Defense health officials said on Thursday that they’re using a previously-planned pause in the deployment of the military’s new electronic health record to address early deficiencies that have cropped up in the system’s performance and the training delivered to its users. But they have no specific plans to further delay the $4.3 billion system’s worldwide implementation.
The latest update on MHS Genesis came during a conference call with reporters, arranged just hours after the publication of an article in Politico that was highly critical of the EHR’s preliminary rollout in the Pacific Northwest. The news outlet, citing interviews with six clinicians at the initial deployment sites, described severe problems involving inadequate training and technical issues, including a login process for clinicians that reportedly can take between 5 and 10 minutes.
Insight by Exterro: Capt. John Henry, operations officer of the USCG Cyber Command, discusses how the Command prepares for and responds to cyber incidents. Justin Tolman, forensic subject matter expert at Exterro, will provide an industry perspective.
The Pentagon’s office of developmental test and evaluation reported similar findings in an annual report summarizing its assessments of DoD programs.
“Users at all sites rated the system poorly for usability,” DOT&E found, adding that Genesis also suffers from cybersecurity vulnerabilities that render it “not survivable in a contested cyberspace environment.”
But DoD officials and the system’s primary contractors, Leidos and Cerner, portrayed the early problems as fairly common for the deployment of a new electronic health record in a complex health care delivery system, particularly when combined with the military’s unique cybersecurity requirements.
“It’s a significant undertaking, and there’s a tremendous amount of change associated with it,” said Maj. Gen. Jeffrey Clark, the Defense Health Agency’s deputy director for operations. “So yes, there is some stress associated with change, and I think the initial sites, by definition, are the ones that encountered most of it, which is why we roll it out in a step-wise manner.”
The first deployment sites involved Fairchild Air Force Base near Spokane, Washington, followed by the Navy’s Oak Harbor and Bremerton hospitals in Puget Sound and Madigan Army Medical Center at Joint Base Lewis-McChord. Formal operational assessments have now been finished at all four sites.
But some early warning signs began to appear as early as last June, well before DoD made the “go live” decision for Madigan, the largest and last of the four facilities, which switched over to the new system in October.
According to DOT&E, operational assessments based on user tests in DoD lab environments and two of the first real-world fielding sites — Fairchild and Oak Harbor — found more than two dozen “high priority” deficiencies, some technological, and some attributed to inadequate training.
“Users experienced problems managing appointments, medical records, radiology imaging orders, medical history, referrals, physical exams, and patient eligibility through the Defense Enrollment Eligibility Reporting System,” the DOT&E report said. “Operational users at Fairchild AFB reported problems with MHS Genesis billing and report generation.”
However, none of the problems appeared to be so insurmountable that DoD needed to alter its planned deployment schedule for the remaining IOC sites, said Stacy Cummings, the program executive officer for Defense Healthcare Management Systems. So officials pressed forward.
“I agree that our training was not sufficient and that the training strategy that we followed focused too much on using the system and not enough on how the workflows were going to change,” she said. “So that is a significant lesson learned that we’re applying now for our future sites. But knowing that training was going to be an issue, we actually increased the number and quality of adoption coaches, and brought them in earlier than we had at both Fairchild and Oak Harbor. And we shared all of this information with the commanding officer of Madigan.”
Col. Michael Place, the commander of Madigan Army Medical Center, said the decision to turn the system on at his facility was a joint one, and that he and his superiors at Army Medical Command only agreed to the October go-live decision after he was comfortable that it would not adversely impact patient care.
The EHR’s previous problems, however, did cause him to take some proactive steps to divert some staff time away from clinical duties so that they could focus on the training needed to adopt and implement Genesis.
“We were intimately aware of what the challenges were,” he said. “So we did a number of things to make sure that we had the right kinds of resources here, and then we also took some risk mitigation measures. We decreased the number of inpatient beds that we had, we decreased the number of outpatient visits per provider. Our emergency room was on trauma diversion for several weeks to make sure that we were completely ready to go.”
As of now, the Genesis deployment process is in the seventh week of an eight-week “stabilization and adoption period” in which officials are accumulating and addressing lessons from the problems that occurred at the first four IOC sites.
The Pentagon has not yet issued a full deployment decision that would allow the new EHR to be deployed across the rest DoD’s network of military treatment facilities. Cummings said she would not seek such as decision until her program office, the Defense Health Agency and the military’s surgeons general were confident that the complex software package had reached a common baseline that could be smoothly deployed to other MTFs.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
The program office currently hopes to attain that decision within the next several months, but does not expect the target for worldwide deployment — 2022 — to change. The current schedule calls for the next military treatment centers to receive the new EHR in 2019, after the department has finished developing what it hopes will be a repeatable and reliable rollout process.
Also on Thursday, representatives from Leidos, DoD’s main systems integrator for Genesis, and Cerner, the developer of the underlying commercial health record, insisted the problems the initial deployment sites have suffered are not unusual for an IT project as complicated as the one DoD is trying to undertake.
“Health care is complex, and change is hard. You’re dealing with technology, human behavior and workflow changes,” said Travis Dalton, Cerner’s senior vice president for government services. “But we’re starting to see positive momentum, and users are improving in their ability to use the system. We’ve seen an 80 percent decrease in the time spent ordering in the same scenario by providers. Eighty-two percent of physicians’ orders are being entered electronically. That’s significantly higher than the commercial comparison that we would see in a like-size system at this point in time, which is closer to the mid-70s range.”
In some other ways, however, the department is resistant to comparisons between its implementation of the commercial Cerner product (Millenium) and instantiations of that offering at private sector medical facilities.
Extremely long login times, for example, represent an area for improvement, Cummings said, but DoD’s cybersecurity requirements make it unlikely that Genesis will ever match the speediness of private sector Cerner deployments.
“That’s because we want to make sure that we know exactly who’s logging into the system,” she said. “We are using a level of identity management that is different than they do in the commercial world, giving us another layer of protection.”
For similar reasons, Defense officials pushed back — gently — against DOT&E’s critique of the cybersecurity posture of the new EHR.
In its report, the independent testing office noted that scans administered by the DoD chief information officer discovered 313 “Category 1,” or “high severity” vulnerabilities.
“These gaps in security indicate MHS Genesis is not survivable in a contested cyberspace environment,” the office wrote.
But whether or not Genesis is part of a “contested” cyberspace environment in the first place is a debatable question.
As part of the health IT system’s rollout, the Defense Health Agency is also implementing a new, secure network called the Medical Community of Interest (MedCOI). To be sure, the simultaneous introduction of that network alongside the Genesis implementation has made matters more complicated. But like other military networks, it would require a major accomplishment on the part of a malicious intruder to enter the network before he or she tried to exploit any particular cyber vulnerability at the application level of the health IT system.
“The reason we have networks that are separate from the Internet, the reason we go through such lengths in the Risk Management Framework and a very deliberate process to evaluate the security of those networks is because of that layered approach,” said Patrick Flanders, the Defense Health Agency’s CIO. “It’s one of the reasons as a department that we’ve also been slow to adopt commercial cloud: there are very special things that have to be evaluated for security before we can do that. The other thing to point out is that raw vulnerability counts don’t necessarily equal actual risk exposure, how risk is mitigated overall, or the vulnerabilities being replaced. I can stay pretty much unequivocally that this system is more secure than what it’s replacing. ”
The Veterans Affairs Department has already committed itself to adopt the same system DoD is using. To do so, it will enter into a sole-source contract to buy its own version of Cerner’s Millenium product.
But VA’s acquisition timeline remains uncertain, due, in part, to the problems the military has encountered during its own implementation.
“It’s incredibly important to the VA that Genesis is successful,” said Scott Blackburn, the department official who is currently performing its CIO duties. “We’re watching very closely and learning from both the successes and the mishaps of this and making sure the same mistakes aren’t made twice. But in the commercial world, where I come from, no ERP or EHR implementation is perfect, so it’s important that we continue to press through this and take the lessons learned from a continuous improvement type of environment.”