By Mike Farahbakshian
In this month’s article, Mike Farahbakhshian abstains at DHITS to deliver his take-aways from all the morning sessions you were too hung over to attend. The content is as dry as Mike – but it gives a critical sneak peek into the challenges DHA faces as it modernizes its systems in a changing cybersecurity landscape. Time to read: 10 minutes. Suggested drink pairing: How about a nice herbal tea?
Grab Some Water, because this Article’s Gonna Be Dry (and you might be dehydrated)
Over the years, I’ve developed a reputation as a stick in the mud. I’m not one for late nights, loud places, or excessive drinking. What people don’t realize is that I got all that out of my system in the early 2000’s, when I ran a nightclub with an undocumented alcoholic fugitive.
I’m a party pooper precisely because I spent three prime years of my mid-20’s picking up cigarette butts, breaking up fights, assisting “white-girl-wasted” patrons on beer-slickened dance floors, kicking drug dealers off the premises, and collapsing in bed at 5am to get two hours sleep before my day job.
As a result, I’m an early riser who doesn’t drink much. This makes me no fun during industry conferences, such as HIMSS or the Defense Health Information Technology Symposium (DHITS). However, it makes me a smash hit after these conference, because I can now provide you with all my comprehensive notes. You know, the ones from those early morning sessions that started about an hour after the alarm you slept through?
To capitalize on my not-really-super power, I gave myself a challenge: attend DHITS without drinking a single drop of alcohol. I call this Sobriety-as-a-Service (SaaS), marketed to all you folks who opted to get“DHIT-faced” at the plentiful and well-provisioned parties. With SaaS, you can have your cake and eat it too!
Without further ado, here are my three big take-aways from DHITS:
DHA isn’t COI About the Challenges of Medical Device Cybersecurity
From the opening session, COL Terry made it unmistakably clear that medical device security was going to be huge in the coming year. DHA has many moving parts: AHLTA, CHCS, and Essentris will be replaced with Cerner Millenium; meanwhile, legacy or ancillary systems such as those within the Solution Delivery Division portfolio will continue to be sustained, and in some cases, enhanced. Each of these systems must be hardened and accredited. Complicating this is the switchover from the DIACAP accreditation standard to the Risk Management Framework (RMF) model. Many systems will require recertification and reaccreditation.
Muddying the waters further is this fact: as this rollout of Cerner and modernization of legacy DHA systems occur over the next several years, systems at the Military Treatment Facility (MTF) level will be migrated to an isolation architecture known as the Medical Community of Interest (MEDCOI).
What is MEDCOI, you ask? MEDCOI is a DISA-managed enterprise Virtual Private Network (VPN) service providing access to the Medical Community of Interest VPN for use by Defense Health Agency and the Department of Veterans Affairs. (Full disclosure: I personally have not seen any VA systems using MEDCOI.) Specifically, MEDCOI will be used to isolate medical devices, to include EHRs such as CHCS or Cerner Millennium, as well as specific devices such as MRI machines or infusion pumps. This way, in theory, the MTF systems are isolated from tactical and strategic combat and combat support systems wherever possible.
I’m lucky to have some insight into MEDCOI; By Light Professional IT Services currently manages, secures, and accredits MEDCOI at the Joint Force Headquarters Department of Defense Information Network (JFHQ-DODIN) and as part of the DISA Global Information Grid Services Management-Engineering, Transition and Implementation (GSM-ETI) Contract. Moreover, we also perform MEDCOI project management as part of the same vehicle. There’s a lot of expertise behind the setup and execution of MEDCOI. Almost as much expertise as there are challenges.
First and foremost, the question remains whether a packet-based VPN is the proper way to isolate medical devices, versus a Software Defined Network (SDN). SDNs utilize the OpenFlow protocol: people smarter than me should verify, but my interpretation is that VPNs use packet based routing, whereas SDNs use application based routing. Moreover, SDNs have logic and processes to handle internal chatter between multiple middleware instances while servicing client requests; VPNs are more suited to point to point traffic. An example SDN architecture can be seen below:
The second challenge is whether DISA, in its execution of MEDCOI, or DHA, in its use of MEDCOI, will learn any lessons from VA’s implementation of the Medical Device Protection Program (MDPP) Medical Device Isolation Architecture (MDIA). I’ve written about MDIA in a previous article. As a brief recap, MDIA provides a Virtual Local Area Network (VLAN) using a firewall and Access Control Lists (ACLs) to limit traffic to and from medical devices. The firewall rule sets are kept in change management databases, periodically reviewed and refreshed, and monitored as part of the Continuous Readiness in Information Security Program (CRISP). While MDIA has served adequately since its inception in 2009, there are countless lessons learned at the enterprise and hospital levels. I am not aware of any information sharing between DoD and VA specifically regarding lessons learned from MDIA as applied to MEDCOI. My recommendation to decision makers is that this information exchange take place immediately at the DoD-VA Interagency Program Office (IPO). The sooner it’s done, the safer we all will be.
The third challenge is how MEDCOI, as a DISA-operated entity on the Department of Defense Information Network (DODIN), will be treated now that President Trump has elevated USCYBERCOM to a Unified Combatant Command. This would, in essence, allow CYBERCOM to conduct military operations – in other words, “cyberwarfare.” What will this elevation mean for command directives or responsiveness? Will there be ramifications from the Posse Comitatus act, which limits the ability for the United States military to act domestically? Some would make the case that Posse Comitatus would need to be updated to meet the reality of the threats we face against our domestic infrastructure. Others would argue that there are civil rights ramifications. Will this statue of cyberwarfare be permanent? While attacks such as WannaCry can be seen as acts of war, it may be a bridge too far for the safety and security of our citizens.
While these difficult decisions are being hashed out, the bad guys are still attacking, and medical devices are still being modernized and implemented across DHA, so this process won’t be easy.
Speaking of DHA Cyber Security and cyberwarfare…
SPAWAR! Huh! Good God, Y’all! What is it good for?
As it happens, it’s good for quite a lot. SPAWAR Charleston has been the home for a wide variety of DHA systems, including:
- The Health Artifact and Image Management Solution (HAIMS);
- the CarePoint Health Application Suite (CHAS);
- the Medical Data Aggregation and Collection Application, (MDACA);
- and the Integrated Clinical Database (ICDB), among others.
However, changes are coming. Namely, the FY2018 DoD-wide audit.
This audit will be onerous enough for DHA, but extra moving parts make this extra challenging.
Specifically: the Charleston enclave has received an Authority to Operate (ATO), but not every individual system within the enclave have an ATO. Some do, some don’t; and of those that do, some have been accredited under the old DIACAP paradigm instead of the new RMF. The current understanding is that systems kept at SPAWAR’s data center in accordance with enclave-level ATO posture are considered accredited. However, this department-wide audit may trigger reassessments of these systems, which will lead to significant time and labor expenditures during the largest government audit in recorded history.
In addition, the rollout of Cerner to replace CHCS/AHLTA at each MTF means that many localized (such as MTF-level ICDB servers) need to be migrated to MEDCOI, which can potentially trigger audit complications. Moreover, the Charleston enclave itself is set to hook up to MEDCOI and AWS GovCloud, requiring completion of the Connection Approval Process (CAP). The good news is, as of early August, SPAWAR has begun work on the CAP effort. This process is funded, allocated to contractors (plus SPAWAR staff), and they are executing on a published timeline.
Still, the cyber challenges for SPAWAR will be present. SPAWAR recently competed two procurements for Cybersecurity Authorization and Assessment, and Risk Management Operations. In addition, SPAWAR recently awarded a $66M contract to Spinvi for modernizing and consolidating DHA Infrastructure. The only way such a massive effort can execute without problems is for DHA, SPAWAR, and vendors to communicate in an Agile, multilateral way; everyone’s helping right the ship, so we all need to be pulling in the same direction.
Speaking of SPAWAR, let’s talk about …
JOMIS and Health Readiness Engineering
As it so happens, SPAWAR also hosts many of the theater based medical systems between Charleston, SC, Norfolk, VA and New Orleans, LA.
Historically, these theater systems fell under the responsibility of the Theater Medical Information Program – Joint (TMIP-J) Program. The program comprises software components such as: AHLTA-Theater (AHLTA-T); the Deployed Tele-Radiological System (DTRS); Maritime Medical Modules (MMM); Shipboard Automated Medical System (SAMS); Medical Situational Awareness in Theater (MSAT); Joint Medical Workstation (JMeWS); TMIP CHCS Caché (TC2); Theater Medical Data Store (TMDS); and more.
All of these systems are now under the aegis of the Joint Operational Medical Information Systems (JOMIS). JOMIS provides integrated medical care information across multiple levels of operational medicine to combatant commanders. This real-time or near-real-time information supports of time-sensitive decisions for successful operations. JOMIS integrates medical care information under a joint concept of operations that comprises the following functional areas, including: command and control, medical logistics, patient regulation and evacuation, medical/threat intelligence, healthcare delivery, manpower/training, and medical capabilities assessment and sustainability analysis. JOMIS is intended to support the Cerner Millennium-based MHS GENESIS.
Two of the key components of JOMIS are the Theater Medical Data Store (TMDS), which is an UNCLASSIFIED system; and the Medical Situational Awareness in Theater (MSAT), which is CLASSIFIED.
TMDS is a web-based application through NIPRNET, which allows providers the ability to view, track and disposition ill or injured patients as they move through the Theater levels of care, the sustaining base and those shared with the Department of Veterans Affairs. TMDS serves as the authoritative Theater database for service members’ medical information, allowing users to track patients’ disposition and display their longitudinal medical record information. TMDS pulls information from the Defense Manpower Data Center (DMDC), AHLTA-T, TC2, CHCS, and SAMS.
MSAT, on the other hand, is a web-based application through SIPRNET, which combines information from multiple databases to provide Worldwide Asset Visibility and Decision support for COCOM and JTF Commanders’ medical staff. MSAT provides a common operating picture and decision support capability for assisting staff in assessing risks, mitigating operational vulnerabilities, and allocating scarce combat resources during the planning and conducting of operations. In addition to health information, MSAT aggregates other information such as map and weather data. As a result, the aggregate can give away operational status; for example, if an entire platoon or company is afflicted with a sinus infection compounded by rainy weather, the bad guys will know whom to attack, where, and when. Think of it as a giant Protected Health Information (PHI) disclosure, except instead of individually identifiable information, it’s summary information about the health of a fighting force.
And that’s why MSAT is CLASSIFIED. With this established but what are the challenges with rolling out JOMIS? There are several.
First, TMDS is in dire need of a hardware refresh. Many of the systems are nearly a decade old. ‘Nuff said.
Second, the JOMIS systems are currently located in the national capital region with an unsatisfactory Continuity of Operations (COOP)/Disaster Recovery (DR) plan. While the PEO DHMS and the JOMIS PMO are working for a satisfactory solution, it’s not exactly commonplace to find a ready-made COOP/DR solution with both NIPRNET and SIPRNET drops collocated. Since TMDS and MSAT were originally accredited under DIACAP with a Mission Assurance Category (MAC) Level II, it is critical that the Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) are met. For MAC II, if my failing memory serves me, RTO is 24 hours and RPO is 8 hours.
Likewise, with a mix of CLASSIFIED and UNCLASSIFIED information, long-term primary hosting TMDS and MSAT will require some juggling. It’s still nebulous where their final home will be. Options I’ve heard include Tripler AFB in Hawaii; MacDill in Tampa, FL; and Madigan AMC in Washington state. Wherever the system finally resides, it will need the proper network connectivity, cyber posture and accreditation under the new Risk Management Framework paradigm. This is no easy task.
Finally, a key component of the JOMIS solution will be maintenancing the shipboard/naval systems such as the PowerBuilder-based Maritime Medical Modules as well as Navy Medicine On-Line (NMO). This work will fall under the DHA Health Readiness Engineering procurement. The challenge here is that the JOMIS backend systems may be maintained or hosted by a different vendor than Health Readiness Engineering. Once again, ensuring the stakeholders are in synch will be key to ensure that these real-time, mission critical, theater systems are functioning smoothly and safely.
Stay Thirsty, My Friends
So there you have it: my big three take-aways from DHITS. While there is so much more I could rant about (the revised Tricare On-Line versus Cerner’s patient portal; the future of HAIMS; and so much more), that will have to wait for another time.
May my (rightly earned) reputation for being a stick in the mud serve you well; I hope my fuddy-duddy note-taking at morning DHITS sessions are helpful. I may not be the most interesting man in the world, but I think the value here will help industry and Government collaborate to provide effective, safe, secure solutions that help the warfighter and spare the taxpayer. I don’t always share my conference notes, but when I do, I do it with gusto.