New OIG Reports IHS didn't Implement Telehealth Cybersecurity Measures

Sarasota, FL (WorkersCompensation.com) – Indian Health Service (IHS) is a separate division under the U.S. Department of Health and Human Services (HHS) that is responsible for providing medical care to members of federally recognized Native American tribes and Alaskan Natives. Based on a treaty signed in 1787, the IHS provides healthcare to around 2.6 million indigenous people that are part of 574 recognized tribes across 37 states.

The injury mortality rate is 2.4 times higher among indigenous populations than it is among Americans. For age category for 65 and under, the IHS estimates that 42 percent of productive life years are lost due to unintentional injuries, with a cost of $350 million per year. Some of the risk factors associated with the higher injury rate includes rural environments, a lack of traffic safety enforcement, and a greater number of alcohol-related incidents.

Additionally, American Indians and Alaskan Natives have an overall higher death rate than other demographics in the U.S., with a life expectancy that is 5.5 years lower than the rest of the country. In addition to injuries, some of the leading causes of death include heart disease, diabetes, and cancer. However, death rates from chronic liver disease and cirrhosis, homicide, suicide, and chronic lower respiratory disease are also higher for American Indians and Native Alaskans.

In an effort to address health disparities seen among indigenous populations, the IHS established standards for wait times for primary care and urgent care. The average time for a primary care visit at an IHS facility is 28 days or less, and for urgent care is 48 hours or less.

Given the high percentage American Indians and Native Alaskans living in rural environments and the wait time standards set by the IHS, telehealth seemed to be the perfect option during the pandemic. However, according to a new report from HHS the division implemented their telehealth system without some of the cybersecurity requirements.

According to the release, the OIG interviewed IHS employees and reviewed system security documentation to determine if their telehealth system was in fact secure. Some of the infractions that the OIG found included not completing a contingency plan or risk assessment. Additionally, the IHS did not complete the finalized authorization to operative or the system security plan. Even after implementation and use of the telehealth system, IHS did not correct known risks on some of the telehealth systems in an acceptable time limit.

In addition to providing more training for staff, the OIG recommends that the IHS develop a strategy for cybersecurity controls. Included is a definition of minimum set of critical controls that is implemented and tested before deployment with full assessment of risk, as well as an appropriate time period for the finalized authorization to operate to be completed. 

In 2020, Harvard researchers brought to light some of the weaknesses of telemedicine, which included security risks. The alarm highlighted the fact that many telehealth platforms don’t have the robust security measures that most practice management systems have. Given the alarming increase in healthcare data breaches this last year, it is critical that IHS shore up any vulnerabilities for such a large demographic of patients with higher death rates, especially given the fact that they serve a greater rural population. 

Share This Article: