DevSecOps is Enabling VA’s Secure EHR Integration

The Department of Veterans Affairs is looking to foster a secure transition to its new Oracle Cerner electronic health records system through DevSecOps and other streamlined development practices.

Speaking at the GovCIO Media & Research Disruptive DevSecOps forum, Release Manager for VA’s EHRM Integration Office Linda Ennis discussed how the agency is overseeing an enterprise-wide process to securely update its EHR system and integrate new capacities without jeopardizing IT security.

As a foremost priority, VA is working to ensure the applications that are developed and deployed for the end-user are both intuitive and secure in their design — allowing VA employees to safely and effectively use the newly deployed EHR.

“You’ve got to choose a system with a friendly user interface. Any EHR system can either streamline or hinder operations within a large-scale medical system,” Release Manager for VA’s EHRM Integration Office Linda Ennis said at GovCIO Media & Research Disruptive DevSecOps forum. “You want to make sure the user interface of the system you choose is intuitive and simple to learn. That will help make the transition easier for staff and increase the effectiveness of the system without depressing productivity.”

Another method VA is using to foster a secure EHR transition is templatizing a process for connecting individual sites with the new EHR product, allowing information to be securely and automatically connected to the broader enterprise.

“The first step in setting up a new EHR configuration is to accurately represent the details of your medical practice and your patient information within the software. That means programming in the locations of your practice and the providers who will be using the system in order to design the practices’ clinical workflow, which includes the creation of clinical templates,” Ennis said.

As a result, these methods will allow data to be transferred through secure channels whose setup is integrated as part of a methodical development practice.

“During the system configuration phase, EHR will be integrated with the IT enterprise. Any data stored in the old system will be migrated to the new one in this phase. A vital component of putting a complete EHR system in place is conducting data import from the legacy system to the new system. Without this, a new software system will not automatically convert patients from one system to another,” Ennis said.

As an overall safety measure, Ennis emphasized that VA is engaging in ongoing review of its development processes to ensure these deployments remain secure and that vulnerabilities do not become built into the system itself.

“You need to troubleshoot the system in order to mitigate risk. EHR software is complex and far reaching. So be prepared to engage in troubleshooting and review,” Ennis said.