DOD IG to Probe Security of Army Patient Records

The Pentagon inspector general on Thursday announced plans to audit, starting this month, the security of Army digital patient files.

The probe comes at a time when government and private hospitals are up against employees who inadvertently compromise health care records and bad guys who extort money in exchange for leaving health data unharmed, among other computer threats.

"Our objective is to determine whether the Army designed and implemented effective security protocols to protect electronic health records and individually identifiable health information from unauthorized access and disclosure," Carol Gorman, assistant inspector general for readiness and cyber operations, said in a memo.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

This inspection will be the first in a series of reviews of security controls for military electronic patient records and personal health information, she says. 

Computer systems will be reviewed at the U.S. Army Medical Command; the enhanced Multi-Service Market led by the Army in the Puget Sound region; the Army medical center at Joint Base Lewis-McChord, Washington; and one Army hospital and clinic each at Fort Carson, Colorado.

During the audit, examiners may identify other locations they want to review, Gorman said. 

Military health care IT is a high-risk, high-reward industry in a field where lives are at stake, according to recent developments. 

The Pentagon last summer awarded Leidos and partners a $9 billion contract to build a next-generation electronic health records system. The setup was expected to be running at initial operating capability by December, but the DOD inspector general this spring signaled the system might miss that deadline. 

More recently, on July 14, the Defense Health Agency awarded EHR Total Solutions a potential $70 million contract for workflow assistance at military treatment facilities that use "tri-service" electronic health record systems. The five-year deal would support the Army, Navy and Air Force. 

Now, hackers are even trying to make money off patient file systems, by freezing the computer tools until the medical provider pays a ransom. Earlier this year, crooks reportedly held electronic records at Hollywood Presbyterian Hospital hostage for two weeks, before the health care center surrendered $17,000 in bitcoin, a digital currency.

So far, the Homeland Security Department isn't aware of any situations where federal agencies paid hackers to remove ransomware from a government system. 

Hardly a week goes by without news of a patient data breach, according to updates on Databreaches.net. For instance, a former Veterans Affairs Department nurse in Florida was sentenced to five years in prison for manipulating a veteran's health care records to cover up deficient care, U.S. officials announced in March.

An internal investigation at the VA Medical Center Miami revealed Enrique Martinez Mathews altered the data while the patient recovered in a surgical intensive care unit.

"The defendant’s actions caused appropriate medical treatment to be withheld from the veteran, who later passed away," Justice Department officials said in a statement. The ex-VA nurse was convicted of causing damage to the computer system, among other things.