Tighter Security, Internet Efforts Drive HHS Goals

By Ed McKenna

Like many other federal agencies trying to keep pace with the rapidly changing information technology landscape, the Department of Health and Human Services plans to leverage Internet technology in 2000 to deliver more information to the public and to improve communications among its operating divisions and headquarters. It also will press ahead with efforts to improve information management and security in keeping with the Health Insurance Portability and Accountability Act of 1996 and a presidential directive on cybersecurity issued by President Clinton in 1998, according to Brian Burns, deputy chief information officer for Health and Human Services.

The department, which comprises 11 operating divisions that oversee more than 300 separate programs, spent about $1.4 billion on information technology in fiscal 1999. That figure should hit about $1.7 billion by 2004, according to the market research firm Input, Vienna, Va.

That funding is parceled among a long roster of contractors, with no one company holding more than a 6 percent stake. But initiatives to boost information infrastructure management and security should spark more business opportunities in the coming year. Already, the department is exploring incremental implementation of enterprise resource programs. Meanwhile, operating divisions of the department, such as the Centers for Disease Control and Prevention (CDC) and the Health Care Finance Administration (HCFA), are developing plans to revamp their information architectures.

At the same time, the department is looking for opportunities to outsource IT management. One source of outsourcing contracts, the Chief Information Officers-Solutions and Partners program, which is managed by the National Institutes of Health, Bethesda, Md., is slated for rebidding this year. This agency within Health and Human Services is the principal biomedical research arm of the federal government.

Although the existing contract, which has a spending ceiling of $10 billion, ends in 2001, NIH is hurrying the bidding process so that vendors can compete for longer-term task orders. "When you tell customers that you can provide services for only another year or two, they tend to look for another vehicle," said Michael Duffy, senior vice president and director of health systems at SRA International Inc., Fairfax, Va.

One of the contractors selected to compete for task orders under governmentwide agency contracts, SRA has garnered more than $150 million in task orders, said Duffy. With a dedicated health unit, the company earns about $80 million, or a quarter of its revenue, from its health-related business. Of that amount, about $60 million is from civilian agencies, and $20 million is from defense agencies.

Two major outsourcing service contracts are also about to be put up for grabs. The Health Care Finance Administration plans to rebid its $58 million Data Center Facility Management Services contract currently held by Computer Sciences Corp., El Segundo, Calif. The contract requires the vendor to provide total IT support services for HCFA's data center. "I think that CSC has done a really good job, but once you get into a bidding process, you can never predict," said Gary Christoph, HCFA's chief information officer.

A draft request for proposals is expected by this summer for the CDC's Omnibus Information Systems Support Services contract, according to James Seligman, CDC's chief information officer. Worth about $260 million, the contract, which covers one base year and four option years, initially was awarded to TRW Inc. in 1996.

The contract stipulates that the vendor provide CDC with IT support and processing services. Over the past few years it has developed into a bit more than the average information services program, said John Cook, vice president for TRW's health care services unit in Reston, Va. Along with basic information services, TRW personnel have been enlisted to address specific projects, he said, adding "we also provide epidemiologists and other science types of staff to augment" the agency staff.

These and other programs have been moved to the front burner after an exhausting year 2000 software remediation effort that cost HHS about $806 million, Burns said. The department's systems came through unscathed, but some of the programs it had planned to fund or develop were put on hold pending those efforts, he said.

HCFA especially was pressed. "A third of my organization was moved over to work on Y2K," said Christoph, who added that the final tab could run to about $390 million. Among the vendors who helped HCFA in its year 2000 efforts were SRA, TRW's Systems Integration Group, Fairfax, Va., and Averstar Inc., Burlington, Mass.

"We got involved in their Y2K effort about two and a half years ago [when] we were hired to provide independent verification and validation of the Medicare system," said Richard Saad, senior manager of Averstar's Y2K services for HCFA. The Medicare system spans 85 different systems in various locations, Saad said. A key challenge for HCFA was tightening up its vendor oversight so contractors' solutions are done in a fairly uniform way, added Bruce Burton, Averstar's executive vice president. "There have been some good lessons learned," said Burton, who noted that on a basic level, HCFA learned how to set a priority, develop a good program management plan and implement it.

For HHS as a whole, "it forced us to inventory our systems and determine which ones were really mission critical and which could be upgraded or needed to be replaced," said Burns. "It also helped us build the partnerships with the states and even internally between our organizations."

Along with raising awareness of the critical importance of the IT infrastructure, the two-plus year effort also provided a good prelude to the next big information security issue: cyberterrorism.

The department is beginning to focus its energies on developing a security strategy, an effort that officials concede was set back by Y2K preparations. "We have some ideas," said Burns, who warned it would take a lot of work, both internally and with the private sector, to identify what the department needs to lock down and manage that security capability.

Among the operating divisions, there have been some incremental initiatives. The National Institutes of Health is ordering security systems under the General Services Administration's Access Certificates for Electronic Services, a governmentwide acquisition contract offering off-the-shelf, public-key infrastructure products and services. CDC went through its own process to select a suite of information security tools last year, designed to address intrusion detection, vulnerability analysis, PC security (encryption), public key infrastructure and forensics, said Seligman.

HCFA's situation is sensitive because it has oversight responsibility for the world's largest repository of health information. The division runs a wide area network with a security perimeter that reaches to points throughout the country, Christoph said.

The agency is studying the situation and looking at what other divisions are doing, he said, noting that GSA's Access Certificates for Electronic Services has some interesting products.

"We're not in a position to be able to develop a custom solution here," he said. Instead, Christoph said HCFA will take something that is available commercially and that can be scaled up to serve more than 1 million users.

Along with security upgrades, Health and Human Services wants to improve its information infrastructure and management. For example, CDC is looking to migrate from its "stovepipe orientation to a much more real-time and comprehensively integrated set of information systems," said Seligman. To do this, the agency is leveraging the Internet and developing database standards and more holistic integrated information systems.

HHS' Program Support Center also is looking into implementing human resources and payroll programs. "These would be the first pieces of enterprise resource planning systems we would tackle," he said. If those areas show success, the department will expand that capability into the other areas of enterprise resource planning, he said.

The department is also looking to outsource IT management responsibilities wherever possible. For example, HCFA opted last year to outsource about 4,000 desktops to Boeing Information Services Inc. (acquired by Science Applications International Corp. of San Diego) through a $50 million task order that came off NASA's Outsourcing Desktop Initiative. "It is going quite well," Christoph said. HCFA primarily outsourced the hardware and software, he said, adding "we still maintain our own help-desk network."

HHS is also looking at whether to outsource some of its Internet operations, said Burns. The department stepped in that direction in September 1999 when it outsourced the management of its Web site to GTE Internetworking, McLean, Va.

The contract was awarded in September and is worth about $155,000 annually under the NASA Scientific & Engineering Workstation Procurement, according to Tim Gamble, federal account manager for GTE Internetworking.

As it upgrades its security and management, the Department of Health and Human Services also will use the Internet to deliver ever-more information to meet growing public demand. Its Healthfinder Web gateway (www.healthfinder.gov) served almost 5.9 million users last year, more than double the 1998 total. And since it opened for business in 1994, the Web site for the CDC (www.cdc.gov) has seen its monthly tally surge from about 10,000 to 2 million. "There is no sign of abatement yet," said CDC's Seligman. The CDC has about 65,000 pages of information available at its Web site, which will be revamped over the next two to three years to make it more user friendly, he said.

Healthfinder offers resources from about 1,700 government, non-profit and education sponsored sources, up from 1,100 when it was first established in 1997, said David Baker, senior publishing adviser with HHS' office of disease prevention and health promotion. It costs about $1 million a year to manage and maintain the sites, he said.

Many of the Web offerings take place on a smaller scale. For example, DynCorp Information Systems, Chantilly, Va., is developing an Internet site for NIH's National Institute for Neurological Disorders & Stroke Office (NINDS).

"NINDS has a very diverse clientele coming to its Web site," ranging from medical researchers to family members of Alzheimer's patients or stroke victims, said James Kane, vice president of DynCorp Information Systems. DynCorp is receiving about $2 million to develop and implement the Web site, which is expected to go online this summer, according to Kane.

While health organizations are offering more and more data on the Web, human services divisions have been more cautious. For example, HCFA has been slow to take advantage of the Internet because of concerns over privacy, said Christoph. How that reconciles with HHS' desire to make better use of the Web remains to be seen.

The agency does host medicare.gov, a site designed to help Medicare beneficiaries with health care choices.