NJP

Risk and Resilience in the Department Of Defense (DOD) at the Defense Health Agency (DHA)

Import · Oct 27, 2020 · video

Jonathan Alboum: Good afternoon, everyone. My name is Jonathan Alboum and I'm the Principal Digital Strategist for the federal government at ServiceNow. One of the best parts of my job at ServiceNow is getting to speak with CIOs regarding their digital transformations and related challenges. So today I'm really excited that, as part of the Genius Machines Virtual Summit, I have the pleasure of speaking with Pat Flanders, CIO for the Defense Health Agency. Hi, Pat.

Pat Flanders: Hi.

Jonathan Alboum: So it's great to talk to you. Let's get started with you giving us a short background about yourself and your role at DHA.

Pat Flanders: So I am the Chief Information Officer for the Defense Health Agency, and I also have another name: it's called the Deputy Assistant Director for Information Operations, so if you're ever looking at anything official you might see that as well. My background: I spent 29 years in the Army as an acquisition officer, and I had responsibility for a lot of large software implementations, logistics. I retired and I got this job about three years ago. And here it's kind of interesting: the CIO here at the Defense Health Agency has responsibility for the networks, development of the software, as well as cyber and procurement of infrastructure and associated hardware, which in the services is more distributed, kind of chopped up.

Jonathan Alboum: So, Pat, give us a two-second overview of what the role of DHA is in the government.

Pat Flanders: So we run all of the military treatment facilities. That's the military way of saying hospitals and clinics. And we're actually in kind of a period of transition right now. We don't actually run them all yet; we are taking them over from the Army, Navy and Air Force. Prior to the establishment of DHA, the services ran them. And so what's interesting about that is it allows us to kind of integrate and single up processes for care to patients, so there isn't going to be an Army way, a Navy way, an Air Force way, and the experience as you go to individual hospitals is actually the same.

Jonathan Alboum: So, you know, we want to talk a little bit about risk and resilience today, and that change you're describing of consolidating those services, I think, makes the topic of risk and resiliency more important to you than before. So when we think about this idea of risk and being a resilient organization, you have to make sure that the systems are always going to be there when you need them, and the services are going to be relying on you, clearly. So what are the kinds of things you do and the challenges you face in ensuring that systems are available when DHA needs them, when your customers need them?

Pat Flanders: So the real cancer is we own one of everything. And so, as I said, you know, we're taking over management and administration of the treatment facilities. Well, heretofore the individual services, and in many cases the individual treatment facilities, developed their own stuff, and so we are all chopped up. And so that's the biggest problem, because when you own one of everything it's very difficult to establish consistent processes to ensure everything is secured. Instead of doing a Risk Management Framework evaluation of five kinds of device for a certain medical procedure, well, maybe you're doing 30, and it just takes too much. And the same is true of software, across the landscape of software that we use to run the facilities. We have a system that's used for inpatient medical records and it's used for outpatient; we have a system that tries to put those two things together; and there's just all these systems that attempt to pull all of these disparate systems back together. So all of that is being modernized. The two big modernizations I have are four legacy networks into one, and these many, many medical systems, of which there are... it's a distributed system, so although I say there's an inpatient system, well, there's 52 instances of it, all configured differently, and all of that is coming together under a new electronic health record system called Military Health System GENESIS. So those are two big initiatives. And then on the heels of that we're also singling up on the people, right? So there are 200 small contracts out there across the Military Health System for things like touch labor and IT personnel, and so we're trying to single those up as well. So a very large series of contracts that award in the next couple years; the first one went out, I think, last Friday.

Jonathan Alboum: So they have an environment that's very fragmented, it sounds like, and you're taking steps to make it simpler, less complex. In doing that you need to operationalize some aspects of your business to drive simplicity, less complexity and ideally less risk. Where do you begin in that process? You know, you're going to modernize systems, but how do you make sure that things are working the way you need them to work?

Pat Flanders: Well, the way we began the transformation of DHA, like I said, taking over management and administration of these treatment facilities, it was not with the actual command, you know, not with the actual chain of command; it actually started with IT. So whereas we have only taken over the first four markets associated with the actual management, administration and control of those facilities, for IT we took them all over in 2014. Step one was singling up the networks, because on all these different networks I didn't have visibility of what was on them, the ability to secure them, the ability of my cybersecurity service provider to monitor them, because they were all different, different products procured by the individual services. So it all started with that. The new network is called the Medical Community of Interest, or Med-COI, and it's very deliberately architected with a 12-zone security architecture. Basically it's the same set of VLANs at each facility, a single Active Directory, a single set of tools that we install on the network and in the enclaves so that we can monitor, and a singling up of the security stacks and associated hardware.

Jonathan Alboum: So you created that from scratch and then migrated the networks and various technologies you inherited to the new thing?

Pat Flanders: Yes. So basically it's like a from-the-ground-up engineered architecture specifically designed for this that we worked with the Defense Information Systems Agency on, you know, all of the rules for cloud access points and how our gateways are configured. For anybody that follows the Department of Defense, the name of the overarching military network is the DoDIN, the Department of Defense Information Network, and in there you have different networks. The two big ones are the NIPRNet and the SIPRNet, so one is classified, one is unclassified. We're actually outside of those two, so we really do run our own network. It's called a mission partner environment.

Jonathan Alboum: And do you feel those changes have increased your operational resilience and decreased your risk?

Pat Flanders: I'd say it's huge. I mean, everything: the singled-up processes, the singled-up ability to monitor and defend, the singled-up help desk, the singled-up tools. I mean, it's just massively more efficient and productive. And we're not done. We're probably... everyone has started the transition, all the sites have started; I'd say about 60 percent of them are what I would consider done. There are some instances where, you know, if you go into a hospital and picture the basement of a hospital, there's the old network, the new network; we've migrated everything over except a few things that we don't want on our network, prefer to leave them on the old one, and they're going to be shut down rather than migrated.

Jonathan Alboum: Yeah, well, I mean, it sounds like a good plan. It creates some formality, like we were talking about, around how you manage risk. You know, I spent a number of years in the government myself before working at ServiceNow, and as a CIO I relied on the Risk Management Framework you mentioned, the RMF, as well. I liked it because you could tailor the controls to the systems you were managing. Can you talk a little bit about how you're using RMF and any challenges that you're encountering?

Pat Flanders: So we use RMF extensively, and RMF prior to the new network was really... you know, it's not an easy thing to do accreditation and authorizations for the systems that require it, but when you have four different networks and everybody buying everything, well, then it's hundreds of times harder, right? So a key enabler to being able to efficiently do RMF was our network. When we engineered it, we engineered it so that at every facility the same 12-zone VLAN architecture was set up, and the same tools, the same set of compute and infrastructure. And by doing that, now when it comes time to put the devices on the network, well, once someone accredits it somewhere on the network, you can basically use it anywhere. It's not quite that easy, but it's way easier than it was before, because we have the same configuration within the facilities. So that was just a huge thing. The other thing is just... as I'm saying that...

Jonathan Alboum: That's one of the great advantages you have from building your network from the ground up. You know, you took a pretty wise approach, as opposed to trying to make something work; you took the risk of building something new. So I see the real advantage there.

Pat Flanders: How can we use the same system to enforce and document RMF? And the name of the system is eMASS, and I don't know what it stands for, so I can't tell you what the acronym is, right? But it's essentially the documentation tool that we use to document all of those RMF controls.

Jonathan Alboum: Well, so, you know, I've talked to a lot of CIOs about the RMF and these topics, and it seems like having an integrated approach like you're describing is really important: being able to break down silos and make cross-functional process automation, continuous authorization, a reality is something that's integral to successful risk management and RMF implementation. Talk a little bit more, maybe, about how you're continuing to homogenize the network and be more consistent across all of DHA with your systems and risk management approaches.

Pat Flanders: Yep. So one big thing is instrumentation, and so we have instrumented the network now with some very, very good tools, enterprise tools to help give us visibility: things like Tanium, Palo Altos, a system called Armis that we use in conjunction with those to help monitor traffic on the network. Really interesting product; the way we've implemented it really allows us to enforce compliance, and so we're real happy about that. But then just the ever-present management of money and knowing what all the MTFs are actually buying, so that I can go out and look for places where, oh, 65 of the treatment facilities already own product A, you know, the rest own 27 different products; maybe we should single up on those, maybe we should look at some kind of competitive award, those kinds of things.

Jonathan Alboum: Well, I mean, I think that's a call for software asset management technology, technology to support software asset management, hardware asset management, you know, a broader IT asset management kind of approach, so you can group some of those savings and apply those back into your environment.

Pat Flanders: Ah, and that's where ServiceNow comes in.

Jonathan Alboum: You know, it is something that consistently makes a difference, I found, in environments. But, you know, Pat, we're getting close to the end of our time. I wanted to give you a chance to share any final thoughts or lessons learned with our audience.

Pat Flanders: I think the COVID pandemic really opened up people's eyes about the ability to get into a military network from the outside. And so whereas we corporately, the Department of Defense, has specifically and purposely designed our networks not to let people in, when your own people are all working from home at a massive scale, yeah, we had to do some things. And so DISA implemented kind of an emergency stand-up of Microsoft Teams called the CVR program, and basically it allows you to use your own PC to do business with the military and, you know, share text, share screens, things like that. And so that kind of thing going forward: there was a big realization that the DoD needs a capability... we need to be closed for when we need to be closed, but we also need to be able to share in a way that we haven't really enabled up until now.

Jonathan Alboum: Well, I think COVID showed all of us that we need to have open minds and be flexible when it comes to technology and managing risk and accepting risk. So, Pat, thanks for your insightful comments. It definitely sounds like you and your team at DHA are implementing some best practices around managing risk and ensuring operational resiliency. So thanks for joining us, and best of luck in the future.

Pat Flanders: Thank you very much. Have a great week.

Jonathan Alboum: All right.

Original source:

https://www.youtube.com/watch?v=CIgwVNCqSzw