Network security issues, inconsistent access rules and other deficiencies outlined in a new Department of Defense Inspector General report led auditors to a harsh verdict on DoD’s electronic health records practices.

“Without well-defined, effectively implemented system security protocols, the [Defense Health Agency], Navy and Air Force compromised the integrity, confidentiality, and availability of” patient health information, auditors stated, in a report released Monday.

In addition to privacy and access concerns, the violations could cost money: up to $1.5 million a year per each category violation under the Health Insurance Portability and Accountability Act of 1996, auditors noted. HIPAA is designed to protect the integrity and confidentiality of patient health information from unauthorized use or disclosure.

The IG report is based on visits to three Navy facilities in California ― Naval Hospital Camp Pendleton, San Diego Naval Medical Center, and the Navy hospital ship Mercy ― and two Air Force facilities: The 436th Medical Group in Dover, Delaware, and Wright-Patterson Medical Center in Dayton, Ohio. Among the findings:

  • The facilities didn’t always require the use of common access cards to access records systems. DoD regulations mandate CAC usage to access all DoD networks.
  • Network security issues were not addressed immediately. One example: Of the 36,926 vulnerabilities identified in an April 22, 2017, network scan at Naval Hospital Camp Pendleton, only one had been addressed as of a May 7, 2017, follow-up scan.
  • Systems weren’t set up to lock after 15 minutes of inactivity, per DoD guidelines. Some stayed unlocked for hours, per the report, while others remained accessible indefinitely.

Issues stemmed from a variety of causes, auditors stated, including lack of resources and guidance, system incompatibility and vendor limitations.

The investigation follows a July 2017 report, also from the DoD IG, detailing similar inconsistencies in DoD and Army security procedures regarding patient health records. That report noted that most of their recommendations were being addressed.

The Navy pledged to enforce CAC guidance at its facilities by June 1 as well as address concerns over weak passwords, in their response to the report. Air Force Surgeon General Lt. Gen. Mark Ediger responded that the Air Force is assessing its other military treatment facilities to ensure they are enforcing the use of CACs to access patient health information systems, and verifying their passwords meet the DoD security requirements by Nov. 1.

Auditors also recommended all DoD-run systems that process medical information be set to lock after 15 minutes of inactivity, except in rare cases where such a lock could be a barrier to real-time patient care, such as in an operating room.

Naval Hospital Camp Pendleton, Calif., was one of five facilities surveyed in a recent DoD Inspector General report. (Cpl. Brianna Christensen/Marine Corps)
Naval Hospital Camp Pendleton, Calif., was one of five facilities surveyed in a recent DoD Inspector General report. (Cpl. Brianna Christensen/Marine Corps)

DoD is the process of replacing three electronic health records systems with MHS Genesis, which will provide a single health record service for service members, veterans and their families, and is expected to be fully deployed at all military treatment facilities in 2022.

In addition, the defense authorization act for fiscal 2017 requires that, beginning Oct. 1, the Defense Health Agency will manage information technology, budget, policies and procedures, health care administration and management, and military medical construction for the DoD electronic health records systems at all the military treatment facilities.