DOD's health data exchange running on bridge contract

The system that allows the Department of Defense to share health data across multiple legacy platforms and with outside providers is running on a sole-source bridge contract while a bid protest is being resolved.

In June 2018, DOD awarded a five-year contract with a $90 million ceiling for sustainment services for the Defense Medical Information Exchange (DMIX) system to ASRC Federal Data Solutions. But a protest by incumbent ActioNet looks to delay the start of the new contract.

DMIX is a core component of the Defense Department's ongoing health record modernization effort. Although it was created before the DOD acquired a commercial health record capability and began plans to implement it, DMIX is now managed by the same office that handles the implementation of MHS Genesis -- the Cerner-based system it acquired in 2015.

DMIX supports sharing of health data in standardized formats across multiple current and legacy DOD systems, including MHS Genesis system and the Joint Legacy Viewer, which connects DOD and Veterans Affairs systems. The DMIX system is busy, supporting between 60,000-70,000 data exchanges just between DOD and VA every day. DMIX also links the DOD health IT system with 53 external health information exchanges.

According to contracting documents signed in late December but just posted publicly on Jan. 11, the Program Executive Office Defense Healthcare Management Systems (DHMS) authorized a six-month sole-source extension to ActioNet to continue work on the DMIX system, citing the need to implement needed patches and upgrades. One upgrade, scheduled for May, has been in the works for almost a year and involves coordination with multiple legacy vendors, according to contracting documents.

"The longer the systems remain offline, the larger the risk of patient misdiagnosis, missed allergies alerts, duplicative procedures, increased overlook of 'drug seeking' behavior, and missed negative medicine interactions," contracting officials wrote in a document justifying the sole-source extension.

The dollar amount of the extension, which covers two months base and four one-month options, was redacted in contracting documents. ActioNet's protest is due to be resolved at the Government Accountability Office by the end of February.

The DMIX program has had problems in the past. According to an internal oversight report from the Office of the Director of Operational Test and Evaluation, DMIX release 5 "is not survivable against cyber-attacks." A pair of tests conducted between May and September 2017 discovered "several vulnerabilities that could allow an adversary to compromise patient data," according to the DOTE report. Those vulnerabilities were exploited an "adversarial assessment."

A DHMS spokesperson told FCW those vulnerabilities had been mitigated in a subsequent DMIX release.

The contracting documents justifying the sole source extension don't explicitly mention cybersecurity vulnerabilities. In addition to the needed updates, officials cited "network latency (local or enterprisewide),miscommunicated systems patches that bring systems down, corrupted databases, a blade being pulled out of a storage network" as examples of everyday problems that demand a contractor stay on the job while the protests are being resolved. "Without this contract action, DMIX will not have insight into critical systems, which could result in more frequent outages of longer duration that directly impact patients and providers," the justification states.