Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it's official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Two Indian Health Service Hospitals Had System Security and Physical Controls for Prescription Drug and Opioid Dispensing but Could Still Improve Controls

We conducted this review to assess the Indian Health Service's (IHS) physical and information technology controls over prescription drugs such as opioids and to identify measures that could prevent drug diversions.

HHS has recognized the escalating abuse of opioid drugs in our society. Among HHS operating divisions, the Centers for Disease Control and Prevention, National Institutes of Health, and IHS play key roles in HHS's programmatic response to the nation-wide epidemic.

IHS is responsible for implementing appropriate controls within IHS to protect prescription drugs, including opioids; IHS is also responsible for the security of related beneficiaries' personal health information in accordance with Federal security requirements.

Our objective was to determine whether IHS implemented federally required physical and information technology systems controls that would help to ensure prescription drugs (specifically opioids) are dispensed appropriately.

We reviewed IHS's policies and procedures, reviewed physical security controls, interviewed staff, and used vulnerability scanning software to determine whether security related vulnerabilities existed on the Personal Health Record website.

Although IHS had increased system security and physical controls surrounding prescription drug and opioid disbursements, IHS did not adequately implement information technology security controls to address risks related to health information and patient safety.

Specifically, we found that: two IHS hospitals had system security and physical controls for prescription drug and opioid dispensing; an IHS hospital lacked an adequate continuity of operations program and disaster recovery plan; two IHS hospitals did not have adequate logical access control procedures; two IHS hospitals lacked adequate information technology risk assessments; and, one IHS hospital lacked adequate flaw remediation and vulnerability management procedures.

We recommend that IHS:

IHS concurred with all of our recommendations and described the actions it had taken and plans to take to implement them.

Filed under: Indian Health Service