HHS Inspector General Recommends More Safeguards for Patient Data
The National Institutes of Health must do more to ensure that its electronic health records system is secure and that patient data is kept safe and confidential, according to an audit by the U.S. Department of Health and Human Services’ Office of Inspector General.
The HHS OIG audit, released March 2, found that while NIH has used some security controls over its electronic health records, more needs to be done, including better back-up and recovery plans, as well as ensuring that software and hardware are up-to-date and supported by their manufacturers. The audit was conducted by the Minneapolis law firm CliftonLarsonAllen LLP on behalf of HHS’ OIG.
The audit looked at the NIH’s Clinical Research Information System, which contains EHRs for patients of the NIH Clinical Center, a hospital based in Maryland that conducts clinical research.
“NIH’s information security policies and practices were not operating effectively to preserve the security, confidentiality, integrity, and availability of NIH’s [EHR] information and information systems, resulting in potential risks of unauthorized access, use, disclosure, disruption, modification or destruction,” according to the audit.
NIH officials agreed with the audit’s recommendations and said they are working to implement them, according to the report.
In the audit, investigators found that NIH had not fully implemented certain IT and security requirements in order to protect the Clinical Research Information System’s electronic health records. The report found weaknesses in access controls, contingency planning and IT maintenance.
The report focused on three areas that need improvement:
- NIH located its alternate IT processing site for the EHR system in the same geographic location as the primary site.
- NIH failed to upgrade all servers supporting the EHR information system in a timely manner, delaying software upgrades until system upgrades had been completed.
- NIH did not effectively implement account management processes to ensure that terminated employees' user accounts and inactive accounts were promptly deactivated.
Under guidelines provided by the U.S. National Institute of Standards and Technology, organizations are encouraged to minimize their security risks by having an alternate IT processing site located in a different geographic area to ensure that an organization can access its back-up systems in the case of a catastrophic event.
The HHS OIG audit, however, found that NIH's primary and alternate processing sites were located in buildings adjacent to each other on the same campus.
“As a result, the hospital may not have an alternative means to access EHR data because one threat could halt processing at both sites,” the HHS OIG report notes.
In addition, the audit found that NIH had four Clinical Research Information System servers running on outdated Microsoft software because the agency was in the middle of updating its hardware, the report notes. The hardware upgrades would also include new software, but at the time of the audit, the NIH had not installed this new hardware.
The audit also found that nine out of 61 terminated users had active accounts in the Clinical Research Information System, and 19 out of 25 inactive accounts had not been deactivated.
“Inactive accounts that are not disabled when employees separate from NIH may be used to gain access to NIH data and sensitive information,” hence risking health record data leaks or breaches, the audit states.
NIH officials said they’re working on following NIST guidelines for separate processing centers, upgrading outdated software and ensuring that outdated user accounts are removed.
NIH officials noted that budget constraints were the main reason why the primary and back-up processing centers were located in the same area. To mitigate the issues, NIH is now using servers and back-up systems provided by a third-party vendor that will help back up the electronic records in a different location, according to the audit.
In addition, NIH is upgrading four servers with updated Microsoft software, and the agency is fixing its automated user account management tool that was supposed to identify inactive accounts and employees who had been terminated.