SSN Justification Memo

MHS GENESIS EHR (eID3202+Sub eIDS)_SSNJ_Memo_CPO_Approved.pdf

MHS GENESIS Patient Registration Module & Patient Portal

OMB: 0720-0064

DEFENSE HEALTH AGENCY
7700 ARLINGTON BOULEVARD, SUITE 5101
FALLS CHURCH, VIRGINIA 22042-5101

Administration &
Management (J1)

4 October 2024
MEMORANDUM FOR Defense Privacy, Civil Liberties and Transparency Division
THROUGH: Defense Health Agency (DHA), Privacy and Civil Liberties Office
SUBJECT: Justification for the Use of Social Security Numbers (SSNs) in DHMSM
Electronic Health Record (DHMSM EHR) MHS GENESIS Electronic Health Record
CORE (EHR CORE) system, Department of Defense Information Technology Portfolio
Repository (DITPR) # 16913.
This memorandum is written to satisfy the requirement established under
Department of Defense Instruction (DoDI) 1000.30, Reduction of Social Security
Number (SSN) Use Within DoD, dated August 1, 2012, requiring justification of the
collection and use of the SSN in DoD Systems, with respect to MHS GENESIS
Electronic Health Record CORE (EHR CORE), eMASS 3202 and the interconnected
sub-components; MHS-GENESIS - Infrastructure (Infrastructure), eMASS 3166,
MHS-GENESIS - High Assurance/Clinical Application Services (HA-CAS), eMASS 3203,
MHS-GENESIS - Test (Test), eMASS 3206, MHS-GENESIS - Train (Train), eMASS
3207, MHS-GENESIS - Build (Build), eMASS 3205.
The MHS GENESIS Electronic Health Record CORE (EHR CORE) provides
access to authoritative clinical data sources and is the authoritative source of clinical
data to support improved population health, patient safety, and quality of care to
maximize medical readiness for the DoD. As the modernization effort continues, the
DHMSM EHR system will replace the legacy Electronic Health Record (EHR) systems
and become MHS GENESIS. Hereinafter, DHMSM EHR is referred to as MHS GENESIS.
MHS GENESIS is an EHR information system that collects, processes, and
distributes EHR longitudinally across the Military Health System (MHS), Department of
Veterans Affairs (VA), United States Coast Guard (Coast Guard), TRICARE network of
service providers, and Federal and State agencies for approximately 9.6 million DoD
beneficiaries worldwide.
MHS GENESIS collects, processes, and distributes the following categories of
PII, which includes Protected Health Information (PHI) and SSNs. This information is
needed for the timely and high-quality delivery of health care services to and the
determination and processing of patient benefit information for DoD, VA, Coast Guard,
and other beneficiaries, as well as for Defense Health Agency (DHA) authorized
clinical trials, medical research, and disease registries.
MHS GENESIS is intended for use by clinicians for the purpose of providing
Privacy, Civil Liberties, and Freedom of Information Directorate > Privacy > SORNs Index > DOD Component Notices >
DHA Article List (defense.gov)

environment at Lee's Summit providing an ability to fail-over in the case of a system
outage. Each data center implements the 800-53 RMF PE controls documented in
eMASS. Network connectivity, transport, and boundary defense are outside the security
assessment/authorization boundary and are provided by the enterprise-wide MedCOI
network, which leverages DODIN transport and conforms to DoD Joint Information
Environment (JIE) objectives. CSSP services for the MedCOI network and connected
MHS GENESIS systems are provided by Naval Information Warfare Center (NIWC).
The primary Oracle database for MHS GENESIS is journaled and transactions
are replicated in the backup database. The transmission of transactional journals and
the backup database are encrypted. Audit logs are maintained for all assets in the
enclave, per Security Technical Implementation Guide (STIG) and SRG requirements.
Regular external audits are conducted on MHS GENESIS, per ATO requirements.
Encryption of data at rest uses approved DoD encryption methods (i.e., NIST
FIPS 140-2 validated cryptographic modules) and is performed by the hardware
platform hosting the client or server application. In MHSG2, data center storage is
encrypted by the Storage Area Network (SAN) or the server (for locally hosted
storage). MHSG2 end-user devices encrypt local storage. MHS GENESIS-Theater
(MHSG-T) hardware encrypts local disk. Data exchanged between MHS GENESIS and
end-user devices is encrypted using HTTPS, that is, Hypertext Transfer Protocol
(HTTP) over Transport Layer Security (TLS). Data exchanged between MHS GENESIS
and external systems is encrypted using TLS. Data exchanged between MHS GENESIS
and trusted external systems is encrypted using TLS with X.509 certificates issued by
DoD Certificate Authorities (CAs). MHS GENESIS and its clinical applications provide users data access rights
based upon job functionality, authority, and responsibility within the enterprise.
Access to the system requires use of a CAC or RSA SecurID, and a valid
account that is vetted prior to access being granted. Regular external audits are
conducted on MHS GENESIS, per requirements in the ATO memo for the system. No
user has direct access to an MHS GENESIS data store; role-based access control
(RBAC) is enforced through end-user applications. The applications access a local
Lightweight Directory Access Protocol (LDAP) with the user's credentials to pull the list
of associated attributes which extends the DoD schema with MHS GENESIS-specific
least-privilege attributes to identify the system capabilities and data access available to
that user. Some access control attributes are maintained internally to the clinical
applications within MHS GENESIS.
For questions related to this memorandum, please contact Mr. Gurpreet
Brar, the DHMSM Information Systems Security Manager (ISSM), at 571-314-3191 or
[email protected].
Recommend Approval

Digitally signed by SHEDRICK.CHARLES.JOSE.1125538459
Date: 2024.10.08 13:56:21 -05'00'

Charles J. Shedrick, GS14, DHA
Supervisor, Privacy Compliance
J-1 Administration and Management
Directorate

Digitally signed by BRAR.GURPREET.1300416469
Date: 2024.10.07 10:22:36 -04'00'

Gurpreet Brar
Information Systems Security Manager
Defense Healthcare Management Systems
Modernization


File Type: application/pdf
File Title: MHS_GENESIS_EHR_(eID3202+Sub_eIDs)_DD2930_SO+RM+CPO2.pdf
Author: Burns, Lalie S CIV DHA (USA)
File Modified: 2024-10-08
File Created: 2024-10-07
