Can the Veterans Affairs Department tighten security without stifling a culture of innovation that has fielded some of the best health IT in the world?
The Veterans Health Information Systems and Technology Architecture (VistA) has its roots in a rebellion among software programmers at the Veterans Affairs Department in the 1970s.
VA programmers wanted to computerize medical processes at VA hospitals and were frustrated by the pace of departmental automation. VA executives later embraced VistA, which is still developed on a nonproprietary, open-technology model akin to the one that supports Linux.
An open-technology approach allows a community of developers to continually improve and expand software. Open technologies have two advantages over their proprietary alternatives: They reduce the cost of software development and distribution, and they reduce the time it takes to incorporate innovations.
A U.S. Public Health Service agency initiated and planned VistA in the early 1970s, and throughout the 1980s and 1990s, VistA evolved at VA medical centers and field offices and within the hospitals and clinics of the Indian Health Service and the Defense Department.
The name VistA dates back to the 1990s, according to the Web site of WorldVistA, an organization that seeks to extend the program’s use beyond its original setting. That’s when Dr. Kenneth Kizer, VA’s undersecretary for health at the time, renamed what had previously been known as the Decentralized Hospital Computer Program.
But WorldVistA’s site also points out that the system’s conceptual origins can be traced to President Lyndon Johnson’s signing of the Social Security Amendments of 1965, which created the Medicare and Medicaid programs.
— Peter Buxbaum
In May 2006, the Veterans Affairs Department announced that a laptop PC containing personal information on more than 26 million veterans and active-duty military personnel was stolen from the home of a VA employee. The resulting crisis surrounding the potential misuse of that information spurred VA to develop a strategy to better protect its data.
The result has been an ongoing realignment of VA information technology programs, which is scheduled for completion in July. To secure data and reduce costs, VA and Congress decided to centralize the department’s IT organization. By operating fewer installations and creating a streamlined infrastructure with fewer points of entry into the system, VA’s data would theoretically be more secure.
The centralization effort has also given more authority to the department’s chief information officer and standardized operations and systems development departmentwide. Since undertaking the realignment, VA has transferred 6,000 employees from its administrations and other offices to the CIO’s office.
Few would dispute that central management will likely enhance data security through uniform policies and better enforcement of those policies. Moreover, some experts say the benefits of centralization far outweigh the drawbacks.
CIO at full throttle Others are not so sure. In the health care field, CIOs often must balance the efficiency of a centralized system with the flexibility and responsiveness of a decentralized one. In VA’s case, the dilemma is even more profound because its historically decentralized management and IT structures have created one of the most successful health care systems in the world.
Some software aficionados say VA’s success is largely because of the organic, open development of VA’s core health IT system, the Veterans Health Information Systems and Technology Architecture. They say centralizing the IT infrastructure could compromise VistA’s strengths by constraining creativity and introducing proprietary software into an open system.
“We are taking an evolutionary approach,” said Dr. Paul Tibbits, deputy CIO in VA’s Office of Enterprise Development. “We’re trying to mature the organization by strengthening lots of procedures, practices and skills through the summer of 2008. The changes, tweaks and policy modifications we’re in the middle of right now are designed to create a mature information resource management organization.”
By creating a single IT authority, the realignment has given VA’s CIO more power than other federal CIOs enjoy, Tibbits said. “It constitutes a grand experiment to see how effective a fully empowered CIO can be as a steward of the taxpayers’ dollars,” he added.
The realignment also means that veterans will deal with “only one VA and not three VAs,” said Craig Luigart, CIO at the Veterans Health Administration. Previously, VHA, the Veterans Benefits Administration and the National Cemetery Administration were managed separately, and each had its own business practices and IT organizations.
“Support of business operations now becomes one of the main objectives of the departmental IT organization,” Tibbits said.
A single IT organization is better positioned to recognize common processes that all administrations use, he added. “We will be able to build once and use many times,” he said. “That is going to help us with processes like identity management.”
Impact on VistA Clearly, centralization isn’t the question. Even vociferous opponents of aspects of VA’s program say the approach enhances information security.
“The question is not whether to centralize but where to centralize,” said Fred Trotter, an open-source medical software programmer and consultant at SynSeer. “Centralizing makes a lot of sense from a security standpoint because you can develop centralized security policies and enforcement.”
But he said he is concerned that VA’s new IT bureaucracy might try to manage VistA centrally, thereby stifling it. “That would be a huge mistake,” he said.
Advocates say centralization’s benefits include lower operating costs for infrastructure and less overall risk. It also enables greater consistency in customer service, allows a clearer focus on program missions, and gives an organization the ability to recruit and retain individuals with valuable IT skills.
“Disadvantages are few and usually occur as a result of poor implementation,” said John Kost, a managing vice president at Gartner. “History has shown that highly centralized IT operations can become very monopolistic and often neglect good customer service because they don’t think they have to be responsive.”
Those drawbacks worry John Glaser, vice president and CIO at Partners HealthCare System in Boston, an organization that runs 10 hospitals and employs 7,000 doctors. “Centralizing brings more efficient, standard and uniform systems and processes across the organization,” he said. “But the local IT group that lives in the hospital also brings value because it is responsive and feels accountable to the hospital [chief executive officer] and chief medical officer. This can encourage a rapid turnaround on local issues. The IT staff will work harder if they feel more a part of the situation.”
By the same token, Glaser added, individual hospitals can feel that their clinical or administrative needs are not being met under a standardized system. “There is a failure of business and IT alignment when the central group is not being responsive,” he said. “When hospital CEOs and CMOs feel that way, it is usually because their requests get lost in the central bureaucracy.”
Scoring Bs Glaser strives for a happy medium, but that can be tricky. “You usually see a slowly oscillating pendulum,” he said. “You try to correct some of the deficiencies of decentralization with more centralization” and vice versa over long, multiyear cycles. “You surrender some efficiencies to get a better local response, but you can’t be totally responsive because some things have to be centralized. So you end up scoring a B because you can’t get As across the board.”
Tibbits said he knows centralization is a double-edged sword. “The primary advantage is the clear-cut alignment of responsibilities,” he said. “When programs come in over cost or behind schedule, someone is accountable and it is clear who has to fix it.”
The primary disadvantage, he said, is that “you lose the spirit of innovation.” That is especially true at an organization like VHA, where “a nice idea from Palo Alto can show up everywhere.”
He said his goal is to allow that spirit to continue flourishing but make sure proper security controls are embedded in locally developed software and processes, especially before they are disseminated nationally.
However, Trotter said he remains concerned that VA’s central IT bureaucracy will inhibit the continued collaborative development of VistA and undermine it by introducing proprietary software.
“Historically, each hospital hired programmers to solve that hospital’s needs,” Trotter said. “Other hospitals then adapted those solutions to their own needs. With the centralization process, all VistA programmers will be working for a central bureau. This could stop 30 years of innovation in which the best local innovations were taken national.”
Tibbits said VA is striving to adapt VistA’s history of innovation to the new reality. “We encourage hospital staff previously engaged in local development to continue to do that,” he said. “They don’t need any permission from a central authority. They can go ahead and develop to their heart’s content.”
The difference comes when local innovations are slated for adoption nationwide. “We have created a very low bar to entry for innovation and a reasonably high bar to exit,” Luigart said, adding that to be taken nationwide, VistA innovations must meet mission and security requirements and be centrally tested for conformity to other controls.
Centralization bellwether Trotter’s concerns about proprietary software increased in November 2007 when VA signed a contract with Cerner to acquire its proprietary laboratory system. Cerner Millennium PathNet, the first such software VA acquired, will be integrated into VistA and replace some of its functions.
Cerner’s system will give VA several advantages, said Gary Dickerson, the company’s director of federal programs. For example, it will provide capabilities in several areas VistA does not support, including microbiology and anatomical pathology, and offer a more intuitive user interface.
“We will integrate with VistA through a standard interface,” Dickerson said. “Our technology will receive test orders from VistA, and we will send back the results of tests. Interfacing is something we do in every implementation.”
Deploying Cerner’s software marks the beginning of VA’s centralization effort. “Today VistA is deployed at 130 regional data centers,” Dickerson said. “The Cerner lab system will be installed in four data centers, and those four will serve the entire VA health system.”
“VistA is a workhorse,” Tibbits said. “It is our legacy system and is meeting a great deal of our short-term business needs. It will require continued care and feeding and tweaking to keep up with our short-term needs. But at another level, we recognize that we need a new architecture paradigm for the system of the future.”
In other words, the era of spontaneous and open software development is likely to go the way of the decentralized management structure. Department officials have decided they will adopt newer technology that will subsume VistA, and the Cerner software is just the beginning.
The Cerner deal also embodies the trade-offs inherent in the course VA is pursuing. The consolidation of the department’s IT infrastructure will save money, but the acquisition of proprietary software will be more expensive than the open technology development associated with VistA.
Centralization of IT employees and processes could also save money, but how will that affect the services provided to veterans? The answer to that question will require the same level of ingenuity from VA’s new regime that the old regime exhibited.
Government Health IT presents Rick Friedman, director of the division of state systems for the Center for Medicaid and State Operations with the U.S. Department of Health and Human Services, in this recent eSeminar regarding how the federal Centers of Medicare and Medicaid Services is partnering with state Medicaid and health and human services officials to bring Medicaid into the digital age. Paul McCloskey, Government Health IT editor, moderates.
