The Department of Defense (DoD) Office of Inspector General (OIG) has released a report revealing that the Defense Health Agency (DHA) failed to implement security protocols consistently. As a result, the systems that stored, processed, and transmitted electronic health records and other sensitive patient information were not adequately protected against unauthorised access.
The DoD OIG Report – DoDIG-2017-085, “Protection of Electronic Patient Health Information at Army Military Treatment Facilities” details the failings and includes suggestions made by OIG to improve the system.
The DoD OIG found that Common Access Cards (CACs) were not used to access three DoD EHR systems and two Army-specific systems. In response to this criticism, system administrators claimed that the CAC software was not compatible with some of the software used by older systems, and that it was not possible for multiple users to log in and out of the system without rebooting local terminals.
DoD has requirements for passwords, including minimum complexity requirements. However, the DHA failed to comply with those requirements for its Clinical Information System/Essentris Inpatient System and two Army-specific systems. System administrators believed that the existing network authentication requirements were sufficient to control access, and that addressing the DoD’s password requirements was therefore not necessary.
The report identified three further cybersecurity failures at the Brooke Army Medical Center, Evans Army Community Hospital, and Kimbrough Ambulatory Care Center. Network and system administrators did not grant users access to three EHR systems and four Army-specific systems based on their assigned duties, did not require users to justify their access, and did not align user responsibilities to specific system roles.
Five Army-specific systems and two EHR systems were not configured to lock users out after 15 minutes of inactivity. According to the report, the CIOs at those facilities did not implement the lockout because they did not want to negatively affect system availability. Automatic lockouts are considered a basic IT security requirement by many experts.
Additionally, no standard operating procedures were developed for managing access to the systems, as documented procedures were not considered necessary.
According to the DoD OIG, “Without well-defined, effectively implemented system security protocols, the DHA and Army introduced unnecessary risks that could compromise the integrity, confidentiality, and availability of patient health information.”
The DoD OIG report criticises the failure to implement security protocols and the ineffective application of security protocols, citing the increased risk of a cyber attack, data breach, loss of data, data manipulation, and unauthorised disclosures of patients’ health information as possible consequences.
In addition to the threat to the confidentiality, integrity, and availability of patient data, the failure to adhere to HIPAA Rules exposed the Defense Health Agency to HIPAA compliance fines of up to $1.5 million, per violation category, per year.
The report included 39 recommendations to correct the security failures, based on the NIST Cybersecurity Framework. These recommendations ranged in complexity. For example, the report recommended the use of CACs when accessing DoD EHR and Army-specific systems. A more basic proposal was to ensure that all systems met the password complexity requirements outlined by the DoD.
Three of the recommendations were closed after the DHA Chief of Staff provided reports from the three sites detailing one or more specific security-related performance standards for complying with security requirements and protecting patients’ PHI. One of the criteria was to hold CIOs accountable for the protection of patient health information.
According to the DoD OIG, six of the recommendations remained unresolved because the measures implemented failed to address the identified issues. As of September 30, 2018, 36 of the recommendations remained open.