(The Center Square) — The Joint Legislative Committee on Technology and Cybersecurity convened this week to examine the state’s oldest and most expensive information technology systems, shedding light on the challenges state agencies face in modernizing critical infrastructure while managing escalating costs and cybersecurity risks.
During the hearing, officials outlined the complexities of maintaining and upgrading IT systems that support essential state functions, including Medicaid, child welfare, and eligibility programs.
Among the key revelations: approximately 40 to 50% of the state’s IT systems are hosted outside core data centers, split between public and private cloud environments managed by third-party vendors, according to the Division of Administration.
The committee delved into the three oldest systems, which include a 26-year-old Disability Determination Services system, a 25-year-old Centralized Bank Reconciliation system handling $470 million in monthly payments for the Department of Children and Family Services, and a 24-year-old Incident Reporting System for State Police. The systems raised concerns about cybersecurity vulnerabilities.
Despite their age, officials noted that replacement costs for some are relatively low — ranging from $50,000 to $200 million — yet modernization efforts have lagged.
Officials from the DOA attribute delays to a combination of factors: funding prioritization by individual agencies, risk assessments deeming some systems low-priority due to limited internet exposure, and the systems' integration into broader modernization projects.
For instance, the Centralized Bank Reconciliation system, despite its critical role, is classified as a medium cybersecurity risk because it operates internally with robust monitoring and layered defenses.
“It’s not exposed to the internet, so the available attack surface is…reduced,” Chase Hymel, the chief information security officer for the DOA, said.
Legislators expressed skepticism given the system’s age and financial significance.
On the costlier end, the three most expensive systems — including the Integrated Eligibility Application, launched in 2018 — drew scrutiny for their high maintenance and operations expenses, totaling roughly $150 million annually across two agencies.
Much of this cost stems from ongoing enhancements, as vendors develop new features to meet evolving federal requirements.
Legislators raised concerns about procurement practices potentially inflating costs, citing examples of vendors submitting low initial bids only to increase expenses through change requests post-award.
In response, officials pointed to a new “invitation to negotiate” process, enabled by House Bill 845, which promises greater flexibility and transparency in vendor negotiations. According to Hymel, the bill may “widen the market” and allow for “more creative approaches.”
The hearing also spotlighted broader systemic challenges.
The state’s Office of Technology Services, which oversees all 1,200 applications under the state’s umbrella, employs approximately 810 staff — a figure significantly higher than neighboring states like Arkansas (84 staff) or Alabama (139 staff), according to Rep. Josh Carlson, R-Lafayette.
While OTS operates a fully consolidated IT model, managing everything from a statewide network to 24/7 data centers, legislators questioned whether staffing levels and $1 million daily maintenance costs for the top three systems align with efficiency goals.