Red team hackers crack MHS Genesis

Department of Defense cybersecurity testers were able to crack into MHS Genesis, the $5.5 billion commercial electronic health record system being deployed to host the medical records of 9.5 million beneficiaries worldwide.

The system "is not survivable in a cyber-contested environment," according to the unclassified summary of a report from the Director of the Operational Test and Evaluation released publicly on Jan. 31.

This assessment is based on an adversarial assessment conducted in September 2018 and a red team probe from November 2017 through June 2018. DOT&E said the results of three successful cyberattacks against the system are detailed in a classified report.

In response to the results of the test, the Defense Healthcare Management Systems and the Defense Health Agency established a Cyber Integrated Working Group to tackle high-priority vulnerabilities and flaws. According to the DOT&E report, "all top priority software defect incident reports" have been recommended for closure by DHS. The working group assigned 34 tasks for completion in areas including medical-device vulnerabilities, configuration management and incident response.

MHS Genesis is based on the commercial health record system from Cerner, and hosted in a special enclave in a Cerner data center in Kansas City, Mo. The DOD records are physically separated from the data on Cerner's commercial clients, and the facility is staffed in part by DOD personnel.

The system was installed at four sites in the Pacific Northwest as part of an initial operation capability launch completed in 2018. The system will be fielded enterprise wide in six waves scheduled to be completed by 2022.

"The adversarial assessments, such as the one highlighted in this report, help us develop a proactive and forward leaning cybersecurity posture," Stacy Cummings, Program Executive Officer of DHMS, told FCW in an emailed statement.

More red team probes of MHS Genesis are coming as a follow-on to the 2017 and 2018 rounds of adversarial testing, according to a DHMS spokesperson.

The DOT&E report also delved into the performance of MHS Genesis. The reports were mixed, but overall a vast improvement over a report from April 2018 that deemed the system unsuitable for use and pointed to latency, long log-in times, system failures and bugs that potentially compromised patient safety.

The current report describes the rollout of MHS Genesis as "not yet operationally effective or operationally suitable." The "yet" is important. The April 2018 report recommended that officials delay fielding of the new system to address core usability problem. The current report does not push any delays to the rollout schedule.

Still, MHS Genesis users gave the system a 40 out of 100 rating on the System Usability Scale. The system was said to work well in just 18 of 70 clinical areas, and the report noted that "users satisfactorily performed only 45 percent of the medical and administrative tasks used as measures of performance." Poor training and documentation were cited as problem areas.