Healthcare Information Security

Cybersecurity News

DoD Wants Army EHR Security Audit, Security Protocol Review

An EHR security audit will be performed at multiple Army medical center locations, according to a Department of Defense Inspector General memo.

By Elizabeth Snell

The Department of Defense plans to investigate whether or not the Army implemented effective security protocols to protect electronic health records through an EHR security audit, set to be performed in August 2016.

EHR security audit planned for Army medical centers

The DoD Inspector General explained in a memo that it will perform the audit at the U.S. Army Medical Command, the enhanced Multi-Service Market led by the Army in the Puget Sound Region (Washington), the Army medical center at Joint Base Lewis- McChord, Washington, and one Army hospital and clinic each at Fort Carson, Colorado.

However, other locations may be added during the audit, the DoD said.

“This is the first in a series of audits of Military Department security protocols over electronic health records and individually identifiable health information,” stated the memo, which was signed by Assistant Inspector General of Readiness & Cyber Operations Carol N. Gorman. “We will consider suggestions from management on additional or revised objectives.”

Earlier this year, the DoD published an audit report of the its planned EHR modernization, bringing the timeline into question about whether the federal agency could meet its end-of-the-year goal for EHR implementation.

As reported by EHRIntelligence.com, that audit was designed to ensure that the agency “had approved system requirements for the DoD Healthcare Management System Modernization (DHMSM) program and whether the acquisition strategy was properly approved and documented."

Along with potential risk and mitigation strategies, the audit found that the DoD “is still at risk for obtaining an EHR system by the December 2016 initial operational capability date because of the risks and potential delays involved in developing and testing the interfaces needed to interact with legacy systems, ensuring the system is secure against cyber attacks, and ensuring the fielded system works correctly and that users are properly trained.”

EHR security is an essential area for healthcare providers of all sizes and in the public and private sector.

More organizations are also beginning to adopt EHRs, with 96 percent of hospitals with a certified EHR technology in 2015, according to the Office of the National Coordinator.

Furthermore, hospital adoption of basic EHR rose from 75.5 percent in 2014 to 83.8 percent in 2015.

Hacking incidents, ransomware, and phishing scams are just a few of the potential issues that could create problems in EHR security.

“Web-based EHR systems easily allow them to access data from hundreds or thousands of health networks in one fell swoop,” Digital Guardian Principal Architect of Network and Cloud Security Mark Menke wrote in a HealthITSecurity.com contribution piece. “Additionally, like other similar applications, it’s likely that web-based EHR systems suffer from many common vulnerabilities that might give attackers access to backend systems and data – from SQL injections to cross site scripting.”

The EHR is just one piece in the complex ecosystem, which also includes securing physical spaces, protecting credentials, networks, biomedical devices, mobile devices and other software, according to Epic SVP and CSO Stirling Martin.

“Today, organizations in healthcare and other sectors are spending millions of dollars to increase their security with surveillance tools, network firewalls, intrusion prevention systems, host level security technologies, multifactor authentication, and integrating commercial threat intelligence,” Martin said in an April article. “They are also beginning to work together against a common enemy.”

Dig Deeper:

X

SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
BYOD
Cybersecurity
Data Breaches
Ransomware

Our privacy policy

no, thanks