Back to Top Skip to main content

Cybersecurity: For better results, let's bake it in

Servio Medina, seen here addressing attendees at a recent health information technology conference, is branch chief of the Defense Health Agency's Cyber Security Division. (Courtesy photo) Servio Medina, seen here addressing attendees at a recent health information technology conference, is branch chief of the Defense Health Agency's Cyber Security Division. (Courtesy photo)

October is Cybersecurity Awareness Month. It's a time to recognize and appreciate how the Defense Health Agency protects the Military Health System's information technology networks. But protecting your information is something the DHA thinks about year-round.

Cybersecurity has never been more important to safeguard and enable the DHA’s health care mission. Advancements in health care IT have produced many benefits for our medical community. However, they've also coincided with a rise in cyberattacks aiming to access, change, or destroy sensitive information. These attacks not only threaten to disrupt the normal business of health care. They also may lead to medical identity theft or even unauthorized access to medical records, both of which can have serious consequences.

For cybersecurity to be successful at DHA, it needs to be “baked” into health care. While cyber incident responses are important, effective cybersecurity should prevent the risk of such incidents in the first place. Many incidents in the cyber domain involve some sort of human error: risky choices and behavior while behind the keyboard or on a smart device. We have to wonder, do cybersecurity requirements make sense to the user, and are they operationally meaningful? A provider who understands cybersecurity requirements in the context of delivering health care is better at safeguarding patient information before, during, and after the time of treatment. Fundamentally, that's what it means to bake cybersecurity into health care.

While speaking about training efforts for MHS GENESIS, the Defense Healthcare Management Systems Program executive officer remarked that the point is not to train providers on how to use the electronic health record. Rather, it's how to help them do their jobs better. There's a similar consideration for cybersecurity training. Even with the required training, the most likely cause of a cyber breach is human error.

Thus, the goal of cybersecurity training shouldn’t be to get smarter on cybersecurity (and pass a test), but to help individuals do their jobs better and in doing so, minimize risky cyber behavior. This underscores the importance of being operationally meaningful.

Cybersecurity applies to everyone and cannot be considered “someone else's job.” It's everyone's job. Health care providers, for example, can and should continue to safeguard patient data well after the point of care. Compromised data can adversely impact health care and the patient directly.

Patients also play a role. Innovations are enabling MHS beneficiaries to have greater and easier access to electronic health records, communication and prescription tools, and more. Without cyberfitness, these innovations might lead to information being misused – intentionally or unintentionally – even with all the protections in place.

Did you know that electronic health records have privacy impact assessments? A PIA is an analysis of how personally identifiable information is handled in DHA information systems or electronic collections. The PIA examines and evaluates protections for handling information to mitigate potential privacy risks, and documents the cybersecurity controls DHA uses to protect your information.

Cybersecurity at DHA extends beyond our hospitals and clinics. At home, MHS beneficiaries must protect themselves online and reduce their risk of becoming victims of cybercrimes. A cyberspace threat or breach to one person can affect the health and well-being of the entire family. This can impact military readiness.

As the DHA deputy director asserted in 2018, “The family being taken care of at home gives you [the warfighter] that base to go do your mission.” We want the right choice to be the easy choice, especially for our deployed members and their dependents. To help with these choices, the DHA offers tips and information on cybersecurity and internet safety.

Looking toward the future, we want to hear from you. Whether you’re a provider, a medical logistics official, or a patient, do the DHA's cybersecurity requirements make sense?  Do you know the right choice while you’re at your desk, at home, and on the road?  And if you're uncertain, do you know whom to contact to get good information?

As a DHA employee or MHS beneficiary, knowing the answers, or knowing where to get those answers, is also what it means to bake cybersecurity into health care.

DHA Address: 7700 Arlington Boulevard | Suite 5101 | Falls Church, VA | 22042-5101

Some documents are presented in Portable Document Format (PDF). A PDF reader is required for viewing. Download a PDF Reader or learn more about PDFs.