Two Indian Health Service Hospitals Had System Security and Physical Controls for Prescription Drug and Opioid Dispensing but Could Still Improve Controls

We conducted this review to assess the Indian Health Service's (IHS) physical and information technology controls over prescription drugs such as opioids and to identify measures that could prevent drug diversions.

HHS has recognized the escalating abuse of opioid drugs in our society. Among HHS operating divisions, the Centers for Disease Control and Prevention, National Institutes of Health, and IHS play key roles in HHS's programmatic response to the nation-wide epidemic.

IHS is responsible for implementing appropriate controls within IHS to protect prescription drugs, including opioids; IHS is also responsible for the security of related beneficiaries' personal health information in accordance with Federal security requirements.

Our objective was to determine whether IHS implemented federally required physical and information technology systems controls that would help to ensure prescription drugs (specifically opioids) are dispensed appropriately.

We reviewed IHS's policies and procedures, reviewed physical security controls, interviewed staff, and used vulnerability scanning software to determine whether security related vulnerabilities existed on the Personal Health Record website.

Although IHS had increased system security and physical controls surrounding prescription drug and opioid disbursements, IHS did not adequately implement information technology security controls to address risks related to health information and patient safety.

Specifically, we found that: two IHS hospitals had system security and physical controls for prescription drug and opioid dispensing; an IHS hospital lacked an adequate continuity of operations program and disaster recovery plan; two IHS hospitals did not have adequate logical access control procedures; two IHS hospitals lacked adequate information technology risk assessments; and, one IHS hospital lacked adequate flaw remediation and vulnerability management procedures.

We recommend that IHS:

• take immediate action to assess all IHS facilities and ensure each facility has a tested and viable continuity of operations program to respond to and recover from a range of disasters;
• test all backup mechanisms at all IHS hospitals to ensure patient information is fully recoverable and implement an effective continuity of operations program and disaster recovery plan and procedures in accordance with Federal requirements;
• develop and implement logical access control procedures to ensure compliance with the principle of least privilege and conduct privileged-based access reviews to remove unnecessary access to the Resource Patient Management System;
• perform information security risk assessments at all IHS hospitals in accordance with Federal requirements;
• identify all IHS hospitals with unsupported equipment and implement a system development life cycle plan to ensure hardware and software replacement prior to end-of-life; and
• determine if local IHS hospital system administrators are adequately trained to ensure compliance with all flaw remediation and vulnerability management procedures and, if not, develop a training program.

IHS concurred with all of our recommendations and described the actions it had taken and plans to take to implement them.