DoD IG finds massive security flaws in Army, Navy EHR and handling of patient data

Inspector general says Defense Health Agency sites failed to consistently implement technical, physical and administrative protocols and may have violated HIPAA regulations in the process.
By Jessica Davis
01:47 PM

The electronic health record and security systems at the Defense Health Agency and some Navy and Air Force hospitals and clinics are riddled with serious vulnerabilities, according to a recent U.S. Department of Defense Office of Inspector General report.

OIG identified the issues at the Naval Hospital Camp Pendleton, San Diego Naval Medical Center, USNS Mercy, 436th Medical Group and Wright-Patterson Medical Center. These vulnerabilities ranged from password configurations that did not meet DoD requirements to user access that was not restricted based on assigned duties.

In fact, OIG officials said DHA, Navy and Air Force may have violated HIPAA with their lax security protocols, which could result in millions of dollars in fines.

"Specifically, DHA, Navy and Air Force officials did not consistently implement technical, physical and administrative protocols to protect Department of Defense EHR systems, modified EHR systems and Service-specific systems from unauthorized access and disclosure," the report read.

"As a result, ineffective administrative, technical, and physical security protocols, resulting in HIPAA violations, could cost Military Treatment Facilities up to $1.5 million in penalties each year," the report said.

What's more troubling is that officials said when network administrators at the audited sites discovered vulnerabilities, they often failed to address them. In June, for example, the Dover Clinic performed a scan that showed 342 of the 1,430 vulnerabilities found in May were still unresolved.

Reasons for failing to implement proper security measures varied by site and flaw, including a lack of guidance or resources, vendor limitations, and system incompatibility.

To address these flaws, OIG made several recommendations, including configuring the DoD EHR systems and other DHA systems that handle patient data to automatically lock after 15 minutes of inactivity.

OIG also recommended that the Surgeons General for the Departments of the Navy and Air Force, in coordination with the Navy Bureau of Medicine and Surgery and the Air Force Medical Service, coordinate efforts to assess whether the issues found in the report are systemic or specific to the audited locations.

Officials also asked those leaders to develop and implement an oversight plan to make sure those sites enforce the use of common access cards and configure passwords to meet DoD requirements. Further, CIOs need to draft an action plan outlining the steps to mitigate vulnerabilities in a timely fashion.

The DHA director agreed that DHA could potentially lock systems automatically after a period of inactivity. However, the director "did not provide assurance that the DHA would configure its systems that process, store, and transmit PHI to lock automatically after 15 minutes of inactivity."

The Navy Executive Director at the Navy Bureau of Medicine and Surgery agreed with all recommendations for the Navy Bureau of Medicine and Surgery and the Naval Hospital Camp Pendleton. But the other sites have unresolved issues that require additional comments.

DHA is not the only federal agency to be chastised for its security protocols. The Department of Veterans Affairs has been on the Government Accountability Office's and Inspector General's high-risk list for more than three years, despite efforts to improve its status.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com