“At best, these attacks cause disruption and financial loss. At worst, they undermine trust in the health systems on which people depend, and even cause patient harm and death.” – Tedros Adhanom Ghebreyesus, World Health Organization Director-Generali
Introduction
U.S. military service members, retirees, and their dependents deserve the highest quality of health care for their service and support to the nation. Whether they are seeking care for pregnancy, service-related injuries, or Individual Medical Readiness (IMR)ii requirements, there should never be a delay in care like those experienced in recent years. The Defense Health Agency (DHA) has a responsibility to serve and protect the health of all beneficiaries, and the use of Electronic Health Records (EHR) should be seamless so that patients can visit any military medical facility to receive the treatment they need. When EHR failure occurs due to server issues, cyber-attacks, or other communication infrastructure breakdowns, patient safety is the primary concern for medical providers who are unable to access and update their patient’s medical history and unable to fill vital tests and prescriptions. Each healthcare data breach costs approximately $10 million which is double the cost of some other industries, making healthcare infrastructure a priority target to hackers.iii Protections and redundancy are needed to prevent single-point vulnerabilities to EHRs so the millions of beneficiaries can access the healthcare they are entitled to by their military service.
Military Health System
The Military Health System (MHS) Genesis is the newest iteration of DHA’s EHR system. The primary function and purpose of MHS is to support the servicemember and beneficiaries through the medical readiness missions of each branch of service to ensure a “fit to fight” force and to prepare for them for deployment.iv But it’s more than just warfighter readiness, it is also in-patient hospital stays, surgery, general family medicine, humanitarian assistance, and medical research to name a few. Only 14% of the 9.5 million beneficiaries are active-duty service members; the remaining 86% fall into categories of dependents of active-duty members, retirees and their dependents, and reserve component members and their dependents.v
The DHA’s budget is passed by the annual Defense Appropriations Bill and accounts for various costs to include personnel costs, construction, and Veterans Affairs (VA) related hospital funding through the Unified Medical Budget.vi The FY2025 request for funding through Congress was $61.3 billion, which is only ~7% of the Department of Defense’s (DOD) total budget.vii A portion of the budget goes to private healthcare company costs, such as co-pay costs when outsourced patients visit a non-Military Treatment Facility (MTF).viii However, one of DHA’s goals is to attract military beneficiaries to their local MTF for care instead of outsourcing to private health companies which is being done by increasing recruitment and retention of medical providers and capacity of patients able to be seen at a local MTF on a daily basis.ix As of 2023, there were a total of 736 MTFs, 135 of which were located outside the continental U.S.x
MHS Genesis EHR provides real-time patient medical history for providers to quickly review and update records during and after patient visits. These records are also available to the patient at home through the patient portal system which allows a review of doctor’s notes, see upcoming and previous appointments, schedule appointments and review prescriptions and vaccination history.xi Although EHRs improve access to care, quality of care, and is more cost-effective and efficient than paper copies or legacy systems of medical records, there are ethical and security considerations that must be realized and overcome to secure patient privacy and ensure patient safety.xii Loss or degradation in communication interfaces, such as the server lag providing the data to the consumer (patients and medical providers), can disrupt treatment facility productivity and cause financial loss, but more importantly it can impact quality of care and risk endangering patients due to the inability to access critical medical records.xiii
Outages and Effects
Over the past three years there have been several substantial outages to the MHS network that provides access to EHRs of TRICARE beneficiaries; TRICARE is the government-managed health insurance program for military beneficiaries and is managed by DHA. In 2022, a three-hour outage at 66 DOD sites, 109 Coast Guard sites and 3 VA sites prevented healthcare providers from accessing over 95,000 EHRs.xiv During the outage, the providers were unable to view MHS Genesis records and only able to access the outdated legacy EHR data, which at the time was the redundant mechanism in case of failure of MHS Genesis, preventing prescription fills, record updates, and referrals.xv The outage in 2022 was caused by a “bug” in the EHR software; the software is maintained by Oracle’s Federal EHR database and was developed by Cerner and Leidos Partnership for Defense Healthxvi and fortunately no patients were harmed by this outage.xvii
In 2023, two back-to-back outages of the same Oracle database occurred over an eight day period at five MTFs in which providers were unable to access EHRs due to a failed background process that normally would compensate through other, back-up databases but were not able to do so for unknown reasons; the entire database cluster had to be restarted, and recovery took a total of almost four hours.xviii
At the beginning of 2024, two MTFs located in Japan and one in Alaska experienced MHS Genesis EHR outages just three months after rolling out the program.xix The first outage was reportedly due to human error where all DHA systems that allowed patients to schedule appointments and laboratory tests online as well as communicate with their patient care team were deliberately disabled.xx According to a DHA representative, because the scheduling personnel at the MTFs were overwhelmed with the amount of beneficiaries who mistakenly scheduled appointments for a different MTF or with an incorrect provider, the patient portal function for self-scheduling in MHS Genesis was not available for 4.5 hours, causing more chaos for providers and patients than intended.xxi The alternative to this type of error or systems outages is for patients to call the MTF appointment phone line which many people prefer and trust as more reliable.xxii The second outage, which occurred within the same week, was due to a cyber-attack that not only affected beneficiaries in the Indo-Pacific region, but worldwide.xxiii The cyber-attack was on Change Healthcare, the nation’s largest commercial prescription processing company and used by all DOD MTFs as well as other pharmacies, and the attack left all U.S. military pharmacies unable to fill prescriptions that were not recently put into the system awaiting pick-up.xxiv The cyber-attack attributed to a Blackcat ransomware lasted over a week but costed Change Healthcare over $22 million and prevented new prescriptions from being filled for a short period of time.xxv This cyber-attack also slowed prescription filling at MTFs dramatically, creating distress and anger among beneficiaries.xxvi Not being able to fill prescriptions in a timely manner can be the difference between life and death for some patients if they are unable to obtain the medication due to the delay or forgo it due to inconvenience. DHA is not the only institution experiencing these issues, many hospitals across the U.S. have been fending off cyber-attacks for many years. In 2023 for example, a small county hospital for 120,000 rural residents had over 17,000 ransomware cyber-attacks, which dramatically slowed and stopped operations for a period of time.xxvii
In 2025 after another outage of Oracle’s database, VA hospitals decided it was time to create contingency procedures to defend against more extreme patient care disasters such as those experienced in 2020 to 2021 where over 150 patients were harmed due to errors in the new (at the time) EHR software.xxviii Providers that ordered tests or other procedures for patients ended up in an unknown queue that hospital staff did not know existed thus failed to check.xxix The orders were never filled and patients never received follow-up care or phone calls to ensure their healthcare needs were handled adequately and readily; though the specifics on these harm events were not made public, patient harm events can range from failure or delay in treatment, to adverse and preventable events that require additional medical interventions, whether prolonged or temporary.xxx xxxi Although the more recent outage only occurred at a few VA hospitals in the U.S. West and Midwest, the outage lasted for approximately four hours during peak clinic hours and caused a delay for those receiving care.xxxii
Following several cyber issues over the years, many lawmakers have challenged Cerner, Oracle, and the DOD to terminate MHS Genesis, stating complete failures in the system that have caused patient harm and lack of confidence and morale in troops, retirees, disabled veterans, and providers, while potentially wasting tens of billions of dollars in development and implementation.xxxiii When EHR software does not function properly, whether it is due to unscheduled software updates, bugs in the software, or cyber-attacks, the lives of patients are at risk and medical readiness of troops is hindered which does not correspond with the “fit to fight” servicemember readiness narrative the DOD is seeking to sustain. When an active-duty member is required to stay home because their child’s critical prescriptions are not filled, the active-duty member is distracted at best and is unable to perform essential work at worst. When EHRs are dysfunctional, providers are challenged in obtaining appropriate medical records to tract the status of chronic conditions, mitigate negative medication interactions, and refer patients to specialty care to name just a few impacts, all of which results in longer wait times for patients, continuation of persistent health issues, misdiagnosis, and concerning medication interactions. If MHS Genesis and the other companies the MTFs rely on for providing efficient healthcare continue to have vulnerabilities, the servicemembers will not have the health needed to serve the country and fight at a moment’s notice.
Redundancy and Protection
In an environment where one critical infrastructure, such as the Healthcare and Public Health Sector, relies heavily on another sector to function, the results can be devastating when damage or outages occur. Redundancy and protection against cyber-attacks and outages due to software issues need to be in place to prevent a total military healthcare breakdown, patient safety and harm events and chaos amongst servicemembers and beneficiaries. When integrating EHRs into a healthcare facility, hospital administrators have many concerns such as digital proficiency and technology acceptance within their patient care teams, thus cyber-attacks and outages only hinder the productivity and acceptance of onboarding the new systems and the users.xxxiv
Cyber-attacks can lead to data breaches of sensitive and private information and tax fraud or identity theft and can be devastating to the safety of patients who rely on imbedded technology such as insulin pumps or pacemakers; if a hacker were to access a widely and publicly searchable imbedded technology site, it could kill the patient in a matter of seconds.xxxv Trustworthy systems need to be established for healthcare facilities, ones that control and monitor physical and mechanical capabilities and provide the ability to access, manipulate, transmit, store and share resources or data where the data is protected against loss due to unauthorized access or outages.xxxvi
DHA needs to implement security measures and ensure their cyber security vendors are using appropriate tools and technologies that flag vulnerabilities and monitor every asset. The Department of Health and Human Services (HHS) developed a healthcare system cybersecurity readiness and response plan that should be utilized by DHA facilities to prevent and prepare for when cyber-attacks and outages occur.xxxvii DHA cybersecurity teams can sign up for real-time federal alerts and guidance for preventing an imminent threat but should also understand the vulnerabilities of each site and have response and recovery plans regularly updated and readily available. Specifically, life safety or life-reliant equipment should be segregated into isolated networks and redundancy on all networks. Offline endpoints, or “Golden Images”, should be implemented where data remains clean and available if the provider’s workstations are affected during an outage.xxxviii A system should be created that allows providers to continue to access critical medical information regardless of a MHS Genesis outage. The cybersecurity system should automatically back up patient data every few minutes into a separate system to prevent loss of data and prevent patient safety disasters. DHA leaders can ensure monitoring protocols are established with their cybersecurity vendor and should be exercising scenarios to better understand and plan for cyber emergencies.1 Each hospital and clinic should have their own Continuity of Operations Plan (COOP) to ensure that patient care is minimally disrupted during downtime and communicate with patients and staff early and often to prevent adverse patient safety events.
Conclusion
TRICARE servicemembers and beneficiaries deserve undisrupted access to medical care and DHA needs to do more to protect those who serve or have served our nation, no matter what the capacity. Cybersecurity within DHA facilities needs to be strengthened with a strong COOP and also strong monitoring systems that will allow for medical providers and patients to better understand and plan for downtime in EHRs and prevent patient harm events if outages do occur. More reliable back-up systems need to be established for effective redundancy instead of relying on outdated information from legacy systems. Cybersecurity teams may not be able to tackle all complex software bugs or defend against cyber-attacks from happening on DHA systems, but they can plan and respond to such cyber-attacks in the future with adequate protections in place.
(The author is responsible for the content of this article. The views expressed do not reflect the official policy or position of the National Intelligence University, the Office of the Director of National Intelligence, the U.S. Intelligence Community, Department of Defense, or the U.S. Government. )
Endnotes
i Vibhu Mishra, “Cyberattacks on Healthcare: A Global Threat That Can’t Be Ignored,” UN News, November 8, 2024, https://news.un.org/en/story/2024/11/1156751.
ii Department of Defense, “DODI 6024.19: Individual Medical Readiness Program,” Washington Headquarters Service, July 13, 2022, https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/602519p.pdf?ver=R2OKfDXWHtMkQ9hrl8wdOw%3D%3D.
iii Brad Brooks, “Critical Condition: How to Protect the Healthcare Industry from Increasingly Frequent—and Harmful—Cyberattacks,” Forbes, February 5, 2025, https://www.forbes.com/councils/forbestechcouncil/2025/02/05/critical-condition-how-to-protect-the-healthcare-industry-from-increasingly-frequent-and-harmful-cyberattacks/.
iv Bryce H.P. Mendez, “Defense Primer: Military Health System,” Congressional Research Service, October 18, 2024, https://sgp.fas.org/crs/natsec/IF10530.pdf.
v Ibid.
vi Ibid.
vii Ibid.
viii Ibid.
ix Ibid.
x Ibid.
xi Military Health System, “MHS GENESIS Patient Portal,” Health.mil, n.d., https://health.mil/Military-Health-Topics/Technology/MHS-GENESIS/Frequently-Asked-Questions/MHS-GENESIS-Patient-Portal.
xii Nayer Jamshed et al., “Ethical Issues in Electronic Health Records: A General Overview,” Perspectives in Clinical Research 6, no. 2 (2018): 73–76.
xiii Ibid.
xiv Aaron Boyd, “VA, DOD Electronic Health Record System Suffers Nationwide Outage – Nextgov/FCW,” Nextgov.com, 2022, https://www.nextgov.com/modernization/2022/04/va-dod-electronic-health-record-system-suffers-nationwide-outage/364164/.
xv Ibid.
xvi Ibid.
xvii Ibid.
xviii Patricia Kime, “Another Outage Hits Troubled Records System at VA, DoD Health Facilities,” Military.com, April 28, 2023, https://www.military.com/daily-news/2023/04/28/another-outage-hits-troubled-records-system-va-dod-health-facilities.html.
xix Joseph Ditzler, “Military Health Records System Genesis out of Action ‘Intermittently,’ Agency Says,” Stars and Stripes, February 27, 2024, https://www.stripes.com/theaters/asia_pacific/2024-02-27/mhs-genesis-outage-military-hospitals-13131983.html.
xx Ibid.
xxi Ibid.
xxii TRICARE, “Patient Portal Outages | TRICARE,” Tricare.mil, 2024, https://tricare.mil/outage?p=1.
xxiii Wyatt Olson, “Cyberattack on Health Tech Firm Cripples US Military Pharmacies Worldwide,” Stars and Stripes, February 22, 2024, https://www.stripes.com/theaters/us/2024-02-22/cyberattack-military-pharmacy-prescriptions-13087693.html.
xxiv Jeremy Stillwagner, “Military Hospitals Experienced 2 System Outages in 2 Weeks; One Persists,” Stars and Stripes, March 6, 2024, https://www.stripes.com/theaters/asia_pacific/2024-03-06/mhs-genesis-outage-military-hospitals-13222568.html.
xxv Ibid.
xxvi Ibid.
xxvii Microsoft, “Going the Distance,” Microsoft Unlocked, March 22, 2025, https://unlocked.microsoft.com/cybersecurity-hospitals/?ocid=M402JX&form=M402JX&msclkid=edc6911e3ec11c1c60f3f6cb9bdfe749.
xxviii Lindsay Clark, “Oracle Outage Hits US Federal Health Records Systems,” Theregister.com (The Register, March 7, 2025), https://www.theregister.com/2025/03/07/oracle_outage_federal_health_records/.
xxix Lindsay Clark, “Computer Glitches Harm 150 Patients, Senate Committee Hears,” www.theregister.com, July 27, 2022, https://www.theregister.com/2022/07/27/oracle_cerner_glitches_harm_patients/.
xxx Ibid.
xxxi Department of Health and Human Services, “Adverse Events,” Office of Inspector General | Government Oversight | U.S. Department of Health and Human Services, September 7, 2023, https://oig.hhs.gov/reports/featured/adverse-events/.
xxxii Lindsay Clark, “Computer Glitches Harm 150 Patients, Senate Committee Hears,” www.theregister.com, July 27, 2022, https://www.theregister.com/2022/07/27/oracle_cerner_glitches_harm_patients/.
xxxiii Patricia Kime, “Another Outage Hits Troubled Records System at VA, DoD Health Facilities,” Military.com, April 28, 2023, https://www.military.com/daily-news/2023/04/28/another-outage-hits-troubled-records-system-va-dod-health-facilities.html.
xxxiv Norah Alotaibi, Christine Brown Wilson, and Marian Traynor, “Enhancing Digital Readiness and Capability in Healthcare: A Systematic Review of Interventions, Barriers, and Facilitators,” BMC Health Services Research 25, no. 1 (April 4, 2025), https://doi.org/10.1186/s12913-025-12663-3.
xxxv WIRED Staff, “Medical Devices Are the next Security Nightmare,” WIRED (WIRED, March 2, 2017), https://www.wired.com/2017/03/medical-devices-next-security-nightmare/.
xxxvi Ronald S Ross, “Engineering Trustworthy Secure Systems,” NIST, 2022, https://doi.org/10.6028/nist.sp.800-160v1r1.
xxxvii Administration for Strategic Preparedness and Response, “HEALTHCARE SYSTEM CYBERSECURITY Readiness & Response Considerations,” 2021, https://files.asprtracie.hhs.gov/documents/aspr-tracie-healthcare-system-cybersercurity-readiness-response.pdf.
xxxviii Ibid.
1 Ibid.
