DoDIG Audit Report on Navy and Air Force EHR and Security Systems

The Defense Health Agency (DHA), the Navy and the Air Force recently had their second Department of Defense Inspector General (DoDIG) audit of their electronic health record (EHR) and security systems. The audit uncovered serious security vulnerabilities that attackers could potentially exploit to gain access to the systems and to protected health information (PHI). The first DoDIG report had already revealed that the DHA and the Army failed to consistently implement security protocols, leaving EHRs and the systems that store, process or transmit PHI insecure. The second DoDIG report identifies serious vulnerabilities in 11 different areas across the DHA, Navy and Air Force.

Under the Health Insurance Portability and Accountability Act (HIPAA) Rules, inconsistent implementation of security protocols and the use of ineffective administrative, physical and technical safeguards are violations of the requirement to protect EHRs and PHI. The DoDIG visited three Navy and two Air Force facilities, namely:

  • Naval Hospital Camp Pendleton, Camp Pendleton, CA
  • U.S. Naval Ship Mercy, San Diego, CA
  • San Diego Naval Medical Center, San Diego, CA
  • Wright-Patterson Medical Center, Dayton, OH
  • 436th Medical Group, Dover, DE

At these 5 locations, the DoDIG assessed 3 modified DoD EHR systems, 3 DoD EHR systems, 2 DHA-owned systems and 9 service-specific systems. In some cases vulnerabilities went undetected; in others they were detected but not addressed in a timely manner. For example, at the 436th Medical Group the audit found that 342 of the 1,430 vulnerabilities had already been identified in May but were not resolved, so they appeared again in the June vulnerability scan.

Each audited site gave different reasons for failing to implement security protocols and address vulnerabilities. The most common reasons were lack of resources, system incompatibility, lack of guidance and vendor limitations. The DoDIG audit identified the following areas in which security controls were not implemented:

  • setting up multi-factor authentication
  • configuring passwords that meet DoD length/complexity requirements
  • fixing known network vulnerabilities
  • assigning user privileges based on their duties
  • configuring the controls to lock EHRs when users have been inactive for 15 minutes
  • reviewing system activity reports to check for suspicious activities and access attempts
  • developing standard operating procedures and managing system access
  • implementing the appropriate security protocols to keep ePHI and PHI from unauthorized access
  • maintaining an inventory of service-specific systems for storing, processing, or transmitting PHI
  • developing and maintaining privacy impact assessments

When the proper security protocols are not implemented in the areas listed above, the risk of successful cyberattacks rises, as does the likelihood of system and data breaches that result in data loss or unauthorized disclosure of PHI. The DoDIG made the following recommendations to immediately address the security flaws:

  • configure systems that manage ePHI to lock automatically after 15 minutes of inactivity
  • develop an oversight plan to be sure that recommendations are implemented
  • take specific actions to address vulnerabilities promptly
  • implement procedures that restrict access to PHI systems based on the users’ responsibilities

The facilities generally accepted these recommendations, but not all agreed to implement every one of them. Some could incorporate the necessary actions immediately, while others still need to comment further on, or study, the recommended or alternative actions.