Gaping Security Holes in Handling of Troops' Medical Records, IG Finds

An airman types on his computer at MacDill Air Force Base, Fla.
An airman types on his computer at MacDill Air Force Base, Fla., March 9, 2018. (Senior Airman Mariette Adams/U.S. Air Force photo)

The Pentagon Inspector General's office has found gaping holes in the security systems for the electronic health records and patient information at Navy and Air Force hospitals and clinics, including aboard the USNS hospital ship Mercy.

The report released Monday by the office of Acting Inspector General Glenn Fine was a follow-up to a previous one that found similar problems at Army Medical Treatment Facilities (MTFs).

Navy and Air Force security was so lax that both services could be liable for millions of dollars in penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA), the latest IG report said.

"We determined that Defense Health Agency, Navy and Air Force officials did not ensure system security protocols to protect systems that stored, processed and transmitted electronic health records and patient health information (PHI) were consistently implemented at the locations tested," the report said.

"As a result, ineffective administrative, technical, and physical security protocols, resulting in Health Insurance Portability and Accountability Act violations, could cost Military Treatment Facilities up to $1.5 million in penalties each year," it continued.

"For example, officials for the DHA, Navy and Air Force considered single-factor authentication, such as a user name and password, more efficient to access PHI while providing bedside care, even though single-factor authentication presents a greater risk of compromise," the report said.

Currently, the Defense Department's Military Health System provides medical and dental services to about 9.4 million beneficiaries worldwide at 673 MTFs, including 55 military hospitals and 373 military medical clinics.

The IG's report was based on inspections at three Navy facilities: Naval Hospital Camp Pendleton, California; San Diego Naval Medical Center, California; and the U.S. Naval Ship (USNS) Mercy in San Diego. The two Air Force facilities inspected were the 436th Medical Group in Dover, Delaware, and the Wright-Patterson Medical Center in Dayton, Ohio.

When vulnerabilities were found, network administrators at all five facilities often failed to address them, the IG's report said.

In addition, the chief information officers (CIOs) at the facilities "did not develop plans of action and milestones to mitigate vulnerabilities affecting their networks," it added.

"For example, at the Dover Clinic, a June 21, 2017, scan revealed that 342 of the 1,430 vulnerabilities identified on a May 10, 2017, network scan remained unmitigated," the report said.

Officials at DHA, the Navy and the Air Force did not implement adequate medical records security for a variety of reasons, the report said, including "lack of resources and guidance, system incompatibility, and vendor limitations."

The report recommended that DHA configure the electronic health records to lock automatically after 15 minutes of inactivity to prevent abuses.

Another recommendation was that the surgeons general for the Air Force and the Navy "assess whether the systemic issues identified in this report exist" at other MTFs.

-- Richard Sisk can be reached at

Story Continues