The Department of Health and Human Services’ Office of Inspector General (OIG) conducted an audit of the National Institutes of Health (NIH). The results revealed that technology control flaws in the NIH electronic medical records system and IT systems put the patients’ protected health information (PHI) at risk.
NIH obtained $5 million in congressional appropriations in FY 2019 to oversee the NIH grant programs and operations. Congress wanted assurance that cybersecurity controls were in place to safeguard sensitive data and to determine whether NIH complies with Federal regulations.
CliftonLarsonAllen LLP (CLA) conducted the audit on July 16, 2019 on behalf of OIG to assess the effectiveness of particular NIH information technology controls and to evaluate how NIH receives, processes, stores, and transmits electronic health records (EHR) within its Clinical Research Information System (CRIS), which holds the EHRs of NIH Clinical Center patients.
NIH has roughly 1,300 physicians, dentists and Ph.D. researchers, 830 nurses, and about 730 allied healthcare experts. In 2018, the Clinical Center had over 9,700 new patients, above 4,500 inpatient admissions, and more than 95,000 outpatient appointments.
CLA found that NIH had implemented controls intended to ensure the integrity, confidentiality, and availability of health data contained in its EHR and information systems; however, those controls did not operate effectively. As a result, unauthorized individuals could potentially have accessed data in the EHR system and information systems, leaving the data vulnerable to impermissible disclosure, alteration, and destruction.
The National Institute of Standards and Technology (NIST) advises that the primary and alternate EHR processing sites be geographically separated. Geographical separation reduces the risk that a single event disrupts both sites and helps ensure that essential operations can be restored when extended outages occur. OIG found that the primary and alternate sites were located in adjoining buildings on the NIH campus; had a catastrophic event occurred, both sites would likely have been affected.
The hardware used for the EHR system was either approaching end of life or was on extended support. Four servers ran a Windows operating system that Microsoft has not supported since 2015. NIH paid for extended support until January 2020; however, OIG found there was no effective transition plan. OIG additionally found that NIH was not deactivating user accounts promptly when employees were terminated or left NIH. Of 26 user accounts that had been inactive for more than 365 days, 19 were not deactivated. Of 61 terminated users, 9 still had active accounts. Of 25 new CRIS users, 3 had their permissions altered without a completed form justifying the change.
NIH notified CLA that it had deferred software upgrades until the completion of system improvements. NIH was upgrading its hardware during fieldwork in anticipation of enhancements to CRIS. Software upgrades were expected to be done after the completion of the hardware upgrade.
NIH had an automated tool to identify inactive accounts and remove them, but the tool was not fully deployed at the time of fieldwork. The tool also had defects, such as difficulty tracking employees who transferred between departments.
OIG recommended establishing an alternate processing site in a geographically distinct area and taking action to minimize the risks associated with the current alternate site until the new site is established. Policies and procedures should be enforced to ensure that software is upgraded before it reaches end of life, and NIH should verify that its automated account-cleanup tool is working as intended. NIH concurred with all recommendations and described the steps it has taken and will take to implement them.
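The account findings above (accounts inactive for more than 365 days, terminated users still active, and a cleanup tool that mishandled department transfers) are the kind of gaps a periodic reconciliation between the application's account list and the HR roster is meant to catch. The following is an added illustration, not NIH's tool or any code from the audit report: it compares a constructed list of application accounts against a constructed HR roster, flags enabled accounts of terminated users and accounts with no login in over 365 days, and treats a department transfer as a review item rather than a termination, which is the case the page says the tool had trouble with. The usernames, dates and departments are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Threshold used in the audit finding: accounts idle longer than this are stale.
INACTIVITY_LIMIT_DAYS = 365


@dataclass
class Account:
    """One account as exported from the application (e.g. an EHR system)."""
    username: str
    enabled: bool
    last_login: Optional[date]   # None = never logged in
    department: str              # department the account was provisioned for


@dataclass
class Person:
    """One record from the HR roster, the authoritative source of employment status."""
    username: str
    status: str        # "active" or "terminated"
    department: str    # current department according to HR


def review_accounts(accounts: List[Account], roster: List[Person], today: date) -> Dict[str, List[str]]:
    """Reconcile application accounts against HR and return findings by category.

    Only enabled accounts are examined; a disabled account is already in the
    desired state and generates no finding.
    """
    by_user = {p.username: p for p in roster}
    findings: Dict[str, List[str]] = {
        "terminated_still_enabled": [],  # must be disabled immediately
        "stale_enabled": [],             # no login in > INACTIVITY_LIMIT_DAYS
        "department_mismatch": [],       # transferred: review access, do not disable
        "no_hr_record": [],              # account with no owner in HR: investigate
    }
    for acct in accounts:
        if not acct.enabled:
            continue
        person = by_user.get(acct.username)
        if person is None:
            findings["no_hr_record"].append(acct.username)
            continue
        if person.status == "terminated":
            findings["terminated_still_enabled"].append(acct.username)
            continue  # termination outranks every other check
        idle = acct.last_login is None or (today - acct.last_login).days > INACTIVITY_LIMIT_DAYS
        if idle:
            findings["stale_enabled"].append(acct.username)
        # A transfer is not a termination: the person is still employed, so the
        # account stays enabled but its permissions need a fresh review.
        if acct.department != person.department:
            findings["department_mismatch"].append(acct.username)
    return findings


def sample_findings() -> Dict[str, List[str]]:
    """Run the review over constructed sample data (fixed date so results are stable)."""
    today = date(2019, 7, 16)  # constructed reference date, matching the fieldwork date on the page
    accounts = [
        Account("alice", True, today - timedelta(days=10), "Cardiology"),   # clean
        Account("bob", True, today - timedelta(days=400), "Oncology"),      # idle > 365 days
        Account("carol", True, today - timedelta(days=5), "Radiology"),     # terminated, still enabled
        Account("dave", True, today - timedelta(days=3), "Radiology"),      # transferred departments
        Account("erin", False, None, "Pharmacy"),                           # already disabled
        Account("frank", True, today - timedelta(days=1), "Pathology"),     # no HR record
    ]
    roster = [
        Person("alice", "active", "Cardiology"),
        Person("bob", "active", "Oncology"),
        Person("carol", "terminated", "Radiology"),
        Person("dave", "active", "Oncology"),
        Person("erin", "terminated", "Pharmacy"),
    ]
    return review_accounts(accounts, roster, today)


if __name__ == "__main__":
    for category, users in sample_findings().items():
        print(f"{category}: {users}")
```

The categories are deliberately separate because they call for different responses: a terminated user's enabled account is disabled at once, a stale account is disabled after confirming with its owner, and a transferred employee keeps the account but has its permissions re-approved, which is the same justification step the page notes was skipped for three new CRIS users.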