Dan Verton Archives | FedScoop
https://fedscoop.com/author/dan-vertonfedscoop-com/

FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals.

Pentagon awards massive electronic health record contract
https://fedscoop.com/pentagon-awards-10-billion-electronic-health-record-contract/
Wed, 29 Jul 2015 12:51:45 +0000

The 10-year, $5 billion deal marks the beginning of a major transformation in military health care.


The Defense Department late Wednesday awarded Reston, Virginia-based Leidos Inc. a 10-year, $4.3 billion deal to begin work on the first phase of the largest government health information technology contract since the troubled rollout of Healthcare.gov.

Pentagon officials briefed reporters just hours before the department announced the contract for the Defense Healthcare Management System Modernization program, which could be worth up to $10 billion over 18 years. Deployment of the new electronic health record system to up to eight initial operation and testing sites is scheduled to begin by the end of 2016.

Leidos, which partnered with EHR developer Cerner and Accenture Federal, prevailed against two other bids offered by IBM, which teamed with Epic Systems, and Computer Sciences Corp., which teamed with HP and EHR developer Allscripts. Leidos’ Health division comprises the companies formerly known as SAIC, Vitalize Consulting Solutions and maxIT Healthcare.

Two years in the making, the contract is “an important step in the acquisition of modern health care in DOD,” Undersecretary of Defense for Acquisition, Technology and Logistics Frank Kendall said in a briefing with reporters. “I have spent more time on this program than any other DOD program, including the F-35 fighter.”

The contract award marks the beginning of a major shift toward commercial software for the Pentagon’s global electronic health record system. It comes after years of struggles to devise a joint system with the Department of Veterans Affairs that ultimately failed due to a combination of bureaucratic turf battles, differing business processes and cost projections surpassing $25 billion.

Christopher Miller, the Pentagon’s program executive officer overseeing the contract, said the selection of Leidos out of an initial pool of six offerers was based on the maturity of the company’s software and the proposed technical architecture.

“Today is just the beginning,” Miller said. “We understand that the hard part is just now going to start. From a program office perspective, our focus is now really shifting toward testing. What you’re going to see over the next few months is an incredible test regime. We’re going to be digging deep into security, we’re going to be really looking at interoperability both with the VA and the private sector, [and] we’re going to have a lot of functional people involved to make sure the workflows they are looking for are delivered,” he said.

Full-scale deployment will be a “massive” undertaking, requiring up to seven years to deploy the software to 1,000 sites in support of 9.5 million users. But the system must first get through extensive testing at eight facilities in the Pacific Northwest. After initial testing, the sites will go through extensive user training and begin the technical transition from the old system to the new system. Final operational testing will then ensure the system is reliable and suitable in a realistic environment.

Kendall also emphasized that testing will focus heavily on cybersecurity, which has garnered significant attention at the highest levels of government in the aftermath of several data breaches at major private health care providers as well as the Office of Personnel Management. “We’re going to be scanning all of the code, for example. That’s something that’s not normally done by a commercial buyer,” Kendall said.

Each vendor was required to certify to the department that they scan their software for vulnerabilities and then report all of those vulnerabilities to the Pentagon. “This was an explicit requirement in the request for proposals that was closely evaluated and we have spent a lot of time with the vendors well before” the OPM hack, Miller said.


Pentagon officials insisted that interoperable data standards — a major issue for many critics of the department’s decision not to work with the VA on its EHR, known as the Veterans Health Information Systems and Technology Architecture, or VistA — are a central focus of the Leidos contract moving forward.

Lawmakers on Capitol Hill have been critical of DOD’s and VA’s inability to provide end-to-end EHR interoperability from the time a person joins the military to the time he or she leaves the service and requires veterans care. Between 2011 and 2013 alone, they spent more than half a billion dollars on a failed effort to develop a new joint-integrated EHR.

One of the things that will be monitored over the life of the contract is how well the vendor adheres to the national data standards required by the Office of the National Coordinator for Health Information Technology within the Department of Health and Human Services.

“We share more information between the DOD and the VA than any other two large health systems in the world,” Miller said, responding to FedScoop’s questions about long-term interoperability with VA. “I can take any provider today and put them in front of a computer anywhere and I can pull up the entire longitudinal health record between the DOD and a veteran. It is possible and we do it every day,” he said.

“DOD and VA are interoperable today,” Kendall said. “We send over a million pieces of data per day. We are well into fielding a joint legacy viewer in the VA to view DOD records and vice-versa. So we have interoperability and we’re going to be certifying that to the Congress.”

Dr. Jonathan Woodson, the assistant secretary of defense for health affairs, said the Pentagon’s decision to acquire a commercial EHR system was based on the lessons learned from other large health providers that had initially developed their own homegrown system, the same way VA developed VistA.

“During this process, we’ve gone out to many health systems that previously had homegrown systems and learned the lessons as they transitioned from homegrown systems to commercial products and why they made those decisions,” Woodson said. Moving to a commercial system makes DOD “better, stronger and more relevant.”

Whistleblowers and risk
https://fedscoop.com/whistleblowers-cyber-risk-and-vas-realignment/
Tue, 14 Jul 2015 16:51:08 +0000

Inside Scoop gets you closer to the real story behind the headlines.


Another VA whistleblower

A whistleblower has approached the House Committee on Veterans’ Affairs with another string of outrageous accusations that have Committee Chairman Rep. Jeff Miller, R-Fla., requesting an inspector general investigation.

According to Miller, the whistleblower claims that more than 10,000 health care records at the VA’s Health Eligibility Center in Atlanta have undergone deliberate “purging or deletion.”

“Today’s troubling news highlights VA’s ongoing mismanagement and calls into question VA’s ability to adequately care for our nation’s veterans and I look forward to the OIG’s report so we can address this problem head-on,” Miller said in a statement released Tuesday.

A source close to the investigation tells Inside Scoop that the agency’s IT leaders have been working with the IG on its investigation “for quite some time.”

Meanwhile, the whistleblower also alleges a continued backlog of 600,000 pending benefit enrollment applications and 40,000 unprocessed applications discovered in January 2013.

Federal cyber risk – who’s the enemy?

The massive data breach at the Office of Personnel Management is being called the federal government’s “Sony moment,” and some tell Inside Scoop that a big chill may be coming to government because of it.

“If every chief security officer or director of an agency is fired after a breach there’s going to be a very long line at the unemployment agency,” Cris Thomas, strategist at Tenable Network Security, tells Inside Scoop.

Inside Scoop recently got a chance to ask U.S. Chief Information Officer Tony Scott if it was time for a governmentwide chief information security officer — after all, OPM and other agencies have been reporting vulnerabilities for years without any higher authority in government demanding and/or tracking remediation efforts.

“In most agencies, we do have a chief information security officer and that’s where really most of the government work takes place,” Scott said. “I think at the moment I’m not feeling the urgency for [a U.S. federal CISO]. I think we’ve got a pretty good model.”

But Inside Scoop spoke to a senior administration official who’s been involved in national cybersecurity policy for nearly 20 years who has a very different perspective. According to the official, there’s a tremendous reluctance at senior government levels — mostly political appointees — to leverage the Department of Homeland Security and other government-developed cybersecurity tools. “They’re afraid of the NSA,” the official said. “They look at NSA as a signals intelligence agency and they’re more concerned about the NSA listening to their communications than they are the Chinese or the Russians.”

I guess we will see just how much influence Secretary of Homeland Security Jeh Johnson actually has over federal cybersecurity. He recently ordered the deployment of the latest, most advanced version of the Einstein intrusion detection system — known as Einstein 3 Accelerated, or E3A — to all federal civilian agencies by the end of 2015.

VA’s realignment

Inside Scoop has learned that former VA CIO Steph Warren began an initiative in June to adapt the Office of Information and Technology to the new MyVA district alignment model. In January, VA announced an effort to realign its many organizational maps into one map with five regions to better serve Veterans. The new regions under the MyVA alignment will allow VA to begin the process of integrating disparate organizational boundaries into a single regional framework to enhance internal agency coordination.

“The team is ready to share the draft plan, but they want your input before finalizing it,” a June 20 email from the OI&T360 Team read. “As OI&T employees, you know better than anyone how to serve our customers well, so please share any ideas you may have for improving this plan.”

Got some Inside Scoop to share? Send it to dan.verton@fedscoop.com or follow me on Twitter @DanielVerton and direct message me.

What Intel learned from the NIST cyber framework
https://fedscoop.com/what-intel-learned-from-the-nist-cybersecurity-framework/
Thu, 12 Feb 2015 12:34:20 +0000

The biggest chip manufacturer in the world put the voluntary framework to work in two of its major divisions. What it discovered might surprise you.

Intel Corp. released the first known use case study today detailing a seven-month pilot project to test the use of the Framework for Improving Critical Infrastructure Cybersecurity at the company.

Released a year ago today by the National Institute of Standards and Technology, the framework provides a set of voluntary guidelines designed to help raise the level of cybersecurity preparedness across the widest possible cross section of industry and government. But cybersecurity experts remain split on the value and substance of the framework and have questioned its impact in light of a string of massive data breaches during the past 18 months.

Intel, on the other hand — a company famous for employing physical and cybersecurity controls that are equal to, if not better than, those found in the most sensitive national security settings — tested the framework at two of its major corporate divisions and found that it provided enough benefit to the company’s risk management process that it plans to expand its use in the coming year.

“We felt that there was a real problem for the past few years with the focus that we’ve had on compliance, and we really needed to try to change the dialogue to risk management,” Kent Landfield, director of standards and technology policy at Intel Security, told FedScoop. The company deployed the framework to its Office and Enterprise divisions and discovered it helped to harmonize the company’s risk management technologies and language, improved visibility into Intel’s risk landscape, helped kick-start informed risk tolerance discussions across the company, and enhanced the ability of executives to set security priorities, develop budgets and deploy security solutions.


The pilot project consisted of four phases: set target scores, assess current status, analyze the results of that assessment, and communicate those results to managers and senior leadership. (Source: Intel)

The pilot project consisted of four phases and cost Intel the equivalent of about 175 full-time employee work hours, Landfield said. It did require some customization to make it work for Intel, but that was to be expected, he said.

One required change was the addition of an ecosystem tier. The framework uses so-called “implementation tiers” to provide context on how an organization views cybersecurity risk and the processes it has in place to manage that risk. “That’s something that we hope NIST will pick up on in a future version of the framework,” Landfield said.

Another area of the framework that Intel had to work on was the threat category. The framework divides its core functions into categories, such as asset management, access control and detection processes. “The categories around threat were really missing,” Landfield said. “And as such, threat and incident response really needed to be beefed up.”

“The nice thing about a framework is it’s very flexible,” he said. “So we were able to make those changes fit nicely into the evaluation process as a whole, and we were able to then pass it on to the folks who were doing the evaluation.”

Intel then identified senior subject matter experts to conduct the independent risk assessment based on the framework. “One of the things that was really important to us was that we wanted to make sure the SMEs were coming at this with a clear mind,” Landfield said. “They did not know what the target scores were, they did not know what we hoped to get out of this. They just did the assessment based on the conditions that we were using at the time.”

The success of the pilot project has spurred Intel to consider expanding how it uses the framework, both internally in the company’s product life cycle and potentially with business partners, such as suppliers.

“The pilot project resulted in developing tools that we can reuse as we expand the Framework’s use across Intel,” the study states. Those tools included a risk-scoring worksheet, a heat map to quickly identify scores and make a comparison, and customized tier definitions for people, process, technology and ecosystem.

Could Intel have discovered these lessons without the framework? Yes, Landfield said. “But the framework was the spark that made the dialogue happen. It’s that dialogue and pulling people from different parts of the organization [that enables] having those conversations about what is the acceptable level of risk in these areas of our business. Without having some spark, sometimes those things don’t happen.”


Intel developed a heat map from charting individual and group scores and their comparisons. Note: The scores given are examples and not the actual scores. (Source: Intel)

Are social media companies doing enough to stop terrorist recruitment?
https://fedscoop.com/social-media-companies-enough-stop-terrorist-recruitment/
Mon, 22 Dec 2014 13:58:03 +0000

Assistant Attorney General for National Security John Carlin said the Islamic State has managed to recruit more than 16,000 new members from half the countries in the world using social media.

The world’s most popular social media sites and an increasing number of new, emerging social platforms have replaced members-only chat rooms and message boards as the preferred method of terrorist organizations to radicalize and recruit new members.

The Islamic State, for example, has managed to recruit more than 16,000 new members from half the countries in the world using social media, Assistant Attorney General for National Security John Carlin said Tuesday at a cybersecurity event in Washington, D.C. The drastic uptick in recruitment and the ability of groups like the Islamic State, also known as ISIL or ISIS, and al-Qaida to radicalize young people around the world is leading to tough new questions for social media companies from the government and private experts.

“What more can major social media companies do to stop terrorists from targeting and recruiting children?” Carlin asked. “The solution is going to have to involve a conversation with the companies that provide the social media services to combat this very real threat.”

Any future conversation will undoubtedly have to involve a growing number of social media companies. Terrorist organizations are well known to have made the move to Facebook, Twitter and YouTube. But these same al-Qaida franchises are now beginning to increasingly show up on platforms like Flickr, Instagram, Ask.fm, Friendica, Diaspora, JustPaste.it and SoundCloud.

A new study released Dec. 5 by the Middle East Media Research Institute puts Western social media companies at the heart of al-Qaida and ISIS propaganda and recruitment efforts. Today’s jihadi terrorists have a “total dependence on social media, which is in fact the core that is driving jihad worldwide today,” Steven Stalinsky, executive director of MEMRI, told FedScoop.

“Of the three major social media giants which jihadis use – YouTube, Twitter, and Facebook, and not to mention the many other smaller companies — Facebook is certainly the most proactive and respectable when it comes to removing terrorist content,” Stalinsky said. “However, groups including al-Qaida and ISIS as well as other designated terrorist organizations, such as Hezbollah, Hamas and the Taliban, are all active on Facebook.”

A spokeswoman for Facebook told FedScoop: “We do not permit terrorist groups, such as ISIS, to use our site, and we do not allow any person or group to promote terrorism or share graphic content for sadistic purposes. This has been our policy for more than five years, and something that we take very seriously.”

While Facebook has made progress in taking down pages that promote or support terrorist groups, Twitter seems to have had a tougher time and has been reluctant to talk about its efforts or plans to do so. A Twitter representative declined FedScoop’s request for comment and directed us to the company’s rules, which the representative said includes a “ban on violent threats.”

(Image credit: Middle East Media Research Institute study)

MEMRI’s Stalinsky, however, is not impressed. He points to a tweet by Twitter CEO Dick Costolo after the beheading of American journalist James Foley in which Costolo pledged to identify and remove terrorist accounts that were posting beheading videos. The only problem has been that Twitter’s actions have not lived up to its rhetoric, according to Stalinsky. The next four murders carried out by ISIS – those of Steven Sotloff, David Haines, Alan Henning and Peter Kassig – were all announced via Twitter, with more graphic images of the beheadings and their aftermath.

“Terrorist groups have been freely using Twitter for years and nobody at the company would go on the record and give a statement about it when asked,” Stalinsky said. “I would state that most of what these social media companies say publicly is not accurate and is disingenuous. Instead of seriously tackling the issue, they are focused on dealing with bad PR.”

There are now tens of thousands of Twitter accounts operated by radical Islamic terrorist organizations and their supporters, according to MEMRI.

Report sheds new light on NSA compliance efforts
https://fedscoop.com/report-sheds-new-light-nsa-compliance-efforts/
Sat, 10 Jan 2015 13:00:06 +0000

The National Security Agency spends about $30 million a year on its privacy and civil liberties compliance programs and has several active research efforts underway focused on developing privacy-enhancing technologies, according to a new transparency report released Tuesday.

The report, NSA’s Civil Liberties and Privacy Protections for Targeted SIGINT Activities Under Executive Order 12333, is the second transparency report released by the NSA since it created the agency’s first Civil Liberties and Privacy Office in January. Although the first report focused on how the NSA carries out its mission in accordance with Section 702 of the Foreign Intelligence Surveillance Act, this latest report focuses on NSA’s signals intelligence collection authorities as defined by Executive Order 12333 and outlines the measures the agency takes to safeguard the privacy and civil liberties of U.S. citizens.

In addition to the funding that supports a compliance staff of more than 300, NSA has initiated several research and development programs that may not only help NSA’s compliance efforts but could also be transferred to the private sector, according to the report.

One of the research efforts is focused on private information retrieval. “This area has the potential to improve data security and privacy protection by cryptographically preventing unauthorized users from accessing protected data,” the report states. Researchers are also developing hardware and software security tools, including “using commercially available microprocessor technology to produce a secure and private computing environment; prototyping systems that validate authorized program execution, querying and auditing; developing tamper-proof hardware and software models; and developing secure failure techniques upon detection of adverse activity.”

NSA is also exploring research opportunities to build upon the many existing capabilities currently deployed in NSA systems for privacy protection. These efforts include tools and techniques to suppress or mask data that constitutes personal information, new cloud architectures with augmented privacy protections and tools for enhancing privacy when analyzing big data.

The report outlines specific areas of concern and risks associated with civil liberties and privacy when it comes to NSA’s SIGINT collection activities. Specifically, the privacy office acknowledges NSA could collect data that is not related to a specific, authorized target; and it could erroneously mark the data as being collected under one authority when it was actually collected under a different authority.

“These potential errors could impact some methods used to control access to SIGINT mission data,” the report states.

To help minimize the chances of these errors occurring, the NSA leverages automated tools that mark the data so the agency can identify the source and authority of the data and access restrictions can be applied. It also uses automated systems to identify when it has collected data it should not have received and automatically deletes the data, according to the report. The transition to newer data repositories in the intelligence community’s emerging cloud infrastructure will enable the agency to improve access controls, the report states.

Roy Snell, CEO of the Society of Corporate Compliance and Ethics, has worked with members of NSA’s compliance team and said the agency’s investment in compliance is substantial.

“NSA’s commitment to compliance both in resources and the quality of their compliance leadership is above average,” Snell told FedScoop. “Not only do they dedicate resources to compliance, they have selected an excellent team of people to lead this effort. In my opinion they have one of the strongest compliance programs of any governmental agency.”

Congressman demands action on VA-FedBid scandal
https://fedscoop.com/congressman-demands-action-va-fedbid-scandal/
Sat, 10 Jan 2015 12:58:14 +0000

A prominent Republican representative on the House Committee on Veterans’ Affairs has called on VA Secretary Robert McDonald to explain what, if any, punitive action he plans to take against a former deputy chief procurement officer at the Veterans Health Administration who was found to have engaged in violations of federal procurement law and has called on the agency to evaluate whether the reverse auction company at the heart of the scandal, FedBid Inc., remains a “responsible contractor” under federal procurement law.

In a letter sent Monday to McDonald, Rep. Mike Coffman, R-Colo., chairman of the Veterans’ Affairs Subcommittee on Oversight and Investigations, details the findings of a VA inspector general report that uncovered an orchestrated campaign by FedBid executives to “assassinate” the character of Deputy Assistant Secretary for Acquisition and Logistics Jan Frye after he suspended the use of reverse auctions throughout the agency in 2012 and that found that Susan Taylor, VA’s deputy chief procurement officer at the Veterans Health Administration, abused her position and “improperly acted as an agent of FedBid in matters before the government.”

“The sheer extent of the abuse of power undertaken by Ms. Taylor at VA alone should warrant her termination,” Coffman wrote. “It is apparent that Ms. Taylor is the personification of the morally bankrupt and ethically impaired culture that exists within the Department.” Coffman also wrote that the IG report substantiates that FedBid “was actively conspiring to defame an honorable public servant in an attempt to protect a friendly, corrupt bureaucrat and continue pushing a system of contracts that undercut fair competition. When coupling that with FedBid’s engagement in inherently governmental functions, I would call upon VA to examine whether FedBid remains a ‘responsible contractor.’”

Pressure from Coffman could spell trouble for both Taylor and FedBid. Although Taylor has reportedly been reassigned within VA, McDonald has pegged his tenure as the new VA secretary on a commitment to hold VA employees accountable and remain transparent about the steps the agency takes to ensure clear cases of wrongdoing are punished.

For FedBid, a company backed by powerful financiers and a laundry list of former high-level government officials, the fallout could be even worse. The company supports 17 other federal agencies and departments. Although determinations of nonresponsibility are award-specific, analysts say it could set the stage for a broader look at FedBid Inc.’s business dealings with VA and even other agencies, which could lead to discussion about suspension or debarment for either the company or specific executives.

According to the Congressional Research Service, decisions to exclude a vendor are made by agency heads or their designees “based upon evidence that contractors have committed certain integrity offenses, including any offenses indicating a lack of business integrity or honesty that seriously affect the present responsibility of a contractor.”

A source at the VA Office of the Inspector General told FedScoop that FedBid’s previous statement that its reverse auction services “stimulated competition that resulted in lower prices for VHA” is not supported by the facts presented by another VA IG report issued on the same day as the report detailing the misdeeds of Taylor and other FedBid executives. According to the IG, that companion report, Review of the Veterans Health Administration’s Use of Reverse Auction Acquisitions, “addressed the contract itself and found that the cost savings were overstated and may have limited competition.”

Lorraine Campos, a partner in the government contracts & grants team at the Washington, D.C.-based law firm Reed Smith, said federal agencies “ought to proceed with caution in touting savings from reverse auctions” in the wake of the VA IG reports. “While reverse auctions promise dramatic savings, such promises may only be smoke and mirrors,” Campos said. “Once transaction fees are factored in, the actual amount an agency saves may not be as dramatic as anticipated. Moreover, since reverse auctions only consider pricing, rather than value, agencies may not get the ‘bang for the buck’ through these mechanisms.”

Chuck Hagel and the secret war over DOD & VA electronic health records https://fedscoop.com/chuck-hagel-and-the-secret-history-of-vas-quest-for-a-modern-electronic-health-record-system/ Sat, 10 Jan 2015 12:02:50 +0000

The Defense Department is poised to issue a final request for proposals later this month for an $11 billion contract to replace its outdated electronic health record system and provide urgently needed improvements in the data-sharing capabilities between DOD and the Department of Veterans Affairs.

The two agencies have spent the better part of the last decade trying to improve interoperability between their distinct electronic health records infrastructures. Between 2011 and 2013 alone, they spent more than half a billion dollars on an effort to develop a new joint-integrated EHR that could serve military personnel from enlistment through retirement and veteran status, only to see extreme bureaucratic infighting and turf battles derail the project.

Today, the agencies are moving down separate modernization paths, with DOD working on its Defense Healthcare Management System Modernization program (DHMSM) and VA planning commercial acquisitions for the next generation of its Veterans Integrated System Technology Architecture, known as VistA. But analysts, including one of the founding developers of VistA, point to years of missed opportunities for DOD to leverage what many consider to be superior existing capabilities in VA’s VistA system — an ecosystem of modular application components that in most cases have become industry standards (VA’s troubled scheduling system notwithstanding).

VA’s underground railroad

Thirty-six years ago, Tom Munnecke sat with a VA colleague at a table in Coffee Dan’s restaurant in Loma Linda, California, and sketched a diagram on a napkin. Although his drawing looked a lot like an onion, it was actually an architecture diagram for a computer network that would go on to fundamentally change the concept of electronic health records at VA for the next four decades.

Known in the annals of VA IT development as the “onion diagram,” Munnecke’s architecture became the seed that would form what is known today as VistA. For the next four years, Munnecke worked as part of a small team of developers at VA known as the “Hardhats.” Their mission was to revolutionize VA’s electronic health record system by replacing the agency’s static mainframe-based architecture with an open, modular and decentralized electronic ecosystem. The effort would also prove to be a major cultural change for VA that the agency’s leadership wasn’t quite ready for.

“We went with minicomputers in the hospitals, but the centralists wanted to do a very top-down, hierarchical system with a big mainframe in Texas,” Munnecke said in an exclusive interview with FedScoop. “The original proposal was for one terminal per hospital. But we wanted to do hundreds of terminals per hospital. And we also wanted to tap into the creative energy of the VA staff. The depth of the medical bench in the VA is enormous and doctors are anxious to share their skills and knowledge. It developed a grassroots flavor.”

But the effort would not last long against a VA leadership structure unwilling to take risks. In 1979, VA disbanded the developers, firing the Hardhats (including Ted O’Neill, the visionary who had brought in the Massachusetts General Hospital Utility Multi-Programming System, the core computing language known as MUMPS, which remains at the heart of VistA today). But Munnecke and the other Hardhats continued their development work on an informal basis, working with hundreds of doctors and nurses to develop the tools they needed to manage VA’s growing medical records challenge. By 1981, the Hardhats had developed a toolkit known as the File Manager as well as the VistA Kernel, both of which supported a core system that could handle admissions, discharges, transfers, pharmacy dealings, scheduling and laboratory orders.

During the same year, when VA Chief Medical Director Donald Custis visited the Washington VA medical center, he was surprised to find hospital administrators and practitioners actively using the unauthorized software the Hardhats had developed. He was so surprised to find a working system that he is quoted as saying, “It looks like we have an underground railroad here.”

Chuck Hagel gets a pass

Munnecke moved quickly to leverage the Custis quote and adopted the “underground railroad” as a calling card for the unauthorized skunkworks software development his small cadre of VA coders had championed. In 1982, he organized the first Underground Railroad Banquet in Washington, D.C., to celebrate the accomplishments of the development team. There were many firsts to applaud, including the introduction of open source development, agile development practices, metadata-driven architectures, email-based messaging and even social media interactions.

To get the message out, Munnecke began handing out business cards and certificates. One of his first certificates for “unlimited free passage on the VA MUMPS Underground Railroad” went to none other than Chuck Hagel, then the VA deputy administrator.

“Chuck played a key role in helping to evolve our early back room prototypes into a VA-wide electronic health record that has won many awards and accolades by physicians,” Munnecke said. Hagel is referred to by many of the original VistA developers as “one of the fathers of VistA.”

Less than two months after his confirmation as the nation’s 24th secretary of defense, Chuck Hagel found himself answering questions from lawmakers about the status of the Defense Department’s electronic health record development work and its ability to share information with VA and VistA.

“I’m not an expert on this issue, but when I was at the VA as deputy administrator in the Reagan administration in 1981 and 1982, I had something to do with actually implementing the first electronic health systems,” Hagel said. “I’m quickly out of my depth I recognize on this, but I have some knowledge of it and some experience and I know it’s difficult.”

Hagel acknowledged to lawmakers that the Pentagon had decided to restructure its EHR modernization effort, placing the program under the authority of Frank Kendall, DOD’s under secretary for acquisition, technology and logistics. It was Kendall’s study of DOD’s EHR efforts that led to the Pentagon’s decision to go down a separate and seemingly parallel modernization path from VA’s VistA.

“We have strong cooperation with VA on the interoperability, on the integrated records,” Kendall told reporters last year at the Pentagon. “We are not as much in agreement on the best way to modernize. Now, I should mention that VA has a very different situation than we do. Their business equation is fundamentally different than ours, because they already have the installed base of VistA and, as I mentioned earlier, they have the trained people and, if they modernize on the basis of the VistA system, they can evolve that and move forward that way.”

Munnecke noted the wry smile on Hagel’s face as he alluded to his personal role in promoting VistA when he was at VA. “I could tell he was aware of what was going on, but he didn’t want to tell Congress that he was part of an underground railroad,” Munnecke said. “He’s under a lot of political pressure and he’s got 12 advisers selling him one thing.”

Fork in the road

Just as fixing the problems with VA’s scheduling module in VistA is critical to solving VA’s patient backlog, data sharing in the form of an interoperable EHR is critical to DOD’s ability to create electronic medical documents that can be used for everything from treatment to claims processing throughout the entire span of a veteran’s career, from initial enlistment through either retirement or veteran status. The same holds true for veterans’ dependents.

But with so much on the line and high-profile attention from Capitol Hill, why would DOD and VA opt to create two separate modernization programs and all of the complexity that comes with managing concurrent data integration efforts? Some observers say this was an unavoidable outcome.

“This is a classic case of fiefdoms that don’t want to cede ownership or share in a meaningful way,” said Lloyd McCoy, a market intelligence analyst with McLean, Virginia-based immixGroup Inc. The technical issues of achieving true interoperability with VA can be overcome, McCoy said. But the “bureaucratic infighting and territorial wrangling” is another story altogether.

“The first thing they do is clash on bureaucratic turf,” Munnecke said. “Who’s winning and who’s going to lose by cooperating? And the concept of having a patient record that is shared independent of the organization chart is overlooked.”

According to Munnecke, the reluctance of DOD and VA officials to tackle interoperability in a serious way boils down to jobs, security and bureaucratic turf. “Between the DOD and VA, the party that cooperates most loses the most turf,” Munnecke said. “It’s always a bureaucratic crunch between org charts. But the information model doesn’t need to be coupled to the organization chart.”

FedScoop asked the Defense Department if Hagel could provide an explanation for his decision to move the department down a separate modernization and acquisition path rather than work more closely with VA to create a shared plan for an interoperable EHR — an approach specifically called for by the Government Accountability Office. Defense Department spokesperson Maureen Schumann said the department’s modernization and interoperability programs “are distinct efforts” and both have made significant progress. “We have been sharing data elements – in fact 1.5 million per day currently – and that effort will only improve,” Schumann said.

A fact sheet detailing DOD’s work with VA on the Interagency Program Office shows the bulk of the work to date has centered on agreeing to national interoperability standards and ensuring consistency in data terminology, content structure and exchange methods. A contract award for DOD’s new EHR is expected in 2016. However, the agencies’ decision to abandon the joint EHR initiative in favor of separate modernization efforts was not justified, according to a GAO report released in February.

“DOD and VA modernization efforts are moving farther apart,” Munnecke said. “I think it’s a manifestation of these two agencies not wanting to work together. The secretaries will say yes, but the bureaucrats whose turf is being impinged upon want to do their own thing, and they will find lots of ways of diverting things to specificities that inhibit information sharing and protect their turf.”

McCoy agreed with that sentiment. “As a taxpayer, I’m paying for two systems instead of one,” he said. DOD also has concerns about security and being able to access data in denied areas, particularly if the data were decoupled from specific organizational ownership as recommended by Munnecke.

“I wouldn’t say DOD is on board with that recommendation,” McCoy said. “DOD feels the way it is now is how it should be.”

A Defense Department fact sheet on its Defense Healthcare Management Systems Modernization Program. (Source: DOD)

Threat Matrix — Episode 17 (Video): The secret history of CIA spy gadgets https://fedscoop.com/threat-matrix-episode-17-video-secret-history-cia-spy-gadgets/ Sat, 10 Jan 2015 11:32:10 +0000

Editor’s Note:

In 2009, I had the good fortune of meeting and interviewing, at length, Robert Wallace, the former director of the CIA’s technical service. For those who might be wondering what the agency’s technical service is, it’s the real-world “Q” from the world of James Bond movies. CIA’s technical service is responsible for developing and designing all of the gadgets that spies use to communicate, record information and conceal their true identities.

In this video episode of Threat Matrix, I talk to Wallace briefly about the CIA’s history using secret high-tech gadgets. But Wallace also breaks out his traveling museum of CIA spying artifacts for a live demo. Everything from the famous Minox camera to tiny code books that were hidden inside of dead rats — it’s all on display in this episode of Threat Matrix.

http://youtu.be/NLogrBTGhwE

Expansion of FBI facial recognition system raises privacy concerns https://fedscoop.com/expansion-fbi-facial-recognition-system-raises-privacy-concerns/ Sat, 10 Jan 2015 11:18:30 +0000

Documents released by the FBI show the bureau plans to double the size of its facial recognition database by 2015 and will, for the first time, include facial images of millions of people who have not been convicted of any crimes.

Obtained by the Electronic Frontier Foundation under the Freedom of Information Act, the documents, including FBI emails, show the bureau plans to increase the number of images in the facial component of the Next Generation Identification system from 16 million to as many as 52 million by next year. And of that number, as many as 4.3 million will be images taken for noncriminal purposes.

According to EFF senior staff attorney Jennifer Lynch, NGI is ushering in several changes to the way the FBI will manage its civil and criminal fingerprint and biographical databases. For example, employers that require fingerprinting or background checks currently send those biometrics to the FBI for storage in its civil print database. The bureau, however, has never stored a photograph with the prints. But NGI will change this, according to Lynch, allowing the FBI to search facial images of innocent people and potentially implicate them in criminal cases.

“This means that even if you have never been arrested for a crime, if your employer requires you to submit a photo as part of your background check, your face image could be searched—and you could be implicated as a criminal suspect—just by virtue of having that image in the noncriminal file,” Lynch wrote in an April 14 EFF analysis of the new documents.

NGI has been under development since 2010, and has been earmarked to replace the bureau’s current national fingerprint repository known as the Integrated Automated Fingerprint Identification System. The IAFIS database contains the fingerprints and criminal histories of 70 million individuals, as well as 34 million civil prints of those employed in sensitive government positions, and 73,000 known or suspected terrorists.

But NGI will significantly expand the capabilities of IAFIS by adding the ability to store and search multiple forms of biometric data, including facial and iris scans, palm prints, and text-based tattoos, scars and other body marks. The FBI also claims the new system will improve search response times from two hours to just 10 minutes in criminal cases, and from 24 hours to 15 minutes in civil cases.

Some of the most recent statistics show that IAFIS, which entered service in 1999, was able to process nearly 63 million ten-print fingerprints last year. At its height in 2010, the system processed more than 300,000 prints in a 24-hour period. Since 2012, IAFIS has averaged about 163,000 fingerprint transactions per day.

According to the new documents obtained by EFF, the NGI system will be capable of processing 55,000 photo enrollments per day.

VA charts a course for open source, more capable infrastructure https://fedscoop.com/va-charts-a-course-for-open-source-more-capable-infrastructure/ Sat, 10 Jan 2015 10:59:26 +0000

The Department of Veterans Affairs has taken its fair share of very public lumps as a result of high-profile data breaches and software glitches that sparked the ire of many in Congress. But behind the scenes, the agency has embarked upon an ambitious effort to overhaul how it manages its entire IT enterprise.

In an effort to prepare the agency for an inevitable post-war drawdown of resources, Stephen Warren, VA’s chief information officer, is overseeing a concerted effort to modernize infrastructure and streamline contracting and acquisition processes to squeeze new efficiencies out of every dollar spent on technology. It is an endeavor that will touch almost every aspect of VA’s $243 million annual investment in voice, data and wireless technology, and could fundamentally alter the way VA interacts with industry and the veterans it serves.

“We are building for the future,” Warren said. “It’s an obsession on detail, it’s an obsession on meeting architecture standards.”

VA has made significant strides in leveraging technology for telehealth, improving the lives of veterans by enabling them to see doctors virtually from their homes and reducing the rate of readmission to hospitals. But this summer, VA plans to also process 100 percent of veterans benefits electronically. Such a massive move to digital services will require more powerful and flexible infrastructure, and a shorter time between identifying user requirements and acquiring technologies from industry, Warren said.

By the end of March, VA’s four gateways will be capable of handling up to 10 gigabytes of throughput based on demand. In addition, the agency has reached out to the Federal Communications Commission for help expanding Internet access to veterans who live in rural areas.

Most of VA’s voice, data and mobile spending will be transitioning to centralized or regional contracts, Warren said. “We’re in many places that other folks aren’t … a lot of rural areas and a lot of areas where [telecommunications] providers are not.”

VA also recently launched a cloud-based enterprise voice pilot project. “We’re moving away from fixed plant at every single medical center and every single site,” Warren said. The agency is studying how to adjust and move that capability based on demand, with three pilot locations this year, and additional locations expected to be added over the next couple of years.

For commodity purchases, such as desktops, laptops, servers, switches, routers, storage services and tablets, VA will be moving away from the General Services Administration schedule and relying more on its Commodity Enterprise Contract, a $5.3 billion deal awarded last March, Warren said.

But some aging pieces of VA’s IT enterprise, such as its electronic health record, known as the Veterans Health Information Systems and Technology Architecture, or VistA, have taken longer to evolve and have fallen behind the technology curve. And open source software will likely play an important role in the system’s future, Warren said.

“It’s time to make some investments in that platform,” Warren said. “We haven’t made those investments in at least 10 years. In the coming year, you will see us doing code in-flight. As we’re developing, we’ll be dropping the code out there so the community can engage.”

VA will be posting the code through GitHub under the VA category.

The potential for success is there. For four years in a row, 80 percent of VA’s IT projects have met their scheduled delivery dates. And only 2 percent of VA IT projects do not deliver. The majority of them deliver within 30 days.

VA currently averages 4.1 months from the time it decides to commit resources to an IT project to the time it can deliver a capability to the end-user. But for the Veterans Benefit Management System, the agency’s $491 million paperless claims processing system, Warren managed to whittle that average time down to 90 days.

“You only do that through a very disciplined, focused approach,” he said. “I would like to go from [specification] on the street and award in seven days.”

VA’s annual voice, data, wireless spending 

Total: $243 million (not including commodity purchases)

$87 million is voice services

$118 million is data services

$38 million is wireless
