Weak security policies ‘compromised the integrity’ of DoD medical records

May 10, 2018

Network security issues, inconsistent access rules, and other deficiencies outlined in a new Department of Defense Inspector General report led auditors to a harsh verdict on DoD’s electronic health records practices.

“Without well-defined, effectively implemented system security protocols, the [Defense Health Agency], Navy and Air Force compromised the integrity, confidentiality, and availability of” patient health information, auditors stated, in a report released May 7.

In addition to privacy and access concerns, the violations could cost money: up to $1.5 million a year per violation category under the Health Insurance Portability and Accountability Act of 1996, auditors noted. HIPAA is designed to protect the integrity and confidentiality of patient health information from unauthorized use or disclosure.

The IG report is based on visits to three Navy facilities in California (Naval Hospital Camp Pendleton, San Diego Naval Medical Center, and the Navy hospital ship Mercy) and two Air Force facilities: the 436th Medical Group in Dover, DE, and Wright-Patterson Medical Center in Dayton, OH. Among the findings:

  • The facilities didn’t always require the use of common access cards (CACs) to access records systems. DoD regulations mandate CAC usage to access all DoD networks.
  • Network security issues were not addressed promptly. One example: of the 36,926 vulnerabilities identified in an April 22, 2017, network scan at Naval Hospital Camp Pendleton, only one had been addressed as of a May 7, 2017, follow-up scan.
  • Systems weren’t set up to lock after 15 minutes of inactivity, as DoD guidelines require. Some stayed unlocked for hours, per the report, while others remained accessible indefinitely.
  • Issues stemmed from a variety of causes, auditors stated, including lack of resources and guidance, system incompatibility and vendor limitations.
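The Camp Pendleton finding above (one of 36,926 vulnerabilities fixed between two scans two weeks apart) is the kind of number an auditor gets by diffing two scan exports. The script below is an added example, not code from the article or the DoD IG report. It assumes each scan is exported as CSV with the columns `host,plugin_id,severity,name` (a common scanner layout, but an assumption here), and the sample rows are constructed for illustration; it reports what was remediated, what persisted, what appeared new, and which high-severity findings have been sitting unfixed since the baseline.

```python
"""Compare two vulnerability-scan exports and measure remediation progress.

Added example, not from the article or the IG report. Assumes each scan is a
CSV export with columns host,plugin_id,severity,name; sample rows below are
constructed to illustrate the technique.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed baseline scan (first pass). Severity: 4 = high/critical.
BASELINE_CSV = """host,plugin_id,severity,name
10.0.0.5,19506,4,Outdated OpenSSL
10.0.0.5,20007,3,SMBv1 enabled
10.0.0.9,19506,4,Outdated OpenSSL
10.0.0.9,41028,2,Weak TLS ciphers
10.0.0.12,12345,4,Unsupported OS
"""

# Constructed follow-up scan: one finding fixed, one new finding appeared.
FOLLOWUP_CSV = """host,plugin_id,severity,name
10.0.0.5,20007,3,SMBv1 enabled
10.0.0.9,19506,4,Outdated OpenSSL
10.0.0.9,41028,2,Weak TLS ciphers
10.0.0.12,12345,4,Unsupported OS
10.0.0.12,55555,3,Default credentials
"""

# A finding is identified by (host, plugin_id): the same plugin firing on two
# hosts is two findings, and a fix on one host does not clear the other.
Finding = Tuple[str, str]


def load_findings(csv_text: str) -> Dict[Finding, Dict[str, str]]:
    """Parse a scan export into a map keyed by (host, plugin_id)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(row["host"], row["plugin_id"]): row for row in reader}


@dataclass
class ScanDelta:
    remediated: Set[Finding]  # in baseline, gone in follow-up
    persisting: Set[Finding]  # in both scans
    new: Set[Finding]         # only in follow-up

    @property
    def remediation_rate(self) -> float:
        """Fraction of baseline findings no longer reported in the follow-up."""
        baseline_total = len(self.remediated) + len(self.persisting)
        return len(self.remediated) / baseline_total if baseline_total else 0.0


def compare_scans(baseline_csv: str, followup_csv: str) -> ScanDelta:
    """Set arithmetic on finding keys gives the three buckets an auditor wants."""
    base = load_findings(baseline_csv)
    follow = load_findings(followup_csv)
    return ScanDelta(
        remediated=set(base) - set(follow),
        persisting=set(base) & set(follow),
        new=set(follow) - set(base),
    )


def stale_high_severity(delta: ScanDelta, followup_csv: str,
                        min_severity: int = 4) -> List[Finding]:
    """Persisting findings at or above min_severity, i.e. the ones to escalate."""
    follow = load_findings(followup_csv)
    return sorted(f for f in delta.persisting
                  if int(follow[f]["severity"]) >= min_severity)


if __name__ == "__main__":
    delta = compare_scans(BASELINE_CSV, FOLLOWUP_CSV)
    print(f"remediated={len(delta.remediated)} persisting={len(delta.persisting)} "
          f"new={len(delta.new)} rate={delta.remediation_rate:.0%}")
    for host, plugin in stale_high_severity(delta, FOLLOWUP_CSV):
        print(f"still open (high severity): {host} plugin {plugin}")
```

Keying on `(host, plugin_id)` rather than on the plugin alone matters for the remediation rate: a patch rolled out to one ward's workstations should not make the same finding on the hospital ship disappear from the report.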

The investigation follows a July 2017 report, also from the DoD IG, detailing similar inconsistencies in DoD and Army security procedures regarding patient health records. That report noted that most of its recommendations were being addressed.

In its response to the report, the Navy pledged to enforce CAC guidance at its facilities by June 1 and to address concerns over weak passwords. Air Force Surgeon General Lt. Gen. Mark Ediger responded that the Air Force is assessing its other military treatment facilities to ensure they are enforcing the use of CACs to access patient health information systems, and verifying that their passwords meet DoD security requirements by Nov. 1.

Army Times has the full article
