What can the DoD and VA do to secure the vulnerability of medical records?

SGT Private RallyPoint Member — Wed, 16 Apr 2014 10:15:52 -0400

http://www.armytimes.com/article/20140415/BENEFITS06/304150050/Your-medical-files-may-risk

After veteran Aaron Alexis shot and killed a dozen people at the Washington Navy Yard last September, the Air Force noted a spike in the number of personnel dipping into his electronic medical file....

Response by SFC A.M. Drake made Apr 16 at 2014 10:21 PM

SFC A.M. Drake — Wed, 16 Apr 2014 22:21:07 -0400

That's a tough issue as I have worked in both environments. One solution would be to whatever record you are going into, it needs to be electronically signed for prior to signing/viewing it. And you must have a need to know for the information contained therein. Also each record needs to have an access key, with an alphanumeric mix, that can be changed only by the SM, Veteran, or designee (Power of Attorney)...just my thoughts.

Response by SSG Laureano Pabon made Apr 16 at 2014 10:40 PM

SSG Laureano Pabon — Wed, 16 Apr 2014 22:40:20 -0400

Some time back around Feb. I posted a video about copiers and what information can be found in them. Here is that video again:

https://www.facebook.com/photo.php?v= [login to see] 532761&set=vb.716992760&type=2&theater

Ron Wininger - Never Trust A Photo Copier | Facebook

This will get your attention. I will never look at a copier the same way.

Response by SFC(P) Private RallyPoint Member made Apr 16 at 2014 11:40 PM

SFC(P) Private RallyPoint Member — Wed, 16 Apr 2014 23:40:51 -0400

The DoD uses a system called AHLTA to store and document electronic medical records. This system is by no means brand new, its been around since at least 2005 when I came into the military. Most healthcare providers working in an AMEDD facilities (doctors, nurses, medics, etc.) have access to this system. With only a first and last name, and maybe a last 4 of SSN for more common names, you can pull up the records of anyone in the system. While pulling up a record does leave a trail, it won't automatically send up a red flag unless you try to access privileged portions of the record. These portions, mainly behavioral health notes and some sensitive test like HIV, can be opened by anyone with access, but will be flagged for an audit of the reasons as to why it was accessed. Access to this system is necessary for a modern clinic to function, and a heavy focus is placed on HIPPA in both training and execution of daily activities to avoid unauthorized disclosures of PHI. Are there dirtbag Soldiers out there that will do it anyways, of course, and this is true for many other areas of the military as well; these Soldiers when caught are often made examples of to deter others, and renew confidence in healthcare provider's dedication to privacy.

Response by Sgt Abdullahi Mohamud made Apr 21 at 2015 8:33 AM

Sgt Abdullahi Mohamud — Tue, 21 Apr 2015 08:33:13 -0400

In order to maintain a sustainable, reliable and available database, every organization must attain not only people with information security skills but also people with sense of Cybersecurity awareness. In addition, every organization must commit to training their data custodians and retain only those personnel that have sense of duty of protecting the databases that is in their custody.

Response by CW3 Kevin Storm made Sep 2 at 2015 5:02 PM

CW3 Kevin Storm — Wed, 02 Sep 2015 17:02:42 -0400

First off this issue is not unique to VA and DoD, it is to Healthcare in General. As long as we go paperless and have information out there, there will be those who seek to gain access to that information. I am not sure there is an easy fix, but moving towards CAC government wide is one way. And new technologies in access will improve it further, right to the point where some Dip hits the email with "open attachment" on it.