Report No. DODIG-2018-109 for OFFICIAL USE ONLY

FOR OFFICIAL USE ONLY
U.S. Department of Defense Inspector General
MAY 2, 2018

Protection of Patient Health Information at Navy and Air Force Military Treatment Facilities

INTEGRITY EFFICIENCY ACCOUNTABILITY EXCELLENCE

The document contains information that may be exempt from mandatory disclosure under the Freedom of Information Act.

Mission
Our mission is to provide independent, relevant, and timely oversight of the Department of Defense that supports the warfighter; promotes accountability, integrity, and efficiency; advises the Secretary of Defense and Congress; and informs the public.

Vision
Our vision is to be a model oversight organization in the Federal Government by leading change, speaking truth, and promoting excellence—a diverse organization, working together as one professional team, recognized as leaders in our field.

Fraud, Waste, & Abuse HOTLINE, Department of Defense: dodig.mil/hotline | 800.424.9098
For more information about whistleblower protection, please see the inside back cover.

Results in Brief
Protection of Patient Health Information at Navy and Air Force Military Treatment Facilities
May 2, 2018
(Project No. D2017-D000RC-0113.000)

Objective

We determined whether the Departments of the Navy and Air Force designed and implemented effective security protocols to protect electronic health records (EHRs) and individually identifiable health information (patient health information [PHI]) from unauthorized access and disclosure.1

This report is the second in a series of reports on security protocols used by the Military Departments for protecting EHR and PHI systems. The first report (DODIG-2017-085) identified that the Defense Health Agency (DHA) and the Army did not consistently implement effective security protocols to protect systems that stored, processed, and transmitted PHI.

Background

We visited three Navy facilities—Naval Hospital Camp Pendleton, Camp Pendleton, California; San Diego Naval Medical Center, San Diego, California; and the U.S. Naval Ship (USNS) Mercy, San Diego, California; and two Air Force facilities, the 436th Medical Group, Dover, Delaware; and Wright-Patterson Medical Center, Dayton, Ohio. We reviewed 17 information systems at the 5 locations: 3 DoD EHR systems, 3 modified EHR systems used aboard the USNS Mercy, 2 DHA-owned systems, and 9 Service-specific systems.

1 An EHR is a digital patient-centered record that provides real-time information containing medical and treatment histories of patients and comprehensive information related to the patient’s care. For this report, “effective” means that security controls were implemented and operated as defined by Federal and DoD system security requirements.

Findings

Officials from the DHA, Navy, and Air Force did not consistently implement security protocols to protect systems that stored, processed, and transmitted EHRs and PHI at the locations tested. Specifically, we identified issues at the Naval Hospital Camp Pendleton; San Diego Naval Medical Center; USNS Mercy; 436th Medical Group; and Wright-Patterson Medical Center related to:

• accessing networks using multifactor authentication;
• configuring passwords to meet DoD length and complexity requirements;
• mitigating known network vulnerabilities;
• (FOUO) [redacted] and [redacted];
• granting users access based on the user’s assigned duties;
• configuring systems to lock automatically after 15 minutes of inactivity;
• reviewing system activity reports to identify unusual or suspicious activities and access;
• developing standard operating procedures to manage system access;
• implementing adequate physical security protocols to protect electronic and paper records containing PHI from unauthorized access;
• maintaining an inventory of all Service-specific systems operating that stored, processed, and transmitted PHI; and
• developing or maintaining privacy impact assessments.

Officials from the DHA, Navy, and Air Force did not consistently implement security protocols to protect systems that stored, processed, and transmitted EHRs and PHI for a variety of reasons including lack of resources and guidance, system incompatibility, and vendor limitations.

Findings (cont’d)

Without well-defined, effectively implemented system security protocols, the DHA, Navy, and Air Force compromised the integrity, confidentiality, and availability of PHI. In addition, ineffective administrative, technical, and physical security protocols that result in a violation of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 could cost the MTFs up to $1.5 million2 per year in penalties for each category of violation.

2 HIPAA requires covered entities to implement administrative, technical, and physical safeguards to protect the integrity and confidentiality of PHI from unauthorized use or disclosure.

Recommendations

We recommend that the Director, DHA, configure the DoD EHR systems and other DHA-owned systems that process, store, and transmit PHI to lock automatically after 15 minutes of inactivity.

We recommend, among other actions, that the Surgeons General for the Departments of the Navy and Air Force, in coordination with the Navy Bureau of Medicine and Surgery and the Air Force Medical Service:

• assess whether the systemic issues identified in this report exist at other Service-specific MTFs; and
• develop and implement an oversight plan to verify that MTFs enforce the use of Common Access Cards and configure passwords that meet DoD password complexity requirements to access systems that process, store, and transmit PHI.

We also recommend, among other actions, that the MTF Chief Information Officers:

• develop a plan of action and milestones and take appropriate steps to mitigate known network vulnerabilities in a timely manner;
• implement procedures to grant access to systems that process, store, and transmit PHI based on roles that align with user responsibilities;
• configure all systems that contain PHI to lock automatically after 15 minutes of inactivity; and
• (FOUO) [redacted] and [redacted] for systems that process, store, and transmit PHI.

Management Comments and Our Response

The DHA Director agreed that the DHA could potentially configure systems to lock automatically after a defined period of inactivity, but did not provide assurance that the DHA would configure its systems that process, store, and transmit PHI to lock automatically after 15 minutes of inactivity.

The Navy Executive Director, Navy Bureau of Medicine and Surgery, agreed with all recommendations for the Navy Bureau of Medicine and Surgery and the Naval Hospital Camp Pendleton. The Executive Director also agreed with 10 recommendations for the Naval Medical Center San Diego and disagreed with one recommendation. However, recommendations for the Navy Bureau of Medicine and Surgery, Naval Hospital Camp Pendleton, and the Naval Medical Center San Diego are unresolved, and require additional comments.

In addition, the Air Force Surgeon General agreed with all 15 recommendations addressed to his office and the Air Force MTFs; however, one recommendation is unresolved and requires additional comments. Furthermore, the Military Sealift Command Chief of Staff agreed with nine recommendations, partially agreed with two, and disagreed with one recommendation for the USNS Mercy. However, the Chief of Staff identified additional controls and alternative actions that the USNS Mercy would implement that resolved all recommendations. Please see the Recommendations Table on the next page.

Recommendations Table

The table assigns each recommendation to one of three categories (Recommendations Unresolved, Recommendations Resolved, Recommendations Closed) by management addressee; where an addressee’s recommendations fall under more than one category, the groups are separated by a semicolon.

• Director, Defense Health Agency: 5
• Surgeon General, Department of the Navy: 2.a, 2.b, 2.c, 2.d
• Surgeon General, Department of the Air Force: 2.a, 2.b, 2.c, 2.d
• Chief Information Officer, U.S. Navy Bureau of Medicine and Surgery: 2.a, 2.b, 2.c, 2.d
• Chief Information Officer, U.S. Air Force Medical Service: 2.a, 2.b, 2.c, 2.d
• Commander, 436th Medical Group: 3
• Commander, Naval Hospital Camp Pendleton: 3
• Commander, Naval Medical Center San Diego: 3
• Commander, U.S. Naval Ship Mercy: 3, 4, 6
• Commander, Wright-Patterson Medical Center: 3
• Chief Information Officer, 436th Medical Group: 1.a, 1.b, 1.c, 1.d, 1.e, 1.f, 1.g, 1.h, 1.i
• Chief Information Officer, Naval Hospital Camp Pendleton: 1.a, 1.b, 1.c, 1.d, 1.e, 1.f, 1.g, 1.h, 1.i, 4
• Chief Information Officer, Naval Medical Center San Diego: 1.a, 1.b, 1.c, 1.d, 1.e, 1.f, 1.i; 1.g, 1.h, 4
• Chief Information Officer, U.S. Naval Ship Mercy: 1.a, 1.b, 1.c, 1.d, 1.e, 1.f, 1.g, 1.h, 1.i, 4
• Chief Information Officer, Wright-Patterson Medical Center: 1.a, 1.b, 1.c, 1.d, 1.e, 1.f, 1.g, 1.h, 1.i; 4

Please provide Management Comments by June 1, 2018.

Note: The following categories are used to describe agency management’s comments to individual recommendations.

• Unresolved – Management has not agreed to implement the recommendation or has not proposed actions that will address the recommendation.
• Resolved – Management agreed to implement the recommendation or has proposed actions that will address the underlying finding that generated the recommendation.
• Closed – OIG verified that
