The Department of Defense Health Agency (DHA) failed to consistently implement security measures to protect the systems that stored, processed, and transmitted electronic health record and patient information, according to a DoD Office of Inspector General report released this week.
The report found DHA and Army officials didn’t enforce the use of Common Access Cards meant to control access to its EHR and two other Army systems. DoD officials said the CAC software was incompatible with older system software, or didn’t allow multiple users to log in and out of the system without a system reboot. Currently, DoD is replacing its legacy EHR with Cerner.
What’s worse is that DoD failed to comply with its own password complexity requirements for its clinical information system and two other DoD systems – “because system administrators considered existing network authentication requirements sufficient to control access,” OIG officials said.
As seen with many healthcare breaches, user authentication is one of the largest problem areas for health cybersecurity.
“Without well-defined, effectively implemented system security protocols, the DHA and Army introduced unnecessary risks that could compromise the integrity, confidentiality, and availability of patient health information,” the report authors wrote.
“Security protocols, when not applied or ineffective, increase the risk of cyber-attacks, system and data breaches, data loss or manipulation, and unauthorized disclosures of patient health information,” they added.
Officials also noted that three audited DoD health sites – Brooke Army Medical Center, Evans Army Community Hospital, and Kimbrough Ambulatory Care Center – had their own security weaknesses.
The medical sites lacked access controls on three DoD EHRs and four DoD systems, meaning user access was not determined by assigned duties. Users were also not required to justify access, and user responsibilities weren’t aligned with specific system roles.
Also notable, two of the DoD EHR systems and five DoD-specific systems weren’t configured to automatically lock after 15 minutes of inactivity, as “the military treatment facility CIOs did not want to negatively affect system availability.”
Adding to the security flaws: DoD did not have standard operating procedures to manage system access, as “they did not consider documented procedures necessary.”
“Ineffective administrative, technical, and physical security protocols that result in a HIPAA violation could cost military treatment facilities up to $1.5 million per year in penalties for each category of violation,” the report authors wrote.
OIG made 39 recommendations based on the NIST Cybersecurity Framework, including that the CIOs for the DHA, U.S. Army Medical Command, and military treatment facilities enforce the use of CACs to access EHRs and configure passwords to meet complexity requirements.
Three of those recommendations were closed after the DHA Chief of Staff provided OIG with officer evaluation reports from the three medical sites that “included one or more specific security-related performance standards for complying with security requirements and protecting patient health information.”
“One included standards to hold CIOs accountable for protecting patient health information,” the report authors wrote.
However, OIG officials considered six recommendations unresolved, as DoD leaders had not fully addressed the identified issues. According to the report, as of September 30, 2018, 36 of the 39 recommendations remain open.
The DHA audit was part of a 50-page report on the state of security across the entire DoD. In total, the Defense Department has 266 unresolved risks, some dating back to 2008.
“Without proper governance, the DoD cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems,” officials said in a statement.
“DoD must also ensure that cybersecurity risks are effectively managed to safeguard its reliance on cyberspace to support its operations and implement proper controls and processes where weaknesses are identified to improve the overall cybersecurity,” they added.