New DoD health records will not be Epic

The DoD recently reported that it has awarded a $4.3 billion contract for its Defense Healthcare Management System Modernization program, including the choice and implementation of an electronic health record system (EHRs, or EMRs—electronic medical records—are required as part of the American Recovery and Reinvestment Act of 2009), to Leidos, partnering with Cerner for the EHR and Accenture for implementation [1]. A heavyweight runner-up was Epic in partnership with IBM (and, implicitly, its Watson supercomputing technology). Epic is a company based in Verona, Wisconsin, whose products cover more than half of US patients and are used at the Cleveland Clinic, Kaiser, and Stanford Hospitals and Clinics. The DoD’s Under Secretary for Acquisition, Technology and Logistics, departing from the folk wisdom that no one ever got blamed for choosing IBM, noted that DoD wanted minimal modifications and a product that worked off-the-shelf in as many locations and situations as possible [2].

The DoD is likely highly concerned with both security and interoperability. Epic’s initial reluctance to offer cloud services or SaaS was seen by some as a cautious security strategy, but by others as introducing multiple potential points of failure, and it would be very difficult for many DoD locations to have their own IT teams servicing their own Epic implementations. Similarly, Epic’s reluctance to dive into interoperable standards for easily sharing data between its products and other EHR/EMR systems could pose a problem for systems whose patients travel frequently and often live far from their home physicians. Another seemingly obvious choice would have been the Department of Veterans’ Affairs open-source VistA EHR. VistA was developed in 1978 using the same language that Epic uses, and has proven largely successful for the VA system—for years, VA patients were some of the only patients in the country whose medical records could easily be shared between hospitals and providers in the same system—but it hasn’t been adopted outside the VA system except in a few instances, likely because of its lack of on-the-ground IT support or implementation resources. Although the DoD could have made a useful display of support by adopting VistA (which it considered as part of a team involving PwC and Google), it chose a system that it believes will be easier to implement, despite the added price tag.

DoD health records will be immediate targets for hackers, an issue of which all bidders are aware. Particularly after the OPM breach, system developers have to assume that much of the information that could be used to verify patients in the DoD system (address information, information about relatives, social security numbers, and more) is available to hackers. It may be worthwhile for the team to invest in the development of biometric identification measures upfront, to produce uniquely identifiable signatures that haven’t been compromised. Measures to reliably detect tampering with records are also vital—one of the easiest ways to disrupt patient care would be to inject some records with false information, casting doubt on the reliability of the entire system—and recording patient information in the blockchain may be the best way to do so. At only four days in, the project is under budget—a perfect time for innovation.

