Report Outlines Military Health Facility Security Weaknesses
Watchdog Agency: Problems Put Patient Data at Risk
Various military health facilities haven't consistently implemented security controls, putting patient data at risk, according to a new watchdog agency report.
Some security experts say many of the same weaknesses identified in the security reviews by the Department of Defense Office of Inspector General are also quite common at civilian healthcare entities.
The report is based on DoD OIG reviews of 17 information systems - including electronic health records systems - at three Navy and two Air Force health facilities.
Among problems identified at the facilities are:
- Multifactor authentication for network access was underutilized. It often was not used because single-factor authentication was viewed as more "efficient" for accessing PHI at the bedside, the report notes.
- Passwords were not configured to meet DoD length and complexity requirements.
- Known network vulnerabilities sometimes went unmitigated.
- User access was often not granted based on assigned duties.
- Systems were often not configured to automatically lock after 15 minutes of inactivity.
- System activity reports often were not regularly reviewed to identify unusual or suspicious activities and access.
- Facilities often lacked standard operating procedures for managing system access.
- A common issue was inadequate physical security protocols to protect electronic and paper records containing PHI from unauthorized access.
- An inventory of all service-specific systems in operation that stored, processed and transmitted PHI was lacking.
- Privacy impact assessments were not always developed or maintained.
Data at Risk
As a result of these shortcomings, the integrity, confidentiality and availability of protected health information are at risk of compromise, OIG says. "In addition, ineffective administrative, technical and physical security protocols that result in a violation of HIPAA could cost the military facilities up to $1.5 million per year in penalties for each category of violation," OIG says.
"Officials from the Defense Health Agency, Navy, and Air Force did not consistently implement security protocols to protect systems that stored, processed and transmitted EHRs and PHI for a variety of reasons, including lack of resources and guidance, system incompatibility and vendor limitations," the report notes.
Tom Walsh, president of consultancy tw-Security, says most of the findings in the OIG report are common at civilian healthcare organizations as well.
"In medium to large healthcare organizations, there are many diverse applications and systems, each having different security capabilities," he says. "That also means multiple system administrators, and many could be workers not associated with the IT department - such as radiology, lab, pharmacy and biomed. Therefore, consistency with security controls/settings is difficult to achieve."
Authentication is a particularly common challenge within many types of healthcare facilities, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"I've had doctors and nurses complain about needing to authenticate at all," she says. "In one hospital, the CISO was always trying to identify a better authorization process that would take as little time from the medical staff as possible, and found one that required one login by ID and complex password at the beginning of the employee's shift, then locked the devices after 20 minutes of inactivity. The staff would then unlock the computer by either an iris scan or fingerprint scan - whichever they chose for each unlocking."
The caregivers disliked the system, saying it took too long and was cumbersome, Herold says. "Bottom line, the doctors, nurses and technicians said their focus was on patient care, and any type of interruption in that, such as to unlock devices, was not acceptable to them."
Herold notes that another weakness identified by the OIG - log review - is also common throughout healthcare. "Most providers I've worked with do try and review logs, but they all also have challenges with the manual requirements and time for doing so, which results in the review of system activity reports not being as thorough as it should be," she says.
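The log-review weakness raised in the OIG findings and by Herold is partly a tooling problem: a manual read of raw activity reports does not scale, but a small scripted first pass can surface the access patterns a reviewer most needs to look at. The following is an added example, not code from the report or from any facility it describes. It runs three common EHR access-review rules over constructed log lines embedded in the script: a unit-bound user (here, nurses) viewing a patient admitted to another unit, one user opening more distinct patient records in a short window than a care task plausibly needs, and after-hours access by a role that has no round-the-clock duties. The log format, the patient-to-unit map, the role sets and the thresholds are all assumptions chosen for the example and would be replaced by a facility's own values.

```python
"""First-pass review of EHR access logs for unusual access (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp user role user_unit patient_id action.
# These lines are invented for the example and are not from the OIG report.
SAMPLE_LOG = """\
2023-03-01T08:02:11 jdoe nurse ICU P1001 view
2023-03-01T08:03:40 jdoe nurse ICU P1002 view
2023-03-01T08:04:02 jdoe nurse ICU P1003 view
2023-03-01T08:04:30 jdoe nurse ICU P1004 view
2023-03-01T08:05:01 jdoe nurse ICU P1005 view
2023-03-01T08:05:45 jdoe nurse ICU P1006 view
2023-03-01T09:15:00 mlee nurse ORTHO P2001 view
2023-03-01T09:16:10 mlee nurse ORTHO P1002 view
2023-03-01T10:00:00 rpatel physician ICU P2002 update
2023-03-01T23:40:00 bwong radiology_tech RAD P3001 view
2023-03-02T02:10:00 cgarcia billing_clerk BILLING P1001 view
"""

# Assumed reference data: which unit each patient is admitted to.
PATIENT_UNIT = {f"P100{i}": "ICU" for i in range(1, 7)}
PATIENT_UNIT.update({"P2001": "ORTHO", "P2002": "ORTHO", "P3001": "PEDS"})

# Assumed policy: nurses are bound to their own unit; these roles work all hours.
UNIT_BOUND_ROLES = {"nurse"}
ROUND_THE_CLOCK_ROLES = {"nurse", "physician", "radiology_tech"}
BUSINESS_HOURS = (6, 22)            # 06:00 <= hour < 22:00 counts as normal
BULK_THRESHOLD = 5                  # more distinct patients than this ...
BULK_WINDOW = timedelta(minutes=10) # ... within this window is flagged


def parse_log(text):
    """Parse the whitespace-separated constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, unit, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "unit": unit, "patient": patient, "action": action})
    return events


def find_cross_unit_access(events):
    """Unit-bound users touching records of patients admitted to another unit."""
    return [{"rule": "cross_unit", "user": e["user"], "patient": e["patient"],
             "user_unit": e["unit"], "patient_unit": PATIENT_UNIT.get(e["patient"])}
            for e in events
            if e["role"] in UNIT_BOUND_ROLES
            and PATIENT_UNIT.get(e["patient"]) not in (None, e["unit"])]


def find_bulk_access(events, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Users who opened more than `threshold` distinct records inside `window`."""
    findings, by_user = [], defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            patients = {e["patient"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(patients) > threshold:
                findings.append({"rule": "bulk_access", "user": user,
                                 "count": len(patients), "from": start["ts"]})
                break  # one finding per user is enough for a reviewer to pick up
    return findings


def find_after_hours_access(events):
    """Access outside business hours by roles without round-the-clock duties."""
    lo, hi = BUSINESS_HOURS
    return [{"rule": "after_hours", "user": e["user"], "role": e["role"], "ts": e["ts"]}
            for e in events
            if e["role"] not in ROUND_THE_CLOCK_ROLES and not lo <= e["ts"].hour < hi]


def review(text):
    """Run all rules and return findings grouped by rule name."""
    events = parse_log(text)
    return {"cross_unit": find_cross_unit_access(events),
            "bulk_access": find_bulk_access(events),
            "after_hours": find_after_hours_access(events)}


if __name__ == "__main__":
    for rule, hits in review(SAMPLE_LOG).items():
        print(rule, hits)
```

On the constructed sample the script flags mlee (an ORTHO nurse viewing an ICU patient), jdoe (six distinct ICU charts in under four minutes, which may be a legitimate shift start but is exactly the pattern a reviewer should confirm) and cgarcia (a billing clerk in the system at 02:10). Everything else passes, including the radiology technologist at 23:40, because that role is assumed to work around the clock. The point is triage, not judgment: the output is a short list for a human to check against schedules and assignments, which is far more achievable than reading the full activity report.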
Walsh says the OIG finding that he found most troubling was the failure to mitigate known network vulnerabilities.
"Hacking is a persistent threat, and the physical security of a military installation will not thwart that type of threat," he says. "There are nation-states that hate the U.S. military and would do everything possible to cause a disruption."
OIG recommends that military health officials take action to address security issues, including:
- Assessing whether the systemic issues identified in the OIG report exist at other military health facilities;
- Developing and implementing an oversight plan to verify that military health facilities enforce the use of common access cards - an ID card with a microchip - and configure passwords that meet DoD password complexity requirements to access systems that process, store, and transmit PHI;
- Developing a plan of action and milestones and taking appropriate steps to mitigate known network vulnerabilities in a timely manner;
- Implementing procedures to grant access to systems that process, store and transmit PHI based on roles that align with user responsibilities;
- Configuring all systems that contain PHI to automatically lock after 15 minutes of inactivity.
Walsh says the timeout setting for user inactivity is a common trouble spot in healthcare settings. He suggests, however, that the timeout setting should vary in each medical department.
"For example, no physician wants the EHR timing out during a surgery," he notes. "Certain departments/areas of the hospital are restricted access areas, and patients and/or their family would not have physical access to those areas. Therefore, some departments will request an exception to the auto logoff timeout setting because it would otherwise disrupt workflows. ... Patient care is the mission, and information security needs to support the mission - not be seen as a hindrance to patient care."
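The OIG recommendations above and Walsh's point about department-level timeout exceptions can be reconciled in an inventory check: each PHI system is evaluated against the recommended controls, and a longer inactivity lock is recorded as accepted risk only when the system sits in a physically restricted area and a documented, approved exception exists; otherwise it stays a finding. The code below is an added example, not from the report, the Defense Health Agency or any vendor. The inventory records are constructed, and the password thresholds (15 characters, four character classes) are assumptions, because the article names the DoD requirement without stating the figures; the 15-minute lock limit is the one the report gives.

```python
"""Evaluate a PHI system inventory against the recommended controls (added example)."""
from dataclasses import dataclass

LOCK_MINUTES_MAX = 15        # stated in the OIG report
MIN_PASSWORD_LENGTH = 15     # ASSUMPTION: the article does not give the DoD figure
REQUIRED_CHAR_CLASSES = 4    # ASSUMPTION: upper, lower, digit, special


@dataclass
class PhiSystem:
    name: str
    department: str
    cac_required: bool          # common access card (smart card) enforced
    pw_min_length: int
    pw_char_classes: int
    lock_minutes: int           # 0 means the system never locks
    role_based_access: bool     # access granted by role aligned with duties
    restricted_area: bool = False          # department with controlled physical access
    lock_exception_approved: bool = False  # documented, approved timeout exception on file


# Constructed inventory for the example; names and settings are invented.
INVENTORY = [
    PhiSystem("ehr-ws-icu-01", "ICU", cac_required=False, pw_min_length=8,
              pw_char_classes=2, lock_minutes=30, role_based_access=False),
    PhiSystem("ehr-ws-or-03", "OR", cac_required=True, pw_min_length=15,
              pw_char_classes=4, lock_minutes=0, role_based_access=True,
              restricted_area=True, lock_exception_approved=True),
    PhiSystem("ehr-ws-er-02", "ER", cac_required=True, pw_min_length=15,
              pw_char_classes=4, lock_minutes=45, role_based_access=True,
              restricted_area=False, lock_exception_approved=True),
    PhiSystem("pacs-rad-01", "RAD", cac_required=True, pw_min_length=15,
              pw_char_classes=4, lock_minutes=10, role_based_access=True),
]


def evaluate(s: PhiSystem):
    """Return (findings, accepted_risks) for one system."""
    findings, accepted = [], []
    if not s.cac_required:
        findings.append("CAC/multifactor authentication not enforced")
    if s.pw_min_length < MIN_PASSWORD_LENGTH or s.pw_char_classes < REQUIRED_CHAR_CLASSES:
        findings.append(f"password policy below threshold "
                        f"(length {s.pw_min_length}, classes {s.pw_char_classes})")
    if s.lock_minutes == 0 or s.lock_minutes > LOCK_MINUTES_MAX:
        # A timeout exception needs BOTH a restricted area and an approved record;
        # an approval alone (ehr-ws-er-02) does not compensate for public access.
        if s.restricted_area and s.lock_exception_approved:
            accepted.append(f"inactivity lock {s.lock_minutes} min accepted: "
                            f"restricted area with approved exception")
        else:
            findings.append(f"inactivity lock {s.lock_minutes} min exceeds "
                            f"{LOCK_MINUTES_MAX} min without a valid exception")
    if not s.role_based_access:
        findings.append("access not granted by role aligned with duties")
    return findings, accepted


def build_poam(systems):
    """Plan-of-action style list: every system with findings or accepted risks."""
    rows = []
    for s in systems:
        findings, accepted = evaluate(s)
        if findings or accepted:
            rows.append({"system": s.name, "department": s.department,
                         "findings": findings, "accepted_risks": accepted})
    return rows


if __name__ == "__main__":
    for row in build_poam(INVENTORY):
        print(row)
```

Running it lists three of the four constructed systems: the ICU workstation with four findings, the OR workstation with no findings but one accepted risk (never locks, but the area is restricted and the exception is approved), and the ER workstation, whose approved exception does not count because the ER is not a restricted area. The radiology system is compliant and does not appear. Tracking the accepted risks alongside the findings is what keeps a department's workflow exception from silently turning into the "systems not configured to lock" gap the report describes.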
The report notes that officials at the Defense Health Agency and various Navy and Air Force facilities agreed with most of the recommendations and said they would address the issues. Some of the recommendations, however, still await additional comments or suggestions from military health officials, the report states.