HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HHS One of Three Departments in Most Critical Need of IT Modernization

The Government Accountability Office (GAO) has published the findings of an audit of all federal government systems that run on legacy systems. The aim of the audit was to determine the extent to which legacy software and systems are in use, and which departments are in most critical need of modernization.

In total, 65 federal agency systems were assessed at 24 different agencies to produce a list of the top ten systems in need of modernization. GAO then assessed the agencies’ plans to update their systems and measured those plans against IT modernization best practices.

The Department of Health and Human Services (HHS) is one of the top three departments in need of modernization, behind the Department of Education (DoE) and the Department of Defense (DoD). Only three departments were deemed to have both high system criticality and a high security risk: HHS, DoE, and the Department of Homeland Security.

The level of modernization required by HHS is considerable. One legacy system is 50 years old yet is still being extensively used to support clinical and patient administrative activities. GAO was unable to get an accurate gauge of the age of the systems in HHS. That unknown contributed to the high security risk rating.

The HHS is still using systems that have been written in C++ and MUMPS, both of which are legacy languages. One of the problems faced by the HHS is finding programmers who can code in MUMPS: a clear sign that modernization is desperately needed.

The system has been developed to include a further 50 modules and is installed and used on hundreds of computers, and there are many different configuration variations. The system is invaluable, but cumbersome and difficult to develop and maintain.

GAO notes that the continued use of legacy infrastructure and software invariably involves a greater maintenance cost and the systems are exposed to more cybersecurity risks. Modernization is essential for managing those risks and improving efficiency and the effectiveness of the system.

While there are plans to modernize IT in most government departments, the HHS has yet to document a plan for modernizing IT. “When deciding to modernize a legacy system, [HHS] considers the degree to which core mission functions of the agency or other agencies are dependent on the system.” It is understandable why such an update has been put off.

Until a modernization plan is developed and implemented, which incorporates IT modernization and security best practices, the department “will have an increased risk of cost overruns, schedule delays, and project failure,” wrote GAO.

The HHS has recognized the issues raised by GAO and is keen to update its technical architecture and infrastructure, which continues to present many difficult challenges. A contract has been awarded to a third party to research how the HHS can modernize its systems in stages over the course of a year. Once that report has been received, HHS will develop its modernization plan, which it hopes to implement in 2020.

The HHS has one of the largest IT budgets of any government agency. Modernization has the potential to reduce that cost, but GAO noted that the modernization will require a considerable capital investment and it is unclear when and if the modernization will actually lead to cost savings.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.