Joel Willemssen wrote the General Accounting Office's report on Medicare's noncompliant status, which the GAO published on May 16, 1997. On May 7, 1998, he testified before a House Ways & Means subcommittee. What he said reinforced what he had said a year earlier. Unforunately, it is now a year later.
* * * * * * * *
We are pleased to be here today to discuss the computing challenges that the upcoming change of century poses to virtually all major organizations, public and private, including government programs with a high degree of interaction with the American public such as the Social Security Administration (SSA) and Medicare. . . .
Vital economic sectors of the nation are also vulnerable. These include state and local governments; telecommunications; banking and finance; health, safety, and emergency services; transportation; utilities; and manufacturing and small business. . . .
The federal government is extremely vulnerable to the Year 2000 issue due to its widespread dependence on computer systems to process financial transactions, deliver vital public services, and carry out its operations. This challenge is made more difficult by the age and poor documentation of many of the government's existing systems and its lackluster track record in modernizing systems to deliver expected improvements and meet promised deadlines.
Year 2000-related problems have already occurred. For example, an automated Defense Logistics Agency system erroneously deactivated 90,000 inventoried items as the result of an incorrect date calculation. According to the agency, if the problem had not been corrected (which took 400 work hours), the impact would have seriously hampered its mission to deliver materiel in a timely manner. . . .
One of the largest, and largely unknown, risks relates to the global nature of the problem. With the advent of electronic communication and international commerce, the United States and the rest of the world have become critically dependent on computers. However, with this electronic dependence and massive exchanging of data comes increasing risk that uncorrected Year 2000 problems in other countries will adversely affect the United States. And there are indications of Year 2000 readiness problems internationally. In September 1997, the Gartner Group, a private research firm acknowledged for its expertise in Year 2000 computing issues, surveyed 2,400 companies in 17 countries and concluded that "[t]hirty percent of all companies have not started dealing with the year 2000 problem." . . .
Because departments and agencies have taken longer than recommended to assess the readiness of their systems, it is unlikely that they will be able to renovate and fully test all mission-critical systems by January 1, 2000. Consequently, setting priorities is essential, with the focus being on systems most critical to our health and safety, financial well being, national security, or the economy. Agencies must start business continuity and contingency planning now to safeguard their ability to deliver a minimum acceptable level of services in the event of Year 2000-induced failures. . . .
As a nation, we do not know where we stand overall with regard to Year 2000 risks and readiness. No nationwide assessment--including the private and public sectors--has been undertaken to gauge this. In partnership with the private sector and state and local governments, the President's Council could orchestrate such an assessment.
MEDICARE AND THE HEALTH CARE FINANCING ADMINISTRATION
As the nation's largest health insurer, Medicare expects to process over a billion claims and pay $288 billion in benefits annually by 2000. The consequences, then, of its systems' not being Year 2000 compliant could be enormous. . . .
We found that HCFA had not required systems contractors to submit Year 2000 plans for approval. Further, it did not have contracts or other specific legal agreements with any contractors, other than one recently selected contractor, stating how or when the Year 2000 problem would be corrected, or whether contractors would certify that they would correct the problem.
HCFA had also not identified critical areas of responsibility for Year 2000 activities. Although HCFA's regional offices have a role in overseeing contractor efforts, their specific Year 2000 responsibilities had not been defined, nor had guidance been prepared on how to monitor or evaluate contractor performance. While HCFA had been assessing the impact of the century change on its internal systems, it had not completed a similar review of Medicare contractors' claims processing systems. Further, HCFA had not required its contractors to prepare an assessment of the severity of impact of potential Year 2000 problems.
Plans for independent validation of contractors' strategies and test plans were also lacking. Likewise, while HCFA had asked contractors to identify their system interfaces, it had no plans for approving the contractors' approaches for addressing interface and data exchange issues. Moreover, HCFA had not developed contingency plans to address continuity of business operations in the event of Year 2000-induced failures. HCFA officials were again relying on the contractors themselves to identify and complete the necessary work in time to avoid problems. Yet the contractors had not developed contingency plans--and did not intend to--because they considered this HCFA's responsibility. . . .
The Department of Health and Human Services (HHS) has agreed to implement our recommendations. For example, HCFA has established the position of Chief Information Officer (CIO); this individual has made the Year 2000 issue his top priority. HCFA has also established a Year 2000 organization, and the issue is included in HCFA's information technology investment process and annual performance plan goals. It is also developing business continuity and contingency plans, with a draft plan set for release this month. Further, the Medicare carriers' manual has been revised to require such contingency planning.
It should be noted, however, that since our report of last year, HHS' and OMB's concerns about the Medicare contractors' systems have become more evident. For example, according to HHS' February 1998 quarterly Year 2000 report, "HCFA's Medicare contractor systems continue to be of great concern to the Department." In addition, in its summary of all agencies' February 1998 reports, OMB concluded that HHS was making insufficient progress on Year 2000 due in large part to HCFA's delays.
There are also indications that the agency has not documented the severity of impact of Year 2000-related failures -- in other words, how its core business functions would be affected if its automated information systems failed because of Year 2000-related problems. For example, if Medicare systems failed, the number of health services providers who would not be paid, paid late, or in incorrect amounts is unknown. HCFA has recently begun contingency planning that may address some of these issues. We are currently evaluating the effectiveness of HCFA's actions, at the request of the Senate Special Committee on Aging.