Defense Health Agency (DHA) is currently migrating Military Treatment Facilities (MTF) into a DoD JIE CSRA-compliant Medical Community of Interest (Med-COI) architecture. As a precursor to accessing the new Electronic Health Record (EHR), each MTF requires an evaluation of Information Technology assets and services. MTFs must undergo an in-depth Risk Management Framework (RMF) evaluation to receive an Authorization to Operate (ATO) on the Med-COI. The MTFs' diverse operational environments required the creation of a standardized process for 134 locations to successfully migrate services while maintaining an effective cybersecurity posture that ensures beneficiary treatment and data are protected at the highest standards.
The Med-COI Transition Risk Assessment Process (MTRAP) provides decision-makers an accurate cyber risk rating and recommendation based on an aggregate of system information and findings. The process uses a custom risk assessment tool and methodology mappings, and correlates scan data, asset inventories, and network topologies to provide a comprehensive risk picture of the medical enterprise operational environment. This process expedites risk approvals, facilitating on-time delivery of the Med-COI as a precursor to MHS Genesis, the new electronic health record for the Military Health System. The combined output is analyzed for risk across Physical, Local, Adjacent, and Network domains, while also factoring in the Common Vulnerability Scoring System.
“The project is a huge success and continues to find value well after the initial phases; this process ages better with time,” said Nate Swab, MTRAP Team Lead. “The initial scope of the project was to assess and identify risk from service line transitioning equipment. However, the real grace in the process is the ability to continually track vulnerabilities and provide cybersecurity monitoring throughout the lifecycle of the equipment to better security posture over time.”
This procedural transformation effectively facilitates DHA RMF authorizations across a constantly evolving cyber landscape comprised of 700+ systems of record including over 200,000 endpoints. MTRAP is an operational risk management catalyst that ultimately creates a mechanism to safely accelerate the authorization-to-operability period for enclaves and medical devices while delivering services compliant within DoD RMF constraints. The process fuels the ability to obtain authorizations and provide continuous monitoring, and it allows senior leadership in the medical community to make informed cyber risk-based decisions within the RMF construct, reducing the nine-to-twelve-month cycle of introducing medical systems to the enterprise to as little as one month.
“This project was, and still is, a linchpin in the A&A offerings within the DHA. Vital to its success was our NIWC leadership and our subcontractors. Within Team Sentar, Nathan Luikart led the charge,” said Nate.
MTRAP Team Members include the Marketplace Team, the SAVR Team, and the CAMO/TAS Team (which is now dissolved and serving the Legacy ACAS, Cyberlog, and NSISB teams).
The MTRAP Program was awarded a 2021 FedHealthIT Innovation Award, along with two other Sentar-collaborated programs: the EIDS Cyber Team and the CyOC Team.
Have any questions on this award-winning program or Sentar’s Health IT solutions? Please reach out to Sentar’s VP of Health IT, Joseph Sabin, at firstname.lastname@example.org.