Department of Defense Health Agency Security Failures Placed Patient Health Information at Risk

According to a recent Department of Defense (DoD) Office of Inspector General report (PDF), the Defense Health Agency (DHA) failed to consistently implement security protocols to protect against the unauthorized accessing of systems that stored, processed, and transmitted electronic health records and other sensitive patient information.

The failures are detailed in the DoD OIG Report – DODIG-2017-085, “Protection of Electronic Patient Health Information at Army Military Treatment Facilities.”

The DoD OIG found that Common Access Cards (CACs) were not used to access three DoD EHR systems and two Army-specific systems. System administrators claimed that the CAC software was not compatible with some of the software used by older systems and it was not possible for multiple users to login and out of the system without rebooting local terminals.

DoD password complexity requirements had been set; however, the DHA failed to comply with those requirements for its Clinical Information System/Essentris Inpatient System and two Army-specific systems. System administrators believed that existing network authentication requirements were sufficient to control access.

Three further cybersecurity failures were identified at the Brooke Army Medical Center, Evans Army Community Hospital, and Kimbrough Ambulatory Care Center. Network and system administrators failed to grant user access to three EHR systems and four Army-specific systems based on assigned duties, did not require user justifications for access, and did not align user responsibilities to specific system roles.

Five Army-specific systems and two EHR systems were not configured to lock users out after 15 minutes of inactivity. According to the report, the CIOs in those facilities failed to implement to lockout as they did not want to negatively affect system availability.

Additionally, standard operating procedures were not developed to manage access to systems as they did not consider documented procedures to be necessary.

According to the DoD OIG, “Without well-defined, effectively implemented system security protocols, the DHA and Army introduced unnecessary risks that could compromise the integrity, confidentiality, and availability of patient health information.”

The DoD OIG pointed out that the failure to implement security protocols and the ineffective application of security protocols increases the risk of a cyberattack, data breach, loss of data, data manipulation, and unauthorized disclosures of patients’ health information.

In addition to threat to the confidentiality, integrity, and availability of patient data, the failure to adhere to HIPAA Rules exposed the Defense Health Agency to HIPAA compliance fines  of up to $1.5 million, per violation category, per year.

The DoD OIG made 39 NIST Cybersecurity Framework-based recommendations to correct the security failures, which included use of CACs when accessing DoD EHR and Army-specific systems and to ensure that password complexity requirements were met for those systems.

Three of the recommendations were closed after the DHA Chief of Staff provided reports from the three sites detailing one or more specific security-related performance standards for complying with security requirements and protecting patients’ PHI. One of the standards was to hold CIOs accountable for the protection of patient health information.

According to the DoD OIG, six of the recommendations remained unresolved as the measures implemented failed to address the identified issues. On September 30, 2018, 36 of the recommendations remained open.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.