How do you take nearly 400 military hospitals and clinics, more than 398,000 users, half a million medical devices, and 9.6 million beneficiaries from four different networks and transition them to a single, secure, global network?
Pat Flanders, program executive officer for medical systems and chief information officer for the Defense Health Agency, explained this was exactly the question to answer before beginning the consolidation of the Military Health System’s four medical networks into one.
In his presentation, titled “Managing Change in an Information Technology Environment,” at the annual Healthcare Information and Management Systems Society Global Health Conference & Exhibition in Chicago in April, he discussed the DHA’s transition to the Medical Community of Interest, a single, modern, consolidated network designed to standardize the enterprise health IT infrastructure, enhance cybersecurity, and fulfill the technical requirements of MHS GENESIS.
“This new network is the fourth largest in the DOD behind the Army, the Navy, and the Air Force,” said Flanders. “There is a massive amount of world-class engineering that took place.”
He noted the top five keys to the success of this transition were:
• Defining responsibilities and determining what is enterprise IT
• Including all parties in communication
• Raising awareness to the visibility of resources
• Demanding deliberate design and configuration management
• Investing in his people
Without a deliberate design, this network would not work, and it was key to making it a success, Flanders said. “It's designed to protect health information.”
Deliberate Design and Configuration Management
Key efforts behind the DHA’s successful transition to the MED-COI included:
• Creating an engineering solutions architecture and business analytics division: Single organization responsible for engineering and integration
• Establishing a cybersecurity service provider: Single organization to monitor and protect the network
• Establishing medical enterprise gateways: The controlled entry and exit points for direct access to the outside world
• Building local core infrastructure: Common compute and storage architecture at all military hospitals and clinics
• Developing a standard virtual local area network (VLAN) architecture: Established common VLANs to allow better security and easier accreditation
• Creating an application virtual hosting environment to secure access to our applications, allowing a “Bring Your Own Device” environment
• Establishing a cloud access point: Single entry and exit point to our Department of Defense accredited cloud environments
• Building a joint MHS active directory: A single active directory
• Instituting the Global Service Center
• Creating the MHS Information Platform, a data repository for all Military Health System analytics data
Flanders said he was fortunate that key capabilities required for success were “put under one roof” within his organization, the Program Executive Office for Medical Systems/CIO (J-6). He noted that the engineering, cyber, software development, global help desk, hardware/software procurement, budget, policy, and training offices are all now under one umbrella. “We are a one-stop shop.”
Flanders also discussed the ramifications for the DHA of DOD’s 2021 publication of a Zero Trust Reference Architecture framework.
According to DOD, “zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location or based on asset ownership.”
“The DHA has been establishing building blocks for zero trust for years,” said Flanders. “At this point, several aspects of zero trust are implemented and an integration to a holistic dynamic solution is in progress.
“The good news is because I just built a brand-new shiny network, I feel like we're way ahead of it. We were looking at complex systems, and they had to be built with zero trust in mind, so we created our own medical enterprise gateways,” he added.
This new strategy was created because the “IT space has had a fundamental shift,” said Flanders. He noted that there are more internet-connected devices, data is moving to cloud environments, and users are working remotely. Threats to the network, applications and data continue to evolve, and the scope of what must be protected has shifted. The Zero Trust Framework illustrates how to meet these needs.
What’s in the Future for the DHA?
Over the next 12 months, the DHA plans to:
• Teach and execute lifecycle management
• Define enterprise medical device portfolios and processes
• Award enterprise information technology services contracts
• Decommission legacy systems
• Continue MHS GENESIS roll-out
• Sunset MILCLOUD2, the DOD’s former cloud infrastructure service, and re-host all applications to other locations
• Align with zero trust principles; complete comply-to-connect
• Complete end-state architecture for enterprise telephony options
Flanders mentioned the DHA’s recent achievement of compliance with the department-wide mandate to migrate to a Defense Enterprise Office Solution, leveraging the Microsoft Office 365 cloud-based software-as-a-service business environment, which provides email, Teams, messaging services, office tools, and much more.
This migration impacted nearly 180,000 MHS personnel, including health and administrative personnel from the U.S. Army, U.S. Navy, U.S. Air Force, and U.S. Public Health Service, along with DHA headquarters staff.
To protect any Personally Identifiable Information and Protected Health Information exchanged in the course of DHA operations performed in the Office 365 environment, the DHA received approval from the DOD Chief Information Officer to acquire an independent tenant for O365. This approval permitted DHA to define and secure an O365 environment apart from other 4th Estate Agencies and Components.
The DHA's “MED365” is specifically designed to support the unique cybersecurity needs of the medical community to protect patient privacy and medical systems. The design construct supports incorporation of specific security licensing to achieve necessary protections for PHI.
MED365 migrated 180,000 user e-mail boxes across 11 non-contiguous time zones, 20 terabytes of data and 20,000 non-personal entity mailboxes to DHA's own MED365 tenant.
“We did it in nine months,” explained Flanders. “The next steps are continued governance and policy refinement in support of defense health.”
To learn more about health care technology within the DHA, visit health.mil.
Date Taken: 05.31.2023
Date Posted: 05.31.2023 13:11
Story ID: 445863
Location: US
This work, Building DHA Network Took ‘Massive Amount of World-Class Engineering’, by Robert Hammer, identified by DVIDS, must comply with the restrictions shown on https://www.dvidshub.net/about/copyright.