With few exceptions, most of us are online. That means our personal information, including personal health information (PHI), is online, too. As VA transitions to a new electronic health record (EHR) system ― the software that stores health information and tracks patient care — security of PHI is a critical element.
Protecting PHI is part of Duc Nguyen’s (DOOK N-win) job as director of the Electronic Health Record Modernization Integration Office (EHRM IO) Joint Cyber Operations Integration Center (JCOIC). Nguyen and his team are responsible for ensuring all interfaces and components of the EHR system comply with VA policies for cybersecurity and data privacy.
“In this day and age, cybersecurity and privacy go hand in hand,” Nguyen said, “and we have an obligation to safeguard Veteran health care information. Those who have served can feel confident that we are taking these issues seriously.”
Certain segments of VA’s records are already online, of course, but EHR modernization, which began in 2018 and, as of July 29, 2022, has been implemented at five VA medical centers, represents a multiyear process that will provide seamless care to those who served. That connectivity touches millions of people ― from clinicians and administrators to Veterans themselves.
The EHR’s advanced cybersecurity protocols are deeply rooted in the principles of the Health Insurance Portability and Accountability Act (HIPAA), the 1996 legislation that established national standards for the protection of PHI, as well as in the National Institute of Standards and Technology (NIST) cybersecurity standards and best practices.
Regarding such standards, Marvin Marin, who is part of JCOIC’s leadership team, noted, “HIPAA surrounds us, and we incorporate it in every process, every step, both from an operations perspective and from a cyber perspective.”
An eye on every record
In a first step toward full integration of health records between the Department of Defense (DOD) and VA, in 2019, VA transferred the health records of some 23.5 million Veterans into the new EHR system. Now, by design, VA’s EHR connects with similar health data systems at DOD and the Department of Homeland Security’s U.S. Coast Guard, as well as with hundreds of community hospitals and clinics nationwide. That’s a lot of points of access.
But every one of those points of access is being vigilantly guarded by VA. Suzanne Leach is also on the JCOIC team, and part of her role is to make sure that each one has what is called an “authority to connect.” Simply put, that means when a person or another system tries to communicate with the EHR, VA knows who or what is behind the attempt.
Nguyen, Marin, Leach and the cybersecurity teams at VA and DOD — as well as the software itself — are always watching for what are commonly called “bad actors,” people or entities who pose threats that can take the form of ransomware, phishing emails and other incursions.
The new EHR system includes built-in technologies that watch for that kind of unauthorized activity. “The auditing and monitoring systems will flag if there’s any sort of erroneous update to a patient record,” Marin added. “Then those records are reviewed manually to make sure that nothing impacts patient care.”
Protecting with passion
With technology and cyberthreats always changing, the JCOIC team is committed to staying in front of issues before they arise.
“Cybersecurity needs to be ever evolving,” Leach said, returning to the value of the continuous monitoring built into the new EHR system. At VA, it is. And using these and other safeguards, the cybersecurity team is actively scanning and protecting the data environment, watching for new and persistent threats and working to deny bad actors any access to Veterans’ data.
“We don’t see this as work,” Marin said. “We see this as, I guess, passionate work. Cybersecurity professionals really embrace this mission.”