Protection of Patient Health Information at Navy and Air Force Military Treatment Facilities
Audit: DODIG-2018-109 (pdf)
From the audit’s findings:
Officials from the DHA, Navy, and Air Force did not consistently implement security protocols to protect systems that stored, processed, and transmitted EHRs and PHI at the locations tested. Specifically, we identified issues at the Naval Hospital Camp Pendleton; San Diego Naval Medical Center; USNS Mercy; 436th Medical Group; and Wright-Patterson Medical Center related to:
- accessing networks using multifactor authentication;
- configuring passwords to meet DoD length and complexity requirements;
- mitigate known network vulnerabilities;
- granting users access based on the user’s assigned duties;
- configuring systems to automatically lock after 15 minutes of inactivity;
- reviewing system activity reports to identify unusual or suspicious activities and access;
- developing standard operating procedures to manage system access;
- implementing adequate physical security protocols to protect electronic and paper records containing PHI from unauthorized access;
- maintaining an inventory of all Service specific systems operating that stored, processed, and transmitted PHI; and
- developing or maintaining privacy impact assessments.
Officials from the DHA, Navy, and Air Force did not consistently implement security protocols to protect systems that stored, processed, and transmitted EHRs and PH for a variety of reasons including lack of resources and guidance, system incompatibility, and vendor limitations.
Without well-defined, effectively implemented system security protocols, the DHA, Navy, and Air Force compromised the integrity, confidentiality, and availability of PHI. In addition, ineffective administrative, technical, and physical security protocols that result in a violation of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 could cost the MTFs up to $1.5 million per year in penalties for each category of violation.
Read more on DODIG.