IT Modernization Required at HHS According to Government Accountability Office

by | Jun 15, 2019

The Government Accountability Office (GAO) has released the findings of an audit of all federal government systems that operate legacy systems. The focus of the audit was to determine the extent to which legacy software and systems are in use, and which departments are in most urgent need of modernization.

Overall, 65 federal agency systems were reviewed at 24 different agencies to produce a list of the top ten systems in need of modernization. GAO then looked over the agencies’ plans to update their systems and measured those plans against IT modernization best practices.

The Department of Health and Human Services (HHS) is one of the top three departments the requires modernization, behind the Department of Education (DoE) and the Department of Defense (DoD). Only three departments were found to have both high system criticality and a high security risk: HHS, DoE, and the Department of Homeland Security.

The level of modernization required by HHS is significant. One legacy system is 50 years old yet is still being widely used to support clinical and patient administrative activities. GAO was unable to get an accurate gauge of the age of the systems in HHS. That unknown added to the high security risk rating.

The HHS is still operating systems that have been written in C++ and MUMPS, both of which are legacy languages. One of the problems that the HHS has to address is finding programmers who can code in MUMPS: A clear sign that modernization is desperately required.

The current system has been developed to include a further 50 modules and is downloaded and used on hundreds of computers and are many separate configuration variations. The system is invaluable, but cumbersome and difficult to develop and run.

GAO notes that the continued use of legacy infrastructure and software usually involves a greater maintenance cost and the systems are exposed to more cybersecurity dangers. Modernization is vital for managing those risks and improving efficiency and the effectiveness of the system.

While there are plans to update IT in most government departments, the HHS has yet to document a plan for modernizing IT. “When deciding to modernize a legacy system, [HHS] considers the degree to which core mission functions of the agency or other agencies are dependent on the system.” It is easy to see why such an update has been put off.

Until a modernization plan is formulated and implemented, which incorporates IT modernization and security best practices, the department “will have an increased risk of cost overruns, schedule delays, and project failure,” wrote GAO.

The HHS has recognized the problems raised by GAO and is keen to update its technical architecture and infrastructure, which continues to pose many difficult challenges. A contract has been awarded to a third party to research how the HHS can update its systems in stages over the course of a year. Once that report has been received, HHS will formulate its modernization plan, which it hopes to put in place in 2020.

The HHS has one of the biggest IT budgets of any government agency. Modernization has potential to reduce that expense, but GAO noted that the modernization will require a significant capital investment and it is unclear when and if the modernization will actually result in cost savings.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy