Due to a rigorous and lengthy process to ensure patient information and privacy standards are now more secure than ever, Naval Health Clinic Oak Harbor (NHCOH) has been awarded the first ever three-year Risk Management Framework (RMF) Authorization To Operate (ATO) for a Navy Medicine command.
The ATO falls under the Defense Health Agency’s (DHA) new RMF process and is contingent on a command such as NHCOH effectively minimizing risk in protecting patient information, including Health Insurance Portability and Accountability Act (HIPAA) and Personally Identifiable Information (PII).
“It is commonly understood that the threat to healthcare systems from cyber security attacks is among the greatest risks in the world of information management. Patient records are highly sought after by cyber criminals and many healthcare networks in America have recently been targeted by a wide variety of cyber threats to illegally obtain medical records or simply hold healthcare institutions hostage,” said NHCOH’s Director for Administration, CDR Tim Coker.
“Reducing risks so that our patients' information is as safe as we can make it is a top priority for the DoD and for the DHA,” stated NHCOH Executive Officer, CAPT Denise Gechas. “This ATO represents a very long process of setting in place the security and controls needed to keep those records safe”.
According to Coker, implementation of the RMF process began several years ago. It involved mitigating cyber security risks, building a new secure network, and developing and documenting hundreds of pages of evidence related to the security of the command’s network.
“For our Information Management staff, this represents several years of dedicated effort to achieve something that has not been done before in Navy Medicine,” explained NHCOH Commanding Officer, CAPT Christine Sears. “The health, wellness, and peace of mind of all our patients has always come first in everything we do, and this commitment to ensuring all personal information is safe and secure is another example of that.”
Mr. Greg Carruth, NHCOH Chief Information Officer, attests the hard work required for this accreditation will have long-lasting ramifications for other Navy Medicine commands. By providing a blueprint that others may follow, NHCOH’s lessons learned can be utilized to ensure patient information is secure and privacy standards are fully met, while minimizing risk to the network.
“It was an intense effort for an extended period of time. The process itself made it a learning exercise at all levels,” said Carruth.
Mr. Rex Collins, Information Systems Security Manager for NHCOH, added that there was significant dedication required. “This was the longest IT project in my 20 years as an IT professional. It took 37 months from the first e-mail to DHA requesting resources and guidance to the final ATO itself,” noted Collins.