A recent inspection of a California VA medical center by the Department of Veterans Affairs Office of Inspector General (VA OIG) has revealed security weaknesses stemming from medical device workarounds, along with multiple areas of non-adherence with Veterans Health Administration (VHA) and VA policies.
Tibor Rubin VA Medical Center in Long Beach, California was inspected by the VA OIG after VHA and VA privacy and security policy violations were identified during an unrelated investigation.
The auditors identified inappropriate staff workarounds for transferring and integrating information from patient medical devices into the medical center’s EHR system. The auditors also found two potential breaches of patient information while performing the inspection.
The medical center had no working interface between several of its medical devices and its EHR system, so staff resorted to inappropriate workarounds. Biomedical engineering and IT had not fully resolved the software interface issues between the devices and the EHR, and facility staff were using unapproved communication channels that risked the accidental disclosure of sensitive patient information.
Inspectors found that 9 of the 12 medical devices reviewed lacked a working interface with the EHR system, among them a high-resolution esophageal manometry (HRM) device whose interface with the VHA EHR stopped functioning when the medical center upgraded from Windows XP to Windows 7 in 2013. Biomedical engineering and IT had provided assistance when the problems first appeared, but further software interface issues were left unaddressed.
The gastroenterology (GI) provider told the inspectors that the facility’s biomedical engineering and IT departments were involved in the decision to continue using the equipment even though there was no working interface. The GI provider developed two workarounds that were not in line with VHA and VA policies covering sensitive personal information. Those workarounds placed patient information at risk of exposure.
Those workarounds involved the use of the GI provider's personal computer and the transfer of sensitive information via unencrypted email, cloud storage, and a non-VA-issued, unencrypted flash drive. Staff in the GI laboratory, pulmonary/sleep laboratory, and neurology departments had also developed workarounds because of the interface issues that followed the operating system upgrade.
Staff were aware of the importance of patient privacy and securing patient information, and one staff member ensured information was only sent via secure, encrypted email. However, other staff members sent email using personal email accounts, unsecured devices, and via SMS text messages.
VA OIG found that 99% of the emails sent from the GI provider's email account, and 91.7% of the SMS text messages sent to staff, contained sensitive patient information. Inpatient and nursing staff were also found to be using non-secure methods to communicate patient information. In addition, the medical center was still using paper logbooks to record equipment taken home by staff, which is contrary to VHA policy.
The report involved one VA medical center, but the findings are not surprising. Similar problems are experienced by many healthcare providers, which also use workarounds to solve software compatibility issues, even though those workarounds can introduce considerable risk.
The VA OIG has made several recommendations on how the medical center can correct the violations and improve security. These include taking steps to ensure staff members use only secure methods to communicate patient information, and having the medical center director review the communication processes between clinical staff and IT/biomedical engineering, address the outstanding interface issues, and improve communication. The medical center is currently implementing those recommendations.