A GAO audit of federal government legacy systems ranked HHS’ 50-year-old IT system – used for clinical and patient administrative work – as highly critical and in desperate need of modernization.
A Government Accountability Office audit of all federal government systems running on legacy platforms found the Department of Health and Human Services has one of the most critical systems in need of modernization.
As the US government intends to spend $90 billion in the next fiscal year on IT to operate and modernize existing systems, GAO assessed 65 federal legacy systems to determine the most critical platforms at 10 different government agencies.
They found HHS has the third-most critical legacy system among those federal agencies, with a 50-year-old legacy system that supports clinical and patient administrative activities. Further, with its “unknown” status as to the age of its oldest hardware, GAO ranked its criticality and its security risk “high.”
While seven of the most critical systems had plans to modernize, HHS currently does not have a documented plan to update its system.
“Several agencies stated that they would consider how essential a legacy system is to their agencies’ missions before deciding to modernize it,” GAO officials wrote. “For example, HHS stated that, when deciding to modernize a legacy system, it considers the degree to which core mission functions of the agency or other agencies are dependent on the system.”
“Until the other eight agencies establish complete modernization plans, they will have an increased risk of cost overruns, schedule delays, and project failure,” GAO officials wrote.
What’s more, HHS was listed as one of the 12 federal agencies with the highest planned IT spending for fiscal year 2015, according to the report.
Indian Health Services, an HHS component, uses the IT system to gather, store, and display administrative, clinical, and financial data on patients seen at the health system. There are approximately 20,000 users on its system, which was initially implemented in 1969.
HHS recognized these issues make it imperative to update its legacy system, including its outdated technical architecture and infrastructure, which “has resulted in challenges in developing new capabilities in response to business and regulatory requirements.”
What’s more, one of its systems is coded in C++ and MUMPS, a programming language HHS acknowledged is a legacy language. The agency has found it increasingly difficult to even find programmers able to write code for MUMPS.
HHS officials also explained that more than 50 modules were added to the system over time to address new business requirements, and that it is installed on hundreds of HHS computers, which has led to configuration variations at each site.
“This type of add-on development becomes detrimental over time and eventually requires a complete redesign to improve database design efficiency, process efficiency, workflow integration, and graphical user interfaces,” according to the report.
While there are no current plans to modernize, HHS did award a contract for research on how it can modernize the vulnerable system; that research will be conducted in stages over the course of the year. Part of it will examine the current state of health IT across its health facilities.
Once completed, those findings and recommendations will help the agency create a prioritized roadmap for modernization. According to the report, the modernization initiative will take place over the next five years. However, HHS anticipates it may be able to begin an implementation plan as early as 2020.
“With regards to potential cost savings, HHS noted that the modernization will take significant capital investment to complete and it is unknown whether the modernization will lead to cost savings,” GAO officials wrote.
“HHS officials stated that this modernization could improve interoperability with its healthcare partners, the Department of Veterans Affairs and the Department of Defense, and significantly enhance direct patient care,” they added.
This is not the first time an official audit has found severe cybersecurity issues at HHS or its sites. A recent Office of the Inspector General report found vulnerabilities in HHS security controls and detection mechanisms, including configuration management, access controls, and data input controls.
Meanwhile, another GAO audit found HHS has 42 unresolved priority cybersecurity recommendations.
In response to these reports, Sen. Chuck Grassley, R-Iowa, sent a letter to HHS demanding the agency explain its cybersecurity policies, tools, and procedures, after OIG auditors were able to access some devices on HHS’ network and personally identifiable information from thousands of HHS records without being detected.
Date: June 26, 2019
Source: Health IT Security