IT Modernization Required at HHS According to Government Accountability Office

The Government Accountability Office (GAO) has released the findings of an audit of all federal government systems that operate legacy systems. The focus of the audit was to determine the extent to which legacy software and systems are in use, and which departments are in most urgent need of modernization.

Overall, 65 federal agency systems were reviewed at 24 different agencies to produce a list of the top ten systems in need of modernization. GAO then looked over the agencies’ plans to update their systems and measured those plans against IT modernization best practices.

The Department of Health and Human Services (HHS) is one of the top three departments the requires modernization, behind the Department of Education (DoE) and the Department of Defense (DoD). Only three departments were found to have both high system criticality and a high security risk: HHS, DoE, and the Department of Homeland Security.

The level of modernization required by HHS is significant. One legacy system is 50 years old yet is still being widely used to support clinical and patient administrative activities. GAO was unable to get an accurate gauge of the age of the systems in HHS. That unknown added to the high security risk rating.

The HHS is still operating systems that have been written in C++ and MUMPS, both of which are legacy languages. One of the problems that the HHS has to address is finding programmers who can code in MUMPS: A clear sign that modernization is desperately required.

The current system has been developed to include a further 50 modules and is downloaded and used on hundreds of computers and are many separate configuration variations. The system is invaluable, but cumbersome and difficult to develop and run.

GAO notes that the continued use of legacy infrastructure and software usually involves a greater maintenance cost and the systems are exposed to more cybersecurity dangers. Modernization is vital for managing those risks and improving efficiency and the effectiveness of the system.

While there are plans to update IT in most government departments, the HHS has yet to document a plan for modernizing IT. “When deciding to modernize a legacy system, [HHS] considers the degree to which core mission functions of the agency or other agencies are dependent on the system.” It is easy to see why such an update has been put off.

Until a modernization plan is formulated and implemented, which incorporates IT modernization and security best practices, the department “will have an increased risk of cost overruns, schedule delays, and project failure,” wrote GAO.

The HHS has recognized the problems raised by GAO and is keen to update its technical architecture and infrastructure, which continues to pose many difficult challenges. A contract has been awarded to a third party to research how the HHS can update its systems in stages over the course of a year. Once that report has been received, HHS will formulate its modernization plan, which it hopes to put in place in 2020.

The HHS has one of the biggest IT budgets of any government agency. Modernization has potential to reduce that expense, but GAO noted that the modernization will require a significant capital investment and it is unclear when and if the modernization will actually result in cost savings.