FOR OFFICIAL USE ONLY

Report No. DODIG-2018-109
U.S. Department of Defense, Inspector General
May 2, 2018

Protection of Patient Health Information at Navy and Air Force Military Treatment Facilities

INTEGRITY * EFFICIENCY * ACCOUNTABILITY * EXCELLENCE

The document contains information that may be exempt from mandatory disclosure under the Freedom of Information Act.

Mission
Our mission is to provide independent, relevant, and timely oversight of the Department of Defense that supports the warfighter; promotes accountability, integrity, and efficiency; advises the Secretary of Defense and Congress; and informs the public.

Vision
Our vision is to be a model oversight organization in the Federal Government by leading change, speaking truth, and promoting excellence--a diverse organization, working together as one professional team, recognized as leaders in our field.

Fraud, Waste, & Abuse HOTLINE, Department of Defense: dodig.mil/hotline, 800.424.9098

Results in Brief: Protection of Patient Health Information at Navy and Air Force Military Treatment Facilities
May 2, 2018

Objective

Findings

Background

Footnotes:
1. An EHR is a digital, patient-centered record that provides real-time information containing medical and treatment histories of patients and comprehensive information related to the patient's care.
   For this report, effective means that security controls were implemented and operated as defined by Federal and DoD system security requirements.

Findings (cont'd)

Recommendations

Footnote:
2. HIPAA requires covered entities to implement administrative, technical, and physical safeguards to protect the integrity and confidentiality of PHI from unauthorized use or disclosure.

Management Comments and Our Response

Recommendations Table
Columns in the original: Management; Recommendations Unresolved; Recommendations Resolved; Recommendations Closed. The column each entry fell in did not survive extraction; entries are listed by management.
Director, Defense Health Agency: 5
Surgeon General, Department of the Navy: 2.a, 2.b, 2.c, 2.d
Surgeon General, Department of the Air Force: 2.a, 2.b, 2.c, 2.d
Chief Information Officer, U.S. Navy Bureau of Medicine and Surgery: 2.a, 2.b, 2.c, 2.d
Chief Information Officer, U.S. Air Force Medical Service: 2.a, 2.b, 2.c, 2.d
Commander, 436th Medical Group: 3
Commander, Naval Hospital Camp Pendleton: 3
Commander, Naval Medical Center San Diego: 3
Commander, U.S. Naval Ship Mercy: 3, 4, 6
Commander, Wright-Patterson Medical Center: 3
Chief Information Officer, 436th Medical Group: 1.a, 1.b, 1.c, 1.d, 1.e, 1.f, 1.g, 1.h, 1.i
Chief Information Officer, Naval Hospital Camp Pendleton: 1.a, 1.b, 1.c, 1.d, 1.e, 1.f, 1.g, 1.h, 1.i, 4
Chief Information Officer, Naval Medical Center San Diego; Chief Information Officer, U.S. Naval Ship Mercy; Chief Information Officer, Wright-Patterson Medical Center: entries ran together in extraction as 1.e, 1.f, 1.i; 1.a through 1.i, 4; 1.a, 1.b, 1.c, 1.d, 1.g, 1.h; 4; 4; 1.a through 1.i

Please provide Management Comments by June 1, 2018.

Note: The following categories are used to describe agency management's comments to individual recommendations.
o Unresolved - Management has not agreed to implement the recommendation or has not proposed actions that will address the recommendation.
o Resolved - Management agreed to implement the recommendation or has proposed actions that will address the underlying finding that generated the recommendation.
o Closed - OIG verified that the agreed-upon corrective actions were implemented.

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

Contents (page numbers omitted; entries not legible in the extraction are left out)
Introduction
Finding: DHA, Navy, and Air Force Security Protocols for Systems Containing PHI Were Not Effective
Appendixes
Management Comments
Acronyms and Abbreviations
Glossary
GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG G GGGGGGGGGGGGGGGGGGGGGGGGGG Management Comments GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG DdZYLJwE AYE dddG sAlsZYE GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG Glossary GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG FOR OFFICIAL USE ONLY G G vii Introduction FOR OFFICIAL USE ONLY Introduction KduGDls G i O i o RO G i O a a G a a a G i O G G a ae a G G i O a G a G G a G Background G G G a a a a a a a G G a a G a Dz i Oadz a a G 3 4 For this report effective means that security controls were implemented and operated as defined by Federal and DoD system security requirements Report DODIG-2017-085 Protection of Electronic Patient Health Information at Army Military Treatment Facilities July 6 2017 5 Service-specific systems are systems used by the Navy 
and the Air Force 6 Covered entities as defined by HIPAA are health plans health care clearinghouses and health care providers who electronically transmit health-related information for transactions covered by Department of Health and Human Services standards FOR OFFICIAL USE ONLY G G 1 Introduction FOR OFFICIAL USE ONLY a a G G G G DoD Responsibilities for Protecting Health Information a a i Oa a a G G a G a a G a G G G I i OG a a G I A i G OG G I i OG a a a G I i OG a G G I A i OG G G G G I G G 7 42 U S Code 1320d-5 describes four categories related to HIPAA violations that covered entities 1 were unaware of 2 not willfully neglected and the violation was due to reasonable cause 3 willfully neglected but addressed in a timely manner and 4 willfully neglected and did not address in a timely manner FOR OFFICIAL USE ONLY 2 G G Introduction FOR OFFICIAL USE ONLY i a a O a a a G G a G a a a G G G a a a a G a a a a a G Service Commands' Role in Protecting Health Information i O i Oa a G a a a G a a G a G G a G a G G MTFs and Systems Reviewed a a G a G a a G G a a a G a a i OAE a i OAE a AE a a a i OAE G FOR OFFICIAL USE ONLY G G 3 Finding FOR OFFICIAL USE ONLY a a i OG a G G a a G i OG NHCP I I I NMC San Diego I I A i A O I i O USNS Mercy I i O Dover Clinic I I i O WPMC I i O I I Guidance on Protecting PHI a a G I Health Insurance Portability and Accountability Act of 1996 Public Law 104-191 August 21 1996 Section 1173 d 2 G a a G o DoD Instruction 8580 02 Security of Individually Identifiable Health Information in DoD Healthcare Programs August 12 2015G G a a a G FOR OFFICIAL USE ONLY 4 G G Finding FOR OFFICIAL USE ONLY o DoD Instruction 6025 18 Privacy of Individually Identifiable Health Information in DoD Health Care Programs December 2 2009G G G o National Institute of Standards and Technology Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations April 2013G G G G G a a G Review of Internal Controls G 
G a a G a a a a a a a G G a a a G 8 9 Federal Information Processing Standard Publication 200 Minimum Security Requirements for Federal Information and Information Systems March 2006 DoD Instruction 5010 40 Managers' Internal Control Program Procedures May 30 2013 FOR OFFICIAL USE ONLY G G 5 Finding FOR OFFICIAL USE ONLY Finding DHA Navy and Air Force Security Protocols for Systems Containing PHI Were Not Effective a a a a G a i O a a G i OG G a a a a a G i O G a ae I AE I i O G i O AE I a a G a G i O i O a a AE 10 Navy and Air Force officials include BUMED AFMS MTF Chief Information Officers and the MTF information assurance managers and officers FOR OFFICIAL USE ONLY 6 G G Finding FOR OFFICIAL USE ONLY I a a G i O AE I a a G a G i O G a G a a a G a a G a G i O a a i O G i OG a i G G OG G a a a a a a G a a AE AE AE G a a a G G 11 DoD Instruction 8510 01 Risk Management Framework RMF for DoD Information Technology IT March 12 2014 Incorporating Change 2 July 28 2017 FOR OFFICIAL USE ONLY G G 7 Finding FOR OFFICIAL USE ONLY System Security Protocols Were Ineffective or Not Implemented a a a a a a G a a a ae I AE I AE I AE I i O a a AE I AE I AE I AE I G CAC Usage Was Not Consistently Enforced a a a a a a G G AE a a a a G G G G G G 12 DoD Instruction 8520 03 Identity Authentication for Information Systems May 13 2011 FOR OFFICIAL USE ONLY 8 G G Finding FOR OFFICIAL USE ONLY G G a a G a a G a a AE a G G G a G a a a AE AE G a a a a G G a a a G a a a a ae I AE I AE I G G G G a a a G a a 13 14 15 A token authenticates a user's identity The CHCS provides the overall infrastructure for AHLTA To access the CHCS users must enter a user name and password Because users could access AHLTA through the CHCS the MTFs allowed users to also access AHLTA using a user name and password During the audit the USNS Mercy implemented the use of CACs in November 2017 to access Carestream FOR OFFICIAL USE ONLY G G 9 Finding FOR OFFICIAL USE ONLY G a G G G a a a G G a G G a G a a a a a G 
System Passwords Did Not Meet Complexity Requirements

Footnote:
16. Application Security and Development Security Technical Implementation Guide, Release 4, April 28, 2017.

Network Vulnerabilities Were Not Consistently Mitigated

Footnotes:
17. Chairman of the Joint Chiefs of Staff Manual 6510.02, "Information Assurance Vulnerability Management (IAVM) Program," November 5, 2013.
18. The scans we obtained identified all unmitigated vulnerabilities at a specific point in time, regardless of the date when the vulnerability was first identified, that could be used to exploit network security at the five MTFs.
19. Critical vulnerabilities, if exploited, would likely result in privileged access to servers and information systems and therefore require immediate patches. High vulnerabilities, if exploited, could result in obtaining elevated privileges, significant data loss, or network downtime.
20. Denial of service results in preventing authorized access to resources or delaying time-critical operations from occurring.
21. Category I vulnerabilities, if exploited, would directly and immediately result in loss of confidentiality, availability, or integrity of data. Category II vulnerabilities, if exploited, could potentially result in the loss of confidentiality, availability, or integrity of data.
22. DHA must agree to and approve an MTF CIO's decision to accept risk when the MTF operates on a DHA Medical Community of Interest network. NMC San Diego was in the process of transitioning to the DHA's network and therefore required DHA approval.

Data Was Not Consistently Protected

Footnotes:
23. DoD Instruction 8580.02, "Security of Individually Identifiable Health Information in DoD Healthcare Programs," August 12, 2015.
24. systems, including printers, fax machines, or scanners (only this fragment of the footnote survived)

User Roles and Privileges Did Not Always Align With User Responsibilities

Footnotes:
25. National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations," April 2013, and DoD Instruction 8530.01, "Cybersecurity Activities Support to DoD Information Network Operations," March 7, 2016.
26. System administrators at NHCP developed procedures to manage access to McKesson Cardiology.

Table 1. Systems Without Written Procedures for Managing System Access
Columns: Systems Without Procedures for Granting Access, by MTF (Dover Clinic, NHCP, NMC San Diego, USNS Mercy, WPMC); Systems Without Procedures for Deactivating Access, by MTF (same five MTFs).
Systems listed: AHLTA, AHLTA-T, Audio Metric Database System, Carestream, CHCS, Innovian, Maritime Medical Module, McKesson Cardiology, Nuclear Medicine Information System, Parata System Suite, PeerVue, TC2, Essentris, PACS, Epiphany Electrocardiogram Management, HAIMS.
The per-MTF marks did not survive extraction.
Source: The DoD OIG.

Systems Were Not Configured to Lock Automatically After Extended Periods of Inactivity

Table 2. Automatic Lockout Settings for Inactivity (in Minutes)
MTFs: Dover Clinic, NHCP, NMC San Diego, USNS Mercy, WPMC.
Systems: AHLTA, AHLTA-T, Audio Metric Database System, Carestream, CHCS, Essentris, Innovian, Maritime Medical Module, McKesson Cardiology, Nuclear Medicine Information System, PACS, TC2.
Cell values that survived extraction, without their MTF column: 30 (AHLTA, AHLTA-T), 15, 20, 166 and 1,666 (Essentris), 1,666 (TC2), and NC.
Note: Gray cells indicate the system was not used at the MTF. NC (not configured) indicates the system was not configured to lock automatically. The Carestream system administrator configured the system to lock after 10 minutes of inactivity after the site visit.
Source: The DoD OIG.

Footnote:
27. BUMED Memorandum, "Exception to Policy Request to Exceed Standard 15-Minute System Timeout Setting," November 15, 2011.

System Activity Was Not Consistently Reviewed

Physical Access to PHI Was Not Consistently Controlled

Footnote:
28. System activity reports are generated from audit logs that record system activity, such as system access and user activities, in a given period. National Institute of Standards and Technology Special Publication 800-66, "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule," October 2008.

BUMED, AFMS, and MTFs Could Not Account for Systems Containing PHI

Footnote:
29. An authorized holder of official information determines if an individual requires access to specific information to perform official duties.

PIAs Were Not Updated or Did Not Exist

Table 3. Systems With Expired PIAs
System; PIA Approval Date; Expiration Date
AHLTA; October 10, 2013; October 10, 2016
Audio Metric Database System; NS; NS
BMBB TS; September 10, 2014; September 10, 2017
CHCS; August 7, 2013; August 7, 2016
HAIMS; September 9, 2013; September 9, 2016
Innovian; May 2, 2013; May 2, 2016
PACS; September 10, 2014; September 10, 2017
Parata System Suite; August 20, 2014; August 20, 2017
NS (not signed) indicates the approving CIO did not sign the system's PIA.
Note: Data current as of October 2017.
Source: The DoD OIG.

Footnote:
30. DoD Instruction 5400.16, "DoD Privacy Impact Assessment (PIA) Guidance," July 14, 2015.

Increased Risk of Unauthorized Disclosures of PHI

Footnote:
31. DoD Instruction 8510.01 requires DoD Components to transition information systems that collect, maintain, and disseminate personally identifiable information to the integrated DoD-wide decision-making process by April 2018.
Footnotes:
32. A health care business associate is an organization that helps covered entities carry out its health care activities and functions.
33. Breaches that affect 500 individuals or more must be reported to the Secretary of the Department of Health and Human Services.
34. Other locations of breached information included network servers, e-mails, laptops, portable electronic devices, desktop computers, and paper.

Recommendations, Management Comments, and Our Response

Recommendation 1
We recommend that the Chief Information Officers for Naval Hospital Camp Pendleton, Naval Medical Center San Diego, U.S. Naval Ship Mercy, the 436th Medical Group, and Wright-Patterson Medical Center:
a. Implement appropriate configuration changes to enforce the use of a Common Access Card to access all systems that process, store, and transmit patient health information, or obtain a waiver that exempts the systems from using Common Access Cards.
b. Configure passwords for all systems that process, store, and transmit patient health information to meet DoD length and complexity requirements.
c. Develop a plan of action and milestones and take appropriate steps to mitigate known network vulnerabilities in a timely manner.
d. Require written justification for obtaining access to all systems that process, store, and transmit patient health information, and implement procedures to grant access to the systems based on roles that align with user responsibilities.
e. Configure all systems that process, store, and transmit patient health information to lock automatically after 15 minutes of inactivity.
f. Appropriately configure and regularly review system audit reports and logs to identify user and system activity anomalies.
g. Develop and maintain standard operating procedures for granting access, assigning and elevating privileges, and deactivating user access.
h. Review and identify all systems used to process, store, and transmit patient health information; develop a baseline of systems used at each military treatment facility; and regularly, at least annually, validate the accuracy of the inventory of systems.
i. Develop and maintain access request forms for all users of systems that process, store, and transmit patient health information, and verify, at least annually, the continued need for system access.
(Navy Comments, Military Sealift Command Comments, Air Force Comments, and Our Response for each part of Recommendation 1: text not recoverable from the extraction.)

Footnote:
35. The BUMED Executive Director specifically responded for the Assistant Chief of Staff, Naval Medicine West; NHCP and NMC San Diego; Assistant Deputy Chief for Information Management and Technology, BUMED; and the Privacy Program Office, BUMED.

Recommendation 2
We recommend that the Surgeons General for the Departments of the Navy and Air Force, in coordination with Chief Information Officers for the U.S. Navy Bureau of Medicine and Surgery and the U.S. Air Force Medical Service, assess whether the systemic issues identified in this report exist at other Service-specific military treatment facilities and develop and implement an oversight plan to:
a. Verify that military treatment facilities enforce the use of Common Access Cards to access systems that process, store, and transmit patient health information, or obtain a waiver that exempts the systems from using Common Access Cards.
b. Verify that military treatment facilities configure passwords for systems that process, store, and transmit patient health information to meet DoD length and complexity requirements.
c. Develop a baseline of systems used at each military treatment facility and regularly, at least annually, validate the accuracy of the inventory of systems.
d. Verify that privacy impact assessments are developed and updated for all systems that process, store, and transmit patient health information.
(Navy Comments, Air Force Comments, and Our Response: text not recoverable from the extraction.)
Footnote:
36. AFMS transitioned oversight responsibilities to the DHA in October 2016. Therefore, the DHA is responsible for providing written procedures that include a process for verifying that PIAs are completed regularly for all systems.

Recommendation 3
We recommend that the Commanders, 436th Medical Group, Naval Hospital Camp Pendleton, Naval Medical Center San Diego, U.S. Naval Ship Mercy, and Wright-Patterson Medical Center, review the performance of their Chief Information Officers and consider administrative action, as appropriate, for not following Federal and DoD guidance for protecting patient health information, to include:
o not mitigating known vulnerabilities in a timely manner;
o not developing plans of action and milestones for unmitigated vulnerabilities; and
o not formally accepting risks for unmitigated vulnerabilities.
(Navy Comments, Air Force Comments, Military Sealift Command Comments, and Our Response: text not recoverable from the extraction.)

Recommendation 4
(FOUO) We recommend that the Chief Information Officers for Naval Hospital Camp Pendleton, U.S. Naval Ship Mercy, and Wright-Patterson Medical Center and for systems that process, store, and transmit patient health information.
(Navy Comments, Air Force Comments, Military Sealift Command Comments, and Our Response: text not recoverable from the extraction.)

Recommendation 5
We recommend that the Director, Defense Health Agency, configure the Armed Forces Health Longitudinal Technology Application, the Composite Health Care System, the Clinical Information System (Essentris Inpatient System), and all other Defense Health Agency-owned systems that process, store, and transmit patient health information to lock automatically after 15 minutes of inactivity.
(DHA Comments and Our Response: text not recoverable from the extraction.)

Recommendation 6
We recommend that the Commander, U.S. Naval Ship Mercy, implement physical access controls to identify and record the names of personnel and the times when personnel accessed a patient's paper medical records, and regularly, at least monthly, reconcile the logs against the list of authorized personnel with access to the area.
(Military Sealift Command Comments and Our Response: text not recoverable from the extraction.)

Appendix A
Scope and Methodology

Table 4. List of Systems Used at Each MTF Visited
System Name (Owner): Description. The marks showing which of the five MTFs (Dover Clinic, NHCP, NMC San Diego, USNS Mercy, WPMC) used each system did not survive extraction.
AHLTA (DHA): Used to access patient conditions, prescriptions, and diagnostic test results.
AHLTA-T (DHA): Used by deployed medical staff to document clinical care.
Audio Metric Database System (Navy): Used by audiologists to obtain data from medical devices to diagnose patient hearing problems.
BMBB TS (DHA): Used to collect and maintain blood records, blood orders, and patient information to support blood transfusions.
Carestream Picture Archiving and Communication System (Carestream) (Navy): Used to access cardiovascular records.
CHCS (DHA): Used to track appointments, order laboratory tests, authorize radiology procedures, and prescribe medications.
Innovian (Air Force): Used by anesthesiologists to record and manage anesthesia vital signs in the operating room.
Epiphany Electrocardiogram Management (Air Force): Used to import, manage, and export diagnostic test results.
Essentris (DHA): Used to capture bedside point-of-care data, such as real-time heart and fetal monitoring.
HAIMS (DHA): Used to access radiographs, clinical photographs, audio files, videos, and scanned documents.
McKesson Cardiology (Navy): Used to record the results of electrocardiograms, stress tests, and other heart-related tests.
Maritime Medical Module (DHA): Used aboard ships to store and process data and continuously monitor the medical environment and health of personnel who live and work on the ship.
PeerVue (Navy): Used to prioritize orders for ultrasounds and magnetic resonance imaging tests.
PACS (Air Force): Used by radiologists to access radiology exam images regardless of their physical location.
TC2 (DHA): Used by deployed medical personnel to document inpatient healthcare and ordered services and view patient results. The TC2 includes limited CHCS functionality.
Parata System Suite (Navy): Used to manage prescription barcode scanning and electronic imaging.
Nuclear Medicine Information System (Air Force): Used to monitor the receipt and distribution of radioactive material to patients.
Source: The DoD OIG.

Table 5. Universe and Sample Size per System at Each MTF Visited
Values are Universe / Sample Size / Number of Errors Identified.
Dover Clinic: AHLTA 207 / 39 / 0; CHCS 471 / 43 / 52; HAIMS 137 / 33 / 4; PACS 25 / 17 / 34; Totals 840 / 132 / 90
NHCP: AHLTA 1,211 / 45 / 3; CHCS 1,543 / 44 / 83; Essentris 973 / 44 / 68; McKesson Cardiology 142 / 33 / 33; Parata System Suite 68 / 30 / 31; PeerVue 484 / 43 / 1; Totals 4,421 / 239 / 219
NMC San Diego: AHLTA 3,747 / 45 / 9; Audio Metric Database System 14 / 14 / 17; BMBB TS 34 / 18 / 18; CHCS 1,221 / 45 / 54; Essentris 2,462 / 45 / 14; HAIMS 3,747 / 45 / 8; Totals 11,225 / 212 / 120
USNS Mercy: AHLTA-T 12 / 12 / 0; Carestream PACS 1 / 1 / 0; Maritime Medical Module 6 / 6 / 6; TC2 1,078 / 44 / 1; Totals 1,097 / 63 / 7
WPMC: AHLTA 2,354 / 45 / 7; CHCS 3,316 / 45 / 67; Epiphany Electrocardiogram Management 10 / 10 / 8; Essentris 1,923 / 44 / 41; Innovian 30 / 17 / 13; Nuclear Medicine Information System 7 / 7 / 0; Totals 7,640 / 168 / 136
Grand Total: 25,223 / 814 / 572
Note on errors identified: Multiple access control issues identified on systems at MTFs visited. See Appendix B for specific issues identified.
Source: The DoD OIG.

Use of Computer-Processed Data

Use of Technical Assistance

Prior Coverage
GAO
DoD OIG
Navy

Appendix B
Summary of Access Control Problems at the MTFs Visited

Table 6. Access Control Problems at MTFs Visited
Columns: MTF; System Name; Missing or Incomplete Access Request Forms; No Justification for Elevated Privileges; Inactive Users with System Access; Shared System Administrator Accounts; System Roles Did Not Align With User Duties. Rows cover the systems at the Dover Clinic, NHCP, NMC San Diego, USNS Mercy, and WPMC, with totals per MTF; the cell values did not survive extraction.
Source: The DoD OIG.

Management Comments
Defense Health Agency (Final Report Reference: Recommendation 5, on page 44)
Surgeon General for the Department of the Air Force
Navy Bureau of Medicine and Surgery (continued over several pages)
Comments Navy Bureau of Medicine and Surgery cont'd FOR OFFICIAL USE ONLY G G 69 Management Comments FOR OFFICIAL USE ONLY Navy Bureau of Medicine and Surgery cont'd FOR OFFICIAL USE ONLY 70 G G FOR OFFICIAL USE ONLY Management Comments Navy Bureau of Medicine and Surgery cont'd FOR OFFICIAL USE ONLY G G 71 Management Comments FOR OFFICIAL USE ONLY Navy Bureau of Medicine and Surgery cont'd FOR OFFICIAL USE ONLY 72 G G FOR OFFICIAL USE ONLY Management Comments Navy Bureau of Medicine and Surgery cont'd FOR OFFICIAL USE ONLY G G 73 Management Comments FOR OFFICIAL USE ONLY Navy Bureau of Medicine and Surgery cont'd FOR OFFICIAL USE ONLY 74 G G FOR OFFICIAL USE ONLY Management Comments Navy Bureau of Medicine and Surgery cont'd FOR OFFICIAL USE ONLY G G 75 Management Comments FOR OFFICIAL USE ONLY Military Sealift Command FOR OFFICIAL USE ONLY 76 G G FOR OFFICIAL USE ONLY Management Comments Military Sealift Command cont'd FOR OFFICIAL USE ONLY G G 77 Management Comments FOR OFFICIAL USE ONLY Military Sealift Command cont'd FOR OFFICIAL USE ONLY 78 G G FOR OFFICIAL USE ONLY Management Comments Military Sealift Command cont'd FOR OFFICIAL USE ONLY G G 79 Management Comments FOR OFFICIAL USE ONLY Military Sealift Command cont'd FOR OFFICIAL USE ONLY 80 G G FOR OFFICIAL USE ONLY Acronyms and Abbreviations Acronyms and Abbreviations Acronym Definition AFMS Air Force Medical Service AHLTA Armed Forces Health Longitudinal Technology Application AHLTA-T Armed Forces Health Longitudinal Technology Application-Theater BMBB TS Blood Management Blood Bank Transfusion Service BUMED Navy Bureau of Medicine and Surgery CAC Common Access Card CHCS Composite Health Care System CIO Chief Information Officer DHA Defense Health Agency EHR Electronic Health Record Essentris Clinical Information System Essentris Inpatient System HAIMS Health Artifact and Imaging Management Solution HIPAA Health Insurance Portability and Accountability Act Innovian Draeger Innovian Anesthesia MHS Military 
Health System MTF Military Treatment Facility PACS Picture Archiving and Communication System PIA Privacy Impact Assessment PHI Patient Health Information POA M Plan of Action and Milestones SOP Standard Operating Procedure TC2 Theater Medical Information Program CHCS Cache System FOR OFFICIAL USE ONLY G G 81 Glossary FOR OFFICIAL USE ONLY Glossary Audit Logs G G Authentication G Category I Vulnerability a a a a G Category II Vulnerability a a a a G Common Access Card CAC G Covered Entities a i O a i O a i O G G Critical Vulnerabilities a a a G Data at Rest G Data in Transit G Deactivated Access G Healthcare Business Associate G High Vulnerabilities a a a G FOR OFFICIAL USE ONLY 82 G G Glossary FOR OFFICIAL USE ONLY Information Assurance a a a a G G Information Assurance Vulnerability Alerts a G Least privilege G Nonprivileged User G G Patch a a G Patient Health Information PHI a a AE G Privacy Impact Assessment PIA G Public Key Infrastructure G Standard Operating Procedure SOP G Token G FOR OFFICIAL USE ONLY G G 83 FOR OFFICIAL USE ONLY Whistleblower Protection G G CeCeeECee Ec CcCeEC The Whistleblower Protection Ombudsman's role is to educate agency employees about prohibitions on retaliation and employees' rights and remedies available for reprisal The DoD Hotline Director is the designated ombudsman For more information please visit the Whistleblower webpage at www dodig mil Components Administrative-Investigations DoD-Hotline For more information about DoD OIG reports or activities please contact us Congressional Liaison 703 604 8324 Media Contact public affairs@dodig mil 703 604 8324 DoD OIG Mailing Lists www dodig mil Mailing-Lists Twitter www twitter com DoD_IG DoD Hotline www dodig mil hotline FOR OFFICIAL USE ONLY FOR OFFICIAL USE ONLY W ZdD Ed K E K K E W dKZ ' E Z a G G G G G G FOR OFFICIAL USE ONLY This document is from the holdings of The National Security Archive Suite 701 Gelman Library The George Washington University 2130 H Street NW Washington D 
C 20037 Phone 202 994-7000 Fax 202 994-7005 nsarchiv@gwu edu