The Veterans Administration’s healthcare IT continues to be outdated, inefficient and without sufficient interoperability, and the agency needs to take significant steps before it’s no longer considered a high risk of fraud and abuse, the U.S. Government Accountability Office told a Senate panel on Wednesday.

VA healthcare will remain designated high-risk by GAO until it sufficiently addresses its unclear policies, process variability and other mismanagement issues, said Debra Draper, director of healthcare for the GAO, in testimony before the Senate’s Committee on Veterans’ Affairs. Draper said the VA’s healthcare IT struggles with unclear policies and variable processes, insufficient oversight and accountability, information technology concerns, insufficient training for staff and vague resource and allocation priorities.

The VA has not held its facilities sufficiently accountable, the GAO found, and it lacks updated training policies that the watchdog agency has recommended. In its report released in connection with the hearing, GAO suggested the VA come up with new processes, frameworks and goals to address these issues.

“We believe that it is critical that VA implement our recommendations not only to remedy the specific weaknesses we previously identified,” Draper said, “but because they may be symptomatic of larger underlying problems that also need to be addressed.”

The GAO made similar recommendations in 2015, when it first designated VA healthcare high-risk. The GAO calls programs and agencies high risk if they’re particularly susceptible to fraud, waste, abuse or are in dire need of transformation.

In healthcare IT, the VA has partially met only one of the criteria—leadership commitment—of the five that it must meet for IT to be removed from the high-risk list. The other goals—capacity, an action plan, demonstrated progress, and monitoring—remain unmet. The VA should set out specific milestones and examine the root causes of its problems so it can act on the most urgent challenges first, according to Draper.

In 2014, the Veterans Access, Choice, and Accountability Act put $10 billion in a Veterans Choice Fund to pay for veterans to get healthcare from non-VA providers. But the VA still struggles with successful collaboration between those within and those outside of the system.

Part of the problem arises from interoperability in EHRs. “To ensure that medical providers both inside and outside VA have the most complete and up-to-date information, VA needs to find a more effective method for sharing patients’ EHRs,” said Dr. Michael Missal, the VA’s inspector general, in his testimony.

Meanwhile, the fate of the VA’s VistA EHR system seems grim. Earlier this month, VA Secretary Dr. David Shulkin suggested that the VA would start using a commercial EHR, a decision that will be made by July 1. This comes after years of trouble for the VA’s EHR system, including a scrapped plan for a combined EHR for both the VA and the Department of Defense. In 2015, the Department of Defense contracted with Cerner to redo its EHR system for an estimated cost, over 18 years, of about $9 billion.

As Dr. Carolyn Clancy, the VA’s deputy undersecretary for health, noted in her testimony, using and updating VistA is “difficult and costly.” Former VA CIO Roger Baker has estimated that the cost of replacing VistA would be $16 billion.