biomedical equipment, facilities systems, and other
                       computer-based system products. Accordingly, it is essential that each of
                       these 22 regional health care networks thoroughly assesses and plans for
                       ensuring Year 2000 compliance so that service delivery is not interrupted.

                       Within VHA, the CIO has overall responsibility for planning and managing
                       Year 2000 compliance. The CIO created a VHA Year 2000 project office,
                       empowered to develop compliance guidance. In April 1997, this office
                       developed a VHA plan for addressing the year 2000; the plan was approved
                       by VA’s Under Secretary for Health on May 14 of this year. The CIOs of each
                       of the 22 regional networks, medical facility directors, and managers have
                       ultimate responsibility for preparing and executing their individual Year
                       2000 plans, including all required assessment, renovation,
                       validation/testing, and implementation activities.

                       According to VA’s August 14, 1997, quarterly report to OMB, VHA is in the
                       initial stages of assessing the compliance of its two mission-critical
                       systems—the Veterans Health Information Systems and Technology
                       Architecture (VISTA)15—formerly known as the Decentralized Hospital
                       Computer Program (DHCP)—and the VHA corporate systems. VA also
                       reported that of the two systems’ applications, 17 percent have been
                       assessed and 16 percent renovated. VHA plans to complete this assessment
                       and renovation by the end of January 1998 and July 1998, respectively.

                       According to VA’s Year 2000 readiness review, VHA’s strategy for the
                       national VISTA applications is to assess all 143 applications and recode as
                       necessary. According to VHA, 34 of its 143 applications16 have been
                       assessed; 33 of these 34 were eliminated as a result of the assessment.

                       In order to effectively assess and renovate, it is necessary to understand
                       how local facilities are using the national VISTA applications. One potential

                       15
                        VISTA represents the national health care information applications along with related commercial
                       products, personal computers/workstations, and other items used in VHA health care facilities.
                       16
                         Examples of applications include dietetics, pharmacy/inpatient, health summary, prosthetics, and
                       laboratory.



                       Page 7                                                                         GAO/T-AIMD-97-174
risk is that some local facilities have customized national applications,
according to VA’s Year 2000 readiness review.17 If this is true, it is
important that VHA know where applications have been changed—even in
small ways—so as to ensure that they are Year 2000 compliant. Beyond
customization, local facilities may purchase software add-ons to work with
the national applications; here, too, these must be inventoried and Year
2000 compliance assessed.

An inventory of internal and external VISTA interfaces has not yet been
completed; systems developers plan to identify such interfaces when they
assess each application. Should internal information be corrupted by
exposure to uncorrected external interfaces through network exchanges,
system crashes and/or loss of data could result. VA’s Year 2000 project
manager has expressed concern that this information may not be
obtainable from external sources, who have yet to inform VHA whether
their interfaces are Year 2000 compliant.

As with interfaces, VHA must be assured that the commercial software
products it uses are Year 2000 compliant. It has completed an inventory of
its commercial products, such as personal computer operating systems,
office automation software, and medical applications; according to the
project manager, over 3,000 software products and 1,000 software vendors
have been identified. VHA plans to rely on the General Services
Administration to provide it with a general list of commercial products
that are Year 2000 compliant. For specialized products unique to the
health care industry, VHA plans to contact manufacturers for compliance
information.

Physical facilities are another area of concern. According to VHA’s Year
2000 program manager, VHA has not completed an inventory of
facilities-related systems and equipment such as elevators; heating,
ventilating, and air conditioning equipment; lighting systems; security
systems; and disaster recovery systems. Such elements are vitally
important to VHA’s ability to provide high-quality health care services. VHA
is working with the General Services Administration and manufacturers on
this issue. Since it is often critical that medical services not be interrupted,
VHA is required to have contingency plans in place in case hospital systems
fail. These plans are reviewed and assessed regularly by the Joint
Commission on Accreditation of Healthcare Organizations. However, such
contingency plans are meant to ensure continued operation in the event of

17
 Such customization includes special-purpose programs written by local information resources
management staff or other system users on-site or imported from other VA medical centers. They
generally meet a specific local need or extend the functionality of nationally released software.



Page 8                                                                          GAO/T-AIMD-97-174
                        disaster; such approval does not necessarily ensure that all backup
                        systems are Year 2000 compliant.


                        Health care facilities depend on the reliable operation of a variety of
VHA Is Assessing Year   biomedical devices—equipment that can record, process, analyze, display,
2000 Impact on          or transmit medical data. Examples include computerized nuclear
Medical Devices         magnetic resonance imaging (MRI) systems, cardiac monitoring systems,
                        cardiac defibrillators, and various tools for laboratory analysis. Such
                        devices may depend on a computer for calibration or day-to-day operation.
                        This computer could be either a personal computer that connects to the
                        device from a distance or a microprocessor chip embedded within the
                        device. In either case, the software that controls the operation of the
                        computer may be susceptible to the Year 2000 problem. The impact could
                        range from incorrect formatting of a printout to incorrect operation of the
                        device, having the potential to affect patient care or safety.

                        The risks for a specific medical device depend on the role of the device in
                        the patient’s care and the design of the device. Although medical treatment
                        facilities have the expertise to understand how medical devices are used,
                        they rely on device manufacturers to analyze designs and disclose Year
                        2000 compliance status.

                        As a health care provider and user of medical devices, VHA is a key
                        stakeholder in determining compliance of such tools. Another key player
                        is the Food and Drug Administration (FDA), in its role of protecting the
                        public from unsafe and/or ineffective medical devices.

                        In attempting to ascertain the potential impact of the century change on its
                        biomedical devices, VHA on two separate occasions sent letters to
                        manufacturers. Its first letter was sent over a period of a few days
                        beginning June 23 of this year to equipment manufacturers identified by
                        selected experts within VHA. In the letter, VHA inquired as to steps the
                        manufacturer planned to take to resolve the Year 2000 issue. Out of 118
                        letters, VHA received 32 responses. These responses were reviewed by
                        VHA’s medical device integrated product team, comprising internal experts
                        from a variety of fields.

                        On the basis of the team’s analysis, VHA sent more detailed letters asking
                        specific questions, including whether the manufacturer provided any
                        devices to VA that incorporate a real-time clock; if such devices were
                        provided, whether they are Year 2000 compliant; and, for those that are



                        Page 9                                                     GAO/T-AIMD-97-174
not compliant, asking for model numbers, device names, and the specific
impact the century change would likely have on the device. These letters
were sent to about 1,600 manufacturers on September 9, 1997, with a
request for responses by October 3. According to VHA, 50 responses had
been received as of September 15.

Product team members plan to review responses to ensure that they are
categorized correctly as compliant, noncompliant, or pending; VHA will
maintain a database of the manufacturers and their responses. This
database will be made available to VA medical centers through the VHA
intranet, although key personnel such as biomedical engineers may not
have easy access to the intranet at some medical centers. The information
will also be communicated to VA medical centers through monthly
conference calls among engineers and communications with medical
center directors. We feel that it is imperative that such results be widely
disseminated; if the VHA intranet is insufficient for this task, other means
should be found.

FDA also recently began communicating with manufacturers. According to
officials, FDA sent a letter in early July of this year to about 13,000 such
manufacturers, reminding them of their responsibility to ensure that their
products will not be affected by the century change. In the letter, FDA
reminded manufacturers that, according to section 518 of the Federal
Food, Drug, and Cosmetic Act, they are required to notify users or
purchasers when FDA determines a device presents an unreasonable risk of
substantial harm to public health. Although one response was received,
the acting director of FDA’s Division of Electronics and Computer Science
explained that it was not the agency’s intention to solicit a specific
response because FDA expects manufacturers to report any problems
found through normal reporting channels. FDA plans to disseminate
information on any Year 2000 problems reported by manufacturers to the
public through its reporting systems, such as the Medical Products
Reporting Program (“MedWatch”).

According to the director of FDA’s Cardiovascular Division, the agency’s
strategy for helping to determine whether medical devices are Year 2000
compliant is to rely on the knowledge and experience of its resident
experts. These experts, with backgrounds in electrical engineering,
software engineering, and/or biomedical engineering, have reviewed the
design of selected medical devices to determine whether the devices
would be affected by the century change. In the case of pacemakers, for
example, FDA experts have concluded that no adverse effect will result.



Page 10                                                    GAO/T-AIMD-97-174
           This conclusion was based on the fact that the internal operations of
           pacemakers do not involve dates. The experts further said that although
           pacemaker settings are often changed with the assistance of a computer,
           which often uses dates and may be noncompliant, a trained physician is
           always involved in controlling the settings.

           A federal entity—the Year 2000 Subgroup on Biomedical Equipment—is
           working to coordinate the effort to obtain Year 2000 compliance status
           information from medical device manufacturers. This group plans to
           follow up on nonrespondents to questionnaires sent out by VHA, FDA, and
           other federal health care providers to manufacturers requesting this
           information.


           In closing, Mr. Chairman, I want to stress that while our detailed review of
           the VHA area is just now underway, it is clear that for VA as a whole to have
           all of its mission-critical systems compliant by January 1, 2000, will entail a
           huge, well-coordinated effort.

           This concludes my statement. I would be happy to respond to any
           questions that you or other Members of the Subcommittee may have at
           this time.




(511236)   Page 11                                                      GAO/T-AIMD-97-174
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov




PRINTED ON    RECYCLED PAPER
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested