Oregon health and human services agencies outline multi‑year mainframe modernization and cybersecurity investments

Co chair Woods and Co chair Nathanson convened the Joint Legislative Committee on Information Management and Technology on Feb. 28 for an informational session in which Oregon Health Authority and Oregon Department of Human Services technology leaders described a multi‑year plan to move legacy systems to the cloud, strengthen cybersecurity and modernize aging mainframe applications.

The Office of Information Services, which jointly supports the two agencies, manages IT that serves roughly 1,700,000 clients and supports statewide programs, agency staff and benefit systems. Debbie Estabrook, chief information officer for the Office of Information Services, told the committee, “Our IT work has special meaning. We are the health and human services IT group. While we love technology, we love the people we serve even more. Our technology makes a difference in people's lives.”

Why it matters: OIS systems underpin Medicaid, eligibility and benefit payments and other critical services used by large numbers of Oregonians. Officials said continuing to run and modernize aging mainframe applications is necessary to reduce operational risk, improve service delivery and protect sensitive health and human services data.

Scope and scale Deputy Director Chris Kautz of the Oregon Health Authority described the shared‑services structure and said OIS teams support the agencies’ programs and a statewide footprint of local offices. Estabrook told the committee OIS maintains a portfolio of active technical projects: as of January 2025, she said there are 44 technical projects totaling $402,700,000, with 23 projects scheduled for completion in the current biennium representing about $78,000,000 in investment. The governor’s budget for OIS was presented as $288,000,000 and the office was said to have 669 positions supporting roughly 17,400 agency staff.

Modernization priorities and timeline Estabrook said the agency is pursuing three priorities emphasized in its strategic technology plan: improving customer and employee experience, strengthening cybersecurity and accelerating technology modernization. She described active work to migrate eligibility and enrollment systems, Medicaid systems and mainframe financial systems toward cloud environments in partnership with the state data center and Enterprise Information Services (EIS).

When committee members asked about timing, Estabrook said the mainframe modernization work was in pre‑initiation and that the project timeline foresees implementation activity during 2025–2027 and a cloud‑based financial system implemented in 2028. Estabrook also said some projects in the portfolio are in “red” status and that OIS is coordinating action plans with Enterprise Information Services and Legislative Fiscal Office oversight analysts.

Cybersecurity and privacy needs Estabrook and Kautz described sensitive client data across roughly 80 critical systems and said the agencies are proposing investments to strengthen security and privacy protections. Estabrook said the agencies face greater exposure because of more than 15,000 mobile devices and a broad user base; she said the Office’s second strategic goal is to “strengthen cybersecurity risk and privacy.” Kautz and Estabrook also noted ongoing coordination with Enterprise Information Services on statewide cybersecurity controls and with vendors used for large projects (Kautz mentioned Deloitte and Gainwell by name).

Governance and cross‑agency coordination Kautz described governance changes meant to improve coordination: an OHA/ODHS governance board created in 2023 and a 2025 plan to merge the agencies’ separate technology councils into a single joint Technology Council. Committee members asked about outreach and coordination with the state data center; Kautz said staff plan to bring the state data center administrator (identified in committee discussion as Mr. Foster) back for a follow‑up presentation about the broader mainframe migration, including a planned RFP for “mainframe as a managed service.”

Artificial intelligence and inventories Committee members and OIS staff discussed emerging work on artificial intelligence. Kautz and Estabrook said OIS submitted an inventory of AI and generative AI tools used in the OHA/ODHS environment; committee members and staff asked for that inventory to be shared with other agencies and for further briefings on AI risk and use cases.

Committee questions and next steps Committee members pressed on why aging technology remained in place and whether state agencies had coordinated earlier. Estabrook and Kautz said modernization is ongoing and emphasized workforce and vendor constraints around mainframe expertise. The committee asked for follow‑up briefings from the state data center and for updated impact assessments and comparative data on cyber threats; OIS agreed to provide additional materials and timeline details. No formal actions or votes were taken during the informational meeting.

What to watch: OIS said it expects continued project rollout through the 2025–27 timeframe and a cloud financial system by 2028, pending decisions by enterprise partners and procurement outcomes. The committee requested supplemental briefings from Enterprise Information Services and further documentation of AI inventories and cybersecurity remediation plans.