According to a recently issued Department of Defense (DoD) Office of Inspector General report (PDF), the Defense Health Agency (DHA) did not consistently apply its security practices and failed to protect stored, processed, and transmitted electronic health records (EHR) and other sensitive patient data against unauthorized access.
The DoD OIG report, DODIG-2017-085, entitled “Protection of Electronic Patient Health Information at Army Military Treatment Facilities”, details the DHA’s failures, which are summarized below.
The DoD OIG found that Common Access Cards (CACs) were not used to access two Army-specific systems and three DoD EHR systems. System administrators stated that the CAC software was incompatible with some of the software running on older systems, and that multiple users could not sign in and out without rebooting the local terminals.
Strong DoD passwords were required but not configured for two Army-specific systems and the Clinical Information System/Essentris Inpatient System. System administrators assumed that the existing network authentication controls were sufficient to secure access.
Three cybersecurity failures were found at Evans Army Community Hospital, Brooke Army Medical Center and Kimbrough Ambulatory Care Center. Network and system administrators did not grant user access to three EHR systems and four Army-specific systems according to users’ designated duties. No justifications for access were documented, and user responsibilities were not mapped to distinct system roles.
Two EHR systems and five Army-specific systems were not configured to lock out users after 15 minutes of inactivity. According to the report, the CIOs at those facilities did not implement a lockout because they did not want to adversely affect system availability. Furthermore, no standard operating procedures for managing system access had been developed, because the CIOs did not consider documented procedures essential.
The DoD OIG reported that without clear, effectively executed system security practices, the DHA and the Army introduced unnecessary risks that could endanger the confidentiality, integrity and availability of patient records.
The DoD OIG noted that the inability to carry out security protocols as well as the ineffective use of security protocols increases the probability of a cyberattack, data breach, data loss, data manipulation, and unauthorized patient PHI disclosures.
Besides the risk to the integrity, confidentiality and availability of patient information, the failure to comply with the HIPAA Rules exposed the Defense Health Agency to HIPAA compliance penalties of up to $1.5 million, per violation category, per annum.
The DoD OIG listed 39 NIST Cybersecurity Framework-based suggestions to fix the security failures, including the use of CACs whenever accessing DoD EHR and Army-specific systems and the adoption of password complexity requirements for those systems.
Three of the recommendations were closed after the DHA Chief of Staff presented reports from the three sites outlining one or more specific security-related performance standards for meeting security requirements and keeping patients’ PHI secure. One of the requirements was to make CIOs responsible for the security of patient health data.
According to the DoD OIG, six of the recommendations remain unresolved because the actions taken did not address the identified problems. As of September 30, 2018, 36 of the recommendations were still open.