The Department of Health and Human Services’ Office of Inspector General (OIG) conducted an audit of the National Institutes of Health (NIH). The audit found that weaknesses in the management of NIH’s electronic health record (EHR) system and IT systems put patients’ protected health information (PHI) at risk.
NIH received $5 million in congressional appropriations in FY 2019 to oversee the NIH grant programs and procedures. Congress wanted assurance that cybersecurity controls were in place to protect sensitive information and wanted to determine whether NIH complies with Federal regulations.
CliftonLarsonAllen LLP (CLA) performed the review on July 16, 2019 on behalf of OIG to assess the effectiveness of certain NIH IT controls and to examine how NIH obtains, processes, stores and transmits electronic health records (EHRs) in its Clinical Research Information System (CRIS), which contains the EHRs of NIH Clinical Center patients.
NIH has around 1,300 doctors, PhD researchers and dentists, 830 nurses, and approximately 730 allied healthcare specialists. In 2018, the Clinical Center had more than 9,700 new patients, more than 4,500 inpatient admissions, and more than 95,000 outpatient consultations.
CLA found that NIH had implemented controls intended to ensure the integrity, availability and confidentiality of the health information held in its EHR and information systems; however, those controls were not operating effectively. As a result, unauthorized individuals could have accessed the information in the EHR system and other information systems, and data was at risk of impermissible disclosure, alteration and disruption.
The National Institute of Standards and Technology (NIST) recommends that primary and alternate EHR processing sites be geographically separated. Geographic separation reduces the risk that a single incident disrupts both sites and helps ensure that critical operations can be recovered after a prolonged outage. OIG found that the primary and alternate sites were located in adjacent buildings on the NIH campus, so a catastrophic event would very likely have affected both sites.
The hardware used for the EHR system was approaching end of life or was on extended support. Four servers ran a Windows operating system that Microsoft has not supported since 2015. NIH had purchased extended support through January 2020, but OIG found that there was no reliable transition plan. OIG also found that NIH was not deactivating user accounts promptly when staff members’ contracts ended or when they left NIH. Of 26 user accounts that had been inactive for more than 365 days, 19 had not been deactivated. Of 61 terminated users’ accounts, 9 remained active. Of 25 new CRIS users, 3 had had their permissions modified without a completed form authorizing the change.
NIH told CLA that it had postponed software updates until system enhancements were completed. NIH was upgrading its hardware during the fieldwork, and improvements to CRIS were expected; software updates were scheduled to follow completion of the hardware upgrade.
NIH had deployed an automated tool to identify inactive accounts and remove them, but the tool was not fully implemented at the time of fieldwork. There were problems with the tool, for instance difficulty tracking individuals who moved between departments.
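The account findings above (accounts inactive for more than 365 days, terminated users whose accounts remain enabled, and permission changes made without a completed authorization form) are the kind of checks an access-review script can run on a schedule. The following is an added example, not code from the audit, NIH or CLA; it uses constructed sample data and assumes the reviewer can export an account list, an HR separation list and a permission-change log into the simple records shown.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample data (not from the audit), modelled on the three findings:
# enabled accounts with their last login, an HR list of terminated users, and a
# log of permission changes with or without a completed change-request form.

@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]   # None means the account has never logged in

@dataclass(frozen=True)
class PermissionChange:
    username: str
    old_role: str
    new_role: str
    form_id: Optional[str]       # None means no completed form was on file

AS_OF = date(2019, 7, 16)        # review cut-off (the fieldwork date above)

ACCOUNTS = [
    Account("asmith", True,  date(2019, 7, 1)),
    Account("bjones", True,  date(2017, 3, 2)),    # inactive for more than 365 days
    Account("clee",   True,  None),                # provisioned but never used
    Account("dkhan",  False, date(2016, 1, 9)),    # already disabled, not a finding
    Account("epatel", True,  date(2019, 6, 30)),   # terminated but still enabled
]
TERMINATED = {"epatel", "dkhan"}                   # constructed HR separation list
CHANGES = [
    PermissionChange("asmith", "viewer", "editor", "CR-1001"),   # approved change
    PermissionChange("clee",   "viewer", "admin",  None),        # no form on file
]

def stale_accounts(accounts, as_of=AS_OF, max_idle_days=365):
    """Enabled accounts with no login within max_idle_days; never-used counts as stale."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a.username for a in accounts
                  if a.enabled and (a.last_login is None or a.last_login < cutoff))

def terminated_but_active(accounts, terminated):
    """Enabled accounts whose owner appears on the HR termination list."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.username in terminated)

def unapproved_changes(changes):
    """Permission changes recorded without a completed change-request form."""
    return sorted(c.username for c in changes if c.form_id is None)

def account_review(accounts=ACCOUNTS, terminated=TERMINATED, changes=CHANGES, as_of=AS_OF):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "stale": stale_accounts(accounts, as_of),
        "terminated_active": terminated_but_active(accounts, terminated),
        "unapproved_permission_changes": unapproved_changes(changes),
    }

if __name__ == "__main__":
    for finding, users in account_review().items():
        print(f"{finding}: {users}")
```

The terminated-user check deliberately takes its input from the HR list rather than from the directory itself, because the audit's problem case was accounts that the directory still considered valid; an automated tool that only looks at login activity would miss a departed user who logged in the day before leaving, as `epatel` does here.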
OIG recommended establishing an alternate processing site in a geographically distinct location and taking steps to mitigate the risks associated with the existing alternate site until the new site is in place. Policies and procedures should be implemented to ensure that software is upgraded before it reaches end of life, and NIH must ensure that its automated tool performs as designed. NIH concurred with all recommendations and described the actions it has taken and will take to implement them.