HHS is in Critical Need of IT Modernization Because of High Security Risk


The Government Accountability Office (GAO) just published the results of an audit involving all federal government systems running on legacy operating systems. The purpose of the audit was to find out the extent of using legacy software programs and systems, and to identify the departments that need modernization the most.

GAO reviewed a total of 65 federal agency systems at 24 agencies and created the top ten list of systems needing modernization. GAO also evaluated the plan of agencies to upgrade their systems and compared those plans alongside IT modernization recommendations.

The top 3 departments that need modernization are the Department of Health and Human Services (HHS), the Department of Defense (DoD) and the Department of Education (DoE). The three departments that have high system criticality and high security risk are HHS, the Department of Homeland security (DHS) and DoE.

HHS needs a considerable level of modernization. It still uses a legacy system that is 50 years old for clinical and patient administrative activities. It’s been rated to have high security risk because GAO was not able to accurately gauge the age of its systems.

The HHS systems are still written in legacy languages, C++ and MUMPS. It’s already difficult to find programmers who know the MUMPS code, indicating the desperate need to modernize.

Th system was developed with 50 more modules and is set up and used on a lot of computers with different configurations. The system is indispensable, yet complicated and hard to develop and sustain.

GAO remarks that prolonged use of legacy systems and software inevitably entails a higher maintenance expense and are prone to far more cybersecurity risks. Modernization is the solution to risk management and improved efficiency of the system.

Although the government is planning to modernize IT in the majority of its departments, there are no documented plan yet for modernizing the IT of HHS. Before deciding to modernize a legacy system, the dependency of the core mission functions of the agency on the system is considered first. That is why upgrades have been put off for so long. Unless an IT modernization plan is created and completed, departments will have more cost overruns, schedule slow downs, and project failure.

The HHS has acknowledged the concerns brought up by GAO and is willing to upgrade its technical designs and infrastructure. A contract with a third party has been awarded to study how to modernize the HHS systems in phases over the span of one year. As soon as the report is obtained, HHS is going to create its modernization plan, which hopefully will be implemented in 2020.

The HHS has a big IT budget among the government agencies. Modernization could lower that cost. But GAO mentioned that the modernization will demand a substantial capital investment and it is uncertain if it will really result in cost savings.