What We Did:
The objective of this audit was to determine whether DoD medical treatment facilities (MTFs) implemented physical security controls to prevent unauthorized access to facilities, equipment, and sensitive areas.
What We Found:
We determined that DoD MTFs generally implemented physical security controls, as required by DoD Instruction 5200.08, “Security of DoD Installations and Resources and the DoD Physical Security Review Board,” December 10, 2005, incorporating Change 3, Effective November 20, 2015. However, we also determined that security weaknesses existed.
We visited eight MTFs and found that all had implemented local physical security measures. However, we identified security weaknesses at all of the eight MTFs that could allow unauthorized access to DoD MTFs and controlled or restricted areas within the MTFs. Specifically:
• Personnel at six of the eight MTFs had access to restricted areas, such as pharmacies, when they were not authorized access to those areas, because MTF staff did not update access control systems and there was no requirement for them to do so. For example, we determined that three unauthorized personnel at a major medical center used a badge to access the narcotics vault.
• Personnel did not limit access to only authorized personnel for a community-based clinic and did not assess the risk of unauthorized personnel entering the community-based clinic, as required by DoD guidance, because security personnel concluded that an access control point was unnecessary. However, staff at the clinic stated that unauthorized personnel had accessed the clinic in the past. Without an access control point, an unauthorized individual can enter the clinic and proceed to sensitive areas, such as the pharmacy, unchallenged by clinic staff.
• Generator facilities and fuel storage tanks were not always protected from unauthorized access because MTF personnel did not properly secure fences in accordance with DoD guidance, and, according to MTF security personnel, MTFs lacked the resources to replace ineffective barriers. Backup generators provide emergency power to essential systems in case of main power loss. Access to backup generators and fuel tanks by unauthorized personnel increases the risk of damage, sabotage, or acts of terrorism, potentially resulting in failure of medical equipment and loss of life.
• The commanders of two MTFs granted 24-hour access for all staff, including volunteers, to all exterior doors because the commanders wanted staff to have that level of access and there was no policy restricting that level of access. This included access to rear stairwell doors that would typically be used as emergency exits. Allowing access to rear doors increases the risk that unauthorized personnel, or staff without an operational need to enter the clinic, can access the MTF undetected, where they may have access to equipment, pharmaceuticals, and personal patient information.
• The use of security guards and security monitoring procedures was inconsistent within the DoD because no standards for security guards and monitoring existed for all DoD MTFs. Also, while all of the MTFs we visited had security monitoring equipment and alarm systems in use, the use of these security devices was inconsistent. For example, some MTFs used contractor personnel to actively monitor security cameras in order to provide real-time information to base security forces, while other MTFs recorded and archived video for reference in the event of a security incident. We found no minimum standard for use of security cameras and alarm systems in DoD MTFs.
As a result of these security weaknesses, the restricted areas where medical equipment and pharmaceuticals were stored were vulnerable to unauthorized access, and the MTFs were vulnerable to incidents of violence, sabotage, or terrorism. Based on our findings at the MTFs we visited and the lack of minimum physical security standards, we concluded that these weaknesses may also exist at other DoD MTFs.
What We Recommend:
Among other recommendations, we recommend that the DHA Director:
• issue guidance for all MTFs under DHA control to require security personnel to remove access permissions for unauthorized staff, and conduct quarterly system reviews to ensure that access to sensitive areas is limited to authorized personnel;
• determine whether community-based clinics under DHA control have established a baseline level of protection for leased facilities as required by DoD guidance, and established access controls based on risk to limit entry to authorized personnel only;
• assess generator and fuel storage security at each MTF under DHA control and implement controls that meet the DoD Unified Facilities Criteria requirements for generator facilities and fuel storage tanks, working with installation commanders when necessary; and
• issue guidance that requires personnel to enter and exit MTFs through specific sets of doors, such as main entrance or emergency room doors.