[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]


                     THE FUTURE OF DATA PRIVACY AND
                     ARTIFICIAL INTELLIGENCE AT VA

=======================================================================

                                HEARING

                               BEFORE THE

                SUBCOMMITTEE ON TECHNOLOGY MODERNIZATION

                                 OF THE

                     COMMITTEE ON VETERANS' AFFAIRS

                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             SECOND SESSION

                               __________

                        MONDAY, JANUARY 29, 2024

                               __________

                           Serial No. 118-47

                               __________

       Printed for the use of the Committee on Veterans' Affairs


                    Available via http://govinfo.gov
                    
                               __________

                   U.S. GOVERNMENT PUBLISHING OFFICE                    
54-927                      WASHINGTON : 2025                  
          
-----------------------------------------------------------------------------------                       
                 
                     COMMITTEE ON VETERANS' AFFAIRS

                     MIKE BOST, Illinois, Chairman

AUMUA AMATA COLEMAN RADEWAGEN,       MARK TAKANO, California, Ranking 
    American Samoa, Vice-Chairwoman      Member
JACK BERGMAN, Michigan               JULIA BROWNLEY, California
NANCY MACE, South Carolina           MIKE LEVIN, California
MATTHEW M. ROSENDALE, SR., Montana   CHRIS PAPPAS, New Hampshire
MARIANNETTE MILLER-MEEKS, Iowa       FRANK J. MRVAN, Indiana
GREGORY F. MURPHY, North Carolina    SHEILA CHERFILUS-MCCORMICK, 
C. SCOTT FRANKLIN, Florida               Florida
DERRICK VAN ORDEN, Wisconsin         CHRISTOPHER R. DELUZIO, 
MORGAN LUTTRELL, Texas                   Pennsylvania
JUAN CISCOMANI, Arizona              MORGAN MCGARVEY, Kentucky
ELIJAH CRANE, Arizona                DELIA C. RAMIREZ, Illinois
KEITH SELF, Texas                    GREG LANDSMAN, Ohio
JENNIFER A. KIGGANS, Virginia        NIKKI BUDZINSKI, Illinois

                       Jon Clark, Staff Director
                  Matt Reel, Democratic Staff Director

                SUBCOMMITTEE ON TECHNOLOGY MODERNIZATION

              MATTHEW M. ROSENDALE, SR., Montana, Chairman

NANCY MACE, South Carolina           SHEILA CHERFILUS-MCCORMICK, 
KEITH SELF, Texas                        Florida, Ranking Member
                                     GREG LANDSMAN, Ohio

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Veterans' Affairs are also 
published in electronic form. The printed hearing record remains the 
official version. Because electronic submissions are used to prepare 
both printed and electronic versions of the hearing record, the process 
of converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.
                         C  O  N  T  E  N  T  S

                              ----------                              

                        MONDAY, JANUARY 29, 2024

                                                                   Page

                           OPENING STATEMENTS

The Honorable Matthew M. Rosendale, Sr., Chairman................     1
The Honorable Sheila Cherfilus-McCormick, Ranking Member.........     2
The Honorable Mariannette Miller-Meeks, (IA-01)..................     4

                               WITNESSES

Mr. Charles Worthington, Chief Technology Officer, Office of 
  Information & Technology, U.S. Department of Veterans Affairs..     5

        Accompanied by:

    Mr. Gil Alterovitz, Ph.D., Director, VA National Artificial 
        Intelligence Institute, Veterans Health Administration, 
        U.S. Department of Veterans Affairs

    Mr. John Oswalt, Deputy Chief Information Officer, Office of 
        Freedom of Information Act, Office of Information & 
        Technology, U.S. Department of Veterans Affairs

    Ms. Stephania Griffin, Director, Information Access and 
        Privacy Office, Veterans Health Administration, U.S. 
        Department of Veterans Affairs

Ms. Shane Tews, Nonresident Senior Fellow, American Enterprise 
  Institute......................................................     6

                                APPENDIX
                     Prepared Statements Of Witness

Mr. Charles Worthington Prepared Statement.......................    27
Ms. Shane Tews Prepared Statement................................    30

                        Statement For The Record

2022 Ars Technica Article Submitted by Representative Mariannette 
  Miller-Meeks, (IA-01)..........................................    33

 
      THE FUTURE OF DATA PRIVACY AND ARTIFICIAL INTELLIGENCE AT VA

                              ----------                              


                        MONDAY, JANUARY 29, 2024

             U.S. House of Representatives,
          Subcommittee on Technology Modernization,
                            Committee on Veterans' Affairs,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 3:32 p.m., in 
room 360, Cannon House Office Building, Hon. Matthew M. 
Rosendale, Sr. (chairman of the subcommittee) presiding.
    Present: Representatives Rosendale, Mace, Self, Cherfilus-
McCormick, and Landsman.
    Also present: Representative Miller-Meeks.

      OPENING STATEMENT OF MATTHEW M. ROSENDALE, CHAIRMAN

    Mr. Rosendale. Good afternoon. The subcommittee will come 
to order. I want to welcome our witnesses today to a hearing, 
examining how the brave new world of Artificial Intelligence 
(AI) will impact data and privacy at the VA.
    This is the subcommittee's third privacy hearing. We take 
this subject very seriously. Veterans entrust the VA with data 
on every aspect of their lives, often more information than any 
other government agency or company possesses. Yet the VA 
struggles at every level to comply with the law and keep 
veterans' health, personal and financial information secure. 
Data breaches happen every few months and they have taken many 
different forms. We have seen mass errors by a contractor 
mailing letters to the wrong veterans.
    We have seen employees lose or steal records and send files 
beyond the VA network where their ultimate destination is 
unknown. We have also seen companies gain access to veterans' 
data under false pretenses. No successful large scale cyber 
attack on the VA has been disclosed in several years. We also 
know the Department is the target of thousands of attacks every 
day. It remains a constant risk.
    The VA can be the target and at fault, sometimes both in 
the very same data breach. No organization can prevent every 
breach. In many of these incidents, VA officials did not 
realize that the veteran's information had been mishandled 
until well after the fact. In these situations, time is 
critical. The only way to step in before veterans' data makes 
its way from unwitting recipients to criminals is to move fast.
    Employees reported most of the breaches we will discuss 
today, and I commend them for that. The examples I just 
described are a significant problem and put veterans in a 
precarious position. They represent the stone age compared to 
the privacy risk posed by artificial intelligence.
    Much has been said about AI here on Capitol Hill. 
Unfortunately I think most of it can be characterized as 
utopian and apocalyptic. The AI companies and their emissaries 
want us to focus on speculative, civilizational threats rather 
than the practical problems that are right before us.
    AI has been with us for several years in different forms, 
but it is quickly becoming ubiquitous. The VA is accustomed to 
operating as an island. That has many downsides but in research 
and technology it can actually be beneficial for protecting the 
private information.
    The AI business model is moving quickly and overtaking the 
island. AI is being embedded into all sorts of software, dual 
use AI models are proliferating and narrow AI applications are 
broadening. In other words, the days of putting one data set 
into an AI model that only does one thing or ending. The VA has 
thousands of contractors and partner companies that access 
veterans' health and personal data today.
    Controlling how they apply AI will be extremely difficult. 
Without a doubt, I think the VA is using AI for some admirable 
purposes. Applying machine learning to analyze medical images 
can save lives by recognizing indicators of illnesses that the 
most experienced doctors may miss.
    Chatbots for customer service can be helpful if done well. 
The VA has a lot of catching up to do. Sophisticated automation 
can cleanup the VA's troves of disorganized administrative data 
in hours, whereas employees have been struggling with it for 
years. On the other hand, using AI to predict clinical outcomes 
for mental health problems may be powerful, but it presents a 
host of ethical problems.
    Even if the VA manages to prevent this bias, the imposition 
on civil liberties cannot be ignored. My goal here is to learn 
more about what the VA is already doing with AI and, how our 
witnesses plan to adapt the Department's old fashioned process 
as the technology evolves around them. I appreciate our 
witnesses being here to explain all that.
    With that, I yield to Ranking Member Cherfilus-McCormick 
for her opening statement.

OPENING STATEMENT OF SHEILA CHERFILUS-MCCORMICK, RANKING MEMBER

    Ms. Cherfilus-McCormick. Thank you, Mr. Chairman and thank 
you to our witnesses for being here. Our hearing this afternoon 
touches on topics that are old and new to our subcommittee, 
data privacy and the integration of artificial intelligence or 
AI at VA.
    In an ever growing and ever connected digital world our 
attention in matters of data privacy and budding technology is 
more important than ever. While this interconnectedness has 
brought us closer to our friends, colleagues and even strangers 
it has also raised numerous concerns about the privacy of user 
data especially in healthcare.
    In the past 10 to 15 years nearly 6,000 healthcare breaches 
of 500 or more records have been reported to Health and Human 
Services (HHS)'s Office of Civil Rights. Several of these 
reports originated out of the VA itself. It has been almost 2 
years since our last hearing on data privacy.
    In that time VA has reported at least seven data breaches, 
affecting over 4,000 veterans across the country. While this 
committee has heard repeatedly from VA about their IT 
infrastructure, as well as their privacy and security programs 
I look forward to hearing about VA's current and future efforts 
to protect veterans' data as a result of these breaches.
    We also plan to discuss VA's rapidly expanding use of 
artificial intelligence. While AI has been around for many 
years, it has recently become a hot topic in the media. I am 
interested in hearing from VA how they intend to utilize these 
tools while protecting veterans private and health information 
and Personally Identifiable Information (PII).
    In 2019 VA stood up the VA National Artificial Intelligence 
Institute in the AI network bringing experts clinicians and 
researchers together to collaborate on innovative AI proposals 
that seek to reduce administrative burdens, improving staff 
experience and provide better patient outcomes.
    In October 2023, the Biden administration released an 
Executive Order (EO) on the safe, secure and trustworthy 
development and use of artificial intelligence which provides a 
governmentwide framework to establish responsible AI 
development and application across Federal agencies and 
offices.
    This EO builds off previous Trump administration guidance 
encouraging Federal agencies to promote confidence and trust in 
AI in their respective jurisdictions while still maintaining 
integrity and patient user safety.
    In a briefing proved to committee staff VA acknowledged 
that they are still early in their development in adoption of 
AI and have committed to a cautious delivery of these tools. As 
this committee knows the rollout of any enterprisewide 
technology or even a new tool just one Veterans Administration 
Medical Center (VAMC) requires much planning and collaboration 
amongst leadership, staff and patients alike. For successful 
integration of AI into healthcare business claims, processing 
and IT infrastructures, VA must remain committed to gradual and 
intentional growth of these systems.
    Similarly, this committee must remain committed to 
providing consistent and clear oversight to ensure better 
outcomes than what we have seen in other IT modernization 
efforts. Our VA employees, veterans and their families deserve 
this much.
    However in shying away from technological advancements in 
the name of protecting our veterans, we only end up creating a 
VA that is less responsive, outdated and at times less 
transparent.
    VA has a place to define itself as both a leading 
healthcare provider and a large Federal employer in how it 
adopts emerging technology. Integrating these advances when 
they are beneficial for both patients and providers is not 
something we should shy away from, but rather something we 
should welcome albeit cautiously.
    Thank you, Mr. Chairman, I yield back.
    Mr. Rosendale. Thank you Ranking Member Cherfilus-
McCormick.
    Before we proceed I ask unanimous consent that any members 
of the Health Subcommittee be permitted to participate in this 
hearing.
    Without objection, so ordered.
    Dr. Miller-Meeks, would you like to make any opening 
remarks?

         OPENING STATEMENT OF MARIANNETTE MILLER-MEEKS

    Ms. Miller-Meeks. Thank you for recognizing me, chair.
    Good afternoon, I want to thank chairman Rosendale and 
Ranking Member Cherfilus-McCormick for having me here today. I 
chair the Health Subcommittee for the VA. I also am a physician 
and a veteran.
    As the utilization of AI in healthcare becomes more common 
it is important that we recognize the risks and challenges that 
come with it. AI has immense potential to transform the way VA 
delivers healthcare, including access. This committee will 
ensure that the VA does so with caution and an understanding of 
the risk. The burden of safeguarding that information is 
enormous. It also requires infallibility.
    This standard would be difficult to meet in a closed system 
but Veterans Health Administration (VHA), like other health 
systems requires outside partners to execute its mission. Like 
other health systems the VA has seen data breaches that occur 
with alarming frequency. An example is the breach in Veterans 
Integrated Services Networks (VISN)s 1, 2, 4 and 5 at the end 
of last year that affected nearly 50,000 veterans. Some 
breaches are the result of internal mistakes and some are the 
work of malicious actors.
    In some cases seemingly innocuous internal errors are taken 
advantage of by external actors such as the publication of 
source code on GitHub in 2022 with was cloned by 6 foreign IP 
addresses. This committee will take responsibility seriously as 
we explore VA's use of AI and its adaptation to ensure the 
security of veterans' data.
    I appreciate or witnesses' willingness to do so and I yield 
to chairman Rosendale.
    Mr. Rosendale. Thank you very much.
    Representative Miller-Meeks.
    I will now introduce the witnesses in our first and only 
panel. From the VA we have chief technology officer Charles 
Worthington. Mr. Worthington excuse me, serves as the chief AI 
officer. It is good to see you again.
    We also have Dr. Gil Alterovitz. Okay, the director of the 
VA's National Artificial Intelligence Institute.
    In addition we have deputy chief information officer John 
Oswalt who serves as the chief privacy officer.
    Ms. Stephania Griffin, the director of information access 
and privacy office in the Veterans Health Administration.
    Finally we have Ms. Shane Tews, a nonresident senior fellow 
at the American Enterprise Institute.
    I ask the witnesses to please stand and raise your right 
hands.
    [Witnesses sworn.]
    Mr. Rosendale. Thank you. Let the record reflect that all 
the witnesses have answered in the affirmative.
    Mr. Worthington, you are now recognized for 5 minutes to 
deliver your opening statement on behalf of the VA.

                STATEMENT OF CHARLES WORTHINGTON

    Mr. Worthington. Good afternoon, Chairman Rosendale, 
Ranking Member Cherfilus-McCormick, and distinguished members 
of the subcommittee. Thank you for the opportunity to testify 
today about the Department of Veterans Affairs efforts in 
patient data and privacy and artificial intelligence.
    My name is Charles Worthington, I am the Chief Technology 
Officer and the agency's Chief Artificial Intelligence Officer 
in VA's Office of Information and Technology (OIT). I am 
accompanied today by Mr. John Oswalt, the deputy Chief 
Information Officer, Freedom of Information Act and Records and 
Assessment Compliance office, in OIT.
    Dr. Gil Alterovitz, the director of the National AI 
Institute and VHA's Chief AI Officer. Ms. Stephania Griffin, 
Director of Information Access and Privacy Office within VHA.
    VA is committed to protecting veterans' data privacy while 
responsibly harnessing the promise of artificial intelligence 
to better serve veterans. While AI can be a powerful tool, we 
must adopt it with proper controls, oversight and security.
    The department is taking a measured approach as we begin to 
scale AI solutions to ensure that we are adopting these 
powerful tools safely. As the largest healthcare and benefits 
provider in the Nation and an early adopter of an Electronic 
Health Record (EHR) many decades ago, VA has a complex 
technical ecosystem, including one of the world's largest 
health record repositories.
    While we are enthusiastic about the vast potential of AI, 
the VA is equally concerned about privacy, ethical use and 
effectiveness of AI. Governance plays a key role in how VA has 
approached AI development, given the technology's unique risks 
and challenges.
    We will continue to invest in governance to ensure our use 
of AI comports with VA's security and privacy policies and with 
the Trustworthy AI framework that our National AI institute 
launched under the leadership of Dr. Alterovitz last year.
    Regarding privacy, securing veteran data is a top priority 
as my colleagues John Oswalt and Stephania Griffin can attest 
to. The VA uses the National Institute of Standards and 
Technology (NIST) risk management framework to comprehensively 
manage and report on privacy and security risks.
    This NIST framework requires independent privacy and 
security reviews to prevent conflicts of interest in privacy 
and security assessments and audits. Furthermore, VA security 
controls reduce the risk and impact of potential incidents by 
deploying a diverse technologies within the department's 
environment.
    Of course we must consider how our data security and 
privacy solutions interact with our users, veterans and vendors 
to ensure that we are taking a balanced risk management 
approach that provides guardrails while also enabling 
exploration of emerging technologies such as those AI solutions 
being pioneered by Dr. Alterovitz and VHA. VA has long been a 
leader in healthcare research and innovation and we seek to 
continue that leadership position.
    In conclusion, I believe that AI represents a generational 
shift in how our computer systems will work and what they will 
be capable of. If used well, AI has the potential to empower 
our employees to provide better healthcare, faster benefits 
decisions and more secure systems.
    Similar to other major transitions such as cloud computing 
or the rise of smartphones VA will need to invest in and adapt 
our technical portfolio to take advantage of this shift. With 
the strategies, policies and programs currently in place the 
Department will continue in its mission to protect the security 
and privacy of the data entrusted to us by the veterans we 
serve.
    Mr. Chairman, ranking member and members of the 
subcommittee, thank you for the opportunity to testify before 
the subcommittee today to discuss this important topic. My 
colleagues and I are happy to respond to any questions you may 
have.

    [The Prepared Statement Of Charles Worthington Appears In 
Appendix]

    Mr. Rosendale. Thank you, Mr. Worthington. The written 
statement of Mr. Worthington will be entered into the hearing 
record.
    Ms. Tews, you are now recognized for 5 minutes to deliver 
your opening statement.

                    STATEMENT OF SHANE TEWS

    Ms. Tews. Thank you, Mr. Chairman.
    I have to admit when the staff called I do not have any 
background in the veterans affairs area. I have been doing 
privacy for over 20 years. I have learned a lot over the last 
2--actually last week I have been very impressed with the work 
that the agency already has done in this area. Quickly I will 
just highlight some things that are in my written testimony.
    All the offers of immense improvement for veterans' well-
being really can be enhanced with AI tools but the most 
important part is instilling trust in the system. As you 
mentioned early on the challenges we have of people possibly 
being taken advantage of.
    Then early on in your opening statement quite a few of the 
things you said had human intervention elements to them. Now we 
add the speed of AI to it, we need to make sure we sandbox 
these things so they are safe.
    We need to be concerned about privacy, security fairness. 
The accountability from the start in developing responsibility 
we can enable to provide to make faster and better informed 
decisions for our veterans and allow them to focus more on 
patients with AI tools.
    In my written testimony I do go more in depth about 
potential advancements for diagnostic treatments, pretty good 
healthcare for preventive measures and early intervention 
virtual healthcare assistance for VA healthcare desks and 
telemedicine enhancements.
    Data integration and enhanced healthcare providers with AI 
tools, mental health support and many more advancements we will 
see with AI. To realize this future we need to be dedicated to 
the cross functional VA teams that evaluate every AI tool using 
metrics for security and addressing bias before approval.
    We must institute the same privacy rules as the Health 
Insurance Portability and Accountability Act (HIPPA) limit 
reliance on personal data and develop AI research and training 
and retain the VA's governance to build confidence. Annual 
audits will be a further accountability item you need to 
incorporate.
    The payoff of adopting AI tools across diagnostics, 
predictive health care, telemedicine, mental health support and 
more are too great to not purposely use AI thoughtfully.
    In closing, I urge earnest focus on ethics, inclusivity and 
communications to unlock AI's potential while veterans' trust. 
I look forward to your questions and look forward to hearing 
from the panel.

    [The Prepared Statement Of Shane Tews Appears In The 
Appendix]

    Mr. Rosendale. Thank you very much, Ms. Tews. The written 
statement of Ms. Tews will be entered into the hearing record.
    Now we will proceed to questioning. I recognize myself for 
5 minutes.
    Mr. Worthington, the VA has a national AI center, a working 
group, oversight committees and Institutional Review Board 
(IRB) for AI, many of these seems like talking shops. Who vets 
proposed AI projects and decides what gets approved, what is 
inappropriate and how veterans' data will be used?
    Mr. Worthington. Thank you for the question. The agency I 
would say is in our early stages of standing up with governance 
of AI as a separate category. Our framework that we have put in 
place with the National AI Institute which Dr. Alterovitz can 
talk more about was basically designed to catalogue use cases 
of AI across the agency and then assess those use cases for 
consistency with our Trustworthy AI principles, basically in 
relation to the earlier executive order on AI.
    At this moment what we are attempting to do is document all 
of the cases that the VA is experimenting with and bringing use 
cases into production and ensuring we have those documented so 
we can assess them using the government standards that will 
continue to evolve.
    Mr. Rosendale. Who is ultimately taking this information 
and making the final determination about what it will be used 
for and what it will not be used for? Is it a panel, is it a 
group--who is making the final call?
    Mr. Worthington. In the new executive order guidance we 
have been provided by Office of Management and Budget (OMB) we 
are asked to stand up an AI governance committee chaired by 
myself and the agency deputy secretary. We are in the process 
of finalizing that.
    That is a requirement that is going to come from OMB to the 
VA. In the previous--in the past what we have been using VA's 
Data Governance Council framework where AI used cases come up 
to that council, which is able to look at the work of the 
National Artificial Intelligence Institute staff and assess it.
    Dr. Alterovitz. I just want to add in there is kind of 
multiple layers at the local level with the medical centers, we 
have been piloting the AI oversight committee.
    We have been doing that for four centers to see how that 
could scale. There is other work at the VISN level. Finally, as 
was mentioned, the AI Working Group at the central VA level 
part of the data governance agency governance body.
    In this new executive order there is a statement basically 
about elevating that up so that there are higher level people 
on that committee but still, tying it down to the central 
office.
    Doing that you are able to triage different risk profiles 
and be able to scale these different types of analyses.
    Mr. Rosendale. That gives me another question though. Mr. 
Worthington, if we have these decisions being made at the local 
level we have them being made at the VISN level and then we 
have them being made at your level. Has anyone ever rejected an 
AI use case?
    Mr. Worthington. I would have to go back----
    Mr. Rosendale. How do we make sure that we have got some 
type of conformity or consistency amongst----
    Mr. Worthington. I think consistency is exactly what we 
want to create at the central level so that we can cascade that 
out to the field so decisions could be made locally for smaller 
pilots or for earlier stage risk.
    It is important I think to point out, though, that anything 
that is going live into production and touching veteran data, 
that would follow the same processes as existing IT systems 
have to follow in terms of an authority to operate and an 
authority to connect.
    If we are talking about bringing a system into production, 
whether it involves AI or not, there is sort of an existing 
technology assessment process that we would use to approve the 
use of those.
    Mr. Rosendale. Okay, Dr. Alterovitz, there are now three 
executive orders setting guiding principles for AI. It is up to 
you and your colleagues to interpret and apply them. You have 
created some new offices.
    You have not yet updated most of your policies for AI. Let 
me ask you a simple question, how do you know a bad AI use case 
when you see one.
    Dr. Alterovitz. We have been working together on 
integrating all of the different policies into our Trustworthy 
AI framework that came out this July. It integrates those 
executive orders as well as NIST, and agency specific guidance 
that we have, like a data ethics framework for example.
    It actually became the first department-wide trustworthy AI 
framework that includes all those latest items. Using that and 
the implementation guide that we have been now developing there 
are a series of questions that we analyze and determine if a 
use case falls under the consistent or inconsistent category 
with the principles and thereby being consistent or 
inconsistent with the different guidances like the EO 13960, 
14110 and the other ones--and so that is our process.
    We have done it now a couple years and we are going to 
upgrade it now with the now executive order that came out.
    Mr. Rosendale. Thank you.
    I will now recognize Ms. Cherfilus-McCormick for 5 minutes 
of questioning.
    Ms. Cherfilus-McCormick. Thank you, Mr. Chairman. VA hosts 
the largest integrated healthcare system in the country making 
it's responsibility for a wide swath of data, most which must 
remain secure and protected. How is VA working to bring 
groundbreaking technology to benefit veterans while also 
balancing potential privacy?
    Mr. Worthington. Thank you for the question. It is a great 
question because obviously we are hearing a lot about 
artificial intelligence. In some ways the problem of deciding 
which technologies we can use at the VA that ensure veterans 
data and privacy intact that problem is not new.
    The VA, especially our OIT office, has a lot of existing 
policies in place to ensure that any new system that we bring 
onto the network or entrust veteran data inside complies with 
VA's existing data privacy and data security policies. We would 
expect to apply many of those same policies and most in the 
same ways whether or not that system uses AI or is a more 
traditional competing system.
    Ms. Cherfilus-McCormick. This is question is for Ms. 
Griffin.
    Ms. Griffin, over the past 2 years VA has been the subject 
of several data breaches jeopardizing the PII and the Protected 
Health Information (PHI) of thousands of veterans. What 
safeguards does the VA currently have in place to help protect 
against future breaches.
    Ms. Griffin. Thank you. There are numerous mechanisms and 
processes that VHA has in place to safeguard veterans PII and 
PHI, along the lines of not only policies and procedures but 
training of our staff. We also have compliance monitoring and 
audits that are performed, as well as many other processes that 
we put in place to comply with various Federal privacy laws and 
regulations including the HIPAA Privacy Rule requirements. I 
would be happy to give greater detail if you would like for the 
record.
    Ms. Cherfilus-McCormick. That would be wonderful. Could the 
new bastion of this new AI infrastructure exacerbate any 
existing privacy issues at VA how might AI assist in protecting 
against future breaches?
    Ms. Griffin. The Federal privacy laws and regulations, 
including the HIPAA Privacy Rule, they are technology neutral. 
They put the same processes and mechanisms in place to protect 
and safeguard data regardless of the technology.
    However, certainly as you look to new technologies we look 
to the privacy impact analyses that we have to perform and may 
put additional security and information security processes in 
place and enhancements around that technology to ensure 
privacy.
    Ms. Cherfilus-McCormick. My next question is really about 
the biases in AI from Mr. Worthington as we continue to support 
improving and expanding access to care among minority veteran 
populations we must be mindful the biases that accompany the 
application of AI. How is the VA working to combat these biases 
that may impact with access to care for minority veterans?
    Mr. Worthington. It is a wonderful question and it is one 
that our colleagues in VHA who designed the Trustworthy AI 
framework had really been thinking a lot about as have both 
administrations with the executive orders. I think the key to 
understanding how any particular AI may introduce biases is to 
understand the data that it was trained on and then the outputs 
that it gives given a set of inputs.
    Assessing the potential for bias in each of the models is 
one of the six principles of our ethical or trustworthy AI 
framework. It is one of those things the governance bodies are 
looking at when they are assessing each of the use cases.
    Ms. Cherfilus-McCormick. The VA has historically struggled 
when it comes to collecting data on veteran's racial, ethnic 
and LGBT+ identities. How is the VA compensating for gaps in 
status to ensure that bias is mitigated in AI projects?
    Mr. Worthington. That is a great question. I may have to 
take part of that back for the record. I think that, you know, 
obviously the VA's health system is very large and we have lots 
of data. The veteran population also is not, you know, exactly 
representative of the country in terms of gender and other 
attributes.
    Every time we create a model or any sort of analysis using 
only VA data, the researchers have to be cognizant of the 
limitations inherent in that data set.
    Ms. Cherfilus-McCormick. Ms. Tews, what problems or risks 
do you expect to see if VA is not able to successfully account 
for biases in AI products?
    Ms. Tews. First of all I want to reiterate the importance 
of transparency and accountability. Throughout the entire 
process you always know what is being looked at and how it is 
being reviewed. Part of that is then making sure that in the 
areas where you are concerned about wanting to fund results 
without knowing who it is that you disaggregate the data.
    You do not have certain data sets that are compiled into 
that. That will help just alleviate--sometimes we share too 
much candidly. We have that problem not only in the VA but just 
in general use of data as we just tend to grab everything that 
we can. When you are doing information flow you make sure that 
you are only using the pieces that need to be participated in 
disaggregating the pieces that do not need to be here.
    That does not mean that you cannot make sure that you are 
looking for things around bias. Besides bias and minorities you 
realize that women have had this challenge all along in 
healthcare as well. I mean, during COVID I had a friend of mine 
who said why would I want to give my mother a shot that was 
designed for a 180 pound man? I had not really thought about 
that.
    I did not have a problem with the shot. I was, like, I see 
your point. We have done a lot of that throughout our history. 
I think while we are reviewing all this we an opportunity to do 
a lot of corrections in a way that we have been doing 
healthcare in general for a long time so I think this is a good 
opportunity.
    Ms. Cherfilus-McCormick. Thank you, Mr. Chairman. I yield 
back.
    Mr. Rosendale. Thank you, Ranking Member Cherfilus-
McCormick.
    I now recognize my good friend from Texas, Representative 
Self.
    Mr. Self. Thank you, Mr. Chairman.
    Once again and this is my common comment we are talking 
about inputs, so I want to try to get to outputs.
    Dr. Alterovitz, how many projects or use cases do you 
currently have underway.
    Dr. Alterovitz. Clarification, is that a question for our 
group specifically or for the VA in general or----
    Mr. Self. Your national institute.
    Dr. Alterovitz. The national institute. We collaborate and 
engage in I would say the between 15 to 20 projects.
    Mr. Self. 15 to 20. How many are in widespread use, as 
opposed to test?
    Dr. Alterovitz. We typically start with the early stage. 
The goal is that eventually they may end up to be widely used. 
We started a few years ago and through various mechanisms such 
as AI Tech Sprints, we have had a few of them launched to 
become pilots that are used in up to four or so medical centers 
and then the next stage beyond that is scaling up.
    Mr. Self. How many are in widespread use?
    Dr. Alterovitz. If you define widespread as across the 
network.
    Mr. Self. I will let you define it.
    Dr. Alterovitz. Then I would say maybe like three.
    Mr. Self. Three. When do we expect to see significant 
outputs from these uses.
    Dr. Alterovitz. Significant outputs. Could you clarify?
    Mr. Self. Improvement in veterans' healthcare. That is 
always the bottom line here. We talk a lot about theory on this 
committee, we talk a lot about processes, we talk a lot about 
inputs. I am more interested in the output in the health 
benefits to the veteran.
    Dr. Alterovitz. Great, because some of them also involve 
efficiency cost savings. All of those are designed to do that 
actually, the three that I was thinking about. I should say 
just that the ones we are looking at are just one piece of how 
we look at AI solutions; we have different mechanisms, like I 
said, e.g. AI Tech Sprints.
    Mr. Self. When do you expect to see an output?
    Dr. Alterovitz. Well, with an AI Tech Sprint, you see 
output in 90 days, if it is something useful that you want to 
then go on to contracting.
    Mr. Self. These three are giving you significant outputs 
today?
    Dr. Alterovitz. Yes.
    Mr. Worthington. I might just add that in addition to the 
projects that Dr. Alterovitz is describing where his group 
works specifically to shepherd them along, there are other uses 
of AI in production today across our health system. Primarily 
these are things in categories like medical devices. For 
example, there is a product called GI Genius which helps 
oncologists or others identify scans and look for cancers.
    In addition to those that this organization helped with, 
the VA does have a number of more traditional AI models in 
production now.
    Mr. Self. Okay. I understand you got about 1,100 petabytes 
of sensitive information you are rolling this out. A sentence 
in the packet here that got my attention is the commercial 
sector has eaten up all of the available data sets and now they 
need nonpublic data sets.
    How many--I mean, how in the world are you going to protect 
1,100 petabytes of sensitive information because there is the 
only saying, a secret is something you tell one person at a 
time. How are you going to protect against the cascading 
release across the commercial sector?
    It seems to me like it is impossible to put the horse back 
in the barn once its out. Can you talk to me about that?
    Mr. Worthington. It is a great question and it is something 
we think about all the time how to protect that data. We do 
have existing contractual, you know, rules around what vendors 
can do with the data.
    In general when we are building models or analyzing this 
data, that is happening within the VA environment with tools 
that we are hosting internally as opposed to sending that data 
outside of the VA.
    Mr. Self. I am about out of time. What is a sanction? If 
someone releases the data, what is the sanction you have on 
them?
    Mr. Worthington. I defer to Mr. Oswalt on that.
    Mr. Oswalt. Well, it defers back to the contractual 
language. In the IT realm there is standard language in every 
contract which lays out the expectations.
    Mr. Self. Give me an example of a sanction for someone that 
would release sensitive information.
    Mr. Oswalt. Well, I know there - it is an acquisitions 
question, but I have seen contracts over my career that have 
been canceled because of nonperformance to the letter of the 
contract. For egregious activity, it would probably be turned 
over to our inspector general's office for investigation.
    Mr. Self. Has that happened within of--yes, I know it has.
    Mr. Chairman, I yield back.
    Mr. Rosendale. Thank you very much, Representative Self.
    I now recognize Representative Miller-Meeks from Iowa.
    Ms. Miller-Meeks. Thank you very chair Rosendale, Ranking 
Member Cherfilus-McCormick thank all our witnesses for being 
here.
    It seems as we go through this information that we think of 
AI, but AI in and of itself is not necessarily a source of 
release of private healthcare information or PII, that simply 
having electronic or digitization of data can lead to leaks. 
Often it seems the human link having worked in the healthcare 
field for numerous years may be the weakest link.
    I think as we identify potential pitfalls that we have to 
remember that we have to have the best cybersecurity and safety 
and access to care and keep all of those in mind as I juggle 
through this.
    As a clinician, I understand the value AI can bring to the 
practice of medicine. It can help with everything from the 
diagnosis of disease to transcription of clinical notes, to the 
development of a response back to be a patient from repetitive 
machine learning and from creating staffing plans to coaching 
health behaviors.
    I can also see the potential as the The Sergeant First 
Class Heath Robinson Honoring our Promise to Address 
Comprehensive Toxics (PACT) Act is unveiled and as we are still 
determining toxic substances that we can identify and prevent 
and form causation or causality from toxic substances which we 
have only scratched the surface on. This integration I think is 
really important and we see the value, but we also understand 
that there are challenges ahead.
    Ms. Tews, thank you for testifying before the committee 
today. In your written testimony you state that the VA must be 
vigilant in creating proper safeguards around veteran data 
privacy and security. In your opinion, how can the VA implement 
AI and algorithmic technologies to increase efficiency that 
both administrative items and the delivery of care without 
compromising patient safety and privacy.
    Ms. Tews. One thing to keep in mind is that you are dealing 
with a closed loop which I think a lot of us when we think 
about artificial intelligence right now are really fascinated 
with the learning language model, the LLM. A lot of data going 
out from a lot of sources.
    You have a very finite, it is a lot of terabytes of data, 
but it is a finite area where you can actually do some amazing 
sandbox studies that you cannot do in the open public.
    I would think not a clinician, but the whole idea of what 
you can do in an environment like Veterans' Affairs on medicine 
is very amazing as long as we make sure that those guardrails 
are in place. We do have the terms of use, I call it policy 
through procurement. You make sure that those are fines, you 
know.
    You get outside your remit you are going to see probably a 
major financial fine for doing that, I will keep you inside the 
guardrail. Then knowing ahead of time what it is you are trying 
to discover so you keep within the sandbox where you are 
looking to participate.
    They are not overly complicated, you have to actually 
commit to them and make sure that the information does not go 
outside of where it is supposed to go and you do with the 
information what you say you are going to do.
    Ms. Miller-Meeks. Mr. Worthington, does the VA use the 
Large-scale Artificial Intelligence Open Network (LAION) data 
set to train AI?
    Mr. Worthington. I am not familiar with that.
    Dr. Alterovitz, are you familiar with that one?
    We may have to take that back for the record.
    Dr. Alterovitz. We can certainly take that back for the 
record. There is not a standardized approach to doing that at 
this time.
    Ms. Miller-Meeks. The reason for asking that question 2022 
Ars Technica article found that the LAION data set contained 
pictures that originated from medical records which made their 
way into the data set without authorization from patients who 
were the subjects.
    Now as a clinician and a physician who has published you 
have to get permission from patients to use their images in any 
publication that you utilize. How does the VA assure that PHI 
and PII whether images or text are not leaking into publicly 
available data sets either by accident, omission or 
purposefully, especially through contractors and their business 
associates who have access to data use to deliver or assist the 
VA in delivering healthcare.
    Mr. Worthington. Thank you for the question, Congresswoman. 
We have I would say robust existing privacy policy on all 
vendor and IT contracts that really is explicit about what our 
partners are allowed to do with VA data and what is not 
allowed. Any time we are allowing a vendor access to VA data it 
is usually--it is under the strict confines of what that 
contract is for. My colleagues could talk more about the 
specifics, but we would be seeking to avoid cases where veteran 
data or really any of our data would wind up in some general 
purpose model that it was not expected to be.
    Ms. Miller-Meeks. Well, certainly if an employee can be 
terminated in the healthcare system for talking about a patient 
in an elevator, I would think that sanctions, loss of contract 
and especially financial sanctions would be appropriate.
    Mr. Chair, I would like to enter into the record the Ars 
Technica article I mentioned from 9/22/21.
    Mr. Rosendale. Without objection.
    Ms. Miller-Meeks. Thank you and I yield.
    Mr. Rosendale. Thank you, Representative Miller-Meeks.
    Dr. Alterovitz and Ms. Griffin, on this same topic about 
the patients themselves, what is going on with their 
information, do you notify and or do you believe that you have 
a responsibility to notify veterans or any American when their 
health or personal information is fed into an AI model and 
whether the analysis that effects them was done by AI rather 
than a person.
    Ms. Griffin. Thank you for that. The--as I indicated 
earlier, the Federal privacy laws and regulations that we 
adhere to including the HIPAA Privacy Rule does not--is not 
technology specific. It is technology neutral.
    It is regarding the use of personally identifiable 
information and protected health information for purposes such 
as treatment, payment and healthcare operations.
    It is not focused on giving notice as it relates to 
specific technology. We are required to give notice to our 
veterans and our patients, how we use their data, how we 
collect their data, how we share their data for the purposes, 
but again it is not specific to a technology.
    Mr. Rosendale. Okay. My question is then it sounds like 
they are not notified. It is not disclosed to the patient if 
their information is being analyzed by AI. Is that correct?
    Ms. Griffin. Correct, there is not a specific notice----
    Mr. Rosendale. Do you think that that is something that 
should be in policy so that an individual knows that their 
information is being analyzed by AI and now is subject to all 
of the different potential problems that could take place that 
we have not even identified yet.
    In addition to the fact that they may be getting some type 
of an analysis given to them that was created by AI.
    Ms. Griffin. I think that is something that the data 
governance council and the AI framework that is being set up 
needs to look at more closely. In terms to whether there is a 
specific use case notice that needs to be given, we often give 
informed consent in the healthcare setting for various 
processes and procedures and it is possible that is something 
that needs to be looked at more closely.
    Mr. Rosendale. Yes, I would highly recommend that if that 
disclosure is not going out and someone's information is going 
to be analyzed by AI, that certainly the patient should be made 
aware of that. It could present all types of issues going 
forward.
    If the groups that are doing all that analysis of what is 
and what is not acceptable, a disclosure at the very beginning 
would be a good place to start.
    Ms. Tews, how do you feel about this?
    Ms. Tews. I think in general it goes to my idea--
transparency and accountability are important whenever you are 
using technology. You always want to regulate or put license on 
the outcome not the technology.
    I mean, the idea is what is it you are trying to accomplish 
and do not worry about what the actual tech is because it is 
going to change. Absolutely I think that any time you--any time 
somebody uses your healthcare information or you enter into 
something you should know what is going on just as a human 
element.
    I think we do that continue our general healthcare system. 
We absolutely should the should be doing that in the veteran 
system. I would believe it probably is going on. I also am 
somebody though that I am the first one to volunteer and be 
like you want to throw that in the machine, please do.
    You know, I idea of having AI look at my results first and 
then an intern I do not have a problem with that. I think that 
actually would probably perhaps get me an earlier recognition 
on a few things but I would want to be notified.
    Mr. Rosendale. Thank you very much.
    Mr. Oswalt, most of your data breaches happen when letters 
or digital files get sent to the wrong veterans or when paper 
records are misplaced.
    Typically an employer or contractor makes a mistake and an 
employee discovers it. Once you realized a breach has happened 
what do you do to trace down where the information went and 
also what are you doing--what actions are you taking to get 
that information back again.
    Mr. Oswalt. When a data breach happens and it is either 
employee self report or a veteran might have received something 
that was not theirs, the privacy officer or the information 
security officer at the subject facility will enter an incident 
ticket in a system we call say PSETS, which is Privacy Security 
Event Tracking System and there is a Data Breach Response 
Service team, a group of individuals who work for me who begin 
the investigation of what happened.
    They work with the medical center folks, the staff, the 
veterans, a lot of times the individuals. Based on what they 
adjudicate, there is a VA wide body called the Data Breach Core 
Team which investigates further and makes the determination 
whether it is a worthy--whether one, is VA is at fault and two, 
is credit monitoring offered, warranted and also what type of 
event it is, PII or PHI.
    Mr. Rosendale. Thank you. My time is up. I will now 
recognize Representative Cherfilus-McCormick.
    Ms. Cherfilus-McCormick. Thank you, Mr. Chairman.
    I want to examine some of the AI governance issues that we 
might potentially have. VA has moved to the Cerner millennium 
electronic health record has highlighted concerns about the 
quality of VA's healthcare data, specifically the fact that the 
majority of the data does not conform to the standard data 
definition. How is VA counting for this variation when 
developing new AI models.
    Mr. Worthington. That is a wonderful question. I do not 
think any of us up here are experts on the EHR program. In 
general I think that you are raising a very important challenge 
that we have when we are adopting AI which is it is very rare 
that an AI product would live by itself.
    We need to figure out how to integrate these models and 
these insights into our existing software ecosystem, which as 
you noted is very complex.
    I am sure that that would require a lot of testing to make 
sure that it worked with both the Cerner data models as well as 
the legacy Veterans Health Information Systems and Architecture 
(VistA) data models.
    Ms. Cherfilus-McCormick. Would anybody know how the 
variations impacting the quality of the AI output?
    Mr. Worthington. I am not familiar with that issue in 
particular.
    Dr. Alterovitz. I just wanted to add that one of the things 
that is most complicated when you are using AI in the 
healthcare setting is embedding in the work flow. If someone 
has to enter another password or something like that, it takes 
them out of their work-flow. Sometimes you lose data 
potentially as you have to kind of translate from one system to 
another.
    Essentially the closer it is into the native pipeline of 
data, the better you are going to be in terms of output, how it 
will affect and be able to be stored, and then used by future 
physicians for clinical decision-making.
    Ms. Cherfilus-McCormick. Thank you.
    My staff recently visited one of the automationsites for 
Veterans Benefits Administration (VBA)'s claims automation. 
While these seems to be beneficial to the automated decision 
support staff, staff's perception of its usefulness was a 
little inconsistent. How was VA soliciting feedback from the 
frontline staff about ADS and other AI projects.
    Mr. Worthington. Well the ADS project in particular I am 
not personally familiar with. I think you are raising a great 
point around engaging with our workforce on the topic of AI. 
The way that AI I think could be most usefully applied in the 
VA and elsewhere is by augmenting the capabilities of our 
existing people.
    That means giving them new capabilities but also training 
them how to use it. What it can and cannot do. What its 
limitations are. I think we are going to have to have a lot of 
engagement with the workforce, not just AI experts but really 
anyone that is using the VA software--including this system--
about what the system is intending to do, how it works and 
getting to the point about transparency and explainability.
    I think being very communicative about what the system did 
and why is an important way to build that trust with our users.
    Ms. Cherfilus-McCormick. How is VA validating these models 
working effectively?
    Mr. Worthington. As part of the governance framework we are 
looking at basically what these models output compared to what 
should be expected. Each time something is put into production 
they are tested based on what is expected, what should be 
given, given a set of inputs.
    Ms. Cherfilus-McCormick. I want to go back to the question 
before real quick. Is there a processing place where you are 
actually getting data and feedback from the frontliners 
presently?
    Mr. Worthington. With regard to that program in particular 
I am not familiar with it enough to let you know one way or the 
other. We can take the question back for the record. We do have 
a broader system I know that is designed to gather feedback 
from employees on their experiences with various programs.
    Ms. Cherfilus-McCormick. If not I would like to see a 
implementation plan so we can have that information there. A 
lot of times we talk about getting feedback but we never get 
around to actually getting that feedback. If we have them able 
to articulate what their needs are and actually build it in I 
think that would be the best case scenario for us.
    How are they measuring how often the output does or does 
not met the expectation?
    Mr. Worthington. Again, I would have to take that one back 
for the record for that program.
    Ms. Cherfilus-McCormick. Mr. Chairman, I yield back.
    Mr. Rosendale. Thank you very much, Ranking Member 
Cherfilus-McCormick.
    I now recognize Representative Self.
    Mr. Self. Thank you, Mr. Chairman.
    I want to revisit both of the my lines of questions from 
the first question. First of all, for this hearing you provided 
a list of 128 AI use cases. To the Senate you provided a list 
of 300 AI use cases. You have said there are 21 that have 
advanced implementation. Why the difference in what you 
testified in the first round to these numbers in the second 
round?
    Mr. Worthington. Well, that is a great question. I think 
what you are seeing is use case inventory is a work in progress 
for us. Different points in time the inventory has been created 
to comply with various OMB memos.
    I am not familiar with the specifics of the communication 
that you just mentioned about the inventory, but I think the 
inventory has been growing over time so at various points of 
time----
    Mr. Self. The way I understand from the committee's staff 
that these are numbers that you provided to us the 128 and the 
21. Is that correct?
    Dr. Alterovitz. I just wanted to clarify what these numbers 
could be in terms of----
    Mr. Self. Well, no, I do not want a speculation, doctor. I 
appreciate it. My point is that we get this fairly often up 
here who is in charge, who is on first. I just ask you to make 
sure who is in charge.
    I am also not satisfied with your sanctions answers, a 
general contract acquisition answer is not satisfactory because 
of the importance, the potential devastating consequences of a 
breach of 1,100 petabytes of data, sensitive data.
    I think it is got to be first you have got to identify some 
sanctions and they have got to be fairly severe sanctions and 
they have got to be in policy up front. This is not--this is 
something you have got to settle in policy early.
    I do not--frankly in my mind, it is not going to be 
sufficient to say we are going to cancel a contract, because as 
Dr. Miller-Meeks pointed out, this is more serious and than 
simply canceling a contract for a medical device. You are 
talking about personal data here.
    I think you need to take a more serious look at what are 
going to be the sanctions written up front into your contracts 
when you give sensitive data for 1,100 potentially 1,100 
petabytes of data across the commercial sector. This is 
concerning to me.
    With that, Mr. Chairman, I yield back.
    Mr. Rosendale. Thank you very much.
    Mr. Oswalt, there are recently two data breaches at the 
Ashville, North Carolina medical center. Please tell us what 
happened. How the medical center reacted to that, and how your 
office responded and how long that response took.
    Mr. Oswalt. One of the Asheville incidents was three 
individuals received electronic files containing, I think 
approximately 1,500 veterans' protected information. I believe 
that it was through My Healthy Vet portal so it was not open 
email. The three individuals, one of them self reported back to 
the medical center, like, hey, I think I got something that I 
should not have gotten.
    Two of the messages were indicated as being read. The third 
was retrieved; pulled back. The normal process of responding to 
that would be as I indicated before working with the privacy 
officer at the facility, the information security officer and 
then the Data Breach Response Service will do the investigation 
and the adjudication of how that--and I believe this indicated 
it was a personal protected health information so it did 
warrant notification to HHS as a protected HIPPA entity and 
resulting in a press release also.
    The other event----
    Mr. Rosendale. Excuse me. How long did it take to turn that 
scenario around, that exercise around to get the information 
collected and protected?
    Mr. Oswalt. I would have to get back to you and the 
committee with that information, sir because I do not want to 
speculate. The primary emphasis is to make sure we identify the 
affected veterans first.
    We want to make sure we get it right before we actually 
initiate the outreach. There are prescribed days, number of 
days in policy where we have to act, especially with a PHI 
HIPPA related event.
    Mr. Rosendale. Mr. Oswalt and Ms. Griffin, let me ask you 
about the Clarksburg, West Virginia incident. The medical 
center sent 700 veterans' letters with their Social Security 
numbers (SSN)s instead of their ZIP Codes in the address line.
    First of all, was not the VA supposed to phaseout using 
veterans' Social Security numbers for the purposes many years 
ago? Again what was the response? How long did that response 
take?
    Mr. Oswalt. Well, I--to address the question about the 
Social Security end use, we do have a department wide 
integrated project team now which is identifying systems that 
have Social Security numbers that need to be remediated from--
from use.
    Social Security number use is not to be totally eliminated 
because there is an initial identification period but for 
authentication we will eliminate use of that. There is also 
Social Security number use, by law where we have to share with 
other agencies like Internal Revenue Service (IRS) and Social 
Security Administration and things, like, like that.
    Social Security number use by itself will not go away, but 
a number of the business practices in the administrations and 
staff offices will change to integrate or to use what they call 
an integrated control number, an ICN, which is a masking 
identifier for veterans.
    Mr. Rosendale. That is great moving forward. What do we do 
about the 700 veterans and their Social Security numbers going 
out on the mail and what was the response to that? What kind of 
response time did we have?
    Mr. Oswalt. Again, sir I would have to go back and ask for 
your forbearance. Put the information in the record. The 
process remains the same that there is an initial reporting by 
whatever entity discovers it, an investigation and an 
adjudication and a determination made, there is credit 
monitoring offered. Generally in the case of SSN use and a name 
or even a date of birth, credit monitoring offers are tendered 
to the veterans.
    Mr. Rosendale. Okay, that sounds like a very timely 
process. I am thinking about someone's Social Security number 
and their information floating around out in the public 
somewhere and that is very problematic because I think everyone 
in this room certainly understands it does not take that long 
for someone to take that kind of information and use it in a 
nefarious way against our veterans.
    How long do you think it is going to take to clean up this 
process which would remove the Social Security numbers from 
these other documents in the cases where they do not--they are 
not necessary?
    Mr. Oswalt. We have identified approximately 250 
applications, IT applications that use SSN that require this 
type of remediation. A number of those are legacy systems that 
will be retiring. Rather than invest in removing the SSN for 
those which are going to be retired in the foreseeable future, 
we take a risk management approach to try and eliminate that 
because in an austere fiscal environment we can only attack so 
much.
    There is a request in the President's fiscal year 2024 
budget for funds to be begin this remediation effort. The 
biggest part of this is and it is not necessarily an IT issue, 
it is the business practices of the administrations. I liken it 
to an iceberg where there is the IT part that is above the 
water but underneath the surface is a whole set of business 
practices from VBA, VHA.
    Mr. Rosendale. Yes, that is what we call bureaucracy around 
here. We understand that very thoroughly. I have run out of 
time, Mr. Oswalt.
    I now recognize Ranking Member Cherfilus-McCormick.
    Ms. Cherfilus-McCormick. Thank you, Mr. Chairman.
    How does VA intend to structure its governance to ensure 
that the organization takes a strategic enterprise-wide view of 
the use and oversight of AI at VA?
    Mr. Worthington. Thank you for the question. We are still 
in the process of standing up the governance as--as per the 
memo that is coming out after the executive order.
    At a high level, I think what we are looking to do is to 
maximize the impact that we can get from these systems by 
focusing on the Agency's strategic priorities.
    Topics like clinician burnout and mental health, things 
that are consistent with the overall Agency's priorities, we 
want to understand what are the most promising places where 
artificial intelligence might be applied to help with those 
priorities and then obviously pursue those in a way that 
minimizes the risks that AI could introduce.
    Ms. Cherfilus-McCormick. Mr. Worthington, you and chief 
information officer, Kurt DelBene, recently hosted a press 
conference where you discussed the impact that Congress' 
failure to pass a long-term budget has on hiring VA for those 
with AI capabilities.
    If Congress continues to be unable to pass the standing 
funding what is VA's plan for working around this hurdle?
    Mr. Worthington. Well, we are--we are working with what we 
have. You know, we are pretty tight in terms of the number of 
employees within OIT, and so the ability to bring new folks on 
with that expertise is limited.
    I think what we are looking to do is, as best we can, 
shuffle existing resources to explore these priorities, but 
obviously it is hard to start new things when we are focused on 
running all of our existing things.
    Ms. Cherfilus-McCormick. What additional resources do you 
need to ensure that modernization can happen in a safe and 
strategic way?
    Mr. Worthington. I think that having experts, both on the 
IT side as well as in the administrations, that understand how 
to use these tools effectively is really important. The talent 
that we need in the government, not just at the VA but in the 
government, writ large, that has this expertise, is in 
extremely high demand across the country right now.
    We do have a really compelling mission, though. I think 
there are a number of these experts that are willing to do 
public service if only we can provide them, you know, a pathway 
into government.
    I think first and foremost, making those opportunities 
available to people so that some of our country's best AI 
experts can easily serve is probably our top priority.
    Ms. Cherfilus-McCormick. Well, I wanted to shift a little 
bit and talk about the academic affiliates. We have received a 
lot of outreach from VA's academic affiliates about a proposed 
new rule that would close inactive accounts after 30 days as 
opposed to the current 90-day rule.
    Can you explain how having inactive accounts poses an 
additional privacy risk?
    Mr. Worthington. I--this is not a topic that I am an expert 
on. I know at a high level what we are seeking to do is ensure 
that the folks that have access to VA medical data, that that 
list is reviewed regularly and kept up to date.
    The specifics of how that is implemented, I would have to 
probably defer to some of my other colleagues and bring that 
back for the record if you had specific questions about that.
    Ms. Cherfilus-McCormick. I saw Dr. Alterovitz. Did you want 
to comment on that or--because I have another question if not.
    Dr. Alterovitz. No, go ahead.
    Ms. Cherfilus-McCormick. Okay. The academic affiliates are 
concerned that given how long it takes VA to credential new 
users' accounts, their students will be losing a lot of 
education opportunity if they rotate in and out of VA's 
facilities.
    If this proposed rule is adopted, how is VA going to ensure 
that students are not left sitting around for days or weeks 
waiting for their user accounts to be re-created?
    Mr. Worthington. Again, it is a great question. I would 
have to defer to my colleagues and take that back for the 
record, but I do understand the concerns, and we obviously need 
to balance the security, you know, maintaining the secure list 
of folks that should have access, with the ease of use of 
getting the right people provisioned. That is constantly a 
balance we are on struggling to maintain.
    Ms. Cherfilus-McCormick. Thank you.
    I yield back, Mr. Chairman.
    Mr. Rosendale. Thank you very much, Ranking Member 
Cherfilus-McCormick.
    Representative Self.
    Mr. Self. Thank you, Mr. Chairman.
    The breach of Lighthouse, that one or more claims sharks 
apparently, as we referred to them, monetized personal 
information, was that process, was that security, 
cybersecurity, was it employee, how did that breach happen?
    Mr. Worthington. Thank you for the question. I am not sure 
that we have called that a breach, but I guess what I 
understand from the situation is that our Office of General 
Counsel (OGC) assessed that some of the partners that were 
using the Lighthouse program were not in compliance with the 
Title 38 rules, and so we removed them from that program.
    I think that that was discovered as a part of the 
assessment that all partners of Lighthouse should be put 
through a framework that we assess all public-private 
partnerships with, and as a part of that, the OGC group that 
reviews partnerships like that, identified a potential issue 
with these.
    Mr. Self. We are back to my sanctions. You simply remove 
them from the project. In the future, that will be an incentive 
for your partners to monetize, to use the information 
improperly. They will use it improperly, they will get the 
benefit from it, and you will simply remove them from the 
program. In my mind, that is not a significant-enough sanction.
    You have a--Dr. Alterovitz, you have a very high sounding 
name--the National AI Institute. Is this the National AI 
Institute with overall jurisdiction for AI development in the 
Nation? Are there other national institutes for AI?
    Dr. Alterovitz. We are the one within the VA. We were 
started as a joint effort between the Office of Research and 
Development and the Secretary's Center for Strategic 
Partnerships.
    Mr. Self. Are there any other national institutes in the 
United States?
    Dr. Alterovitz. Oh, there are definitely other national 
institutes on a number--I mean like----
    Mr. Self. Which department has overall jurisdiction for the 
development of AI?
    Dr. Alterovitz. There is no one--to my knowledge, there is 
no one department that is associated with developing all of AI. 
A number of agencies--the Department of Energy, HHS--they have 
either centers of excellences or institutes----
    Mr. Self. Okay.
    Dr. Alterovitz [continuing]. for AI.
    Mr. Self. That brings me to my last point, Mr. Chairman. We 
have heard--we dealt with the EOs here, the executive orders. I 
have not heard a lot about law. One of the issues that this 
Congress is starting to deal with is clawing back Article I 
authority in light of the overreach of Article II authorities 
through EOs, through executive orders.
    Mr. Chairman, I recommend we get into that. Why are we 
focused on EOs, executive orders? Why are we using them as the 
baseline here? What is the law that is going to operate not 
only with this national institute, but the national institutes 
across the United States? I think we have got a bigger issue 
here that we perhaps this committee could delve into and lead 
the way toward, what is the law on AI development?
    Thank you. I will yield back.
    Mr. Rosendale. Thank you very much, Representative Self, 
and that is a truly good concept, and you are right, we have 
been working toward that, to regain the power for Congress and 
for all of us.
    Dr. Alterovitz, another of your priority AI uses cases is 
applying machine learning to patients' genetic and phenotypic 
information to predict and optimize surgery outcomes. That is 
how their genes affect or responds to medication and their 
observable physical traits. What ethical challenges do you 
think that could pose?
    For example, if AI says, do not do the surgery based on a 
veteran's genes, what is the surgeon's responsibility? Again, 
is that patient advised of who generated this prognosis, man or 
machine?
    Dr. Alterovitz. Thank you for your question. I think there 
are a number of use cases that we are evaluating at different 
stages, and that is one of the key things that we are looking 
at Trustworthy AI at the beginning. There are a number of 
principles there, and a number of the areas that you mentioned 
are ones that we would look at.
    A few that come to mind, as you said: the genetics, you can 
have different demographics, you may have to look at different 
types of polymorphisms. Basically, different parts of the 
genetics may be applicable. How do you quantify those surgical 
outcomes in different settings?
    I mean, there are a lot of questions like that, and so when 
they are research projects, there is more time to engage and to 
do that.
    Then in other projects, if we do not find it consistent, 
there is time to make a consistency plan where we kind of keep 
going back and getting more questions answered and maybe 
analyzing some of that data.
    Mr. Rosendale. Dr. Alterovitz----
    Dr. Alterovitz. Yes.
    Mr. Rosendale. Look, I understand. Additional information 
is good. We have all of that data coming in, but, again, the 
first thing that I go back to is, should not this be disclosed 
to the veterans? Should not this be disclosed to the patients, 
that they understand exactly who is performing this analysis 
and creating this prognosis?
    Dr. Alterovitz. Well, for research studies, we do have, 
informed consent through Institutional Review Boards (IRB)s. 
Through non-research, we have developed and are piloting 
something called a model card, which basically is like a 
pamphlet that explains how the AI is being used for different 
settings.
    One setting may be for the patient. Another setting may be 
for the doctor who is interested in other parts of how the AI 
works.
    Model cards are a way that are now pioneering, and we are 
not the only ones pioneering this, but we are really looking at 
it in the healthcare setting and piloting to see how that works 
across the network.
    Mr. Rosendale. Okay. Dr. Alterovitz, here is another 
example. You are using natural language processing to extract 
signals of suicide risk from clinical progress notes and other 
medical records.
    We need to do whatever we can to prevent veteran suicide. 
We know that--I have heard everything from 19 veterans a day to 
as high as 24, but we need to be extremely careful.
    First of all, how prone to false positives is the software, 
and what level of accuracy do you consider acceptable? I am 
concerned that this could lead to a violation of veterans' 
rights, limiting personal freedoms and gun ownership.
    Dr. Alterovitz. Thank you for your question. I think 
everything you have said are concerns that need to be looked 
at, where this uses AI is in the natural language process, 
looking at those notes and extracting potential meaning out of 
it.
    There are always a human in the loop that then looks at the 
results, and so this is a way to help them shift through a 
large amount of text and----
    Mr. Rosendale. There is a human reviewing that, but there 
is also a human who is creating those notes. We have a very 
subjective component that is part of this analysis that we have 
to be very, very careful of.
    Do the veterans know that the VA is using this technology, 
and if so, could it color, could it taint what they are willing 
to tell their healthcare providers?
    Dr. Alterovitz. For ones that are involved in research and 
there is a consent form, then they could be aware. For ones in 
operations, generally there are tools used that have been 
publicized on our website, through the inventory, that explain 
how they use AI and----
    Mr. Rosendale. Okay. We still do not have a good, 
consistent disclosure process that is being utilized and being 
signed off by our veterans, correct, across the system?
    Dr. Alterovitz. That is correct. I do not----
    Mr. Rosendale. Okay. Again, please, that has got to be 
elevated to a top priority. It absolutely has to be elevated to 
a top priority. I would yield to--have no more? Have no more. 
Okay. Goodness gracious. Okay. Where do I go?
    I want to thank our witnesses for joining us this 
afternoon. It is been an enlightening discussion. It truly has.
    I will yield to Representative Cherfilus-McCormick for a 
closing statement then.
    Ms. Cherfilus-McCormick. Thank you. Thank you again for the 
witnesses for being here today. It is absolutely crucial that 
we do everything in our power to ensure that the data veterans 
have entrusted VA with is protected and that we ensure that no 
one, VA and its vendors alike, is monetizing that data for 
personal gain.
    I am also grateful for today's conversation about the use 
of artificial intelligence at VA. The opportunity that AI 
provides to improve patient care and access as well as reducing 
the administrative burden of VA personnel are exciting.
    However, as the proverb goes, with great power comes great 
responsibility. We have already seen how AI can be used for 
less noble purposes. AI deepfakes have been all over the news 
recently. These uses of the technology are unacceptable.
    I am convinced that this is just the beginning of our 
oversight of AI and how it can safely be applied at the VA.
    Thank you, Mr. Chairman, for this great discussion, and I 
yield back.
    Mr. Rosendale. Thank you very much, Representative 
Cherfilus-McCormick.
    Again, I would like to thank everyone for joining us this 
afternoon. It has been an enlightening discussion. I think that 
we all have identified some areas that right now, immediately, 
we are going to be able to go out and take some action items 
for Congress to do their part and for the Veterans 
Administration to do their part to make sure the veterans are, 
again, getting the best possible care that they can.
    This is by no means the last hearing that the committee 
will hold on artificial intelligence. It is an expanding, 
complex area that warrants serious oversight.
    I want to thank Dr. Miller-Meeks and the Health 
Subcommittee for working with us and for delving into AI 
projects that the Veterans Health Administration has under way.
    With that, I ask unanimous consent that all members have 5 
legislative days to revise and extend their remarks and include 
extraneous material.
    without objection, we will adjourn.
    [Whereupon, at 4:46 p.m., the subcommittee was adjourned.]
    
=======================================================================


                         A  P  P  E  N  D  I  X

=======================================================================


                     Prepared Statements of Witness

                              ----------                              


               Prepared Statement of Charles Worthington

    Good afternoon, Chairman Rosendale, Ranking Member Cherfilus-
McCormick, and distinguished Members of the Subcommittee. Thank you for 
the opportunity to testify today about the Department of Veterans 
Affairs (VA) efforts in patient and data privacy, and Artificial 
Intelligence (AI). I am accompanied today by Mr. John Oswalt, Deputy 
Chief Information Officer of Freedom of information Act, Records and 
Assessment Compliance, Office of Information and Technology (OIT); Dr. 
Gil Alterovitz, Director, VA National Artificial Intelligence Institute 
and Chief AI Officer, Veterans Health Administration; and Ms. Stephania 
Griffin, Director, Information Access and Privacy Office, Veterans 
Health Administration (VHA).
    VA is committed to protecting Veterans' data while responsibly 
harnessing the promise of AI to better serve Veterans. While AI can be 
a powerful tool, its use and application needs to have the proper 
controls, oversight, and security guided by VA's Zero Trust 
Cybersecurity Strategy; and Executive Order 14110 on the Safe, Secure, 
and Trustworthy Development and Use of AI.
    In order to run the largest integrated health care system in the 
nation and deliver a myriad of benefits to eligible veterans, VA has a 
complex data ecosystem with over 1,100 petabytes of sensitive 
information, and an extensive digital footprint spanning over 500,000 
desktops across 2,000 locations. To protect this environment, VA's 
Cybersecurity Strategy was established to unify an enterprise-wide 
solution that protects the Department's data at-rest, in-use, and in-
motion.
    The Department leverages sound cybersecurity practices to protect 
the confidentiality, integrity, and availability of our information and 
information systems now and in the future. These practices include 
physical, technical, and administrative controls and enables 
cybersecurity professionals to monitor, detect, and respond to cyber 
threats. These protections constitute a strong defense-in-depth 
strategy comparable to those deployed in the commercial sector. 
Identity Management is key in this area. Federal departments and 
agencies should require least privilege access to data resources and 
tiered user permissions to enforce separation of duties to those 
resources that house data. This testimony provides an overview of all 
VA currently does to protect Veterans' data, as well as note what 
challenges we currently face and where resources can best be allocated.

Protecting Data at Risk

    VA uses the National Institute of Standards and Technology (NIST) 
Risk Management Framework (RMF) to comprehensively manage and report on 
privacy and security risk throughout the IT system lifecycle (hardware 
and software components). This enforces independent privacy and 
security reviews that prevent conflict of interest when conducting 
privacy and security assessments and audits. The overall RMF does not 
involve vendors in the determination of system security risk nor in the 
performance of security audits. As part of RMF, VA deploys a 
comprehensive Assessment and Authorization (A&A) program that requires 
independent or third-party security assessors to perform assessment 
reviews, testing, and audits against vendor hardware and software 
components to ensure that security risk is identified and mitigated or 
remediated to an acceptable level prior to deployment. Within the A&A 
process, the Authorizing Officials use the security and privacy posture 
of a system to determine if the risk to organizational operations and 
assets are at an acceptable level, in accordance with VA risk 
management strategy.
    VA risk management aligns with NIST Special Publication 800-53, 
Security and Privacy Controls for Information Systems and 
Organizations. VA security control requirements deploy a diverse set of 
information technologies for VA systems within the Department's IT 
footprint to reduce the risk and impact of potential exploitations of 
specific technologies and to defend against common mode failures. 
Additionally, the Department is aligning the program to VA's Data 
Governance Council to provide strategic direction and visibility across 
the enterprise.
    This balanced risk management approach deliberately provides VA the 
guardrails it needs when considering emerging technology tools that 
have a large potential to improve Veteran health care and benefits such 
as Artificial Intelligence (AI).

Artificial Intelligence

    VA is committed to responsibly harnessing the promise of AI to 
better serve Veterans. VA is excited about the potential of emerging AI 
technologies and how those technologies can empower the Department's 
mission on delivering world-class, secure technology solutions that 
enable a seamless, unified, efficient Veteran experience. To that end, 
VA was one of the first five Federal agencies to publish an AI 
strategy. VA's AI Strategy, published in 2021, which articulates a 
clear vision to improve outcomes and experiences for Veterans by 
developing trustworthy AI capabilities. It is imperative that VA and 
other government agencies implement AI responsibly and securely. VA 
needs to be very intentional and strategic about its implementation to 
ensure these technologies do not perpetuate bias or introduce 
inaccuracies. VA's goal is to maximize the potential value of AI to 
improve Veteran health and benefit outcomes and comply with Executive 
Order 14110 and upcoming Office of Management and Budget (OMB) 
memorandum.
    As you know, VA has one of the Nation's largest and most 
extensively curated collections of health and benefits data in the 
world, representing a great opportunity to use AI with the potential to 
unlock improved outcomes for Veterans. AI at VA is at a transition 
point, where solutions that leverage AI will graduate from the lab into 
enterprise-grade systems. VA's current execution plan for AI has the 
following four main workstreams: governance; execution of several high 
priority use cases; AI workforce development; and AI infrastructure.

Overview of VA's Use of AI in Health Care Delivery

    VA has embraced the power of AI to revolutionize health care 
delivery. The Department is strategically leveraging this tool to 
improve the health care experience for the Nation's Veterans by 
enhancing patient care, streamlining administrative processes, and 
improving health care outcomes. By integrating AI into various aspects 
of Veteran health care, such as decision support systems, predictive 
modeling, and personalized care plans, VA is enhancing diagnostic 
accuracy and efficiency. VA is actively using AI in the area of 
predictive analytics, which uses vast amounts of data to identify 
patterns and trends, including predicting risks of cancers \1\ and 
adverse outcomes, allowing for early and personalized interventions, 
ultimately improving health outcomes for Veterans. AI tools such as 
these hold the promise of optimizing efficiency of VA's health care 
delivery, while improving the quality of care provided to our 
beneficiaries.
---------------------------------------------------------------------------
    \1\ The official OIT Compliance, Risk, and Remediation AI Use Case 
Inventory submitted to OMB shows 10 use cases related to cancer.

---------------------------------------------------------------------------
Benefits and Potential of AI in Veteran Health Care

    VA is building a network of cross-disciplinary experts to 
capitalize on VA data and drive AI research, development, and practical 
AI implementation to improve Veterans' health and benefit services. 
With over 120,000 clinicians serving more than 9 million patients 
across 1,200 medical facilities, VA possesses an unparalleled wealth of 
health care data. These data, which include over 10 billion medical 
images and the world's largest genomic data base tied to medical 
records, can be leveraged to propel the United States to the forefront 
of AI leadership. Furthermore, as the Nation's largest integrated 
health care system, VA is uniquely positioned to test and scale 
effective AI solutions.
    Effective AI implementation can improve staffing, development of 
novel treatments, patient safety monitoring, and disease prediction. VA 
is focused on using AI to alleviate provider burnout by reducing 
administrative tasks such as data entry. VA is currently hosting an AI 
Tech Sprint to source tailored AI solutions to further reduce burnout. 
In addition to reducing burnout, VA is also dedicated to accurately 
identifying health care providers, improving provider directories' 
accuracy to over 90 percent,\2\ and enhancing access to care and 
patient safety. VA is leveraging AI in clinical settings as another 
tool available for providers. One example of AI in clinical use is GI 
Genius, a U.S. Food and Drug Administration--authorized system that 
aids in detecting concerning polyps during colonoscopies, leading to a 
50 percent reduction in missed colorectal polyps compared to standard 
procedures.\3\
---------------------------------------------------------------------------
    \2\ Council for Affordable Quality Healthcare (CAQH). (2023). 
Improve provider data management and accuracy. Available at: https://
www.caqh.org/solutions/provider-data.
    \3\ Wallace MB, Sharma P, Bhandari P, East J, Antonelli G, 
Lorenzetti R, Vieth M, Speranza I, Spadaccini M, Desai M, Lukens FJ, 
Babameto G, Batista D, Singh D, Palmer W, Ramirez F, Palmer R, Lunsford 
T, Ruff K, Bird-Liebermann E, Ciofoaia V, Arndtz S, Cangemi D, Puddick 
K, Derfus G, Johal AS, Barawi M, Longo L, Moro L, Repici A, Hassan C. 
(2022, July). Impact of Artificial Intelligence on Miss Rate of 
Colorectal Neoplasia. Gastroenterology. 163(1):295-304.e5. doi: 
10.1053/j.gastro.2022.03.007.

---------------------------------------------------------------------------
    Addressing Concerns and Ensuring Accountability in AI Utilization

    The main risks associated with AI are data breaches, biased 
predictions in health care, and patient safety. However, the use of 
Trustworthy AI \4\ can mitigate these risks and lead to increased 
adoption, decreased risks, improved competitiveness, and higher returns 
on investment for VA. To ensure the safe and responsible use of AI, VA 
has developed its own Trustworthy AI framework aligned to VA's mission. 
Adopted in July 2023, VA's Trustworthy AI framework outlines six 
principles for all instances at the agency to ensure that they are 
Purposeful, Effective and Safe; Secure and Private; Fair and Equitable; 
Transparent and Explainable; and Accountable and Monitored.
---------------------------------------------------------------------------
    \4\ This framework helps organizations develop ethical safeguards 
across seven key dimensions of AI governance and compliance, ensuring 
the network remains: Private; Transparent and Explainable; Fair and 
Impartial; Responsible; Accountable; Robust and Reliable; and Safe and 
Secure.
---------------------------------------------------------------------------
    Within the National Artificial Intelligence Institute AI Network, 
VHA currently has several pilot efforts in place to increase safety, 
transparency, and trust in AI. The AI Institutional Review Board (IRB) 
module incorporates Trustworthy AI principles into the existing IRB 
process to protect Veterans participating in AI research and enhance 
transparency and trust in AI. The AI Oversight Committee pilot is 
another mechanism to instill trust and empower medical center directors 
to establish processes and systems of governance that support 
compliance.

Collaborations and Partnerships for AI Advancement in Veteran Health 
Care

    We practice a high-level of continuous collaboration, while 
building many strategic partnerships, all to advance the development of 
Trustworthy AI innovations for Veterans, their survivors and 
caregivers, and American citizens, fostering a global impact. Our 
collaborations span multiple sectors--including other VA entities, 
Federal organizations,\5\ academia, the military, international bodies, 
and private industry--enabling us to identify AI use cases; advance 
research and development capabilities; expand our reach to diverse 
populations and demographics; connect with top data science talent; and 
disseminate Trustworthy AI solutions. AI Tech Sprints are a prime 
example of how VA fosters connection with innovators outside of 
government to develop new solutions and improve Veteran care and 
experience. VA will complete two in this calendar year. \6\ The current 
AI Tech Sprint focuses on reducing provider burnout and administrative 
burden, ultimately improving care for Veterans. Teams from across the 
Nation are competing to develop AI solutions in two distinct tracks 
that will support health care workers. Track one will focus on AI 
powered, advanced health care record integration, while track two will 
identify an AI solution to enable ambient dictation for clinical 
encounters to improve provider-Veteran patient connection and reduce 
clinicians' documentation burden. Additionally, utilizing Cooperative 
Research and Development Agreements provides us with the flexibility to 
transfer commercially useful technologies to the non-Federal sector.
---------------------------------------------------------------------------
    \5\ Current collaborators in the federal sector include the Office 
of the National Coordinator for Health Information technology; the 
Departments of Health and Human Services, Defense, and Energy; the FDA; 
the Defense Health Agency; the Center for Medicare and Medicaid 
Services; the National Institute of Health; and others.
    \6\ As required by EO 14110, Safe, Secure, and Trustworthy 
Development and Use of Artificial Intelligence (October 20, 2023). 
Available at https://www.govinfo.gov/content/pkg/FR-2023-11-01/pdf/
2023-24283.pdf.

---------------------------------------------------------------------------
Ethical Considerations in AI-Powered Decision-Making

    With the vast potential of AI, VA is equally concerned about the 
ethical and effective use of AI. Governance plays a key role in 
building in proper checks and balances and guidance on how AI is 
ultimately put to work--ensuring AI initiatives conform with wider 
accepted practices. AI has risks and challenges, so VA is focusing on 
an AI strategy, ethical guidelines, and best practices across VA and 
with external partners to deploy trustworthy, secure AI, that benefits 
our delivery of health care and benefits to the Veteran community.
    Currently, VA is piloting VA AI Oversight Subcommittees, created an 
AI Working Group, and created an AI IRB Pilot, which allows 
comprehensive vetting of AI use cases to determine if an AI model 
follows the principles of trustworthy AI per EO 13960 and other Federal 
regulations that protect human subjects. Finally, VA recognizes the 
importance and need for AI transparency and publishes AI use cases on 
our VA AI Inventory website, sharing VA's inventory with other 
government agencies and the public.

Conclusion

    VA's patient and data security solutions must consider the 
interaction with users, the value to the Veteran, as well as the 
confidentiality, integrity, and availability of VA's information 
resources. With a balanced, risk-managed approach toward secure 
computing, we will maintain the confidence and trust of Veterans, our 
stakeholders, and the public. With the strategies, policies, and 
programs in place, the Department continues in its mission to protect 
and secure the information of, and services for, the Veterans. Mr. 
Chairman, Ranking Member and Members of the Subcommittee, thank you for 
the opportunity to testify before the Subcommittee today to discuss one 
of VA's top priorities. I am happy to respond to any questions that you 
have.
                                 ______
                                 

                   Prepared Statement of Shannon Tews

    Chairman Rosendale and esteemed members of the Committee, thank you 
for inviting me to testify today regarding the responsible and ethical 
use of artificial intelligence to enhance healthcare for our nation's 
veterans.
    As the VA increasingly looks to incorporate AI tools to improve 
efficiency, accuracy, and personalization of care, we must be vigilant 
in creating proper safeguards around veteran data privacy and security. 
If implemented conscientiously, AI systems present a tremendous 
opportunity to better serve veterans' health needs. My testimony will 
focus on best practices and considerations for that responsible 
integration.
    First, any AI tools leveraged by the VA must be deployed in 
accordance with the Department's Trustworthy AI Framework centered on 
six fundamental principles: purposeful, safe, and effective, secure and 
private, fair and equitable, transparent and explainable, and 
accountable and monitored. Adhering to these values can foster 
confidence and adoption of AI innovation among veterans.
    The VA should assemble dedicated, multidisciplinary teams combining 
healthcare expertise, technical capabilities, and ethics specialization 
to evaluate AI systems at every phase - from initial procurement and 
design through validation, implementation, and continuous improvement. 
These teams can ensure tools align with intended use cases while 
meeting stringent standards around security, explainability, and 
unbiased outputs that impact care.
    Ongoing community participation is also instrumental. Veterans 
should have opportunities to actively inform system requirements and 
provide feedback on AI experiences as part of closing the loop--their 
real-world insights further accountability while enhancing utility. 
External third-party testing around safety, security, and fairness 
further verifies performance to standards for VA procurement approval 
before systems interact with sensitive data.
    Any AI tools or platforms brought in must then operate within 
comprehensive data privacy environments matching the rigor of HIPAA 
controls already governing healthcare data security - including 
encryption, access management, activity monitoring, and audits.
    The Veterans Affairs Department should institute de-identification 
techniques like differential privacy to minimize reliance on personal 
information for development or analytics while preserving analytical 
validity. When systems utilize private data temporarily, they should 
quickly dissociate any data, securing veterans' details.
    The VA must retain clear ownership and governance of veterans' 
healthcare data through this AI journey, avoiding reliance on external 
software vendors or open data bases that cannot provide assurances on 
control or appropriate use aligned to individuals' preferences.
    Here are some additional ideas for the Veterans Affairs Department 
to consider regarding the enhancements available to current systems by 
using artificial intelligence in veterans' healthcare:

    Advanced Diagnosis and Treatment: There is massive potential for AI 
to assist healthcare providers with more accurate and timely diagnosis 
of veterans' health issues. AI can analyze vast medical data sets, 
including electronic health records, imaging, and genetic information, 
to identify patterns and suggest personalized treatment plans. These 
enhancements could lead to quicker interventions and improved health 
outcomes.

    Predictive Healthcare: The power of AI to utilize predictive 
analysis in potential health issues for veterans could be a key asset 
for early medical treatments that could get ahead of larger problems 
with scheduled monitoring and counseling earlier in the process. 
Machine learning algorithms can analyze historical data to identify 
veterans at higher risk of specific conditions, allowing for preventive 
measures and early interventions.

    Virtual Health Assistants: Eventually AI-powered virtual health 
assistants can provide veterans with 24/7 access to healthcare 
information, answer questions, schedule appointments, and even provide 
mental health support, improving the overall patient experience once 
the processes have been tested for accuracy and consistency in their 
responses to enable a cohesive network application available to 
Veterans who want to use the AI driven program.

    Data Integration: Thoughtful introduction of AI systems integration 
could enable VA healthcare infrastructure to ensure that AI tools 
complement and enhance the work of healthcare providers rather than 
disrupt their workflows.

    Telemedicine: AI can improve telemedicine services for veterans, 
making it easier for them to access healthcare remotely. AI-driven 
chatbots and virtual consultations can provide immediate assistance and 
reduce the burden on VA healthcare facilities by unitizing chatbot 
technology for the first layer of questions for the operators 
interacting with a patient that is then sent to the right branch of the 
medical practice group after the stated concerns of the patient have 
been reviewed while looking at health patterns and their health 
history. A human would be the most important element of a telemedicine 
visit, but AI could speed up the initial entrance into the visitation 
system.

    Mental Health Support: AI can play a crucial role in identifying 
early signs of mental health issues, providing resources, and 
connecting veterans with appropriate care through more efficient 
pattern recognition and effective solution set matching to the 
diagnosed problem .

    Ethical AI Use: The importance of adhering to ethical guidelines 
must be part of the development and deployment phases AI in healthcare. 
Transparency in AI algorithms so that veterans and healthcare providers 
can understand the use of artificial intelligence tools in decision-
making is critical.

    Education and Training: The VA will need to invest in training 
healthcare professionals to work effectively with AI systems. Proper 
education and understanding of AI technologies will ensure a higher 
level of the healthcare professionals responsible and effective use of 
the AI toolsets.

    Collaboration with AI Industry: The potential for collaboration 
with AI companies and researchers to leverage the latest advancements 
in AI technology for veterans' healthcare can accelerate progress in 
this field.

    Data Sharing and Research: Collaborative research efforts can lead 
to breakthroughs in veterans' health. However, the importance de-
identified healthcare data for research purposes is vital for ensuring 
privacy and security must be a top priority.

    Continuous Monitoring and Improvement: The practice of ongoing 
monitoring and evaluation of AI systems with regular audits and 
assessments can ensure that AI tools continue to meet the highest 
standards of performance, fairness, and security.

    Veteran Inclusivity: Making AI tools and services accessible to 
veterans of all backgrounds, including those with disabilities is a 
crucial part of this effort. Veterans Affairs must ensure that medical 
system's design utilizing AI systems includes inclusivity.

    Public Awareness: Clear communication can alleviate concerns and 
build trust among veterans and their families. There should be 
educational initiatives to raise public awareness about AI's benefits 
and responsible use in veterans' healthcare.

    International Collaboration: The potential for collaboration with 
international partners in AI research and healthcare will allow for the 
sharing of knowledge and best practices globally, which can lead to 
faster advancements.

    Budget Allocation: Adequate budget allocations are vital for AI 
initiatives in veterans' healthcare. Funding is essential to support AI 
system research, development, implementation, and ongoing maintenance.
    By incorporating many of these additional ideas the Department of 
Veterans Affairs could provide a more comprehensive overview of the 
benefits veterans' healthcare will receive from using AI tools in the 
decision-making processes while ensuring the responsible and ethical 
use of artificial intelligence.
    In closing, I reiterate my conviction that AI and machine learning 
can unlock immense potential in enhancing experiences, outcomes, and 
care availability for those who bravely served our country. As the VA 
advances its AI strategy for veterans, instilling Trustworthy AI 
principles centered on security, fairness, and accountability at every 
step is paramount to delivering on that promise.
    I welcome any questions on components of the framework or 
recommendations to actualize AI's benefits for veterans while upholding 
their rights to informed consent and confidentiality through this 
transition. Getting the balance right will prove key to unlocking AI's 
immense potential while retaining foundational trust.

                        Statement for the Record

                              ----------                              


   2022 Ars Technica Article Submitted by Representative Mariannette 
                         Miller-Meeks, (IA-01)
                         
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                                 [all]