DoD: Cerner EHR will meet military cybersecurity standards

Implementing a new electronic health record is never easy and always has some challenges. But, the undertaking is particularly complex for the Department of Defense because of its operational requirements.

Among DoD’s requirements for the Cerner EHR system is the ability to operate in austere environments and the need for robust cybersecurity, according to Navy Vice Admiral Raquel Bono, MD, director of the Defense Health Agency (DHA).

William Tinston, program executive officer for the Program Executive Office Defense Health Care Management Systems, notes that DoD and the Department of Veterans Affairs will share a single common EHR, and cybersecurity is an example of how the two agencies are cooperating and engaging in joint decision-making.

“DoD sets the standard for cybersecurity, and we invest time and resources to ensure the common system (with the VA) meets that standard,” said Tinston during a briefing this week. “Our cyber team is collocated with the commercial (Cerner) data center, which strengthens our federal and commercial relationships and allows for continuous cyber monitoring.

The_Pentagon_January_2008.jpg

“As a result of our efforts, the VA will leverage the cyber posture and actively participate in critical decisions required to protect the environment,” he added.

Also See: DoD and VA still working out how to create single EHR

DoD’s Cerner EHR system, called MHS GENESIS, is on track for full deployment worldwide by the end of 2023. However, the initial rollout of the Cerner Millennium platform to pilot sites has not been without some major challenges.

The system was deemed “neither operationally effective nor operationally suitable,” according to a 2018 report from DoD’s director of operational test and evaluation (DOT&E) that was based on an assessment of three of four pilot sites in Washington State.

When it came to cybersecurity, the DOT&E report found that initial Cooperative Vulnerability and Penetration Assessment testing identified that the data stored within MHS GENESIS—including personally identifiable information and protected health information—was not protected in accordance with DoD standards.

“We’ve learned important lessons over the last 18 months at initial deployment sites in the Pacific Northwest,” said Bono. “We will soon be implementing MHS GENESIS locations in California and Idaho, and the lessons learned from the (initial operating capability) experience will be essential to our work in these sites.”

Tinston contends that DoD has learned important lessons from the initial deployment and has put those lessons to work, including in the area of cybersecurity.

“From a cyber perspective, we’ve made big changes,” he said. “We’ve changed the way we protect the enclave. We have a continuous cyber monitoring team in place and have even received comments from some of the DOT&E staff that where we’ve taken cyber and MHS GENESIS could serve as a model for other enterprise IT implementations.”

At Cerner's data center in Kansas City, MHS GENESIS is being hosted in a separate enclave that incorporates cybersecurity enhancements to protect the data, as well as physical and virtual separation from the EHR vendor's commercial clients.

Potential cybersecurity vulnerabilities for medical devices linked to MHS GENESIS are also being addressed by DoD.

Tom Hines, director of engineering and technology transformation in the DHA’s Office of the CIO, said that DoD is “concentrating substantially on cybersecurity that’s mostly around isolating medical devices and ensuring appropriate protections around those devices, particularly those that are going to be communicating with the new system.”

“We work with the DoD CIO and the DHA CIO team to evaluate the cyber risk that they might pose and make a determination whether we can connect it, whether there’s sufficient risk to not connect it or if there are mitigations that we can take to make sure that we have a secure environment and are protecting the patient data,” added Tinston.

For reprint and licensing requests for this article, click here.