Biometric access by unauthorized personnel found at DOD medical treatment facilities

Department of Defense (DoD) medical treatment facilities (MTFs) have deployed a variety of physical security controls, including biometric access. Still, a recently redacted, 32-page For Official Use Only DOD Inspector General report said an audit “identified security weaknesses at all of the eight MTFs [the IG investigated] that could allow unauthorized access to DoD MTFs and controlled or restricted areas within the MTFs.”

The IG emphasized the seriousness of the problem by noting the Government Accountability Office reported that in 2019, DOD installations were not monitoring personnel access control systems for access to DOD installations.

The IG’s audit report further noted the U.S. Drug Enforcement Agency reported 647 armed robberies of controlled substances from U.S. pharmacies in 2018. It also pointed out “the Occupational Safety and Health Administration said the rate of serious workplace violence incidents on average was four times greater for health care workers than in private industry.“

DOD MTFs’ electronic systems for access to sensitive, restricted, and controlled areas require badges, biometric readers such as fingerprint scanners, standard access cards with personal identification numbers, or a combination of these “to prevent unauthorized access to facilities, equipment, and sensitive areas.”

According to the IG’s redacted FOUO report, “MTFs generally implemented physical security controls, as required by DoD Instruction 5200.08, Security of DoD Installations and Resources and the DoD Physical Security Review Board December 10, 2005, incorporating Change 3, Effective November 20, 2015 … however, we … determined that security weaknesses existed.

Of the eight MTFs examined by IG investigators, they determined “personnel at six of the eight MTFs had access to restricted areas, such as pharmacies, when they were not authorized to access to those areas because MTF staff did not update access control systems and there was no requirement for them to do so”

For example, the IG’s report stated, “we determined that three unauthorized personnel at a major medical center used a badge to access the narcotics vault,” and that “personnel did not limit access to only authorized personnel for a community-based clinic and did not assess the risk of unauthorized personnel entering the community-based clinic, as required by DoD guidance.”

That was “because security personnel concluded that an access control point was unnecessary. However, the staff at the clinic stated that unauthorized personnel had accessed the clinic in the past.” And “without an access control point,” the IG investigation found, “an unauthorized individual can enter the clinic and proceed to sensitive areas, such as the pharmacy, unchallenged by clinic staff.”

Furthermore, the names of personnel who had been granted “access to restricted and sensitive areas were maintained in electronic access control systems, and when authorized personnel scanned their badges or entered their identification numbers, the system allowed access. Each MTF had procedures for adding personnel to access control systems, but did not have procedures to ensure” their “access was revoked when no longer authorized.”

As a result of these security weaknesses, the IG reported that “the restricted areas where medical equipment and pharmaceuticals were stored were vulnerable to unauthorized access, and… incidents of violence, sabotage, or terrorism.”

The Military Health System employs more than 144,000 at 51 hospitals, 424 clinics, 248 dental clinics, and 251 veterinary facilities across the nation and around the world, as well as in contingency and combat-theater operations worldwide.

It is unclear whether DOD’s IG or GAO will be investigating other DOD MTFs

Additionally, the IG’s investigators found “commanders of two MTFs granted 24-hour access for all staff, including volunteers, to all exterior doors because the commanders wanted staff to have that level of access and there was no policy restricting that level of access. This included access to rear stairwell doors that would typically be used as emergency exits.”

But by “allowing access to rear doors increases the risk that unauthorized personnel, or staff without an operational need to enter the clinic, can access the MTF undetected, where they may have access to equipment, pharmaceuticals, and personal patient information,” the IG concluded.

Equally as disturbing, the IG found “generator facilities and fuel storage tanks were not always protected from unauthorized access because MTF personnel did not properly secure fences in accordance with DoD guidance, and, according to MTF security personnel, MTFs lacked the resources to replace ineffective barriers.”

The IG noted the backup generators are criticial for supplying emergency power in the event of a main power loss, and that “access to backup generators and fuel tanks by unauthorized personnel increases the risk of damage, sabotage, or acts of terrorism, potentially resulting in failure of medical equipment and loss of life.”

In general, the IG reported that the “use of security guards and security monitoring procedures were inconsistent within the DOD because no standards for security guards and monitoring existed for all DOD MTFs.”

Also, while all of the MTFs IG investigators “visited had security monitoring equipment and alarm systems in use, the use of these security devices was inconsistent. For example, some MTFs used contractor personnel to actively monitor security cameras in order to provide real-time information to base security forces, while other MTFs recorded and archived video for reference in the event of a security incident. We found no minimum standard for the use of security cameras and alarm systems in DOD MTFs.”

In summary, access to restricted areas, building entrances, and power supplies, as well as security systems and monitoring procedures are inconsistent at DoD medical facilities, and now that the problem has been detailed, changes are likely coming.

Article Topics

access control  |  biometrics  |  credentials  |  Department of Defense  |  fingerprint readers  |  United States