IT weaknesses dating to 2005 at heart of VA wait list scandal
The so-called “secret wait lists” that may have led to dozens of deaths at a growing number of Department of Veterans Affairs hospitals around the country have their roots in an insecure web of IT systems that have allowed the practice of creating informal waiting lists to go on for nearly a decade, a FedScoop investigation has revealed.
Recent media reports have highlighted claims from whistleblowers that VA officials have falsified records and created secret wait lists that may have contributed to the deaths of some veterans. So far, VA’s inspector general has not found any direct evidence linking the wait lists to any deaths.
But a FedScoop investigation shows the practice of maintaining informal waiting lists is a nationwide problem for VA hospitals that has been hiding in plain sight for nearly 10 years. And a lack of IT security controls may have allowed system users to manipulate scheduling data without being detected.
In 2005, VA’s inspector general interviewed 247 patient schedulers from eight major VA hospitals and electronically surveyed another 15,750 schedulers about the procedures for setting up appointments for veterans in need of medical care. Seven percent of those interviewed said they “maintained informal waiting lists (a list other than the electronic list) of veterans who needed appointments,” according to the IG report.
“In some cases, supervisors instructed schedulers to create appointments contrary to established scheduling procedures,” the report states. “This resulted in medical facility managers understating reported waiting times for appointments and under reporting the number of service-connected veterans with waiting times longer than 30 days.”
For example, on March 11, 2003, a mental health clinic in the VA Boston Healthcare System made a consult referral to a primary care clinic. On May 4, 2004, the scheduler created a primary care appointment for June 25, 2004. But because the scheduler used the menu option “not next available” with a desired date of June 25, 2004, VA was able to report a waiting time of zero days (June 25–June 25). However, the veteran actually waited 472 days from the date of the consult referral until the date of the appointment, according to the IG report.
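The gap in the Boston case can be caught by a data-integrity check that recomputes each wait from the referral date instead of the scheduler-entered desired date. The sketch below is an added example, not VA or VistA code: the record layout, field names and scheduler ids are hypothetical, the first sample record uses the dates from the IG report and the other two are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

THRESHOLD_DAYS = 30  # the 30-day reporting threshold cited in the IG report


@dataclass(frozen=True)
class Appointment:
    scheduler: str        # hypothetical user id of whoever created the entry
    referral: date        # date of the consult referral
    desired: date         # "desired date" entered by the scheduler
    appointment: date     # date the veteran is actually seen
    next_available: bool  # False means the "not next available" option was used

    def reported_wait(self) -> int:
        # Wait as reported in the article's example: desired date to appointment.
        return (self.appointment - self.desired).days

    def actual_wait(self) -> int:
        # Wait the veteran experienced: referral date to appointment.
        return (self.appointment - self.referral).days


def flag_understated(records, threshold=THRESHOLD_DAYS):
    """Records that report within the threshold but actually exceed it."""
    return [r for r in records if r.reported_wait() <= threshold < r.actual_wait()]


def flags_by_scheduler(records, threshold=THRESHOLD_DAYS):
    """Count flagged records per scheduler so reviewers can spot patterns."""
    return Counter(r.scheduler for r in flag_understated(records, threshold))


SAMPLE = [
    # Dates from the IG report's Boston example; scheduler id is constructed.
    Appointment("sched-a", date(2003, 3, 11), date(2004, 6, 25), date(2004, 6, 25), False),
    # Constructed: honest entry, reported and actual wait agree (15 days).
    Appointment("sched-a", date(2004, 1, 5), date(2004, 1, 5), date(2004, 1, 20), True),
    # Constructed: zero reported wait, 74 days since referral.
    Appointment("sched-b", date(2004, 2, 1), date(2004, 4, 15), date(2004, 4, 15), False),
]

if __name__ == "__main__":
    for r in flag_understated(SAMPLE):
        option = "next available" if r.next_available else "not next available"
        print(f"{r.scheduler}: reported {r.reported_wait()}d, "
              f"actual {r.actual_wait()}d ({option})")
    print(dict(flags_by_scheduler(SAMPLE)))
```

A check like this only works if the referral date comes from a record the scheduler cannot edit, which is the access-control and monitoring question the rest of the article raises.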
Twenty-seven percent of VA schedulers surveyed in 2005 said they “were directed to never use the next available appointment option” and another 10 percent said they “believed that their leadership pressured them to keep waiting lists short, causing them to circumvent established procedures for scheduling appointments.”
A significant majority of the survey respondents — 81 percent — told the IG they had received no training on the use of the electronic waiting list and only 45 percent said they had received any formal training on the use of the scheduling module within the Veterans Health Information Systems and Technology Architecture, or VistA, the backbone of VA’s electronic health record and scheduling system.
Now new questions are emerging about the security of the VistA system and its vulnerability to insider manipulation.
“Everybody is going to blame those hospital administrators for the secret wait lists…and that really, really bothers me,” said a former senior IT security official at VA, who spoke to FedScoop on condition of anonymity. The real blame, the former official said, should go to the agency chief information officer.
According to the former VA security official, security certifications for hundreds of IT systems were rushed through the process or received so-called risk-based decision memorandums to allow their use without fixing identified shortcomings or security vulnerabilities. As late as 2012, VA had 4,000 security Plans of Action and Milestones still open.
FedScoop reached out to VA for comment, but did not receive a response by publication.
Significant weaknesses in VA’s internal identity management and access controls have been a long-standing problem for VA cybersecurity. The agency’s latest Federal Information Security Management Act audit report, published in June 2013, described the significant problems VA continues to have with its internal access control and monitoring.
“User access requests were not consistently reviewed to eliminate conflicting roles and enforce segregation of duties principles,” according to the report. “Additionally, we noted inconsistent monitoring of access in production environments for individuals with excessive application privileges within major applications.”
This is a central issue for VistA security and for the current investigation into falsified wait times, the former VA official said. “Integrity of data is a huge insider threat,” the official said. “And that’s what this [scandal] really is. It’s an insider threat.”
FedScoop reviewed software user documentation for the scheduling and consultation modules of VistA. Many of the manuals haven’t been updated in years. But the user guide for the scheduling module shows that certain users with the appropriate security key are allowed to “overbook” patients for clinic appointments, even when there is no room on the schedule.
“If I were a doctor in Phoenix or one of the other facilities, I would be pointing the finger directly at IT,” the former VA official said. “Who is allowed to grant access to VistA and why isn’t there a second level of approval? Centralized IT at VA is a disaster.”