Subscribe to our daily newsletter.
Subscribe

VA electronic health record system hit with further outages at Walla Walla site

The Department of Veterans Affairs’ electronic health record system has suffered two further outages.

VA and Cerner executives told lawmakers Tuesday that the EHR system went down Monday for about 127 minutes and said they were continuing to investigate the cause of a second incident that took place today.

“There was an outage today at Walla Walla … and an outage yesterday for 127 minutes due to load imbalance,” said Laura Prietula, VA’s deputy chief information officer for electronic health record modernization.

General Manager of Cerner Government Services Pat Sargent added that the Monday outage was caused by a system update sent out at around lunchtime.

The executives testified at a congressional hearing held by the House Committee on Veterans’ Affairs to examine the future of the VA’s electronic health record modernization program.

The two outages are the latest examples of issues to hit Cerner’s Electronic Health Records system, which went live at the Jonathan M. Wainwright Memorial VA Medical Center in Walla Walla, Washington earlier this month. The entire platform, which serves users across the Department of Veterans Affairs, Department of Defense and the U.S. Coast Guard went down for a two-hour period on April 6.

The outages come amid heightened scrutiny of the program from lawmakers over the potential impact of the EHR program rollout on the delivery of healthcare to veterans.

On Monday, Deputy Secretary of the Department of Veterans Affairs Donald Remy visited the department’s medical center at Spokane and was told that on at least two occasions local veterans had their medications mistakenly stopped due to a problem with health records.

That same day, VA Secretary Denis McDonough said his agency would not need to request more money from Congress to complete the nationwide rollout of the computer system, which is projected to cost at least $16 billion.

The secretary’s remarks followed a report from the VA’s watchdog, which found that the department did not comply with the Federal Acquisition Regulation in at one instance when it paid Cerner for work carried out as part of the contract, and said the program is likely to cost about $2 billion extra for each year it runs behind schedule.

CDC expands Palantir’s non-COVID disease surveillance contract again

The Centers for Disease Control and Prevention once again extended and expanded a contract with Palantir Technologies to apply its outbreak response and disease surveillance solution to more respiratory diseases.

Palantir will continue to modernize the Data Collation and Integration for Public Health Event Response (DCIPHER) environment, built on its Foundry platform, to ensure CDC has the infrastructure necessary to perform genomic sequencing of variants and track them and their outcomes.

DCIPHER is one of Palantir’s longest-running public health software partnerships, having run more than a decade, and influenced its COVID-19 pandemic response support — despite being a separate initiative encompassing food-borne outbreaks, Ebola, anthrax management and bacterial special pathogens.

“Beyond COVID, by incorporating innovative genomic workflows into traditional public health surveillance, CDC is building upon its foundational investments in a modernized technology infrastructure,” said Dr. William Kassler, chief medical officer for U.S. government at Palantir, in an April 15 announcement.

The CDC is increasingly investing in modular technology that can apply COVID-19 use cases to other diseases and incorporate granular demographic data from multiple sources to help improve health equity in underserved communities, according to a person with knowledge of the contract.

Palantir declined to disclose the length or value of the contract extension, but it builds on the tech company’s wastewater surveillance work with CDC, which provides a picture of diseases affecting particular communities.

DCIPHER is currently used by the System for Enteric Disease Response, Investigation and Coordination; National Center for Immunization and Respiratory Diseases; and National Wastewater Surveillance System within the CDC’s Division of Foodborne, Waterborne and Environmental Diseases. The Department of Health and Human Services, National Institutes of Health and Food and Drug Administration also use DCIPHER, as did several military branches to mitigate COVID-19’s impact.

Industry still faces ‘a lot of ambiguity’ around CMMC implementation

Federal contractors still face a lot of unknowns about how the Pentagon’s controversial Cybersecurity Maturity Model Certification program will be implemented, the head of a leading trade association told lawmakers Tuesday.

The CMMC program is an effort to prod the defense industrial base to improve their cybersecurity with new certification-based standards and better protect controlled unclassified information from adversaries.

After receiving major pushback from contractors about the burdens and cost of implementation and conducting an internal review, the Department of Defense in November announced that it was revamping its plans and would eventually implement what it called CMMC 2.0.

Additionally, earlier this year Deputy Defense Secretary Kathleen Hicks moved responsibility for the program from the Pentagon’s acquisition and sustainment office to the Office of the CIO.

“The requirements are in the early stages of the rulemaking process. And so we anticipate a revised Defense Federal Acquisition Regulation Supplement to … come out. We’ve heard various estimates that it could be as early as late this spring or as late as a year from now,” David Berteau, president and CEO of the Professional Services Council, said during a Senate Armed Services Committee hearing on the health of the defense industrial base.

He continued: “What we don’t know is, what’s the next standard we’re gonna have to comply with? What’s the timeline in which the flag will go down and you’ve got to be in compliance? And what can you do now to be ready for that when you don’t know … what standards you’re gonna have to meet? So, there’s still a lot of ambiguity there.”

Delays in the program have implications for cybersecurity, he noted.

“One of the problems or concerns that we’ve raised from the beginning is the threat is not waiting for this implementation, if you will, and every day that threat grows,” he said. “The real question is, do those standards go far enough in order to protect us against the evolving threat? And nobody really knows the answer to that.”

CMMC 2.0 is intended to simplify the standards, minimize barriers to compliance, provide additional clarity on regulatory, policy and contracting requirements, increase department oversight of “professional and ethical standards in the assessment ecosystem,” and improve the overall ease of execution, according to a DOD press release issued in November.

Key changes include a reduction in the number of security compliance levels from five to three, and a reduction in the number of contractors that will be required to get third-party verification of their compliance.

The DOD plans to specify a baseline number of requirements that must be achieved by contractors prior to contract award.

CMMC won’t be implemented until after the completion of the rulemaking process for the Code of Federal Regulations and the Defense Federal Acquisition Regulation Supplement.

However, the Pentagon has encouraged contractors to beef up their cybersecurity while the rulemaking is underway.

Berteau noted that many contractors are already moving to come into compliance with the cybersecurity standards laid out in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), which are expected to inform CMMC.

“Almost every company I know and that participates in the defense business today at the prime contractor level, whether large, medium or small, is already investing and has a plan on record for compliance with and meeting those standards,” Berteau said. “It’s not being incorporated into contracts [now as part of CMMC] … but a lot of people are moving forward anyway.”

Drivers for on-prem vs. cloud investments

Federal agencies have gained new insights into the pros and cons of moving their workloads to the cloud over the past two years. At the same time, the rapid evolution of modern server technology has prompted leaders to reevaluate their IT spending plans for on-premises data centers, edge computing and cloud services.

A new report presented by FedScoop and underwritten by ThunderCat Technologies and Dell Technologies highlights the government leaders’ perceptions about the benefits and challenges of modernizing on-premises data centers and edge computing capabilities — relative to deploying workloads to the cloud.

Read the report.

The report, “Modernizing Federal IT,” found that agencies still rely on multiple IT environments for executing, storing and backing up critical computing workloads. But more federal officials now run most of those workloads in government-approved clouds than in their own agency-operated data centers. According to the report, the reliance on cloud services is gaining momentum; federal officials said critical computing workloads grew fastest on government-approved cloud platforms over the past 12-18 months. Key factors driving their infrastructure investment decisions over the next three years include the need to secure data moving across multiple environments, the anticipated growth of agency data and the need to analyze data in real time.

Differing perspectives, however, can lead to delays in modernizing, making it essential for program and IT leaders to share a clear and common understanding of advancing technology capabilities.

Download the report to learn more about what is driving federal IT spending.

This article was produced by Scoop News Group for FedScoop and underwritten by ThunderCat Technology and Dell Technologies.

Watchdog says VA violated Federal Acquisition Regulation with electronic health records contract payments

The Department of Veterans Affairs did not comply with the Federal Acquisition Regulation in at least one instance when it paid Cerner for work carried out as part of its electronic health records modernization program, according to the agency’s inspector general.

In a report published Monday, the agency’s IG identified a task order for scheduling work undertaken that was paid without any verification of contract deliverables. Cerner and Booz Allen Hamilton are two of the key federal contractors carrying out work as part of the modernization program.

“The OIG reviewed all IMS-related invoices paid through August 30, 2021 and found that for one of the two task orders, OEHRM [Office of Electronic Health Record Modernization] did not take the necessary steps to allow ‘acceptance’ of multiple IMS deliverables (that is, review their compliance with contract requirements) until after the related invoices were paid – even though these deliverables were critical to monitoring program progress,” the watchdog said.

In one case the department paid an invoice 10 months before accepting the relevant deliverable, according to VA’s IG. In its report, the watchdog said the error occurred in part because the integrated master schedule deliverables were not separately priced, and VA did not provide staff with training on how to review and accept such deliverables.

Under the Federal Acquisition Regulation, agencies must accept the delivery of services or goods before making payments to contractors.

The findings are part of a wide-ranging investigation into the electronic health record’s integrated master schedule, which is used to set out the order of connected and detailed tasks and is especially crucial for the delivery of large, multi-billion dollar federal government contracts.

Among the watchdog’s conclusions are that VA did not have a high-quality, reliable master schedule and that it lacked clearly defined contract requirements. It said also that VA should improve stakeholder communication, ensure consistency between contract language and office plans and ensure that it complies with each aspect of the Federal Acquisition Regulation.

The investigation is one of a slew of recent reports looking at failures within the modernization project. Last month the VA’s Office of Inspector General last week published a trio of reports that identified major concerns about care coordinationticketing and medication management associated with the EHR program launch.

These came after it in February detailed the Department of Veterans Affairs‘ failure to ensure that data transferred during the rollout of its new electronic health record (EHR) modernization platform met clinicians’ needs.

The executive director of the EHRM Integration Office at the VA concurred with the watchdog’s six latest recommendations and provided responsive action plans. VA has target completion dates to implement recommendations from May through December.

At a subcommittee hearing later today, leaders of the VA and Cerner will answer questions from members of the House Committee on Veterans Affairs about the future of the IT modernization program.

Cerner declined to comment.

HHS puts $90M toward improving health center data collection

The Department of Health and Human Services launched a $90 million initiative to get its health centers the data they need to reduce health disparities using remaining American Rescue Plan Act funds.

A modernized data collection and reporting initiative, called Uniform Data System Patient-Level Submission (UDS+), will fund Health Resources and Services Administration-designated health centers’ efforts to gather more and better information on social determinants of health.

The $90 million funding was left over from $1 billion HRSA made available through the American Rescue Plan-Capital funding opportunity in April 2021. Slightly more than $950 million was awarded at the time for health center construction.

USD+ comes as the White House’s Equitable Data Working Group releases recommendations on advancing the use of such information governmentwide and targets health centers in medically underserved communities — often disproportionately affected by the COVID-19 pandemic.

“Health centers are vital to increasing equitable access to primary health care,” said HHS Secretary Xavier Becerra in Thursday’s announcement. “The Biden-Harris administration has made historic investments in health centers, and this funding from President Biden’s American Rescue Plan will further enable health centers to utilize data to meet the needs of their community and help reduce gaps in care.”

USD+ will further streamline health centers’ data quality reporting and help them better target community needs with funding available for COVID-19 efforts, as well as improving health IT, data collection and related training. HRSA currently plans to award about $60,000 per awardee around August 1, 2022.

New health center enhancements will boost patient-level reporting and investigations into disparities in health care use and outcomes by race, ethnicity, age and other demographics. Data standardization will help health centers identify the most at-risk populations and necessary clinical interventions and participate in disease surveillance during future outbreaks.

Health centers have until 5 p.m. ET on May 23, 2022 to apply for the supplemental funding.

HRSA has awarded about $6 billion to expand COVID-19 testing, vaccinations and treatment for high-risk populations; $1 billion to increase access through construction; and $32 million to provide COVID-19-related training and technical assistance at health centers since March 2021. More than 90% of HRSA health centers’ patients live at or below 200% of Federal Poverty Guidelines, and nearly 63% are racial or ethnic minorities.

Combatant commander tasked with homeland defense warns of shortage of AI capabilities

U.S. Northern Command and North American Aerospace Defense Command don’t have sufficient artificial intelligence and machine learning capabilities, the dual-hatted chief of both organizations warned Monday.

The Pentagon is pursuing new space-based sensors, communications systems and other capabilities to improve situational awareness. But it needs AI to better crunch and share the data it collects.

“This year’s budget, I think, moves the ball down the field with regards to domain awareness. We’ll be able to hopefully field over-the-horizon capabilities, which will give us more standoff distance than what we currently have today. But we also need to take that domain awareness — the sensors that we have today and any potential new sensors — and share that data and information, and utilize artificial intelligence and machine learning to make that data and information available sooner than we have in the past to decision-makers,” Gen. Glen VanHerck, commander of U.S. Northern Command (Northcom) and North American Aerospace Defense Command (NORAD), told the Defense Writers Group.

Northcom is an American combatant command whose area of responsibility encompasses North America.

NORAD is a joint U.S.-Canadian organization tasked with aerospace warning, aerospace control and maritime warning for North America, including the detection, validation, and warning of attack against North America by aircraft, missiles, or space vehicles.

“I don’t have what I need as far as artificial intelligence and machine learning to give the [needed] decision space to the president, the secretary of defense, the chief of the defense staff in Canada, the minister of defense and the prime minister in Canada,” VanHerck said.

AI and ML are needed to create more deterrence options and enable “decision superiority,” he said.

The U.S. homeland faces growing threats including from hypersonics and cruise missiles that could be launched from Russian or Chinese ships and aircraft. In the future, adversaries could even base cruise missiles on container ships disguised as civilian vessels, he said.

“The urgency is there in my mind,” VanHerck said.

NORAD has a “pathfinder” program that aims to better use information that’s available today through radars that are part of the North Warning System that stretches across Canada and Alaska.

“We only process about 2% of the data [but] the system actually has capability to give you a lot more domain awareness. And so what we’re doing with the Pathfinder program is … we’re taking the raw data — 100% of the information — and fusing that and using artificial intelligence and machine learning and distributing that information to gain time and space, if you will,” for decision-makers, he said.

But that’s not sufficient, according to VanHerck.

“What I’m focusing on is a global look across all domains and fusing data and information,” he said.

NORAD, Northcom and the other combatant commands have been conducting a Global Information Dominance Experiment (GIDE) to demonstrate the benefits of using AI to enhance global collaboration among U.S. forces. Four such experiments have already been held.

The experiments demonstrated that artificial intelligence and machine learning technology can detect changes in an adversary’s military posture — such as the movement of platforms or weapons — fuse that information and alert U.S. forces, according to VanHerck.

“We’re not creating new data. We’re taking machines that can take existing data, analyze it faster, and alert you to it so you can create deterrence and defense options if you need to,” he said.

Now that the four GIDE experiments have wrapped up, VanHerck hopes that Pentagon leaders will grab the baton and forge ahead with the technology.

“Candidly, we’re not moving fast enough for me. We can’t apply what I say are industrial age, industrial base processes to software-driven capabilities. In today’s environment, the department has to change to fundamentally go faster,” he said. “We can’t utilize what I would say are legacy development processes where we do everything in serial.”

He continued: “I think we’re ready to field some of these capabilities, specifically when you’re focused at the operational to strategic level where what we’re trying to do is give increased decision space to our nation’s most senior leaders” so that they have more time to take action to deter adversaries or defeat their attacks.

Providing those capabilities would reduce the probability of a successful attack on the U.S. homeland and strategic deterrence failure, he said.

“This is something I’m very passionate about and something that we have to move forward with sooner than later,” VanHerck said.

Pentagon hires first chief digital and AI officer from Lyft

Craig Martell has left his role as head of machine learning for Silicon Valley rideshare company Lyft to be the Pentagon’s first chief digital and artificial intelligence officer, the Department of Defense announced Monday.

Martell has also held machine learning and AI roles at Dropbox and Linkedin. His professional experience with the U.S. military is limited to his service as a tenured computer science professor at the Naval Postgraduate School specializing in natural language processing.

“Advances in AI and machine learning are critical to delivering the capabilities we need to address key challenges both today and into the future,” said Deputy Secretary of Defense Kathleen Hicks. “With Craig’s appointment, we hope to see the department increase the speed at which we develop and field advances in AI, data analytics, and machine-learning technology. He brings cutting-edge industry experience to apply to our unique mission set.” 

The Department of Defense announced the creation of the Chief Digital and AI Office last December to centralize oversight of data and AI initiatives under one official at the highest levels of the Pentagon. The CDAO reports directly to the deputy secretary of Defense.

The CDAO launched with initial operational capability Feb. 1 and plans to reach full operational capability by June.

The Pentagon office of the Chief Information Officer transferred the Joint AI Center to the CDAO’s leadership. The new office will also oversee the Pentagon’s Defense Digital Service and the chief data officer units.

Last month, the Department of Defense announced Margaret Palmieri as deputy chief digital and artificial intelligence officer. Palmieri was special assistant to the vice chief of naval operations and previously founded and directed the Navy Digital Warfare Office.

While the CDAO sits separately from the office of the CIO in the Pentagon’s reporting structure, the two offices will operate closely together to support the DOD’s core IT and digital mission sets.

CIO John Sherman has been serving as interim CDAO since February. He told FedScoop last month that the job of the incoming CDAO will be to “raise the waterline” for AI and digital development across the military services and commands. That will require “tapping into all of the department’s data and then leveraging that for really at-speed analytics to be able to give commanders, decision makers — all the way from Secretary [of Defense Lloyd] Austin to a combatant commander to a leader in the field” — the capabilities needed to stay ahead of China, which is the Pentagon’s “pacing challenge,” Sherman said.

Quantum cyber legislation recognizes difficult transition lies ahead

Proposed legislation that would give agencies a year to begin migration to post-quantum cryptography is a recognition transitioning from legacy to new algorithms will require significant planning and funding, say industry experts.

The Quantum Cybersecurity Preparedness Act would give the Office of Management and Budget a year from the day the National Institute of Standards and Technology issues post-quantum cryptography standards to prioritize the migration of agencies’ IT systems based on cybersecurity risk. Reps. Nancy Mace, R-S.C.; Ro Khanna, D-Calif.; and Gerry Connolly, D-Va., introduced the bill.

While quantum computers are thought to be a decade or more off, foreign adversaries plan to use the technology to crack encrypted data they’ve already exfiltrated from U.S. systems.

“What I like about this act is it’s recognizing the risk of the hack now, decrypt later threat,” Duncan Jones, head of cybersecurity at Quantinuum, told FedScoop. “And I think that’s really important to focus on.”

Assuming the data China exfiltrated in the 2015 Office of Personnel Management breach was encrypted with traditional, public key encryption, those files will be vulnerable to quantum computers once the nation-state develops them.

Quantinuum was one of six tech companies to endorse the legislation, despite its work developing quantum-powered technology to address global challenges across a number of disciplines, because it recognizes the risk quantum computers pose to public key encryption, Jones said.

That’s a threat that needs to be taken “very seriously” considering the amount of money foreign adversaries like China are spending to beat the U.S. to quantum computers, said Eddy Zervigon, CEO of quantum-safe security company Quantum Xchange.

He added: “They’re also much more pronounced in terms of their successes, [for example] you can look at some of the stuff they’ve done in space with their satellite QKD system.”

According to Zervigon, the government’s lack of quantum-resistant ways to deliver data is a particularly pressing issue for public and private satellite operators that need cryptography to protect telemetry, tracking and control and data in transit.

NIST’s forthcoming algorithms will be quantum resistant, and the Quantum Cybersecurity Preparedness Act would give OMB a year to provide Congress with its strategy for protecting agencies’ vulnerable IT systems by migrating to those standards, the cost of the effort and its analysis of ongoing efforts around post-quantum cryptography. OMB would also be required to report annually on the state of the governmentwide transition.

“These algorithms that are being standardized right now by NIST, it’s not too long before those are ready,” Jones said. “That’s not the moment to start acting.”

The proposed legislation builds on National Security Memorandum-8 issued in January, which required agencies to identify all instances of encryption that wasn’t quantum resistant but also allowed them to obtain waivers for such systems.

A governmentwide approach to post-quantum cryptography should involve developing not only algorithms but agile hardware and software, according to the bill text.

The only thing the legislation lacks is “real hammers” around migration and technology adoption deadlines for agencies to ensure there are consequences for not having post-quantum cryptography in place, Zervigon said.

“This is going to be the greatest cryptographic migration in history,” he said. “So let’s make sure the architecture, the foundation is set right before we start applying all these different new technologies and products onto something that might not be able to support what we’re trying to do here over the long haul.”

Army’s futuristic IVAS headset could be a waste of $22B without user acceptance, IG warns

The Army is at risk of wasting up to $21.88 billion in taxpayer funds to procure its futuristic augmented reality headset because the requirements for user acceptance are not clear, according to the service’s inspector general.

During a recent audit, the Army Inspector General discovered that the service hadn’t set minimum user acceptance levels for the forthcoming Integrated Visual Augmentation System (IVAS), which it says are necessary to determine if the Microsoft-developed AR headset will meet users’ needs.

The IVAS headset is a ruggedized augmented reality and heads-up display system based on Microsoft’s HolonLens 2 device. The Army issued the roughly $22 billion contract to Microsoft for 120,000 headsets last March after successful prototype testing of the platform, which it says “improves soldier sensing, decision making, target acquisition, and target engagement.”

In the highly redacted report on the findings of its audit, the IG established that while the service did take user feedback into account to develop IVAS, the service “did not define clear measures of user acceptance levels to determine whether IVAS would meet user needs.”

“Defining suitable user acceptance levels to determine whether IVAS meets user needs will help ensure that the Army only procures systems that close combat forces will use and will assist the Army in providing a reliable report to DoD leadership and Congress relating to communications, lethality, mobility, protection, situational awareness, and survivability,” the report reads. “According to program officials, IVAS has the potential to change how Soldiers execute missions in close combat. Obtaining Soldier acceptance will help ensure IVAS meets Soldier requirements and optimize the system’s operational benefits at the start of the IVAS distribution.”

Appropriators on Capitol Hill have been similarly wary of the success of the IVAS headset. As part of the 2022 Consolidated Appropriations Act passed in March, Congress put a hold on $349 million in funding for IVAS until the platform makes it through initial operational testing and the Program Executive Office Soldier team in charge briefs appropriators on developments.

That came after the Army, in October 2021, announced delays in bringing IVAS into operation testing until May and launching it into the field until this September after discovering issues with the headset’s field of view.

Responding to the findings of the IG, Army leaders explained that it would be “misleading” to believe the service could waste nearly $22 billion on the procurement, even in a worst-case scenario regarding user adoption, and called the thesis “inflammatory” as the contract’s ceiling is spread over a 10‑year period, including all possible sales to other services and foreign militaries.

On top of this, the service feels that while user feedback is “useful in the requirements development process and prototyping when Soldier‑centered design is most impactful,” it’s not objectively measurable because “Soldier acceptance can be impacted by subjective forces such as fatigue, weather, experience, bias, and familiarity with the legacy system.”

However, Army officials confirmed that IVAS will be required to meet performance measure criteria prior to operational testing, which will include user acceptance.