Originally Broadcast June 8, 2008

Washington, D.C.

Announcer: Welcome to The Business of Government Hour, a conversation about management with a government executive who is changing the way government does business. The Business of Government Hour is produced by The IBM Center for The Business of Government, which was created in 1998 to encourage discussion and research into new approaches to improving government effectiveness. You can find out more about The Center by visiting us on the web at businessofgovernment.org.

And now, The Business of Government Hour.

Mr. Morales: Good morning. This is Albert Morales, your host, and managing partner of The IBM Center for The Business of Government

To quote President Lincoln's promise, "To care for him who shall have borne the battle, and for his widow and his orphan," the Department of Veterans Affairs provides benefits to U.S. military veterans and their families. Though much has changed over the years, VA's mission remains constant: to provide competent and compassionate high-quality health care benefits and memorial services to the country's veterans. The VA has had a long, successful history of using information technology to meet its mission.

With us this morning to discuss VA's efforts in transforming its IT infrastructure and operations is our very special guest, Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs.

Good morning, Bob.

Mr. Howard: Good morning.

Mr. Morales: Also joining us in our conversation is Tom Romeo, IBM's general government industry leader.

Good morning, Tom.

Mr. Romeo: Good morning, Al.

Mr. Morales: Bob, let's start with some basics. Could you take a few moments to give us an overview of the history and mission of the Department of Veterans Affairs?

Mr. Howard: Sure. A history of providing benefits to American veterans goes back quite a ways. In the very early days, with the Pilgrims, in fact, laws were passed that the colony would support soldiers that happened to be disabled -- you know, some wars with local Indians, in fact. The Continental Congress, 1776, provided pensions for soldiers disabled during the Revolutionary War, but most benefits in those days came from state and local communities.

Over World War I, at that time, disability compensation insurance and that sort of thing were handled by three different federal agencies. This is around the 1920s. The three different federal agencies involved were the Veterans Bureau, the Bureau of Pension of the Interior Department, and the National Home for Disabled Volunteer Soldiers. So that was what happened after World War I.

The Veterans Administration was actually established in 1930. And then in 1973, the Veterans Administration added to their benefit portfolio, if you will, the National Cemetery system. But the Department of Veterans Affairs as we now know it today was established as a cabinet-level agency on the 15th of March 1989. And as probably most people realize, it is now the second-largest cabinet-level department in the United States.

Mr. Morales: So on that note, can you give us a better sense of the scale of the Veterans Administration, how perhaps it's organized, size of its budget, staff, and the geographic footprint?

Mr. Howard: It's a very large agency, over 240,000 employees. The veteran population that is on the roll, so to speak, is about -- I think it's between 7- and 8 million. Visits to our hospitals in a given year is over 5 million. So it's quite massive. We cover all the states, of course, across the country, and even have organizations in other parts of the world -- Puerto Rico, Guam, and the Philippines -- so a very extensive organization.

From an IT standpoint, a couple of years ago, the organization was a typical staff agency, between 3- to 400 people. But now, due to the centralization that has taken place over the last couple of years, our organization is almost 7,000 strong, located all over the country.

And we're organized in five general areas. In fact, these are Deputy Assistant Secretary positions, if you will. Information protection and risk management has of course received very high priority over the last couple years, ever since May of '06, in fact. And it's really a field organization, yet it has security offices that are located in most of the facilities throughout the country.

We have a Strategy, Policy, and Plans Deputy Assistant Secretary who focuses on future kinds of activities. We have one that deals with resource management, managing the budget and the human resources part of information technology. And then we have a rather large organization that focuses on development, almost 1,000 individuals. And these are the folks that put together new development programs, adjustment to commercial off-the-shelf software and whatnot. And then the last very large organization is Operations and Field Development. This is the biggest particular part of our organization, and they're responsible for keeping things humming along at the individual hospitals and regional offices and what have you.

We also have an organizational management activity that at least is in place for a little while as we continue to try to reorganize IT in the VA. You know, we're not quite done on that yet. We have an oversight and compliance capability that's very aggressive, very robust. In fact, we put that together right after the breach that we experienced by in the '06 time frame, and that has been very helpful to us in terms of identifying problem areas and getting some focus on things that need to be fixed.

And then we have an organization that deals with quality and performance, which that's not a big organization, but obviously a very important one.

Budget-wide, the VA budget is approaching $90 billion. And our particular part of it in information and technology, just to give you a feel for it, in our '09 request that is now up there on Capitol Hill, it's about $2.4 billion to support information and technology, both development and operations and any maintenance expenses that need to take place. And that particular amount does include over $700 million to support staffing, and as I mentioned earlier, the staffing is almost 7,000 employees.

A very, very large organization. IT has been centralized over the last couple of years, and again, we are still maturing as an organization.

Mr. Romeo: Bob, can you tell us a little bit more about your specific responsibilities and duties as Assistant Secretary for Information and Technology and the CIO at VA?

Mr. Howard: Well, yes. I mean, I serve as the Chief Information Officer. And there are federal laws that address that particular position, so the responsibilities are quite broad. I advise the Secretary, of course, on all matters pertaining to acquisition and management of IT systems. I'm responsible for overseeing the operation of VA's computer systems to telecommunications networks that support medical, benefit, and cemetery activities.

The very important part of all this is not just computer software, but information protection. You know, that's a really big responsibility of the CIO, cybersecurity and all that. That's a very important part of the CIO's responsibilities.

Mr. Romeo: In regard to your responsibilities and duties, what are the top three challenges that you've faced in your position, and how have you addressed those challenges?

Mr. Howard: I'd say the biggest challenges orient on the human resources part, making sure that we can bring on board and retain high-quality individuals, because one of my first priorities is to establish a high-performing IT organization.

Another area that is tough right now is standardization, and that's another key priority of ours as part of the reorganization is to standardize IT infrastructure and business processes. It's difficult, because one of the unique things about the VA, it's a decentralized organization. And when you have a decentralized organization, it's sometimes very difficult to keep things standardized. It's operated in a decentralized way, quite frankly, deliberately to improve the quality of care. And over the last -- during the '90s, Dr. Kizer was a key individual in turning around the quality of care in the VA. And he did that through decentralization, and holding individuals accountable based on a set of criteria. When we did that, we probably did not pay enough attention to standardizing from an IT standpoint, and we've now recognized that that has created some problems. And that's one of the main reasons why the IT reorganization took place, to try to bring a little more standardization and visibility over financial systems.

And while I'm on the financial part, that's another challenge. Of course, this is expensive business to get adequate funds appropriated from the Congress, not only for software and equipment and what have you, but in order to support the staffing needs that we have. And there are areas where we're concerned about adequate numbers of staff. In fact, we've got a study going on right now to try to determine what is the right staffing mix at the various hospitals, regional offices, and what have you, because it has not been done in the IT arena.

For example, in Veterans Health Administration, they have methodologies to determine how many nurses and how many doctors might be needed for certain sizes of facilities. We don't have anything like that in IT, and we're generating that right now. In fact, helping us in that particular study are individuals who do that for doctors and nurses and what have you, so that'll be very helpful to us.

The last thing I'll say on the challenge side is the IT appropriation. In 2006, Congress established an information and technology appropriation for the VA. I think we're the only government agency that has a separate appropriation, and it's a line item appropriation. And whenever you have a line item appropriation, there's a challenge making sure you get that right up front. We sometimes miss a little bit on that. We've been working with this appropriation now for a couple of years, and it has forced us to plan ahead and to pay much more attention to the intricacies of financing IT.

Mr. Morales: So it sounds like human resources, standardization, financial management, and IT appropriations keep your day pretty busy then.

Mr. Howard: Yes, and also supporting our customers in the field, with the hospital directors and regional offices. You know, when we established organization of IT in the VA, there was a lot of angst out in the field about having their IT staff transferred to a central organization, and that still exists to some degree. So that's a challenge, to make sure we can produce and can -- demonstrated performance is what's going to make the difference, and we're still working on that.

Mr. Morales: Now, Bob, I understand that aside from a 33-year career in the Army, you also spent about 9 years in the private sector. Could you tell us a little bit about how you got started? And more importantly, how have these experiences prepared you for your current role today?

Mr. Howard: Well, first of all, the years in the Army of course were very helpful in terms of almost anything you do, because the Army spends a lot of effort on leader development, training, and education of its officers. In fact, the military does an exceptionally good job on that. And, quite frankly, we're trying to adopt some of those techniques for our own people. The years in the Army, I spent some time in, of course, command assignments and also in operations research kinds of assignments, which dealt with building simulations and that sort of thing, so IT-related.

In the private sector, the company I worked for is the Cubic Corporation, and one of their main areas of focus, if you will, was simulation and information technology, so that was very helpful. A lot of the work that I did when I was with Cubic was in Central and Eastern Europe, helping those countries get into NATO, westernize their methods and what have you, and quite a lot of dealt with information technology.

And then the last, when I came to the VA almost three years ago now, I became the senior advisor to the Deputy Secretary. This was before -- about a year before I took over as the CIO. And in that job assisting the deputy, he had me involved with a lot of IT programs; in fact, modernization of the electronic health record and things like that. So I became pretty familiar with VA IT even before becoming the CIO.

Mr. Morales: That's great.

What about the VA's IT transformation effort? We will ask Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs, to share with us when the conversation about management continues on The Business of Government Hour.

(Intermission)

Mr. Morales: Welcome back to The Business of Government Hour. I'm your host, Albert Morales, and this morning's conversation is with Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs.

Also joining us in our conversation is Tom Romeo, IBM's general government industry leader.

Bob, you talked a little bit in the last segment about VA's IT realignment and some of the transformation efforts that you've undertaken. Could you tell us a little bit more about this? And specifically, how does this new model differ from VA's previous mode of operations?

Mr. Howard: The decision to transform the IT management system in the VA was made to correct some longstanding deficiencies in certain areas, and a lot of this came from the Congress. They were very concerned about it. With the decentralized way that the VA was operating as it pertains to IT, they could see different kinds of computer systems and different applications and what have you being used throughout the VA; very difficult to tie some of that together.

The reasons for the reorganization are several. The VA was not maintaining a standardized IT infrastructure. Interoperability of IT systems was a problem. The compatibility of IT programs was also a problem. Also, the financial aspect of it was of some concern to the Congress. It was they were not satisfied with the visibility that they were getting over where the IT money was being spent and that sort of thing. And so a lot of pressure from the Congress to centralize the activity and change from a decentralized way of doing business.

In the past, under a decentralized model -- if you were a hospital director, for example, and you needed some computer application or whatever, you could just go get it, particularly where you didn't have an IT appropriation to worry about. And quite frankly, if any one of us was a hospital director, you'd probably like that, as long as you got the money you needed and what have you. But when you take a look across a large organization, if that kind of modus operandi, if you will, goes on for a period of time, you do begin to lose from the standardization standpoint. And that might have been okay 15 or 20 years ago, but in this day and age, with the web and all of that, it creates problems. So more than anything else, it was a standardization focus, which is why the Secretary finally decided to do that.

And he took it in a couple of bites. First of all, this is under Secretary Nicholson, the previous Secretary of the VA, the first one, he made a decision to consolidate operations and maintenance, the day-to-day functions of running IT. And then several months later, he decided to include the development part of it. And so what we have right now is called a single IT leadership authority for the VA that covers all of the operations and maintenance, the development, all of the security stuff, the handling of the IT appropriation, all of that.

Mr. Morales: So what are some of the key benefits and advantages of moving to this new model? And could you elaborate perhaps on some of the few principal key elements of this new model?

Mr. Howard: Visibility over IT activity throughout the VA is clearly, clearly an advantage. And we are discovering problem areas that need to be fixed. To some degree, we're beginning to solve the problem of the haves and have-nots. For example, in the past, if you were a hospital director or an RO director, you may have spent money on IT infrastructure and kept things up to speed, if you will, and you may not have. I mean, it was sort of up to the individual directors. The IT reorganization is helping now to get visibility over areas that were not adequately resourced in the past and do need to be brought up to speed, so to speak, particularly in the infrastructure arena.

The personnel part, we're putting together a career development program for IT individuals, IT employees. That existed to some degree in the past, but was not very robust. So we believe the reorganization will be helpful to us in that area.

I mentioned the appropriation. Financial visibility is much greater than it was before.

The other advantage that I want to comment on has to do with security. You know, everybody remembers the breach of May of '06. And then we reorganized and began to move down the path towards a central IT leadership authority. That has given us much better capability to mandate security methodologies and what have you throughout the VA. To give you an example, we encrypted all of the VA laptops in 2006. That would have been enormously difficult under the previous decentralized way of doing business.

The final thing I'd like to say on that is, as part of the reorganization, which the studies and the assistance, of course, was provided by IBM, what IBM also did was produce 36 IT processes that we are now implementing. In fact, quite frankly, it's taken us a little longer than we thought because they're very complex. And whereas we wanted to be through with all that by this summer, it'll probably take us a little bit longer because they're very good, but it's just taking longer than we anticipated.

Mr. Morales: So on this note, Bob, this obviously represents a significant transformation for the organization. What are some of the key lessons that you're learning from this transformation, and what advice might you give another federal agency who's perhaps thinking about large-scale change such as this?

Mr. Howard: One of the first -- in fact, the most important is senior leadership commitment. If you don't have that, you can forget it. Because anytime you have to have a change that is so massive and affects so many people, you're going to get resistance. You really are. And that's why the senior leadership commitment is extremely important.

We started out in sort of an incremental path, then realized a full-up transformation is probably a much better way to go. Piecemeal implementation would not really do as well. Aggressive schedule, we feel that speed and intensity is a strategic asset to some degree. That's a mixed bag, because sometimes when your schedule is overly aggressive, you may head in a direction that you really didn't want to go in. We've had a few hiccups along those lines. Aggressiveness and speed does help put things in place.

Performance measures, we are working on that, not only to focus in on what needs to be delivered, so to speak, but to hold our senior leaders accountable for achieving success.

And then the last one I'd suggest is be decisive. You know, develop the plan and stay with it, stay focused. So those were some lessons learned.

I would like to say one thing, though, and it sort of flies in the face of setting an aggressive schedule, and that is, it would have been helpful perhaps for us to have a more in-depth assessment of existing conditions before we actually moved out on this. I think if it's the one thing I would have liked to have seen done, it's that. We probably didn't realize how important it was. But we're finding a lot of issues and problems that we were not aware of, and those would have been uncovered, perhaps. However, that could have slowed things down and it could have stopped the whole initiative, but I'll throw it out there. You know, if it can be done, I think it's -- you need to know what it is you signed up for.

Mr. Romeo: So, Bob, you've talked about a number of processes and lessons learned. IT governance is critical to the success of an effort as encompassing as the VA IT realignment. Could you tell us more about VA's plan to enhance governance through the establishment of a set of governance boards?

Mr. Howard: Yeah, Tom. In fact, the government boards have only recently begun over the last probably six months. It took us a while to put the concept in place. But basically, the procedures we're using, the concept, if you will, is to link in to a very important overall board for the VA that's called the Strategic Management Council, SMC. That's headed by the Deputy Secretary. It includes all of the Assistant Secretaries and the senior officials and what have you.

The SMC always did have an IT component that fed information into that body. And so what we did, we expanded on that particular part of the SMC construct and formed three subordinate boards, and this is the key governance thing now that deals with IT.

The first one, we call the Information Technology Leadership Board. And I chair that one, and equivalent officials, of course, sit on it. That's a high-level IT board. It determines the IT goals and approves the IT budgets and programs and resolves issues of the two subordinate boards that I'm going to talk about next.

And then, so, under the ITLB, under the Leadership Board, is two boards: one of them is the Business Needs and Investment Board -- we call it the BNIB, and the other one is the Planning, Architecture, Technology, and Services Board. We call it the PATS. The basic difference between the two, the BNIB is more a near-term kind of activity; budget formulation, budget execution, that kind of work. That one is chaired by the Principal Deputy Assistant Secretary for IT. And he also has the wherewithal, according to the governance construct, to have other Deputy Assistant Secretaries chair that. So for example, if the BNIB happened to be dealing with an information protection issue, during the whole meeting, he could have the Deputy Assistant Secretary for Information Protection chair that particular meeting. That's a provision that we put in the construct.

The PATS Board deals more with future-type work: architecture, planning. And we've recently begun developing a program process not unlike what goes on in DoD, where you lay programs out of a multiyear period. In fact, we're putting together the first three-year multiyear program for IT, and that particular board is orchestrating it. So they're more future-oriented. Those are the boards.

Now, there are other working groups and what have you that feed those three organizations, so there's other activities at a lower level. But by and large, it's the SMC, the Leadership Board, the BNIB, and the PATS that we use to do our work.

Mr. Romeo: The VA is rightfully proud of its leadership role in health information technology. Would you tell us about the VA's effort to modernize its Veterans Health Information System and Technology Architecture, also known as VistA? What are the goals for the VistA modernization, and how does this modernization effort seek to transform VistA from a hospital-based system to a patient-centered system?

Mr. Howard: There's a lot of activity going on there. Obviously, we want a better continuity of care, where electronic health records can be shared not only within the VA, but with other government agencies, like DoD and what have you.

The VistA system was built quite a while ago. It's an older code. It's written in a MUMPS code. What we want to do is transform that so that it's more Java-based, can be used in a web environment, and also interface a little better with, as I mentioned, other government agencies. It's very, very complex. You know, the work, when you really take a look at VistA itself, it sort of grew up over the years, has a lot of separate applications that are interwoven. It's very difficult to pull it apart so you can build the piece-parts back together. We're trying to use a service-oriented architecture to do our work, building packages that can be used not only to support health care, but benefits as well. An example of that is the identity management component, for example, of the health record could also be used for benefits activities or what have you, and other. That's the SOA approach, the service-oriented architecture.

We are moving to a patient-centric environment, where veteran health information can be shared even easier than it can already. And as you know, we already have a good deal of that, but we want to improve on it and make it seamless, where no matter where the veteran goes, the access to his or her medical information is very easy, to the point where it can actually be accessed by other government agencies, as I mentioned a couple of times now. There's a big effort underway to better link DoD and VA in the electronic health record arena. I think you're probably aware of some of that. The most important aspect of that, by the way, is the standardization of data. It's not so much the application as it is the data that needs to be standardized and that can be used by almost any application.

But with that said, we do have some studies underway to determine what is the best way to try to combine the DoD electronic health record and the VA, and that work is ongoing. It's a very high priority with our current Secretary, General Peake. He's putting a lot of emphasis on that.

We're also trying to better understand the ongoing activity just to keep our current electronic health record healthy and moving along, and at the same time move as rapidly as we can to modernize it. In fact, we've had several large-scale meetings with our people who are very familiar with the electronic health record, trying to lay that out at a master plan, which really does not exist, that ties the current system to intermediate solutions, and then on to the future HealthyeVet environment, which is the future electronic health record.

It's striking how complex this particular area really is. I mean, there are a lot of tentacles, and you have to be careful as you modernize this not to break something and not to forget some key component of an application that is very important to doctors and nurses and what have you.

Mr. Morales: Now, Bob, we hear a lot about collaboration and partnerships among agencies and with the private sector to achieve mission results. I only have a minute left in this segment, but what kinds of partnerships are you developing now to improve IT operations and outcomes at the VA, and how do you see these partnerships changing over time?

Mr. Howard: Yeah. There's quite a bit of activity with DoD. I mean, it's very, very intense, much more so than it was a year ago. That's the big one. Health and Human Services, of course, is very important. We also -- from a data exchange standpoint, Medicare, CMS is a very important activity to us as well.

There are also associations with universities. In fact, that's a very important aspect of the health environment in the VA. We call them "affiliates," where we have very strong linkages to medical schools throughout the country. In fact, you'll notice if you go to a VA hospital, for example, generally they're located right near a civilian university, and sometimes several universities, almost like a complex of medical schools right there together. So those relationships are extremely important. In fact, many of the doctors that work in VA or that work across the country in the private sector got their training linked to VA in some way. So those are very important relationships and partnerships.

And then, of course, there's the private sector, contractors in a number of different areas. In the IT arena, we get a lot of assistance from the private sector in helping us run our electronic health record and fix our infrastructure and what have you. That's an enormously important part of IT. In fact, when you look at the laundry list of contracts that we have, in the IT arena, it's quite extensive. We have over 1,300 in a given year and almost 250 of them are over $1 million, so it's huge -- the contracting activity. So the bottom line is we couldn't operate without a lot of help.

Mr. Morales: What about VA's efforts to secure its IT systems and data?

We will ask Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs, to share with us when the conversation about management continues on The Business of Government Hour.

(Intermission)

Mr. Morales: Welcome back to The Business of Government Hour. I'm your host, Albert Morales, and this morning's conversation is with Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs.

Also joining us in our conversation from IBM is Tom Romeo.

Bob, could you tell us a little bit more about data security assessment and the strengthening of controls program, and how it seeks to enhance VA's protection of personal information data security. More specifically, what role does this program play in facilitating the Secretary's priority of making VA the gold standard of data security?

Mr. Howard: That program was actually established very shortly after the breach that we had in May of '06. The intent was to first and foremost conduct a very robust assessment of existing conditions from a security standpoint across the VA. And we had several weeks during which we received various briefings from the various departments and what have you, laying out what their situation was. We also had assessments in the IT arena of data security procedures and what have you. So that was the assessment part. We learned a lot about some of the things that we needed to fix.

And then the strengthening of controls is actually broken down into three areas. We have a technical type of controls, like encryption, and management controls, where you make sure that your policies and directives are properly written and very clear, and then operational kinds of controls, like making sure that procedures are correct and the training is properly executed and what have you. It is in fact the most important overarching program that we have in place to achieve the gold standard. And what it is, it's a massive action plan. There's about 400-plus separate actions. Each one of them contribute in some way to tightening the security throughout the VA.

An example is to improve the way we do background investigations, to improve the way we do identity checks, to improve our access management, to improve the way we conduct patch management and change controls and things like that, to improve on our capability to monitor our networks and to encrypt our products and what have you. So if you can visualize a massive action plan, that's what this is. Not a week goes by that we don't add some other action to it that we realize needs to take place. So it's very important. We spend -- I get briefed on it very often. Every couple of weeks, the folks come in and let me know how they're doing.

Another key component of this particular action plan are all of the IG and GAO deficiencies that have been cited over the years. That's a major subset of this particular action plan. And in fact, we've consolidated those kinds of deficiencies into what we call "champion areas." I've designated by Deputy Assistant Secretaries -- and as you know, I've got five of them -- I've designated each one with responsibilities to oversee the corrective measures associated with the IG deficiencies and the GAO deficiencies.

Mr. Morales: Great. So continuing on this theme, could you elaborate a little bit more on your efforts around the encryption of data, and enhancing the VA's security incident management and monitoring processes?

Mr. Howard: Well, Al, one of the first things we did was to encrypt VA laptops. The mandate was to put full hard drive encryption on all VA laptops. In fact, I believe the number now is almost 18,000. Now, there were some that we ran into where we could not put the encryption, particularly laptops that were part of a medical device, where we actually could not change them because if we did, we'd have to go back through F -- you know, Certification.

And the other areas that we would have liked to encrypt are personal laptops. You know, for example, we have physicians, part-time physicians especially, that are using their own equipment. But what we have mandated is if you are interfacing with sensitive information, you are required to have your equipment protected, so at least we have that provision in place.

We also mandated the use of encrypted thumb drives. We were getting too many instances of individuals losing thumb drives that had fairly large quantities of health records on the thumb drives. So what we did is we outlawed those, said you can't use them on VA in fact, if you try to place an unencrypted thumb drive in a VA computer, in one of the ports, it will not work. We have a suite of encrypted thumb drives, various types, that are FIPS-compliant that will operate with VA equipment, so that's been done. And there's no restriction. In other words, if a supervisor says, yes, this particular employee needs an encrypted thumb drive, we issue him one and we track them, also. So those two initiatives were very important.

We're also mandating the encryption of sensitive information across the board. In fact, there's a key handbook that we published last fall, Handbook 6500, that's got a lot of policies in it pertaining to sensitive information, what you can and cannot do. The protection aspect is very, very high.

Protection of e-mails, we have of course public key infrastructure, PKI. You know, I have my little BlackBerry here and I can send messages that are fully encrypted. We also have other encryption products that are being deployed across the VA.

And the other thing that we've recently begun to deploy is better port monitoring software and network monitoring software. The point that -- we want to get into a posture where we can, if we see a session going on, if somebody seems to be downloading huge amounts of sensitive information, we can peer into that and make some queries and find out what's going on. We can also prohibit the downloading of information from a remote computer. Now, this particular capability is not fully deployed yet because, as you can tell, it can get rather onerous. So we're going through this process very carefully, because what we don't want to do is impact the treatment of veterans or anything in a negative way, so we're trying to be very careful.

And there are other initiatives that we have going on, all focused on creating a very secure environment in the VA, an organization that deals with massive amount of information. You know, we are an information organization, whether it's health information, benefit information, or what have you.

On the incident work, right after the incident happened in May of '06, we put in place a very robust incident management capability. In fact, it's probably one of the best in government. We don't even ask questions. When someone says they may have an incident, we report it right away to the computer emergency response team for the federal government. And so as a result, we see a lot of them. Most of them, fortunately, are not serious, but every once in a while, we do get an incident that is a problem. And we have a capability in place now to deal with those as rapidly as we can, to notify any affected veterans or employees that happen to be at risk, and also offer them credit monitoring. You know, if we believe that their information really is at risk, we do that. We do that as a matter of course. It's a very robust process that's been very helpful.

That particular process is always also helpful to us in increasing awareness of the importance of protecting information. People know this is serious, and they don't hesitate to report if they see something wrong. If an incident has happened, employees report it. It's very good.

Mr. Romeo: Bob, on that vein, a major cybersecurity concern of any company or agency is their employees not thinking about risks, and being careless about personal information and data security. What steps has VA taken to create or cultivate a culture of accountability and protection of sensitive personal information to ensure continued improvements in addressing such security weaknesses?

Mr. Howard: Well, we have improved the training programs that all employees are required to take in two areas: security training and privacy training. Those are mandated training programs for all employees. The other initiative that we've begun, and it's mandated in Handbook 6500, is those rules of behavior. You know, before an employee can have access to sensitive information and to our computer systems, they have to sign a rules of behavior. And those are more extensive than they were before. Now, we're not having employees sign those until they're adequately trained. You know, we're not asking them to sign something that they're really not that familiar with, but that's a very important part of it.

Communication is more extensive than it was in the past in a number of venues, through the Internet announcements and what have you, and publications that go throughout the VA. We also have conferences that are very important. In fact, the annual one we have is InfoSec, Information Security, conference that takes place every year. There are several very good separate training tracks that individuals can go to orient in all aspects of data security.

Mr. Romeo: VA has made some significant progress towards the development of secure interoperable health technologies that support health sharing with the Department of Defense. To that end, could you elaborate on the VA-DoD information sharing effort and its status to-date?

Mr. Howard: Yeah. Actually, it has improved, and VA and DoD right now bi-directionally are sharing clinical-pertinent health data that is available electronically, like for example, laboratory results, medication/prescription data, allergy information, radiology reports, discharge summaries, and other narrative documents that are prepared by physicians in either VA or DoD. It continues to increase. For example, beginning to share information from the theaters and information that's available in either VistA or AHLTA, AHLTA being the DoD electronic health record.

Initiatives in support of wounded warriors, it's very intense in terms of sending scanned images, even of paper, in-patient records between some of the major facilities, like Walter Reed and Brooke Army Medical Center in Bethesda. This is now going on, where images are being shared across the board. A lot of effort here in terms of sharing information, and also ability to view some of this remotely. You know, there is capability within VistA to view information remotely. What we want to ultimately move to is an environment where we have a lot of this information that is computerized and not just image, where you can actually work with the information that's sent.

Mr. Morales: Bob, it's been my experience that initiatives such as these that we've been talking about -- IT transformation, increased efforts around security and privacy -- that they typically encounter a tremendous amount of internal resistance to change, and especially the issues around the IT transformation where you talk about centralization. How has the VA handled these changes and managed any resistance to these efforts?

Mr. Howard: You know there's always resistance to a change as big as the one we're experiencing. We have used some basic principles to help us through that: increased communications, satellite broadcasts, not only from IT, but also getting some of the senior guys involved, like the Secretary and the Deputy and what have you. Communication is absolutely critical not only throughout the IT organization, but to those who we support.

The other complicating factor to this is the IT appropriation, because sometimes there are concerns and complaints from the field that really have less to do with the organization than with the fact that money is much tighter than it was before. So we're trying to make sure those communications take place. But we got a lot more that we need to do in this area, that's for sure.

Mr. Morales: Great.

What does the future hold for the VA and its IT operations? We will ask Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs, to share with us when the conversation about management continues on The Business of Government Hour.

(Intermission)

Mr. Morales: Welcome back to our final segment of The Business of Government Hour. I'm your host, Albert Morales, and this morning's conversation is with Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs.

Also joining us in our conversation is Tom Romeo, IBM's general government industry leader.

Bob, given the critical role information technology plays in mission and program delivery, would you give us your view on how the role of the CIO has evolved? But more importantly, what are the characteristics of a successful CIO in the future?

Mr. Howard: As far as being a successful CIO, the ability to lead people and get the most out of your employees I think is very, very critical in any senior position -- whether it's a CIO or a CFO, it simply doesn't matter. That leadership part is absolutely essential, because all of this work gets done by people. People need to be motivated, they need to feel good about what they're doing, they need to be productive and all of that, and that all falls under leadership and the overall management construct.

As far as the characteristics of a CIO, obviously a blend of managerial ability and experience is very, very important, particularly in an organization as complex as the VA; understanding how to deal with all of the various piece-parts and how they're connected together; put systems in place so you're constantly able to monitor all that; and then clearly, as much of a technical background as you can have is clearly beneficial. You know, in my own case, when you look back over my background, I'm really not what you would think of as an IT person. You know, I have sufficient technical background where I'm at least comfortable in the arena. The more a CIO has really good, solid technical credentials, I think you're much better off, providing it doesn't skew so much in that direction that you lose some of the managerial part. It's a good balance. You must have the balance between the technical background and the ability to lead people.

Mr. Romeo: Bob, VA has probably not undergone a change on the scale of the current VA IT realignment since its introduction of the veterans integrated network system, or VISN. With the continued evolution of VA IT, how do you envision VA and its information technology efforts evolving in the next three to five years?

Mr. Howard: Clearly, we need to get the processes I mentioned that we're working on right now. These are very important as we lay those down, and to continue to improve on them. First, put them in place, and we have some in place, but they're not all in place. When they do get firmly embedded, we need to continue to improve on it.

The other thing that we have to continue to improve on are the methods we use to just run and manage our organization. What we basically have with centralization of IT in the VA, we have a very interesting situation from an organizational standpoint. We have people all over the country, and in some cases they're just onesies and twosies -- just small groups of people providing IT support, whether they're in a regional office or a hospital or whatever. Managing those individuals, keeping them current on ongoing initiatives, communicating with them, making sure they know what the procedures are, is very difficult.

Now, we have organized ourselves into regions. You know, we have like regional directors. I just recently established positions, one to handle the Eastern part of the country and one to handle the Western part. So we recognize the span of control issue as a problem, but it'll be difficult to solve that. Continuous communication, ready communication, both up and down, is the key to that. So when I think of how we're going to evolve over the next three to five years, I put that very high on the list.

Obviously, we have a lot of technical initiatives that we have to get finished, and those that really need to get started. We need to upgrade our infrastructure. We've found some problems there that we need to put some focus on. We need to adopt more of a service-oriented architecture in our software development activities.

But more than anything else, we need to improve on the way we communicate with our people in IT as well as our customers, and that's a big challenge right now. It really is. We're using all the methods we can possibly think of to make sure that the folks out there in the field providing IT support on a day-to-day basis know what's going on, know they have ways to communicate with their senior people, and get support when they need it.

Mr. Morales: Now, Bob, you focused a lot on people in our conversation here. And it's been my experience that transformation efforts create new competitive areas and the need for new competencies. To that end, what steps are being taken to attract and maintain a high-quality technical and professional workforce?

Mr. Howard: We have under Development a career development program. In fact, we have an IT career management office underneath my Deputy Assistant Secretary for Resource Management. Recruiting also comes under that particular Deputy Assistant Secretary.

We first began by just trying to outline all of the skill sets that are required in the IT field, and it's quite extensive -- whether it's software development, systems engineering, security, all of that. We have all those skill sets identified, and we're now going through developing particular tracks. What kind of training and education does a person need to move up through a various subfield, if you will. Like take, for example, data security or cybersecurity. You know, what are the things that a young person needs to do to posture his or herself as they move through their career in that area?

We're probably the furthest along in the security arena. We've developed career programs and skill sets. We have a couple of very good training programs, some of which are interactive on the web, others are live training programs. In fact, we've established a training center up in Falling Waters, West Virginia. We've established an intern program in the security arena, where we're hiring young interns to bring them -- because this is a very technical field and an extremely important one.

And the other part about the security area, which is why we've paid a lot of attention to it, the individuals have a difficult job. Sometimes they could be all by themselves at a particular facility in the VA, and so they have to be pretty capable in order to handle themselves in that kind of an environment. So training and education and improving their skill sets is very important, and a lot of work going on in that area.

Mr. Morales: Now, you've clearly had a very successful career within the public service. What advice might you give to someone who's out there thinking about a career in government?

Mr. Howard: Yeah, I would say that quite frankly, the standard approach applies. You know, understand what your job is. Understand who you're doing it for. That's very important, remember who you're working for. In the public service, you may be working for an individual, but you're also working for the American people, because that's what public service is all about.

The other thing that you realize, probably more so in public service, is how our government actually works -- the three branches of government. And particularly, if you're a senior person coming in to the public service for the first time out of maybe the private sector or whatever, you have to have a good understanding of that. In other words, the role of the Congress, the role of the Executive Branch, and how you fit into all of that. Don't get frustrated. These three branches of government were put together deliberately. And democracy is not necessarily an easy kind of government to operate within, but it's sort of like get over it, you know? This is the way our system works. And if you're a senior government official, sometimes you just have to take the heat. But more than anything else, remember that you're responsible to the American people. And from that standpoint, you need to be good stewards of public funds and resources.

A career in public service is rewarding. I will say that, for example, in the VA, you know that we have a very clear mission: to support veterans and all those who have given a great deal to our country. And so -- and I think this is a feeling that is probably universal throughout the VA employees -- that they really do feel a sense of mission in that they're supporting our heroes, American heroes, and there's an awful lot of them, as I mentioned earlier.

Mr. Morales: That's a wonderful perspective, thank you. Unfortunately, we have reached the end of our time. I want to thank you for fitting us into your busy schedule, but more importantly, Tom and I would like to thank you for your dedicated service to our country, especially to our veterans.

Mr. Howard: Well, I really appreciate the opportunity to be here with you today. I will say, just to kind of wrap it up, that we have a very aggressive initiative going on in the VA with IT, robust activity. We've got a lot of high-energy folks engaged in this, all working very hard to make IT within the VA a lot better than it has been in the past. With that said, we've got a lot of work to do, but everybody needs to know they've got some highly dedicated employees, almost 7,000 of them out there, trying to make this work, and some of them with very difficult jobs, but they got a good positive attitude. And again, more than anything else, they know who they're ultimately supporting, and that's the veterans.

Mr. Morales: That's great.

This has been The Business of Government Hour, featuring a conversation with Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs.

My co host has been Tom Romeo, IBM's general government industry leader.

As you enjoy the rest of your day, please take time to remember the men and women of our armed and civil services abroad who may not be able to hear this morning's show on how we're improving their government, but who deserve our unconditional respect and support.

For The Business of Government Hour, I'm Albert Morales. Thank you for listening.

Announcer: This has been The Business of Government Hour. Be sure to join us every Saturday at 9:00 a.m., and visit us on the web at businessofgovernment.org. There, you can learn more about our programs and get a transcript of today's conversation.

Until next week, it's businessofgovernment.org.

* * * * *