IG: DoD Did Not Properly Secure Access to VIP RecordsExperts: Private Healthcare Entities Struggle with Similar Woes
The Department of Defense did not effectively control access to the health information of high-profile personnel, says a new watchdog agency report.
The report hints that the findings also may indicate ineffective access control over other DoD employees' health records.
"The DoD did not effectively control access to health information of well-known DoD personnel and possibly of any DoD personnel, as exemplified by what we found regarding well-known DoD personnel," says the DoD Inspector General audit report issued Aug. 26.
Meanwhile, some security and privacy experts note that the findings at the DoD are similar to records access issues that private sector healthcare entities struggle with concerning VIPs and other patients.
"Record snooping of VIPs generally happens out of curiosity," says Keith Fricke, principal consultant at privacy and security consultancy tw-Security. "Many healthcare organizations have protocols in place that closely monitor access to a VIP’s record."
The IG says it performed an audit from January 2020 through May 2021 in accordance with generally accepted government auditing standards. That included assessing compliance with HIPAA and DoD guidance, which say all authorized users of health information must access only data that they are authorized to access, must have a need to know, and must assume only authorized roles and privileges, the IG says.
For instance, the Defense Health Agency issued interim guidance in November 2018 that established how to restrict access for individuals who have “notoriety,” the report notes.
In summary, the DHA guidance says that upon notification or viewing of a high-profile or high-media incident involving a DoD Service member, DoD civilian, or veteran, the DoD will implement a process to restrict that individual’s health information to only a few DoD personnel.
The objective of the IG audit was to determine whether the DoD effectively controlled access to health information of well-known DoD personnel, the report notes.
In conducting its audit, the IG "nonstatistically selected 38 well-known individuals to determine whether their health information was accessed by an unauthorized healthcare official," the report says. The watchdog agency's review was limited to individuals "that became well-known from a high media incident," which was not described in the report. Names of individuals were also redacted from the report.
“A high-media incident is when a large audience learns of an event through media communications, such as social media, broadcasting, or newspapers," the IG notes.
The IG auditors requested electronic health record access logs from the Defense Health Agency in April 2020 for the selected DoD personnel, the report notes.
The IG audit found a total of 1,410 individuals accessed the health information of the 38 high-profile individuals, the audit found.
To assess the access, the IG says it then "nonstatistically selected" 44 DoD personnel - or "viewers" - who accessed the health information for 18 of the 38 high-profile individuals based on risk factors, such as a difference in locations of the viewers and the well-known individuals, and information accessed immediately after high-media incidents, the report says.
“Afterward, we requested the applicable Military Department or the DHA provide a reason for why the selected viewers accessed the health information of the well-known individual.”
The IG found that only about seven of the viewers - or 15% - were confirmed as having authorized access to the high-profile individuals' health information.
Fifteen of the viewers - or 30% - were confirmed as not being authorized to access the health information. Another 22 viewers - or 50% - were not confirmed as having either authorized or unauthorized access to the health information of the DoD well-known personnel, "however, the access was likely unauthorized," the report notes.
The IG recommends that the DHA, in coordination with the military departments' surgeons general, perform a review of unauthorized and undetermined access of the protected health information of all personnel identified in the unredacted audit.
Based on the results of that review, the DHA should initiate appropriate disciplinary actions for individuals who were not authorized to access the information of all personnel, and report the incidents in accordance with applicable laws and DoD guidance, the IG recommends.
The public report does not mention recommendations of any specific access control best practices or technologies that should be implemented by the DHA.
The report notes that the DHA concurred with the IG's recommendations, and is in the process of reviewing what DoD IG presented as unauthorized and undetermined access of protected health information of all personnel identified in this audit.
Analysis of that undetermined access is expected to be completed by year-end.
Incidents found to be in violation of unauthorized access or disclosure "will be dealt with in accordance with applicable laws and DoD guidance," the report notes.
Some experts note that record snooping and other unauthorized access to health information of high-profile patients also is a problem for healthcare entities in the private sector.
Healthcare entities can help prevent the unauthorized access to health information of high-profile individuals in several ways, Fricke of tw-Security notes.
"Education is high on the list. It is helpful to show the workforce a sanitized copy of an audit trail capturing access activity on a patient record," he says.
It is also important to closely monitor activity logs for instances of access to a VIP record. This should be done during the length of stay when the VIP is in the hospital or outpatient clinic, he adds.
"It can be helpful to also periodically check access activity when a VIP is in the news. Some organizations make it known that a specified number of workers were terminated during the previous month or quarter … based on unauthorized access to a patient’s record - not necessarily limited to VIPs," he notes.
Additionally, some healthcare organizations flag the human resources record of a terminated employee as “Do not hire” if the former employee was terminated due to a HIPAA violation, he says.
Healthcare entities can also take other critical steps to help prevent and detect unauthorized access to VIP as well as other individuals' sensitive health records, says Mac McMillan, CEO of privacy and security consultancy CynergisTek.
"We have the tools to make this very difficult. Patient privacy monitoring systems permit organizations to label individuals as VIPs and apply not only restrictions but monitoring and alerts when someone other than the primary care team accesses their record," he says.
"With the newer heuristic systems, this alerting can be immediate and allow privacy staff to address [the issue] right away. The days of doing this unnoticed are over if the healthcare entity has the tools and people to monitor access. The question we should be asking is: 'Why did this happen?'" he says.