“With this upgrade, the VA IT network (network) could no longer support the software interface between the facility HRM and the EHR. The gastroenterology (GI) provider stated that, along with the facility biomed and IT, a decision was made to use the facility's HRM without the ability to interface with the patients’ EHR,” the report related.
The workaround to implement this decision included sharing data generated by the device using the GI provider's personal computer, unsecured emails and text messages, unencrypted flash drives, and the cloud.
The OIG found that 99 percent of emails sent from the GI provider’s personal email account and 91.7 percent of text messages between the GI provider and staff contained patients’ sensitive information that potentially was exposed.
Sensitive Personal Data of 133 VA Patients Exposed
The audit concluded that personal information of 133 patients could have been exposed by this unsecured workaround, although it did not find evidence that the information was accessed by unauthorized people.
The biomed and IT departments did not address software interface issues, the GI provider told the auditors. This required the provider to develop the workarounds to transfer patient information from the HRM to the EHR.
The OIG said it could not confirm this information because the GI provider did not have documentation of requests for assistance and the staff members in question no longer worked for the facility.
Although the OIG found that the HRM lacked an interface with the patients’ EHR, it noted a lack of documentation about any discussions between the GI provider, biomed, and IT personnel about how the GI provider could securely transfer data from the HRM to the EHR.
For other medical devices that were incompatible with Windows 7, providers and staff were able to develop workarounds that ensured the secure transfer of data and images from the devices to the EHR. The OIG did not find any documentation that these providers and staff used biomed and IT personnel for assistance in developing the workarounds.
The OIG provided five recommendations for the Tibor Rubin VA facility based on the audit:
- Improve communication between the biomed and IT departments and employees about disclosure of sensitive information where technology interface issues exist
- Ensure that facility staff can identify which patient information is considered protected from disclosure and that staff transfer protected information across secure communication modes
- Ensure that the privacy officer and the information systems security officer take necessary steps when protected patient information is compromised or possibly breached
- Consider offering credit monitoring to the 133 patients affected by the incident
- Review the facility’s policy and use of physical logbooks and ensure compliance with VA policy
In addition, OIG recommended that the VA assistant secretary for information and technology adjust the VA handbook on sensitive data breaches to include guidance about the use of personal email systems and texting to transfer and store sensitive patient information.
Responding to this recommendation, the VA assistant secretary for information and technology stated that current VA policy addressed the most common privacy breaches and events on a case-by-case basis and that it was not practical to include information on every privacy and security event in the handbook.
The OIG said that while current VA policy advises employees not to use personal devices without permission, it identified a lack of VA guidance to the Tibor Rubin VA facility about the security implications of transmitting sensitive patient information using personal devices.