New VA CIO orders formation of cybersecurity strategy team
August 03, 2015
The new Enterprise Cybersecurity Strategy Team has 45 days to deliver to Congress an integrated cybersecurity strategy for the Department of Veterans Affairs.
By Lauren Bailey and Peter L. Levin, U.S. Department of Veterans Affairs
Thirty years ago, when clinicians at VA first started building the software components for a “high tech” electronic health record, they stood at the vanguard of patient-centered care. At that time folks weren’t thinking much about plug-and-play modularization, market-based communities of interest, sleek development environments, or interoperable systems.
But thanks to their persistence, creativity, and dedication, today Veterans enjoy among the highest standards of health care, and VA has become a model and benchmark for safety, accessibility, and therapeutic outcomes. This is especially true of our electronic health record (EHR), VistA, which consistently rates among the best of its class, a remarkable achievement for a package furtively born on hijacked equipment and built off-hours and on weekends. Thanks to VistA, instead of slips and clipboards our hospitals are nearly paperless, our workflow is automated, and our patient satisfaction is high.
As well as VistA runs, it is a resource intensive application, and innovation has slowed in recent years. There are a litany of technical reasons for this, but none of them are incurable, and under the leadership of Secretary Eric Shinseki, Under Secretary for Health Robert Petzel, and our CIO Roger Baker, we are embarking on an aggressive path to upgrade and modernize our system. Indeed, in order to better benefit from technological advancements we need VistA to be as flexible, extensible, and as open as the hardware it runs on, while maintaining our highest priorities of safety and information security. The bottom line is that there are electronic tools, software algorithms, and medical devices that our clinicians want and our patients need, and they need to be linked to our EHR.
So, in February we released a Request for Information (RFI) for Open Source VistA.
Open source describes a method of software development and production focused on peer collaboration where the documentation, end-product, and in some cases, source material is available at no cost to the public. Most open source systems are comprised of both free and proprietary components, and all of them have clearly stated rules for building new applications and services. Our RFI for open source VistA explained our three goals, common to most open source environments: accelerated innovation, ease of component integration and societal benefit by market creation. Basically the RFI outlined the whys, the hows and the advantages of open source VistA.
In our proposed open source community, internal and external developers will innovate on the VistA code base. The open source environment will allow for rapid integration of these innovations back into the mainline, and ultimately to VA and other users of VistA. We also believe that open source VistA will create jobs and help our industry partners generate more, and more capable, modular solutions for VistA at lower incremental cost to taxpayers. A successful open source framework will extend the market to vendors and system integrators and would open the aperture for competition in the electronic health record space.
The custodial agent will have a central role in our open source community. It will collect the innovations, test and certify them, and enable rapid deployment across our enterprise . . . and many others. In the diagram, the orange bubbles are the developers and the blue bubbles are the users. Developers will submit code into the repository to be certified by the custodial agent. The custodial agent will certify the code, and create a code base used by VA and, in the future, other Federal Agencies and even for-profit health care providers. It’s a new way of looking at open source governance when the original asset comes from a cabinet department. Our RFI asked for input to fine-tune the way we see the custodial agent and its functions to add value for users, innovators and vendors, and we got it.
Healthcare may the last bastion of resistance in the information revolution, but that isn’t only because of an intrinsic allergy to change. Safety-of-life applications require special care, special tests, and a higher degree of confidence than practically any other infrastructure component. The disruption of a banking mistake or fraudulent transaction is serious, but generally recoverable. But with 13,000 kinds of medical diagnoses, 6,000 medicines, and 4,000 possible procedures, not only does safety demand real and reliable decision support, the possibility of an error is high. And in contrast to financial services, some mistakes are not reversible. In this context, the “go slow” approach is easier to understand.
But go slow doesn’t mean stop, and we believe the time is right to start leveraging the creativity of our clinicians (and yours), ensure cybersecurity by exposing code to large communities of technical reviewers, and enjoy the clinical benefit of open architecture, standards-based, modular systems that are tested, re-tested, and rigorously certified for compliance, safety, and security.
Open source doesn’t mean that every vendor has to give away their work for free—far from it. It means that some will, some won’t, but everybody will be on the same playing field, speaking the same language, and passing the same tests for certification and use. It also means that vendors will have a clear path to the enormous federal healthcare IT market, and may for the first time have an incentive to unbundle their large systems in order to better operate with ours. Indeed, if successfully implemented, this will be a dramatic increase in their total addressable market.
Lauren Bailey is a Special Assistant, and Peter Levin is a Senior Advisor to the Secretary and Chief Technology Officer, in the U.S. Department of Veterans Affairs. The views expressed in this article are their own and do not necessarily represent the views of the U.S. government or the Department of Veterans Affairs.