An audit of eight military hospitals and clinics found security flaws that allowed unauthorized access to patient records and pharmacies, and left the facilities vulnerable to incidents of violence, sabotage or terrorism, according to a Pentagon inspector general report released this week.
Though the facilities “generally implemented physical security controls,” weaknesses were found at all eight locations, and the auditors concluded that similar vulnerabilities may also exist at other facilities operated by the Defense Health Agency.
The report cited recent security incidents at medical facilities —including a 2015 shooting near the William Beaumont Army Medical Center on Fort Bliss, Texas — that underlines the need for more stringent protocols. The rate of workplace violence is also four times higher for health care workers, according to the Occupational Safety and Health Administration, and the Drug Enforcement Agency often warns of the propensity of criminals to target pharmacies for controlled substances.
None of the eight medical treatment facilities audited appear named in the redacted report. The auditors looked at the facilities’ use of security cameras, duress alarms, intrusion detection systems and badging methods to regulate entry to restricted areas.
Six of the eight treatment facilities allowed personnel access to restricted areas like pharmacies, even when they were not specifically authorized to visit those areas. All six had procedures for adding personnel to access control systems, but did not have procedures to ensure that access was revoked when no longer authorized.
“For example, we determined that three unauthorized personnel at a major medical center used a badge to access the narcotics vault,” the audit reads. “According to Army officials, security personnel removed vault access for the three unauthorized personnel as a result of our testing.”
Those individuals were later determined to have had a legitimate need to enter the vault, but shouldn’t have been able to do so with their current badges. Unauthorized access sometimes occurred because the facilities did not properly update access rosters.
However, commanders of two treatment facilities also granted 24-hour access for all staff — including volunteers — to all exterior doors, including emergency exits.
“Security personnel stated that there was no operational need for this level of access but that it was the commanders’ preference,” the audit reads. "The security manager at one of the clinics stated that stairwell doors should be exits only, but the commander overruled him.”
This meant that unauthorized personnel could use a loss or stolen badge to enter through rear exits undetected during hours of darkness and get to equipment, pharmaceuticals and personal patient information.
Fences guarding generators and fuel storage tanks at some of the facilities were also not properly maintained. Some security personnel told the auditors that they lacked the funding to replace ineffective barriers.
The Army, for instance, requires fences surrounding outdoor emergency utilities to be 7-feet high with three-strand barbed wire, and the bottom of the fence must extend to within 2 inches of the ground.
“However, we observed fuel tanks and backup generators at one Army [medical clinic] that were easily accessible by climbing over or crawling under existing fencing,” the audit reads. “Personnel at this clinic stated that unauthorized personnel have breached the fences in the past. The security manager at this [clinic] stated that fences could not be upgraded due to a lack of funding.”
The central energy plant at a “major Navy medical center” was also found to be easily accessible through a large door that was left open and unattended. An audit team member walked through the facility freely, according to their report.
“Access to backup generators and fuel tanks by unauthorized personnel increases the risk of damage, sabotage, or acts of terrorism, potentially resulting in failure of medical equipment and loss of life," the report added.
The standards across DoD medical medical facilities can vary. Although all eight facilities had video monitoring and alarm systems, the equipment was used inconsistently. Some facilities hired contractors to actively watch security cameras in real-time, while others simply archived the video to reference in the event of an incident.
The audit recommended DHA issue new guidance requiring personnel to enter and exit medical facilities through specific sets of doors, such as main entrance or emergency room doors. It also recommended that the DHA conduct quarterly reviews to ensure that access to sensitive areas be limited to authorized personnel and reassess generator and fuel storage security at each medical treatment facility under its purview.
DHA director Army Lt. Gen. Ronald J. Place said he would correct the flaws with interim policies for the use of specific entry doors, security guards, video monitoring and alarm systems until the agency updates physical security requirements.
Place also told the Pentagon inspector general that his agency will task each military service with conducting inspections to identify weaknesses and implement better controls.
“We will close the recommendations when the DHA provides documentation to support these actions,” the audit team wrote.