VA, DoD EHR Project: Security Game Plan

Outgoing VA CIO Baker Describes Strategy

Although the Department of Veterans Affairs and Department of Defense are taking a new approach to building their long-awaited integrated electronic health record system, many key components of the data security strategy for the project will remain the same, says Roger Baker, the VA's outgoing CIO.

The original approach called for building a new, consolidated EHR system from scratch. The new approach calls for building interoperability and real-time data exchange between existing VA and DoD systems (see: VA, DoD Accelerate Secure EHR Project).

Baker is stepping down as CIO on March 8 after four years on the job (see: VA CIO Roger Baker Resigning). On Feb. 27, he and other DoD and VA leaders testified before Congress to explain the revised EHR strategy. And in his final media briefing on Feb. 28, he offered more details, including insights into the security strategy.

Security Plans

Baker says some of the aspects of the security strategy that are unchanged, despite the new approach to an integrated EHR, are:

  • VA plans to adopt the common identification system of the DoD's Defense Manpower Data Center, or DMDC, as the basis of the iEHR.
  • VA and DoD will build a single "medical community of interests, or enclave" that allows DoD and VA users to work on the same network. That makes it easy for users to interact and to create "data assurance" rather than building bridges across multiple networks.
  • DoD and VA users will use a common employee ID system that allows clinicians to use smart cards to access either DoD or VA applications.
  • The VA and DoD will use a single patient matching system to ensure that all the correct data from the two records systems that are being integrated is matched to the correct patient and is accessible to appropriate DoD and VA users based on their roles. "We've done a lot of work on probabilistic matching," Baker says.

Also, in part because Congress outlawed a single national ID system for patients, the VA and DoD are working to remove patients' Social Security numbers from all EHR-related data.

While the security strategy for the new iEHR approach largely remains the same as the strategy for the original plans for building a new EHR from the ground up, other aspects of security will evolve once the DoD decides whether it will use as its new core EHR the VA's VistA records system or a commercial product, Baker says.

Congressional Scrutiny

At a congressional hearing on Feb. 27, Rep. Jeff Miller (R-Florida), chairman of the House Committee on Veterans Affairs, expressed frustration at learning from press reports - and not directly from the departments' leaders - about the two departments' seemingly sudden decision earlier this month to change plans that had been in place since 2009 to build an integrated EHR system from scratch.

"It sounds like you're making a U-turn" in dropping plans for building a single core system, Miller said.

Baker and several DoD leaders testified that the decision to build upon existing DoD and VA systems instead of creating a new integrated EHR was based on a recent analysis showing escalating costs and risks involved with a ground-up approach.

Elizabeth McGrath, DoD deputy chief management officer, acknowledged that concerns about impending budget sequestration, due to take effect on March 1, were also a consideration in the decision, although she did not provide specifics about that impact (see: Keeping IT Secure Under Sequestration).

The decision to change course on building an integrated VA and DoD EHR was announced jointly at a briefing on Feb. 5 by outgoing DoD Secretary Leon Panetta and VA Secretary Eric Shinseki.

At the time, Panetta described the reasons behind dropping the original strategy: "Our worry is, how long is it going to take to get to that goal? And what is going to be the price tag to get to that goal? And how many times is it going to be delayed?"

The original plan to build a new EHR was estimated to cost $4 billion to $6 billion, but the most recent estimates showed the cost would be double, Baker testified. VA and DoD officials said the new approach is expected to cost less than the single-system approach.

McGrath testified that DoD and VA are on schedule to meet a timetable of key interoperability goals set based on the revamped approach.

Interoperability Milestones

The timeline for the revamped approach to EHR integration includes:

  • Select a core set of iEHR capabilities no later than March;
  • Allow VA and DoD patients to download their records via the Blue Button Initiative by May;
  • Expand the use of the iEHR's Janus graphical user interface to seven additional VA sites and two DoD sites by July;
  • Launch real-time data exchange between VA and DoD by December.

New DoD EHR

While the VA will continue to use its home-grown VistA EHR as its core system, the DoD recently issued a request for information before it decides what core EHR it will use instead of its legacy system, Armed Forces Health Longitudinal Technology Application, or AHLTA. Choices include commercial products as well as VA's VistA, McGrath said.

However, while VistA is often considered a strong EHR platform by the VA clinicians who use it, it's an older technology that has been leapfrogged in capabilities, such as decision support, by newer commercial products, Woodson testified. "As good as VistA is, it's not one system," Woodson said, noting that there are a number of iterations of software. Also, "VistA was ahead of its time [when it was first implemented years ago by VA], but it doesn't have all its manuals, and [would not be easy for DoD] to acquire it," he testified.

A representative of the Government Accountability Office testified about the GAO's concerns about VA and DoD's long history in trying to securely share health data, and its most recent change in strategy.

VA and DoD operate two of the nation's largest healthcare systems, which, in fiscal year 2013, are projected to provide coverage to approximately 6.3 million veterans and 9.6 million active duty service members and their beneficiaries at estimated costs of about $53 billion and $49 billion, respectively, testified Valerie Melvin, GAO director of information management and technology resources issues.

"While VA and DoD have made progress in increasing interoperability between their health information systems over the past 15 years, these efforts have faced longstanding challenges," she said. There has been inadequate program management and accountability, she says.

"There's been a persistent absence of clearly defined, measurable goals and metrics, together with associated plans and time frames, that would enable the departments to report progress in achieving full interoperability," Melvin said. The newest DoD and VA plan for a secure, iEHR "has no defined roadmap," she added.

GAO also issued a new report on Feb. 27 outlining the long history of challenges in achieving interoperability between DoD and VA medical record data. "GAO is monitoring the departments' progress in overcoming these barriers and has additional ongoing work to evaluate their activities to develop integrated electronic health record capabilities," the report says.

Security Achievements

In written testimony submitted to the House Committee on Veterans Affairs, Baker cited improvements in privacy and security.

"We have made substantial progress in information security since the challenges experienced in 2006 by instituting controls that now provide for remote access to VA resources for employees and selected business partners, and implementing a sound security strategy to facilitate secure data exchange with DoD and private sector healthcare organizations, and facilitating access to electronic health records for our Veterans over the Internet," Baker said in his written testimony. "These efforts are instrumental in making the administration's vision towards a virtual lifetime health record possible."


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



