Apr 27 2017

Will the VA Go to the Cloud for Its VistA Health Records System?

The Veterans Affairs Department explores providing electronic health records via Software as a Service.

The future of the Veterans Affairs Department’s electronic health record system is up in the air, and VA Secretary David Shulkin has vowed to decide, by July 1, whether the agency will hold on to the service or replace it with a commercial offering.

However, there may be another path forward for the system, the Veterans Information Systems and Technology Architecture, better known as VistA: in the cloud.

Earlier this month, the VA released a request for information on whether it could hold onto VistA but have it run, via the cloud, on a Software-as-a-Service model using commercial, off-the-shelf technology. Indeed, the VA calls it VistA as a Service, or VaaS.

Moving VistA to the Cloud Would Not Be Easy

It’s not a foregone conclusion that the VA will move VistA to the cloud; the agency is just considering it as an option. “The Secretary is committed to making a final decision on our EHR modernization approach in July 2017. Our current assessments will provide for the necessary due diligence required insofar as to select the best solution possible to meet VA’s immediate needs, as well as its long-term goals,” Tim Cox, a spokesperson for the VA’s Office of Information and Technology, said in a statement to FCW.

Moving VistA to the cloud would likely be a difficult undertaking. FedScoop notes that it would be difficult to minimize and get rid of the system’s “many redundancies, unique instances and interdependencies.”

The RFI notes that VistA interfaces with other VA systems, Defense Department systems and private-sector partners, all of which must be maintained and transitioned so that services for veterans are not degraded. “Any services to be provided for this effort, which may span multiple contracts, will create interdependencies which must be managed to achieve the ultimate goals described herein on an aggressive timeline,” the RFI notes.

What exactly would be moved? Well, it’s a lot. The RFI describes the current VistA environment, which is incredibly complex.

VA currently runs 130 separate and unique VistA instances, each with their own routines and data dictionaries. They are hosted at five data centers across the country and support over 1,200 Veterans Health Administration hospitals and clinics.

Each VistA instance is composed of over 2,700 files, 64,000 data fields, 1,300 print templates, 9,100 options structured across 1,700 menus, 3,300 remote procedure calls, 38,000 routines and 4.7 million lines of code. Additionally, each system has some local variation of these artifacts, and the current environment is further described at a multi-tier architecture layer level. Each of the 130 instances also has disaster recovery, test and read-only versions.

Requirements for a SaaS Version of VistA

According to the RFI, any cloud solution would need to consolidate the current legacy VistA data from 130 VistA instances at five data centers to a commercial VaaS solution, as a single VistA instance in a commercial cloud environment, or provide a commercialized VistA.

The VA wants any cloud solution to be both secure and highly reliable. The RFI states that the VistA cloud solution would need to meet the high baseline security requirements of both the Federal Risk and Authorization Management Program and the Federal Information Security Management Act, with sufficient load balancing and disaster recovery (at multiple sites) to support at least 99.9 percent — and up to 99.999 percent — reliability, depending on the VistA component.

Additionally, the RFI says the environment needs to support Platform and Software as a Service that the VA could use to co-locate other infrastructure that it might need to reside next to the VaaS for performance, security or other purposes.

The cloud environment would also need to support VistA development, test and pre-production environments for a single, standardized VistA instance at the infrastructure layer.

VistA’s current way of presenting itself to users is the Computerized Patient Record System (CPRS), which is deployed as a thick client-server based system. However, the RFI states, the VaaS should not require a thick application for day-to-day operations.

The VaaS web-based CPRS should integrate the current Joint Legacy Viewer web-based application, which provides EHR interoperability between the VA and the DOD medical systems.

Airman 1st Class Rito Smith/U.S. Air Force

Zero Trust–Ready?

Answer 3 questions on how your organization is implementing zero trust.