Report Outlines Military Health Facility Security Weaknesses
Various military health facilities haven’t consistently implemented security controls, putting patient data at risk, according to a new watchdog agency report.
Some security experts say many of the same weaknesses identified in the security reviews by the Department of Defense Office of Inspector General are also quite common at civilian healthcare entities.
The report is based on DoD OIG reviews of 17 information systems – including electronic health records systems – at three Navy and two Air Force health facilities.
Tom Walsh, Founder and Managing Partner of consultancy tw-Security, says most of the findings in the OIG report are common at civilian healthcare organizations as well.
“In the medium to large healthcare organizations, there are many diverse applications and systems, each having different security capabilities,” he says. “That also means multiple system administrators, and many could be workers not associated with the IT department – such as radiology, lab, pharmacy, and biomed. Therefore, consistency with security controls/settings is difficult to achieve.”
Walsh says the OIG finding that he found most troubling was the failure to mitigate known network vulnerabilities.
“Hacking is a persistent threat, and the physical security of a military installation will not thwart that type of threat,” he says. “There are nation-states that hate the U.S. military and would do everything possible to cause a disruption.”
Walsh says the timeout setting for user inactivity is a common trouble spot in healthcare settings. He suggests, however, that the timeout setting should vary in each medical department.
“For example, no physician wants the EHR timing out during a surgery,” he notes. “Certain departments/areas of the hospital are restricted access areas, and patients and/or their family would not have physical access to those areas. Therefore, some departments will request an exception to the auto logoff timeout setting because it would otherwise disrupt workflows. … Patient care is the mission, and information security needs to support the mission – not be seen as a hindrance to patient care.”
The report notes that officials at the Defense Health Agency and at various Navy and Air Force facilities agreed with most of the recommendations and said they would address the issues. Some of the recommendations, however, still await additional comments or suggestions from military health officials, the report states.