An annual report from the Defense Department’s (DoD) Director for Operational Test and Evaluation (DOT&E) has found the Military Health System (MHS) GENESIS – DoD’s new electronic health records management (EHRM) system – was not deemed to be survivable in a cyber-contested environment following reviews in 2020 and 2021.
The report cites some progress achieved in 2021 through a change management program, but also offers a lengthy list of improvements in training and cybersecurity testing for the EHRM system including testing of vendor data storage solutions.
“MHS GENESIS is operationally effective for basic operations in conventional clinics, but not for certain specialty clinics and business areas,” the report writes. “While training remains an area of major concern, with 72 percent of respondents rating it poorly, hands-on practice in a mock environment also demonstrated potential to improve MHS GENESIS operational suitability. Despite ongoing cybersecurity improvements, MHS GENESIS is not yet survivable in a cyber-contested environment.”
The DOT&E annual report released on Jan. 27 looks broadly at the adequacy of the service branch test strategies and plans based on the degree that they will provide the following:
- Data to support credible evaluation of operational effectiveness and operational suitability;
- Battlespace and threat coverage;
- Adequate use of modeling and simulation (M&S);
- Complete cybersecurity and live fire assessments, like demonstrating system survivability and lethality against mission-relevant threats;
- Production-representative test articles;
- Operational realism; and
- Sufficient funding required to support test execution.
“Based on the FOT&E [Follow-on Operational Test and Evaluation] completed in 2020, MHS GENESIS was not operationally suitable largely because training and configuration management were unsatisfactory, dissemination of system change information was inadequate, and usability problems persisted,” the 2021 report states.
The follow-on 2021 suitability assessment demonstrated a new change management initiative called “Pay It Forward,” which was designed to provide experienced military treatment facility personnel on-site to support new users during each fielding wave. That effort proved successful, the new report says, but interviews and survey results showed it was not available to many users during fielding.
The annual report made five recommendations, including:
- Implement DOT&E’s 2020 recommendations, as they still apply;
- JITC [Joint Interoperability Test Command] should continue verifying incident report fixes and plan for an FOT&E to verify corrective actions and resolve any outstanding incident reports;
- DHA [Defense Health Agency] and the PMO [Project Management Office] should expand “Pay It Forward;”
- DHA and the PMO should expand new training initiatives that allow users to get hands-on practice in a mock environment. The ineffective computer-based training should either be shortened, focused on more relevant skills, or discontinued; and
- “DHA and the PMO should engage with vendors and JITC to conduct cybersecurity testing on vendor data storage solutions to assess the risk to mission and identify vulnerabilities that may expose sensitive protected health information and personally identifiable information.”