The Defense Department inspector general said it will audit the security of the Army’s electronic health records and individually identifiable health information in August.
“Our objective is to determine whether the Army designed and implemented effective security protocols to protect electronic health records and individually identifiable health information from unauthorized access and disclosure,” wrote Carol Gorman, assistant inspector general for readiness and cyber operations, in a memo.
This would be the first in a series of audits of the military on the subject, Gorman wrote, adding that they would consider management’s suggestions for extra or revised objectives.
The audit will review U.S. Army Medical Command, the enhanced Multi-Service Market led by the Army in the Puget Sound Region, the Army medical center at Joint Base Lewis-McChord in Washington state, and one Army hospital and clinic each at Fort Carson, Colorado.
The IG may add locations during the audit, Gorman wrote.
The DOD has been migrating to a new $9 billion EHR system, and a June IG audit found that finishing that move by the end of the year might not be realistic.
The audit listed “ensuring the system is secure against cyber attacks” as one of the causes of a potential delay.
Several companies in the health care sector have experienced cyber attacks this year.
Banner Healthcare announced this week that its systems were attacked, and hackers may have gotten access to “patient information, health plan member and beneficiary information, as well as information about physician and health care providers.” The attackers also may have gained access to credit card information from some purchases at the network’s food and beverage locations.
The company said it is sending out letters to about 3.7 million people related to the attack.
This latest audit also comes as health data systems have increasingly been the target of ransomware attacks, in which malware encrypts a hard drive or server and hackers demand money before handing over a decryption key.
Ransomware attacks in the health care sector have been on the rise since a California hospital was hit with a ransomware attack, said Kevin Haley, the director of product management at Symantec Security Response, in a media roundtable in April.
FedScoop reported at the time that Symantec figures showed the rate of ransomware attacks in the first quarter had quadrupled from 2015.
At least one federal agency has experienced a ransomware threat. Department of Veterans Affairs CIO LaVerne Council said in June that the department had experienced and responded to a ransomware threat.
Council did not say at the time when or where in the VA’s networks the threat occurred.
In May, the Senate Judiciary Committee’s Subcommittee on Crime and Terrorism discussed ransomware in a hearing, and one of the speakers mentioned ransomware attacks on the health care sector.
“A trend emerged that has become quite common: hospitals across the United States and Europe have been locked out of their own data and forced to pay a ransom,” said Adam Meyers in prepared testimony at the time. Meyers leads the intelligence team at CrowdStrike, Inc., a commercial security technology company.
He added: “The adversaries behind these attacks and others who are looking to generate revenue have surely taken notice of these increasingly desperate stories, which in some cases even speculate that medical procedures could be delayed by these attacks.”