Thursday, October 13, 2011

"24", This Computer Project Was Not

A fascinating case study of IT failure in another life-critical domain has come to my attention.

I think if the words "FBI" were replaced with "hospitals" and "healthcare IT", this could be a study of IT failure in the latter organizations. Many of the familiar issues are there:

The Failure of Virtual Case File and the FBI


The FBI first sought to embrace technology in the 1980s during the onset of computer availability and hoped to have a paperless office where agents could quickly pull up case files, information, and photographs at the comfort of their desks without having to sift and sort through numerous paper files. The infrastructure in that time was limited to text based search engines and there were no provisions for photo storage or the ability to scan written reports. As a result, the FBI found its agents decided not to rely on the existing technology and were reverting back to paper.

After the attacks on September 11, 2001, the FBI was placed under scrutiny for being ineffective and inefficient in its operations due to the time it would take to share information with other law enforcement agencies, locate reports, and transmit them from one location to another (usually done via fax or by mailed CDs). To combat this, the FBI developed a plan known as Trilogy, which aimed for three primary goals: A new computer network, personal computers for most agents, and an online criminal database that would be titled Virtual Case File (VCF). An external contractor by the name of Science Applications International Corp. (SAIC) was contracted in June 2001 to begin the project with an estimated schedule of three years for completion and a first year budget of $14 million. The project continued until early 2005 (7 months over schedule), at which time the project scope had expanded by 80% with costs of $170 million and was riddled with issues. Ultimately, in early 2005, the project was cancelled but not after escalation and persistence on the part of the FBI.

The Problems and Failure of VCF

The FBI wanted SAIC to create the database from scratch instead of using off-the shelf Oracle programs that could have been customized. A study by the National Research Council (NRC) after the planned 3-year period in late 2004 was conducted to gauge the success of the program, and while the first two goals had been achieved (personal computers for most agents and the creation of a new network), VCF was found to be problematic and incomplete. The project plan was incomplete and there were no monitoring controls regarding finances or the schedule. The FBI threw quality out the window by wanting to bypass testing and release the product upon its ready date.

However, VCF failed the most basic functionality tests under the NRC and had not included network management, security, and storage systems, or basic sorting capabilities. The study also found that most of the FBI's skilled managers had left for the private sector and there were little to no individuals who had the IT experience or knowledge to interact effectively with contractors to achieve what was needed. The definition and scope of operations and processes were ultimately entrusted to SAIC who were outsiders.

In an attempt to salvage the project, the FBI immediately hired a federally funded R&D firm (Aerospace Corp.) costing $2 million to conduct an assessment of the project who concluded that the project needed to be scrapped and shut down due to the severity of the software issues. Upon investigation by Congress, there was a lack of financial controls and safeguards on the part of the FBI, enabling SAIC to continue to develop a program which was lacklustre and failed to meet objectives.

200 programmers from SAIC were used on the project when only a dozen were required and SAIC was not being properly monitored by the FBI. They felt as long as money was being funnelled to them by the government on the project, they did not need to be responsible for the effectiveness or viability of the program [was there a "hold harmless" clause as in health IT? - ed.] they were building and fired staff who expressed concerns over the direction of the program. [They must have been Luddites and IT skeptics who just refused to change the way they do things - ed.]

Further, the FBI took a trial by error approach to the project without truly understanding their end goal and without setting benchmarks for evaluating the progress of the project and took a nearly hands off approach by entrusting SAIC entirely. SAIC claimed the FBI were indecisive in what they wanted and there had been 19 government personnel changes over the project tenure which brought on scope creep and the focus of the project in a state of flux, in addition to a clear lack of leadership. A further $17 million was then spent by the FBI to perform more rigorous testing to try to salvage the project once more, which was another missed opportunity to cancel the project. It was only in early 2005 that the decision was made by Congress to terminate the project.

Source: Eggen, Dan; Witte, Griff. 'The FBI Upgrade that wasn't'. August 8, 2006. Website: (accessed on November 7, 2009).

"24" this was not.

Chloe O'Brian, where were you?

In the FBI's case, the failure exposes us to potential crime. In a hospital's case, the stakes are even more personal.

Even worse, at least here Congress intervened; health IT is a virtually unregulated industry and nobody is minding the store.

The UK's National Programme for IT (NPfIT) in the NHS paid the price of failure through problems such as above.

Will the "NPfIT in the HHS" meet a similar fate?

-- SS

Oct. 13, 2011 Addendum: where have we seen SAIC before?

How about here?

Case 3: Bedlam

Meanwhile, Science Applications International Corporation disclosed that computer backup tapes containing medical data for 4.9 million military patients [that number also amounts to almost 2% of the total U.S. population - ed.] had been stolen from an employee’s car in San Antonio. The data included Social Security numbers, clinical notes, laboratory test results and prescriptions.

-- SS

No comments: