The U.S. Navy and Air Force may face millions of dollars in penalties related to HIPAA violations after the Department of Defense Office of Inspector General found a number of flaws in the security systems for its hospitals' EHRs, Military.com reports.
The DOD OIG released its report May 7 as a follow-up to a previous investigation at Army Medical Treatment Facilities where it found similar problems. Investigators reviewed three Naval facilities: Oceanside, Calif.-based Naval Hospital Camp Pendleton; Naval Medical Center San Diego; and the U.S. Naval Ship Mercy in San Diego. It also inspected two Air Force hospitals: the Dover, Del.-based 436th Medical Group and the Wright-Patterson Air Force Medical Center in Dayton, Ohio.
"We determined that Defense Health Agency, Navy and Air Force officials did not ensure system security protocols to protect systems that stored, processed and transmitted electronic health records and patient health information were consistently implemented at the locations tested," the report read, according to Military.com. "As a result, ineffective administrative, technical and physical security protocols, resulting in [HIPAA] violations, could cost Military Treatment Facilities up to $1.5 million in penalties each year."
The report pointed to DHA, Navy and Air Force use of single-factor authentication, which the organizations deemed acceptable for accessing PHI while providing bedside care despite the heightened risk of compromise associated with it.
Network administrators at the five facilities often did not address the vulnerabilities once investigators notified them, and the facilities' CIOs failed to "develop plans of action and milestones to mitigate vulnerabilities affecting their networks," the report states.
OIG recommends the military reconfigure its EHRs to automatically lock after 15 minutes of inactivity as a way to mitigate the risk of compromise.
More articles on cybersecurity:
15 healthcare privacy incidents in April
Ransomware infects computers at Center for Orthopedics Specialists; clinic notifies 85k
Transcription service MEDantex leaks medical records