The Defense Health Agency looks to collapse multiple legacy health IT networks used by military hospitals and clinics into a single modern network called the Medical Community of Interest (MedCOI). It includes more than 240,000 users worldwide and will serve as a “key enabler” for greater health IT security.
The project establishes a single security context across the agency and allows DHA to standardize its virtual local area networks (VLANs) into a new 13-zone architecture, with each zone designed for a different level of security so that network traffic is segmented by zone.
“Since we’ll have that same design at each facility, it’s going to allow inheritance of security controls, reduced variants in configuration, and is going to greatly reduce the time to complete our risk management framework processes for each enclave and the associated systems,” Pat Flanders, DHA’s Chief Information Officer, said in an interview.
Tom Hines, DHA’s director of engineering and technology transformation and a senior advisor to Flanders, said the agency’s zone architecture, combined with its risk management and system monitoring processes, can track events on its network in real time and identify devices that have been adversely impacted.
“This allows us to flag any suspicious activity, identify its source, and isolate the system or systems that may have been affected,” Hines said.
This allows the agency to defend against all instances of malicious code, including ransomware. Hines said the agency has seen instances of ransomware, but has not been affected by those instances because of its network defenses.
Hines also attributed that success to DHA’s advanced forensics capability, which allows the agency to analyze attacks and their effect on a device or system.
He said these methods, to some extent, allow DHA to “reverse-engineer” those attacks.
“We have the capability to map that into our systems to then detect something that looked like the last thing that occurred and also stop it from affecting our devices,” Hines said.
To mitigate the risk of malicious code entering the network through users accessing websites, DHA is working with the Defense Information Security Agency on a web browser pilot called Cloud-Based Internet Isolation (CBII).
Hines said the pilot provisions a web browser in the cloud that doesn’t reside on the end-user’s device. “Any malicious activity only affects the virtual browser that gets de-provisioned at the end of the user’s session,” Hines said. “In this way, we are managing and securing anyone or anything connecting from the internet to a DHA system or from a DHA system to the internet.”
Meanwhile, the Defense Department expects to further reduce its cyber attack surface through its ongoing migration of its medical records systems to an electronic format.
The rollout of the Military Health System’s GENESIS e-health records program began with one military base in 2017, then spread to four bases in 2018 and an additional four in 2019.
GENESIS is expected to fully deploy by 2023, and will provide electronic health records to more than 9.5 million DoD beneficiaries.
Flanders said the MHS GENESIS rollout will replace hundreds of instances of legacy health record systems across the globe that have previously operated under separate chains of command and separate cybersecurity policies.
“If you understand the real challenge, the opportunity and benefits of MHS GENESIS become more obvious. I think most obvious is the opportunity for consolidation of legacy infrastructure and systems and the associated costs,” Flanders said. “We have a long list of systems that will be shut off and others that are going to be gradually sunset.”
Moving to a single network with standardized equipment and processes, he added, will “greatly reduce” the network’s attack surface and will ensure continuity of care for patients.
“When we’re using more of the same types of devices, it’s easier to secure them. GENESIS will be using the same record every place in the DoD,” Flanders said. “And so if I’m seen at a hospital at Fort Bragg and I then moved to the D.C. area and I’m seen at Walter Reed, you’re seeing the exact same system, the exact same data, and the exact same record.”