- While two Indian Health Service (IHS) hospitals had increased system security and physical controls surrounding prescription drug and opioid disbursements, the Office of Inspector General (OIG) still determined that more improvements needed to be made. This included but was not limited to implementing IT risk assessments and ensuring an adequate disaster recovery plan was in place.
“HHS has recognized the escalating abuse of opioid drugs in our society,” the OIG report explained. “Among HHS operating divisions, the Centers for Disease Control and Prevention, National Institutes of Health, and IHS play key roles in HHS’s programmatic response to the nation-wide epidemic.”
“IHS is responsible for implementing appropriate controls within IHS to protect prescription drugs, including opioids,” the report authors continued. “IHS is also responsible for the security of related beneficiaries’ personal health information in accordance with Federal security requirements.”
OIG reviewed the systems and policies at Quentin N. Burdick Memorial Hospital (Burdick Memorial) in Belcourt, North Dakota, and Blackfeet Community Hospital (Blackfeet Hospital) in Browning, Montana.
One of the main OIG findings was that the IHS hospitals could further improve their system security and physical controls.
READ MORE: The Role of Risk Assessments in Healthcare
For example, Blackfeet Hospital could improve its controls at hospital sensitive area entry points to protect its automated dispensing medication system. Improving these controls would also help keep prevent unauthorized access within the pharmacy inventory, OIG stated.
“Access to Blackfeet Hospital’s pharmacy (Appendix C, photograph 7) where regular drug stock were stored was controlled by assigning one PIN to a group of people,” report authors wrote. “Pharmacists used one shared PIN and pharmacy technicians used another to enter the pharmacy. This occurred because Blackfeet Hospital did not sufficiently assess the risk associated with shared PINs.”
Burdick Memorial did not have an effective continuity of operations program and disaster recovery plan, which could prove troublesome should a natural, manmade, or IT disaster occur, according to OIG.
The hospital’s risk assessment noted that the lack of a disaster recovery site was a risk, but there was no appropriate risk mitigation discussed.
“Lack of an effective contingency plan could have had a devastating effect on access to personal health information and prescription dispensing,” the report said. “If prescription drug records were lost and could not be recovered, the absence of accurate information would put patient safety at risk and make Burdick Memorial’s pharmacy vulnerable to inappropriate prescribing and possible drug diversion by individuals fraudulently claiming to have had prescriptions for opioids.”
Both IHS hospitals were also found to have lacking access control procedures. Specifically, the procedures and reviews had not implemented role-based access controls according to the principle of least privilege.
Lacking access control procedures means that IHS “cannot ensure that it can fully protect the confidently, integrity, and availability of health records and other mission critical data.”
Risk assessments are also a critical risk management aspect, OIG pointed out. However, “Burdick Memorial and Blackfeet Hospital did not have sufficient IT risk assessments, nor did the hospitals develop adequate risk mitigation plans.”
“Without an adequate risk assessment, IHS hospitals could not ensure that they could identify or implement appropriate controls to reduce or eliminate risks that could affect health information and patient safety,” report authors stated. “The same template and methodology used to execute the risk assessment at Burdick Memorial and Blackfeet Hospital is used at other IHS hospitals, so it should be reviewed throughout IHS.”
OIG also determined that Burdick Memorial lacked adequate flaw remediation and vulnerability management procedures. When organizations fail to mitigate certain IT vulnerabilities, it could lead to unauthorized access.
The WannaCry ransomware incident stemmed from unpatched Microsoft servers, OIG noted. An increased risk of compromise from known vulnerabilities could affect access to health information and patient safety, the agency added. It could also “create opportunities for drug diversion by unauthorized individuals manipulating electronic prescriptions to create fraudulent prescriptions or changing prescriptions to increase doses of opioids.”
OIG recommended that Blackfeet Hospital assign specific PINs for each employee for restricted areas and that IHS ensure its continuity of operations program and disaster recovery programs are tested and proved viable. Burdock Memorial should also test all of its backup mechanisms, OIG said.
Furthermore, OIG suggested that logical access-control procedures are developed and implemented. Information security risk assessments at all IHS hospitals should be performed, and be in accordance with NIST standards.
The following recommendations were also made:
- Identify all hospitals with unsupported networking equipment and implement a system development life cycle plan to ensure hardware and software replacement before EOL
- Determine if local IHS hospital system administrators are adequately trained to ensure compliance with all flaw remediation and vulnerability management procedures and, if not, develop and implement a training program
- Ensure that all vulnerabilities identified during vulnerability scanning are remediated in accordance with Federal requirements.
IHS concurred with all OIG recommendations and explained to the agency the actions it was taking and how the actions would be implemented, the report concluded.