Why FedRAMP Should Be the Baseline for Health IT Security in Government

In federal health IT, security has become a critical mission. As cyber threats grow more sophisticated and health data becomes increasingly valuable on the black market, federal agencies and their partners must operate at the highest security standards.

That is why FedRAMP should not be seen as a checkbox, but as the baseline for all health IT systems supporting the federal mission.

Andrea Hopkins, chief information security officer at DSS, puts it plainly.

“Health care data is the most valuable data on the black market right now. Every health care organization is under attack, and the attackers are only getting more sophisticated.”

This is why DSS is actively pursuing a FedRAMP High authorization for the DSS Health Cloud. High is the most rigorous of FedRAMP's impact levels and is intended for systems whose compromise would have severe or catastrophic consequences, which is how DSS categorized a platform that stores and processes protected health information (PHI) and mental health records. We chose to aim for this level from the outset.

“We knew the kinds of payloads we were going to be carrying, and it just made no sense to start anywhere but High,” said Hopkins. “The risk is too great, and the stakes are too high.”

Rising to Meet a Complex Challenge

FedRAMP was not built with health care in mind. It was established by the Office of Management and Budget in 2011 as a government-wide, standardized approach to authorizing cloud services, and applying it to health IT introduces unique complexity. Health environments are full of FDA-cleared or FDA-approved medical devices that cannot be modified to meet FedRAMP standards without jeopardizing their regulatory status. That means organizations must secure everything around those devices and ensure that any system the data touches meets the same high bar.

“You cannot lock down a prescription dispensing machine to a FedRAMP standard because it has to stay the way it is to remain FDA approved,” said Hopkins. “So, you need compensating controls. You must secure the entire ecosystem around it. And once that data hits the EHR, that system better be just as locked down.”

DSS spent over three years navigating these complexities in its FedRAMP process. “We thought we could do it in six to nine months,” Hopkins shared. “Three and a half years later, we now know just how hard it is. You must plan for that level of effort from the beginning.”

Security Is Not Static

For many organizations, achieving a FedRAMP authorization might feel like the end goal. But it is just the beginning.

“FedRAMP is not something you complete and walk away from,” Hopkins said. “Once you are in the FedRAMP lane, you are moving fast. You have monthly scans, quarterly reporting, and annual assessments. It is a constant process. You have to keep up because the threat landscape never stops evolving.”

That is why DSS emphasizes the importance of ongoing training, internal testing, and third-party audits. Hopkins pointed to recent breaches across the health sector as examples of what happens when organizations get complacent.

“A single phishing email, an unpatched server, a text pretending to be from your CEO - any one of those can take you down,” she said. “It only takes one person clicking the wrong link.”

More Than Compliance, It Is a Commitment

The benefits of FedRAMP go beyond security. It also enables vendors to do business with the federal government and signals to partners that an organization is committed to protecting sensitive information. For DSS, FedRAMP High is a powerful differentiator.

“It opens the door for us to support not just VA, but a wider federal health mission,” said Hopkins. “It shows that we have expertise in house, that we have locked everything down, and that an independent auditor has confirmed we are operating at that level.”

Hopkins believes this level of rigor should be the standard, not the exception. “You cannot show up with leaky software and expect to be trusted. The federal government is not going to take that risk.”

Proactive Protection is Mission Essential

When a breach occurs, the damage goes far beyond the system itself. Affected organizations must notify every individual impacted, pay for identity protection, shift resources away from other projects, and face public scrutiny.

Cybersecurity is everyone’s responsibility, Hopkins emphasized. “You are only as strong as your weakest link. That is why education is such a huge part of this. We need to help more people understand the risks and the steps they can take to protect themselves and their agencies.”

In that spirit, DSS continues to invest in FedRAMP, zero trust architecture, and ongoing cybersecurity training. In federal health care, the stakes are not theoretical; they are personal. “Security is not a black hole. It is something we can all understand,” said Hopkins. “And we are all in the same boat.”

Health data is both valuable and vulnerable. As Andrea shared, even a small breach can cause lasting damage. That is why DSS is committed to building a secure cloud foundation that meets the highest government standards and supports a safer future for federal health care.
