IHS Needs To Improve Oversight of Its Hospitals' Opioid Prescribing and Dispensing Practices and Consider Centralizing Its Information Technology Functions

View Report

Date Issued

Wednesday, July 17, 2019

Submitting OIG

Department of Health & Human Services OIG

Other Participating OIGs

Department of Health & Human Services OIG

Agencies Reviewed/Investigated

Department of Health & Human Services

Components

Indian Health Service

Report Number

A-18-17-11400

Report Description

Prescription opioids continue to contribute to the opioid overdose epidemic. A prior OIG audit identified high volumes of opioid purchases in IHS communities. In addition, the prior OIG audit of two IHS hospitals determined that IHS did not have adequate information technology (IT) security controls to protect health information and patient safety. The audit also found significant differences in the way the two hospitals carried out their respective IT operations.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Additional Details

https://oig.hhs.gov/oas/reports/region18/181711400.asp

Open Recommendations

This report has 10 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
267148	Yes	$0	$0
IHS should work with hospitals to ensure that they follow the Indian Health Manual when prescribing and dispensing opioids;
267185	No	$0	$0
IHS should ensure that all hospitals: Institute complete and updated contingency plans and test plans in accordance with Federal guidelines.
267182	No	$0	$0
IHS should assign a centralized team (e.g., headquarters, area office) to: Securely configure and monitor wireless access points at all IHS hospitals.
267144	No	$0	$0
IHS revise the IHM manual to require area offices to submit completed annual reviews to IHS headquarters;
267181	No	$0	$0
IHS should assign a centralized team (e.g., headquarters, area office) to: Monitor and track end-of-service-life IT equipment that cannot be maintained centrally (e.g., switches or routers). IHS hospitals and area offices should provide a tracking spreadsheet to IHS headquarters on a periodic basis that highlights equipment that is reaching or has reached end of service life and replace such equipment or provide management approved justification for its continued use.
267183	No	$0	$0
IHS should: Ensure that physical IT controls are included in each hospital’s risk assessment.
267154	No	$0	$0
IHS work with hospitals to remediate the IT vulnerabilities identified.
267186	No	$0	$0
IHS should ensure that all hospitals: Store backup tapes off-site in accordance with Federal guidelines.
267187	No	$0	$0
IHS should ensure that all hospitals: Have a complete risk assessment, to include all IT assets, for all risks, both physical and information security, in accordance with IHS and NIST guidance.
267180	No	$0	$0
IHS should assign a centralized team (e.g., headquarters, area office) to: Ensure patches are deployed timely to all IHS end points in accordance with NIST guidance and IHS policies and procedures.