April 6, 2020 —
Publicly Released: April 8, 2020
The objective of this audit was to determine whether DoD medical treatment facilities (MTFs) implemented physical security controls to prevent unauthorized access to facilities, equipment, and sensitive areas.
Several past security incidents at DoD installations demonstrate the importance of physical security controls to protect personnel and equipment at DoD facilities. For example, in January 2015, an Army veteran shot and killed a Department of Veteran’s Affairs psychologist on the grounds of William Beaumont Army Medical Center at Fort Bliss, Texas. In addition to insider threats, MTFs can also be subject to criminal acts such as theft. The U.S. Drug Enforcement Agency reported that in 2018 there were 647 armed robberies of controlled substances from U.S. pharmacies. Moreover, the Occupational Safety and Health Administration reported that the rate of serious workplace violence incidents on average was four times greater for health care workers than in private industry.
In 2019, the Government Accountability Office reported that DoD installations were not monitoring the personnel access control system for access to DoD installations.
On October 25, 2019, the Deputy Secretary of Defense directed that the authority, direction, and control of MTFs in the continental United States, Alaska, Hawaii, and Puerto Rico transfer from the Military Departments to the Defense Health Agency (DHA). The DHA entered into memorandums of agreement with the Military Departments to ensure efficient and effective MTF operations until the DHA reaches full operating capability. The DHA expects to be at full operating capability for physical security functions by October 1, 2020.
We determined that DoD MTFs generally implemented physical security controls, as required by DoD Instruction 5200.08, “Security of DoD Installations and Resources and the DoD Physical Security Review Board” December 10, 2005, incorporating Change 3, Effective November 20, 2015. However, we also determined that security weaknesses existed.
We visited eight MTFs and found that all had implemented local physical security measures. However, we identified security weaknesses at all of the eight MTFs that could allow unauthorized access to DoD MTFs and controlled or restricted areas within the MTFs. Specifically:
• Personnel at six of the eight MTFs had access to restricted areas, such as pharmacies, when they were not authorized access to those areas, because MTF staff did not update access control systems and there was no requirement for them to do so. For example, we determined that three unauthorized personnel at a major medical center used a badge to access the narcotics vault.
• Personnel did not limit access to only authorized personnel for a community-based clinic and did not assess the risk of unauthorized personnel entering the community-based clinic, as required by DoD guidance, because security personnel concluded that an access control point was unnecessary. However, staff at the clinic stated that unauthorized personnel had accessed the clinic in the past. Without an access control point, an unauthorized individual can enter the clinic and proceed to sensitive areas, such as the pharmacy, unchallenged by clinic staff.
• Generator facilities and fuel storage tanks were not always protected from unauthorized access because MTF personnel did not properly secure fences in accordance with DoD guidance, and, according to MTF security personnel, MTFs lacked the resources to replace ineffective barriers. Backup generators provide emergency power to essential systems in case of main power loss. Access to backup generators and fuel tanks by unauthorized personnel increases the risk of damage, sabotage, or acts of terrorism, potentially resulting in failure of medical equipment and loss of life.
• The commanders of two MTFs granted 24-hour access for all staff, including volunteers, to all exterior doors because the commanders wanted staff to have that level of access and there was no policy restricting that level of access. This included access to rear stairwell doors that would typically be used as emergency exits. Allowing access to rear doors increases the risk that unauthorized personnel, or staff without an operational need to enter the clinic, can access the MTF undetected, where they may have access to equipment, pharmaceuticals, and personal patient information.
• Use of security guards and security monitoring procedures were inconsistent within the DoD because no standards for security guards and monitoring existed for all DoD MTFs. Also, while all of the MTFs we visited had security monitoring equipment and alarm systems in use, the use of these security devices was inconsistent. For example, some MTFs used contractor personnel to actively monitor security cameras in order to provide real-time information to base security forces, while other MTFs recorded and archived video for reference in the event of a security incident. We found no minimum standard for use of security cameras and alarm systems in DoD MTFs.
As a result of these security weaknesses, the restricted areas where medical equipment and pharmaceuticals were stored were vulnerable to unauthorized access, and the MTFs were vulnerable to incidents of violence, sabotage, or terrorism. Based on our findings at the MTFs we visited and the lack of minimum physical security standards, we concluded that these weaknesses may also exist at other DoD MTFs.
Among other recommendations, we recommend that the DHA Director:
• issue guidance for all MTFs under DHA control to require security personnel to remove access permissions for unauthorized staff, and conduct quarterly system reviews to ensure that access to sensitive areas is limited to authorized personnel;
• determine whether community-based clinics under DHA control have established a baseline level of protection for leased facilities as required by DoD guidance, and established access controls based on risk to limit entry to authorized personnel only;
• assess generator and fuel storage security at each MTF under DHA control and implement controls that meet the DoD Unified Facilities Criteria requirements for generator facilities and fuel storage tanks, working with installation commanders when necessary; and
• issue guidance that requires personnel to enter and exit MTFs through specific sets of doors, such as main entrance or emergency room doors.
Management Comments and Our Response
The DHA Director agreed with all of the recommendations and stated that the DHA will take corrective actions. Specifically, the Director stated that the DHA is creating interim policies covering access systems and for the use of specific entry doors, security guards, and video monitoring and alarm systems until the DHA updates physical security requirements. Additionally, the Director stated that the DHA will task the Military Departments to conduct physical security inspections to identify weaknesses and implement controls, immediately conduct assessments of all generator facilities and fuel storage tanks, and provide the DHA with the baseline level of protection for all community-based clinics. These proposed actions resolve all of the recommendations. We will close the recommendations when the DHA provides documentation to support these actions.
This report is the product of Proj. No. D2019-D000AW-0136.000.