With few exceptions, most of us are online. That means our personal information, including personal health information (PHI), is online, too. As VA transitions to a new electronic health record (EHR) system ― the software that stores health information and tracks patient care — security of PHI is a critical element.

Protecting PHI is part of Duc Nguyen’s (DOOK N-win) job as director of the Electronic Health Record Modernization Integration Office (EHRM IO) Joint Cyber Operations Integration Center (JCOIC). Nguyen and his team are responsible for ensuring all interfaces and components of the EHR system comply with VA policies for cybersecurity and data privacy.

“In this day and age, cybersecurity and privacy go hand in hand,” Nguyen said, “and we have an obligation to safeguard Veteran health care information. Those who have served can feel confident that we are taking these issues seriously.”

Certain segments of VA’s records are already online, of course, but EHR modernization, which began in 2018 and, as of July 29, 2022, has been implemented at five VA medical centers, represents a multiyear process that will provide seamless care to those who served. That connectivity touches millions of people ― from clinicians and administrators to Veterans themselves.

The EHR’s advanced cybersecurity protocols are deeply rooted in the principals of the Health Insurance Portability and Accountability Act (HIPAA), the 1996 legislation that established national standards for the protection of PHI, as well as in the National Institute Standards and Technology (NIST) cybersecurity standards and best practices.

Regarding such standards, Marvin Marin, who is part of JCOIC’s leadership team noted, “HIPAA surrounds us, and we incorporate it in every process, every step, both from an operations perspective and from a cyber perspective.”

An eye on every record

In a first step toward full integration of health records between the Department of Defense (DoD) and VA, in 2019, VA transferred the health records of some 23.5 million Veterans into the new EHR system. Now, by design, VA’s EHR connects with similar health data systems at DoD and the Department of Homeland Security’s U.S. Coast Guard, as well as with hundreds of community hospitals and clinics nationwide. That’s a lot of points of access.

But every one of those points of access is being vigilantly guarded by VA. Suzanne Leach is also on the JCOIC team, and part of her role is to make sure that each one has what is called an “authority to connect.” Simply put, that means when a person or another system tries to communicate with the EHR, VA knows who or what is behind the attempt.

Nguyen, Marin, Leach and the cybersecurity teams at VA and DoD — as well as the software itself — are always watching for what are commonly called “bad actors,” people or entities who pose threats that can take the form of ransomwarephishing emails and other incursions.

The new EHR system includes built-in technologies that watch for that kind of unauthorized activity. “The auditing and monitoring systems will flag if there’s any sort of erroneous update to a patient record,” Marin added. “Then those records are reviewed manually to make sure that nothing impacts patient care.”

Protecting with passion

With technology and cyberthreats always changing, the JCOIC team is committed to staying in front of issues before they arise.

“Cybersecurity needs to be ever evolving,” Leach said, returning to the value of the continuous monitoring built into the new EHR system. At VA, it is. And using these and other safeguards, the cybersecurity team is actively scanning and protecting the data environment, watching for new and persistent threats and working to deny bad actors any access to Veterans’ data.

“We don’t see this as work,” Marin said. “We see this as, I guess, passionate work. Cybersecurity professionals really embrace this mission.”

More Stories

  • How DoD program leader is transforming military health

    How DoD program leader is transforming military health

    Holly Joers is the sort of champion you want on your side. The program executive officer for Defense Healthcare Management Systems, she brims with excitement when discussing the future of health care for Veterans and active-duty service members.

  • VA adjusts electronic health record rollout schedule to assure continued success

    VA adjusts electronic health record rollout schedule to assure continued success

    To allow additional time to prepare for implementation, VA recently updated the deployment schedule of its new electronic health record (EHR) system.

  • New electronic health record system saves hours a day for VA lab staff in Walla Walla, Washington

    New electronic health record system saves hours a day for VA lab staff in Walla Walla, Washington

    The Department of Veterans Affairs’ new electronic health record (EHR) is saving lab staff hours of work each day at the Jonathan M. Wainwright Memorial VA Medical Center, in Walla Walla, Washington.