An investigation by HHS' Office of Inspector General found that the National Institutes of Health did not have proper security controls and policies in place to protect patient data in its EHR.
NIH uses its Clinical Research Information System to store information for patients involved at the Clinical Center. In collaboration with the CliftonLarsonAllen, the OIG reviewed NIH policies and procedures, tested system security controls and configurations, and inspected public information on its website. Additionally, NIH staff were interviewed to determine the integrity of EHR data.
While investigators determined NIH had certain controls in place to protect patient data, overall the investigators determined that NIH's information security policies and procedures were not effectively preserving the security, confidentiality and integrity of EHR information.
Specifically, the OIG found that servers supporting the EHR were soon to be outdate, with no transition plan in place for updates. Additionally, when employees were terminated, their accounts were not deactivated in a timely manner.
Investigators recommended new polices that would ensure all software is upgraded and replaced in a timely manner. NIH was also asked to implement a tool that would ensure all inactive or terminated accounts are deactivated promptly.