A Department of Defense Inspector General (DoDIG) audit of the electronic health record (EHR) and security systems at the Defense Health Agency (DHA), Navy, and Air Force has found serious security weaknesses that could be exploited to gain access to systems and protected health information (PHI).
This is the second DoDIG report from recent audits of military treatment facilities (MTFs). The first report found that the DHA and Army had failed to consistently implement security controls to protect EHRs and the systems that stored, processed, or transmitted PHI. The latest report, which covers the DHA, Navy, and Air Force, identified serious weaknesses in 11 different areas.
The inconsistent application of security controls to protect EHRs and PHI, and the ineffective administrative, technical, and physical safeguards in place, are violations of Health Insurance Portability and Accountability Act (HIPAA) Rules. Such violations can attract financial penalties of up to $1.5 million per violation type.
The DoDIG visited three Navy and two Air Force facilities and evaluated 17 information systems across the five sites:
- Wright-Patterson Medical Center, Dayton, OH
- 436th Medical Group, Dover, DE
- USNS Mercy, San Diego, CA
- Naval Medical Center San Diego, San Diego, CA
- Naval Hospital Camp Pendleton, Camp Pendleton, CA
Three DoD EHR systems, three enhanced DoD EHR systems, nine service-specific systems, and two DHA-owned systems were evaluated.
There were instances where vulnerabilities had gone undetected, and several instances where identified vulnerabilities were not remediated within a reasonable time frame. In its report, DoDIG said the audit at the 436th Medical Group revealed that 342 of the 1,430 vulnerabilities identified in May had not been remediated and reappeared in the vulnerability scan conducted in June.
The reasons for the failure to consistently implement security controls and remediate vulnerabilities differed at each audited site, but were mainly a lack of resources, a lack of leadership, system incompatibility, and vendor limitations.
Security problems were identified in the following areas:
- Failure to consistently implement multi-factor authentication
- Failure to configure passwords to meet DoD length and complexity requirements
- Failure to remediate known network vulnerabilities
- Failure to assign privileges based on users’ assigned duties
- Failure to implement controls to lock EHRs after 15 minutes of inactivity
- Failure to review system activity reports to identify suspicious activity and access attempts
- Failure to develop standard operating procedures and manage system access
- Failure to implement proper and adequate security controls to protect ePHI and PHI from unauthorized access
- Failure to maintain an inventory of all service-specific systems that stored, processed, or transmitted PHI
- Failure to develop and maintain privacy impact assessments
“Without well-defined, effectively implemented system security controls, the DHA, Navy, and Air Force compromised the integrity, confidentiality, and availability of PHI,” wrote DoDIG in its report. “Security controls, when not implemented or ineffective, increase the risk of successful cyberattacks; system and data breaches; data loss and misuse; and unauthorized disclosures of PHI.”
DoDIG made numerous recommendations to improve security, which included configuring systems used to store, process, or transmit ePHI to lock automatically after 15 minutes of inactivity; developing an oversight plan to ensure recommendations are implemented across all sites; taking action to remediate vulnerabilities in a timely manner; and implementing procedures to grant access to systems used to store, process, and transmit PHI only on the basis of users’ duties.
DoDIG also recommended that the Surgeons General for the Departments of the Navy and Air Force coordinate with the Navy Bureau of Medicine and Surgery and the Air Force Medical Facility to assess whether the problems identified exist at other service-specific military treatment facilities.
In general, the recommendations were accepted, although at certain sites some recommendations remain unresolved and require additional comments.
The DHA Director agreed that the DHA could configure systems to lock after 15 minutes of inactivity, but did not provide assurances that its systems would be changed to include that control.
The Executive Director of Naval Medical Center San Diego disagreed with one recommendation. The Military Sealift Command Chief of Staff partially agreed with two recommendations and disagreed with one, but proposed other controls and alternative actions that could be taken to address all recommendations for the USNS Mercy.