Standardizing, Modernizing, Securing Health Information Technology (IT)
Session 9, February 12, 2019
Mr. T “Pat” Flanders, Military Health System (MHS) Chief Information Officer (CIO)
Conflict of Interest
Mr. Thomas “Pat” Flanders, SES
Defense Health Agency (DHA) Chief Information Officer (CIO)
Deputy Assistant Director Information Operations (DAD IO)
Has no real or apparent conflicts of interest to report
Agenda
• Enterprise overview
• Role of DAD IO/J-6
• Standardization
• How we get there
• Questions
Learning Objectives
• Describe the important changes and direction of MHS health IT
• Discuss how DAD IO/J-6 works to ensure the right information is accessible to the right customers at the right time and in the right way
• Describe how DAD IO/J-6 is supporting partnerships among the Services, DHA, the Department of Veterans Affairs (VA) and Industry to implement and sustain a protected health IT environment
What is the MHS?
A Week in the Life of the MHS
What IT is Involved?
MHS Future State
Hyper Variance … We Own “One of Everything”
Health IT: Reform Objective & Mission
Our Target For Savings
History: Since 2014, DHA and the Services have undergone comprehensive IT Reform analysis and are executing plans to achieve required savings …
Four Areas Identified For Efficiencies:
– Creation of Shared Services: Includes reengineering IT management, help desks, and portfolio rationalization (FY15-19)
– Medical Network Modernization: IT optimization including Infrastructure, Cyber, Microsoft Windows Active Directory (FY17-21)
– Electronic Health Record (EHR) Modernization: MHS GENESIS replacement of legacy systems (FY18-22)
– Reduce Manpower: Reduction in IT staffing footprint, elimination of duplicative IT systems, and consolidation of infrastructure and support capabilities (FY19-23)

MHS IT Reform Manpower Decrement By Component ($M)*

Component         FY19    FY20    FY21    FY22    FY23    FYDP Total
Services         -16.6   -95.2  -148.5  -150.3  -107.2      -517.8
DHA               -9.5   -89.8  -241.5  -299.6  -390.8    -1,031.1
Total Decrement  -26.0  -185.0  -390.0  -450.0  -498.0    -1,549.0
Health IT Implementation Plan
D2D: Desktop to Datacenter
Three lines of effort will reduce duplicative IT services and systems, reduce the IT manpower footprint and standardize IT business processes and workflows
Centralized Services
D2D program provides centralized, standardized core infrastructure capabilities that
collectively enable healthcare operations including the deployment of the Department of
Defense’s (DoD’s) new electronic health record (EHR) – MHS GENESIS
Orchestrating D2D Implementation
Centralized Services
LPNI = Low probability of being replaced, no interface
LPI = Low probability of being replaced, requires interface
Continued Standardization Of Products
• Current tool portfolio is decentralized and contains duplicative and varying tools with unknown statuses and critical tool information
• Many were acquired for local necessity without a common enterprise standard to gain efficiencies and provide centralized management capabilities
FY19 – 21:
34/117 tools rationalized
Allows shutdown of 616 servers
Know Ourselves
[Diagram labels: tMTFs; All Other MTFs; Centrally managed IT; Analysis; “All Humans” Visibility; “All Budgets” Visibility; Savings; Identify redundancy, non-standard products]
Developing “Cost Warriors” … Important Traits
• Personal accountability: Ask “who” is responsible … not “what office, committee, or governance group is responsible”
• Financial accountability: Personally manage money to the level of the check and the name of the person who can justify it
• Schedule accountability: Ask “by when”
o If something doesn’t get done on time, it usually means that it costs more money … ask “can you still afford it?” … “what can you not do elsewhere to be able to afford it?” … do not become a burden to your clinicians, patients, or the enterprise
• Customer focus:
o Nobody likes going to the DMV
o Must know customer priorities … and communicate that understanding … constantly
• Engineering competency: “Own the technical baseline” … don’t outsource your brain … or you’ll pay too much
• Contracting: Plan for it to take longer than you think … have a plan A, B, and C … strive for no 4th QTR awards
• Never stop refining your understanding of what you do, why you do it, and how you do it
• Cybersecurity Compliance: There are two kinds of lawyers … “Judgement vs. Counsel”
Recognize and Combat Cyber Risk
[Slide graphic labels: 85,000 records; Ransomware attack]
Defense-In-Depth
• Department of Defense (DoD) – Common network information assurance (IA) controls
• D2D – DHA specific common IA controls
• Site enclave – Site specific IA controls
• Med-COI architecture – Zone specific IA controls
• Individual systems and medical devices address/comply with remaining IA controls
Enable Risk Balancing
Building Security In
Help us and yourselves by building to DoD required security standards, including:
– National Institute of Standards and Technology (NIST) Standards
• https://www.nist.gov
– Security Technical Implementation Guide (STIG) standards
• Provide technical guidance to “lock down” information systems/software
• https://iase.disa.mil
• DISA STIG Customer Support Desk: [email protected]
– Security Requirements Guides (SRG)
• Provide high level guidance where product specific STIGs don’t exist
• https://iase.disa.mil
Questions
• For additional questions, please contact us at
• Please complete the online session evaluation