Hacker Tests Prompt Pentagon to Remedy Vulnerable Health Files

  • Working group created to help stave off cyberattacks
  • Department is spending $5.4 billion to overhaul records system

The Defense Department, which is spending $5.4 billion to overhaul its electronic health records system, has created a working group to remedy new cybersecurity vulnerabilities discovered last fall by a team of military hackers and information technology specialists.

The tests found the Military Healthcare System Genesis, which will eventually serve more than 9 million beneficiaries at dozens of military hospitals and hundreds of clinics, was still “not survivable” when the system was hit with staged attacks.

Performing the cyber assessment was the Joint Interoperability Test Command and a hacker red team with the Naval Warfare Systems Command. Details will be included in the forthcoming annual report of the Director for Operational Test and Evaluation Robert Behler, which was obtained by Bloomberg Government.

3 Staged Attacks

The team waged three successful cyberattacks on the MHS Genesis during a hacking test in September, according to Behler, though full details are classified. Last year, Behler warned that earlier system testing indicated cyber vulnerabilities that could lead to stolen and lost patient records.

The working group was then created by the Pentagon’s Healthcare Management System Modernization Office to shore up the vulnerabilities. It includes the prime contractor on the records overhaul, Leidos Holdings Inc. , and the health IT company Cerner Corp., which is part of the contract the department first signed in 2015. Accenture Federal Services and Henry Schein Inc. are also major contractors on the project.

The Pentagon is overhauling its health records system.

“We were not surprised that they were successful” during the staged attacks, said Stacy Cummings, head of the Program Executive Office for the Defense Healthcare Management Systems. “We expect that they are good at their job, and we want them to find things so that we can take action before somebody else finds them.”

Overall, MHS Genesis remains a work in progress, according to Behler’s report. It is “not yet operationally effective” or suitable because of poor system performance and insufficient training and documentation.

“I can say that, the Defense Department’s decision to continue MHS Genesis deployment is a testament to their confidence in the system and reinforces our shared commitment to delivering a transformed healthcare system for our service members and their families,” Leidos Senior Vice President Melissa Lee Koskovich said in a statement. “Without seeing the unpublished report in reference I cannot comment on the specifics.”

Cumbersome System

The military hopes to modernize its cumbersome and antiquated health-care records systems at 54 hospitals and more than 640 clinics by the end of 2023. The Coast Guard was also recently added to the contract.

The system was initially rolled out to four test sites in Washington state beginning in 2017—Naval Hospital Bremerton, Madigan Army Medical Center, Fairchild Air Force Base, and Naval Hospital Oak Harbor—revealing a variety of operating and user problems at the time, including holes in cybersecurity.

The latest assessments found MHS Genesis worked well in only 18 of 70 clinical areas, and “users satisfactorily performed 45 percent of the medical and administrative tasks used as measures of performance,” according to Behler’s report.

Cummings said the program office is working to improve training of military health-care staff on the new system, which was already known to be a problem area.

Behler wrote a memo to acting Defense Secretary Patrick Shanahan on Tuesday, saying the MHS Genesis program office, the Defense Health Agency, and the military services were “working aggressively” to solve the issues and that more testing is scheduled for the end of 2019.

The new cybersecurity issues and operating issues won’t stop the rollout of the MHS Genesis system.

`Work to Do’

The overhaul program office was cleared by the department’s chief information officer in November to put the new system in place in four more military health facilities beginning in the fall.

The next wave will include three California bases—Travis Air Force Base, Naval Air Station Lemoore, and U.S. Army Health Clinic Presidio of Monterey—as well as Mountain Home Air Force Base in Idaho, said Maj. Gen. Lee Payne, the assistant director for combat support at the Defense Health Agency.

The “report language tells us we still have got work to do, but we’ve developed a plan and are attacking that user satisfaction and we were paying extreme attention to the end user’s perspective in this as we move forward,” Payne said.

With assistance from Tony Capaccio (Bloomberg News)

To contact the reporter on this story: Travis Tritten at ttritten@bgov.com

To contact the editors responsible for this story: Paul Hendrie at phendrie@bgov.com; Robin Meszoly at rmeszoly@bgov.com