A new report from the Defense Department inspector general faults officials from the Air Force, as well as the Defense Health Agency and Navy, for their handling of health records. Photo by SrA. Kasey Zickmund.
Officials from the Air Force, as well as from the Defense Health Agency and Navy, did not consistently use security procedures on systems handling electronic health records and patient health information, a Pentagon inspector general’s report found May 2.
According to the FOUO report, a redacted version of which is available online, the Defense Department inspector general’s team visited two Air Force facilities—the 436th Medical Group at Dover AFB, Del., and Wright-Patterson Medical Center in Dayton, Ohio—as well as three Navy facilities, reviewing 17 information systems.
The team identified issues accessing networks, mitigating known network vulnerabilities, reviewing system records to identify suspicious activities, and implementing adequate physical security protocols.
The office said Air Force, DHA, and Navy officials did not consistently implement security protocols for various reasons, including insufficient resources or guidance, incompatible systems, and vendor limitations. The office made a number of recommendations, including that the Air Force and Navy departments’ surgeons general determine whether the issues in the report exist elsewhere, and that they put into place a plan to verify that facilities enforce the use of Common Access Cards and configure sophisticated passwords to gain access to systems that handle patient health information.
The Air Force surgeon general agreed with all of the 15 recommendations to his office and Air Force facilities, although the IG’s office said one recommendation remains unresolved and requires more comments.
This report follows an earlier report that found the Defense Health Agency and the Army did not consistently put into place effective measures to protect systems handling patient health information.