The US Navy and US Air Force have poor security practices for their electronic health record (EHR) systems and could face millions of dollars in HIPAA violation fines if action is not taken to correct these problems, warned the Department of Defense Inspector General (DoD IG) in a recent audit.
The services failed to consistently implement security protocols to protect EHRs at the locations visited by the DoD IG, putting patients’ PHI at risk.
The DoD IG visited three Navy facilities—Naval Hospital Camp Pendleton, San Diego Naval Medical Center, and the US Naval Ship (USNS) Mercy docked in San Diego—and two Air Force facilities—the 436th Medical Group in Dover, Delaware, and Wright-Patterson Medical Center in Dayton, Ohio.
It reviewed 17 information systems at the five locations: three DoD EHR systems, three modified EHR systems used aboard the USNS Mercy, two Defense Health Agency (DHA)-owned systems, and nine service-specific systems.
The audit determined that officials from the Navy, Air Force, and DHA did not consistently require users to use a common access card (CAC) to access EHR systems, comply with password complexity requirements, mitigate known network vulnerabilities, implement an effective identity and access management program, configure EHR systems to lock automatically after 15 minutes of inactivity, or review systems activity reports to identify suspicious behavior.
The services came up short on protecting EHRs and PHI due to lack of resources and guidance, system incompatibility, and vendor limitations.
“Without well-defined, effectively implemented system security protocols, the DHA, Navy, and Air Force compromised the integrity, confidentiality, and availability of PHI,” the audit explained.
“In addition, ineffective administrative, technical, and physical security protocols that result in a violation of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 could cost the MTFs [military treatment facilities] up to $1.5 million per year in penalties for each category of violation,” the audit warned.
The DoD IG recommended that the DHA director configure the DoD EHR systems and other DHA-owned systems that process, store, and transmit PHI to automatically lock after 15 minutes of inactivity.
The agency recommended that the Surgeons General for the Navy and Air Force, in coordination with the Navy Bureau of Medicine and Surgery and the Air Force Medical Service, put in place an oversight plan to verify that MTFs enforce the use of CACs and configure passwords that meet DoD password complexity requirements to access EHR systems.
The DoD IG also advised the Navy and Air Force MTF CIOs to develop a plan of action and milestones to mitigate known network vulnerabilities; implement procedures to grant access to systems that process, store, and transmit PHI based on roles that align with user responsibilities; and configure all systems that contain PHI to lock after 15 minutes of inactivity.
This report is the second in a series of reports on the security protocols used by the military to protect EHR and PHI systems, the DoD IG explained.
The first report examined the US Army and MHA facilities: two MTFs in the Army’s Regional Health Command Central—Brooke Army Medical Center at Fort Sam Houston, Texas, and Evans Army Community Hospital at Fort Carson, Colorado—and one in the Regional Health Command Atlantic—Kimbrough Ambulatory Care Center at Fort Meade, Maryland.
Like the Navy and Air Force, the Army did not consistently enforce the use of CACs, comply with DoD password complexity requirements, mitigate known network vulnerabilities, implement an effective identity and access management program, configure EHR systems to lock after 15 minutes of inactivity, or review systems activity reports to identify suspicious behavior, according to the audit.
“Officials from the U.S. Army Medical Command and the MTFs also were not aware of all Army‑specific systems operating on their networks that stored, processed, and transmitted patient health information because U.S. Army Medical Command officials did not require MTFs to identify systems that contained patient health information,” the DoD IG audit found.
The Army report contained recommendations similar to those in the Navy and Air Force report: the Army Medical Command and MTFs should enforce the use of CACs and configure EHR passwords to meet DoD complexity requirements.
The DoD IG also recommended that the Army MTF CIOs develop a plan of action and milestones to mitigate known network vulnerabilities in a timely manner; implement procedures to grant access to systems that process, store, and transmit PHI based on roles that align with user responsibilities; and configure all systems that contain PHI to lock after 15 minutes of inactivity.
“Furthermore, we recommend that the MTF Commanders review the performance of their CIOs, and consider administrative action, as appropriate, for not following Federal and DoD guidance for protecting patient health information,” the DoD IG report said.