1

Standardizing, Modernizing, Securing Health Information Technology (IT)

Session 9, February 12, 2019

Mr. T “Pat” Flanders, Military Health System (MHS) Chief Information Officer (CIO)

2

Mr. Thomas “Pat” Flanders, SES

Defense Health Agency (DHA) Chief Information Officer (CIO)

Deputy Assistant Director Information Operations (DAD IO)

Has no real or apparent conflicts of interest to report

Conflict of Interest

3

• Enterprise overview

• Role of DAD IO/J-6

• Standardization

• How we get there

• Questions

Agenda

4

• Describe the important changes and direction of MHS health IT

• Discuss how DAD IO/J-6 works to ensure the right information is accessible to the right customers at the right time and in the right way

• Describe how DAD IO/J-6 is supporting partnerships among the Services, DHA, the Department of Veterans Affairs (VA) and Industry to implement and sustain a protected health IT environment

Learning Objectives

What is the MHS?

6

A Week in the Life of the MHS

6

What IT is Involved?

7

MHS Future State

8

9

Hyper Variance … We Own “One of Everything”

Health IT: Reform Objective & Mission

10

11

Our Target For SavingsHistory: Since 2014, DHA and the Services have undergone comprehensive IT Reform

analysis and are executing plans to achieve required savings …

Four Areas Identified For Efficiencies:

–Creation of Shared Services: Includes reengineering IT management, help desks,

and portfolio rationalization (FY15-19)

–Medical Network Modernization: IT optimization including Infrastructure, Cyber,

Microsoft Windows Active Directory (FY17-21)

–Electronic Health Record (EHR) Modernization: MHS GENESIS replacement of

legacy systems (FY18-22)

–Reduce Manpower: Reduction in IT staffing footprint, elimination of duplicative IT

systems, and consolidation of infrastructure and support capabilities (FY19-23)

MHS IT Reform Manpower Decrement By Component ($M)*

Component FY19 FY20 FY21 FY22 FY23FYDP

Total

Services -16.6 -95.2 -148.5 -150.3 -107.2 -517.8

DHA -9.5 -89.8 -241.5 -299.6 -390.8 -1,031.1

Total Decrement -26.0 -185.0 -390.0 -450.0 -498.0 -1,549.0

12

Health IT Implementation Plan

12D2D: Desktop to Datacenter

Three lines of effort will reduce duplicative IT services and systems, reduce the IT manpower footprint and standardize IT business processes and workflows

13

Centralized Services

13

D2D program provides centralized, standardized core infrastructure capabilities that

collectively enable healthcare operations including the deployment of the Department of

Defense’s (DoD’s) new electronic health record (EHR) – MHS GENESIS

Orchestrating D2D Implementation

Centralized ServicesLPNI = Low probability of being replaced,

no interface

LPI = Low probability of being replaced,

requires interface

15

16

Continued Standardization Of Products• Current tool portfolio is decentralized and contains duplicative and

varying tools with unknown statuses and critical tool information

• Many were acquired for local necessity without a common enterprise standard to gain efficiencies and provide centralized management capabilities

FY19 – 21:

34/117 tools rationalized

Allows shutdown of 616 servers

17

Know Ourselves

17175+3 tMTFs All Other MTFsCentrally managed IT

Analysis

“All Humans” Visibility “All Budgets” Visibility

Savings Identify redundancy, non-

standard products

• Personal accountability: Ask “who” is responsible … not “what office, committee, or governance group is responsible”

• Financial accountability: Personally manage money to the level of the check and the name of the person who can justify it

• Schedule accountability: Ask “by when”

o If something doesn’t get done on time, it usually means that it costs more money … ask “can you still afford it?” … “what can you not do elsewhere to be able to afford it?” … do not become a burden to your clinicians, patients, or the enterprise

• Customer focus:

o Nobody likes going to the DMV

o Must know customer priorities … and communicate that understanding … constantly

• Engineering competency: “Own the technical baseline” … don’t outsource your brain … or you’ll pay too much

• Contracting: Plan for it to take longer than you think … have a plan A, B, and C … strive for no 4th QTR awards

• Never stop refining your understanding of what you do, why you do it, and how you do it

• Cybersecurity Compliance: There are two kinds of lawyers … “Judgement vs. Counsel”

Developing “Cost Warriors”… Important Traits

Recognize and Combat Cyber Risk 85,000 records

Ransomware

attack

20

Defense-In-Depth

• Department of Defense (DoD) – Common network information assurance (IA) controls

• D2D – DHA specific common IA controls

• Site enclave – Site specific IA controls

• Med-COI architecture – Zone specific IA controls

• Individual systems and medical devices address/comply with remaining IA controls

Enable Risk Balancing

22

Building Security In

– National Institute of Standards and Technology (NIST) Standards

• https://www.nist.gov

– Security Technical Implementation Guide (STIG) standards

• Provide technical guidance to “lock down” information systems/software

• https://iase.disa.mil

• DISA STIG Customer Support Desk: disa.stig.spt@mail.mil

– Security Requirements Guides (SRG)

• Provide high level guidance where product specific STIGs don’t exist

• https://iase.disa.mil

Help us and yourselves by building to DoD required security

standards, including:

23

• For additional questions, please contact us at

dha.ncr.health-it.mbx.director-workflow@mail.mil

• Please complete the online session evaluation

Questions