The Department of Veterans Affairs Office of Inspector General (VA OIG) recently inspected a California VA medical center and found security vulnerabilities linked to medical device workarounds, along with non-compliance with Veterans Health Administration (VHA) and VA policies.
VA OIG inspected the Tibor Rubin VA Medical Center in Long Beach, California, after identifying VHA and VA privacy and security policy violations during an unrelated investigation.
The auditors discovered unacceptable employee workarounds for transferring data from patients’ medical devices into the medical center’s EHR system. They also identified two possible breaches of patient data during the inspection.
There was no interface between the medical center’s EHR system and the VHA medical devices, which is why staff resorted to unacceptable workarounds. Biomedical engineering and the IT department were unable to resolve the software interface issues between the EHR and the medical devices. Moreover, facility employees were using unacceptable modes of communication that risked the unintended disclosure of sensitive patient data.
Inspectors found that 9 of 12 medical devices, including high-resolution esophageal manometry (HRM) equipment, had no interface with the EHR system. The interface between the medical devices and the EHR stopped working when the medical center upgraded from Windows XP to Windows 7 in 2013. Biomedical engineering and IT helped when the issues first appeared; however, subsequent software interface problems remained unresolved.
According to the gastroenterology (GI) provider, the facility’s biomedical engineering and IT departments were partly responsible for the decision to keep using the equipment despite the lack of a functioning interface. The GI provider devised two workarounds that did not comply with VHA and VA policies on sensitive personal information, leaving patient data exposed.
Both methods relied on the GI provider’s personal computer and moved sensitive data via unencrypted email, an unencrypted flash drive not issued by VA, and the cloud. Employees in the pulmonary/sleep laboratory, GI laboratory, and neurology departments also created workarounds because of the interface problems that followed the operating system upgrade.
Employees lacked awareness of the importance of patient privacy and of handling patient data securely. One employee made sure information was sent only by secure, encrypted email; other employees, however, sent messages through personal email accounts, SMS text messages, and unsecured devices.
VA OIG determined that 99% of the emails sent from the GI provider’s email account contained sensitive patient data, as did 91.7% of the SMS text messages sent. Inpatient and nursing staff were also found to use unsecured methods to communicate patient data. The medical center additionally continued to record equipment taken home by staff in logbooks, which VHA policy does not permit.
Although the report concerns a single VA medical center, the findings are not unexpected. Many healthcare providers face the same software compatibility problems and resort to similar workarounds, which can introduce significant risk.
The VA OIG made the following recommendations to correct the medical center’s violations and improve security:
- Take steps to make sure that employees only use secure methods for communicating patient data
- The medical center director must review the communication processes between IT/biomedical engineering and employees
- Take steps to fix the interface problems and improve communication
The medical center is currently working to implement those recommendations.