DoD Watchdog Agency to Audit Military EHR Security
Reviews of Several Army Medical Facilities Start in August
The Department of Defense Office of Inspector General will begin auditing several military healthcare facilities this month to evaluate whether the Army is properly safeguarding electronic health record data and other personally identifiable information of military personnel.
With the planned IG audits, "our objective is to determine whether the Army designed and implemented effective security protocols to protect EHRs and individually identifiable health information from unauthorized access and disclosure," said Carol Gorman, DoD assistant IG of readiness and cyber operations, in a recent memo sent to U.S. Army Medical Command officials at the DoD.
"This is the first in a series of audits of Military Department security protocols over EHRs and individually identifiable health information. We will consider suggestions from management on additional or revised objectives," she noted.
The first DoD IG audits will be conducted at the U.S. Army Medical Command, including the enhanced Multi-Service Market led by the Army in the Puget Sound Region in Washington; the Army medical center at Joint Base Lewis-McChord, also in Washington; and one Army hospital and clinic each at Fort Carson, Colorado, she indicated. "We may identify additional locations during the audit."
Some security experts say the latest audits are one important piece in the DoD's overall effort to examine how military personnel data is being protected from cyberattacks, as well as insider breaches.
"The DoD runs audits all the time of various aspects of their operations and programs, so this audit is no surprise," says Mac McMillan, a former DoD information security leader who is now CEO of security consulting firm CynergisTek. The DoD also puts all of its systems "through a thorough certification and accreditation process under the Federal Information Security Management Act, and/or DoD regulation, so this is in addition to what they normally do to assure security of these systems," he says.
However, the additional scrutiny with these latest audits is particularly timely and necessary, McMillan notes.
"Many of our service members serve in sensitive positions and are involved in operations all over the world. Information related to our armed forces and their personnel is a high-priority target for other state actors," he says. "Today's Lieutenant is tomorrow's Chairman, Joint Chiefs of Staff, National Security Advisor, Agency Head or political leader."
New EHR Project Risks
The DoD security audits of the Army's current EHR also come as the DoD plans to acquire and implement its multibillion-dollar DoD Healthcare Management System Modernization, or DHMSM, a new integrated EHR system that is slated to replace the DoD's legacy Military Health Systems at DoD medical facilities over the next 10 years.
The DoD IG in May issued a separate audit report examining whether the DoD had approved system requirements for the DHMSM program and whether its acquisition strategy was properly approved and documented.
That report noted that the DHMSM program's mandated execution schedule "may not be realistic for meeting the required initial operational capability date of December 2016."
The DoD IG noted that DHMSM program officials "identified risks, determined the risk probability of occurrence, and assessed the impacts to the cost, schedule, and performance" and that the DHMSM program office also developed and implemented mitigation plans to address the risks.
However, despite the risk mitigation strategy, DoD IG noted in its report that the DHMSM program office "is still at risk for obtaining an EHR system by the December 2016 initial operational capability date because of the risks and potential delays involved in developing and testing the interfaces needed to interact with legacy systems, ensuring the system is secure against cyberattacks, and ensuring the fielded system works correctly and that users are properly trained."
In that audit report, DoD IG recommended that DHMSM officials perform a schedule analysis to determine whether the December 2016 initial operational capability deadline is achievable, and suggested that they continue to monitor DHMSM program risks and report to Congress quarterly on the progress of the program.
The DHMSM program office agreed to conduct "regular quarterly briefings for the Congressional Defense committees on the progress of the DHMSM program, including potential risks to the program," DoD IG noted in the report.
The latest DoD IG audits also come amidst other recent federal watchdog and Congressional scrutiny over how other large federal government entities are protecting health and related personal data, including the Department of Veterans Affairs, the nation's largest healthcare provider.
For instance, in March, a watchdog agency's audit of the VA cited nearly three dozen recommendations for how the VA should address "material weakness" in its information security program, ranging from issues concerning identity and access management to incident response (see OIG: VA Must Address Infosec Weaknesses).
The VA is currently implementing plans for addressing a portion of those VA Office of Inspector General's audit findings by the end of 2016, with the remainder due for completion by the end of 2017, VA CIO LaVerne Council testified in March during a hearing of the House Oversight and Government Reform Committee's subcommittee on IT.
Meanwhile, a bipartisan Senate bill unveiled in June proposes to remove Social Security numbers of U.S. veterans from all VA information systems within the next five years in an effort to reduce identity theft and fraud affecting veterans (see Senate Proposal Calls for VA to Drop Use of SSNs).
In that effort, the VA would be playing catch-up with the DoD, which in 2011 completed an initiative to replace almost 10 million military identification cards that had Social Security numbers printed on them with cards that stored the numbers in bar codes. The DoD is also working to remove the numbers from the bar codes and magnetic stripes on the cards.