Weak security policies ‘compromised the integrity’ of DoD medical records

May 10, 2018

Network security issues, inconsistent access rules, and other deficiencies outlined in a new Department of Defense Inspector General report led auditors to a harsh verdict on DoD’s electronic health records practices.

“Without well-defined, effectively implemented system security protocols, the [Defense Health Agency], Navy and Air Force compromised the integrity, confidentiality, and availability of” patient health information, auditors stated, in a report released May 7.

In addition to privacy and access concerns, the violations could cost money: up to $1.5 million a year per category of violation under the Health Insurance Portability and Accountability Act of 1996, auditors noted. HIPAA is designed to protect the integrity and confidentiality of patient health information from unauthorized use or disclosure.

The IG report is based on visits to three Navy facilities in California (Naval Hospital Camp Pendleton, San Diego Naval Medical Center, and the Navy hospital ship Mercy) and two Air Force facilities: the 436th Medical Group in Dover, DE, and Wright-Patterson Medical Center in Dayton, OH. Among the findings:

  • The facilities didn’t always require the use of common access cards to access records systems. DoD regulations mandate CAC usage to access all DoD networks.
  • Network security issues were not addressed immediately. One example: Of the 36,926 vulnerabilities identified in an April 22, 2017, network scan at Naval Hospital Camp Pendleton, only one had been addressed as of a May 7, 2017, follow-up scan.
  • Systems weren’t set up to lock after 15 minutes of inactivity, as DoD guidelines require. Some stayed unlocked for hours, per the report, while others remained accessible indefinitely.
  • Issues stemmed from a variety of causes, auditors stated, including lack of resources and guidance, system incompatibility and vendor limitations.

The investigation follows a July 2017 report, also from the DoD IG, detailing similar inconsistencies in DoD and Army security procedures regarding patient health records. That report noted that most of its recommendations were being addressed.

In its response to the report, the Navy pledged to enforce CAC guidance at its facilities by June 1 and to address concerns over weak passwords. Air Force Surgeon General Lt. Gen. Mark Ediger responded that the Air Force is assessing its other military treatment facilities to ensure they are enforcing the use of CACs to access patient health information systems, and verifying that their passwords meet DoD security requirements by Nov. 1.

Army Times has the full article
