IHS Needs To Improve Oversight of Its Hospitals' Opioid Prescribing and Dispensing Practices and Consider Centralizing Its Information Technology Functions

Issued on  | Posted on  | Report number: A-18-17-11400

WHY OIG DID THIS REVIEW

Prescription opioids continue to contribute to the opioid overdose epidemic. A prior OIG audit identified high volumes of opioid purchases in IHS communities. In addition, the prior OIG audit of two IHS hospitals determined that IHS did not have adequate information technology (IT) security controls to protect health information and patient safety. The audit also found significant differences in the way the two hospitals carried out their respective IT operations.

We conducted this audit to analyze and compare opioid prescribing and dispensing practices and IT operations at five other IHS hospitals.

Our objectives were to determine whether (1) the hospitals we reviewed prescribed and dispensed opioids in accordance with IHS policies and procedures and (2) IHS's decentralized IT management structure affected its ability to deliver adequate IT and information security services at its hospitals in accordance with Federal requirements.

HOW OIG DID THIS REVIEW

We reviewed IHS's opioid prescribing and dispensing practices and information system general controls at five IHS hospitals. In addition, we reviewed a judgmental sample of 150 patients' records. Also, we performed a penetration test at each hospital.

WHAT OIG FOUND

The IHS hospitals we reviewed did not always follow the Indian Health Manual when prescribing and dispensing opioids. Specifically, through our patient record review, we found that hospitals did not always review the course of patient treatment and causes of pain within required timeframes, perform the required urine drug screenings within recommended time intervals, review patient health records before filling a prescription from a non-IHS provider, and maintain pain management documents to support that provider responsibilities had been performed. We also found that these IHS hospitals did not fully use the States' prescription drug monitoring programs when prescribing or dispensing opioids.

IHS's decentralized IT management structure led to vulnerabilities and weaknesses in implementing security controls at all five hospitals. IHS's controls were not effective at preventing or detecting our penetration test cyberattacks. In addition, the hospitals implemented IT security controls to protect health information and patient safety differently. Inconsistencies in the delivery of cybersecurity services can lead to the same vulnerability being remediated at one hospital but being exploited at another hospital that did not remediate the vulnerability. As a result, IHS hospital operations and delivery of patient care could have been significantly affected.

WHAT OIG RECOMMENDS AND IHS COMMENTS

We recommend that IHS work with hospitals to ensure they follow the Indian Health Manual when prescribing and dispensing opioids. We also recommend that IHS consider centralizing its IT systems, services, and functions by conducting a cost-benefit analysis of adopting a cloud computing policy, including centralization of IT systems, services, and functions. We made other procedural recommendations, which are listed in the report. We provided more detailed information and specific recommendations to IHS so that it can address specific vulnerabilities that we identified.

In written comments on our draft report, IHS concurred with our recommendations and described actions it has taken or plans to take to address our findings.

19-A-18-114.01 to IHS - Closed Implemented
Closed on 09/07/2023
We recommend that IHS revise the IHM to include the type of action a provider should take and what documentation to include in the patient's EHR when a UDS is unfavorable.

19-A-18-114.02 to IHS - Closed Implemented
Closed on 10/30/2024
We recommend that IHS revise the IHM to require area offices to submit completed annual reviews to IHS headquarters.

19-A-18-114.03 to IHS - Closed Implemented
Closed on 01/17/2023
We recommend that IHS increase oversight of IT systems by IHS management, including consideration of centralizing its key IT systems (including RPMS), services, and cybersecurity functions (e.g., patch management, unsupported network equipment, and contingency planning) by conducting a cost-benefit analysis and risk assessment of adopting the Cloud First Policy and other means of centralization (e.g., headquarters, area offices). Specifically, determine whether cloud solutions or other modernization approaches are most effective and cost-efficient in addressing persistent cybersecurity vulnerabilities and increasing network resiliency.

19-A-18-114.04 to IHS - Closed Implemented
Closed on 01/17/2023
We recommend that IHS present findings and cost savings analysis to tribal leadership and the IHS user community to get buy-in for any significant IT enterprise changes.

19-A-18-114.05 to IHS - Closed Implemented
Closed on 01/17/2023
We recommend that IHS implement a strategic and phased approach to centralization of IT systems, services and cybersecurity functions.

19-A-18-114.06 to IHS - Closed Implemented
Closed on 08/03/2022
We recommend that IHS work with hospitals to ensure pain management and related documentation are done in accordance with IHS policies and procedures.

19-A-18-114.07 to IHS - Closed Implemented
Closed on 09/07/2023
We recommend that IHS work with hospitals to develop policies and procedures to review the EHRs of patients with opioid prescriptions from non-IHS providers and document the results of the review in the EHR, particularly for those patients who had previously violated their COT agreements.

19-A-18-114.08 to IHS - Closed Implemented
Closed on 08/03/2022
We recommend that IHS work with hospitals to ensure opioid dispensing data are complete, accurate, and submitted in a timely manner to the State PDMP for use by providers and pharmacists.

19-A-18-114.09 to IHS - Closed Implemented
Closed on 08/03/2022
We recommend that IHS work with hospitals to ensure all opioids are in a locked cabinet, safe, drawer, or other appropriate secure container at all times.

19-A-18-114.10 to IHS - Closed Implemented
Closed on 09/07/2023
We recommend that IHS work with hospitals to track all opioids prescribed at the hospital in the patient EHRs, including those being filled at an outside pharmacy.

19-A-18-114.11 to IHS - Closed Implemented
Closed on 08/03/2022
We recommend that IHS work with hospitals to analyze opioid data to make decisions and oversee providers to minimize prescribing practices that exceed daily MME guidelines established by IHS, co-prescribe opioids and benzodiazepines, and use opioids for acute pain.

19-A-18-114.12 to IHS - Open Unimplemented
Update expected on 08/28/2025
We recommend that IHS work with hospitals to remediate the IT vulnerabilities identified.

19-A-18-114.13 to IHS - Closed Implemented
Closed on 08/03/2022
We recommend that IHS work with area offices to renegotiate the MOU with Oklahoma and other States that have restrictive MOU language to allow for PDMP self-audits and collection by clinical directors.

19-A-18-114.14 to IHS - Closed Implemented
Closed on 09/07/2023
We recommend that IHS work with area offices to complete required annual reviews that are consistent in type and level of detail across all IHS hospitals.

19-A-18-114.15 to IHS - Closed Implemented
Closed on 02/28/2025
We recommend that IHS assign a centralized team (e.g., headquarters, area office) to ensure patches are deployed in a timely manner to all IHS endpoints in accordance with NIST guidance and IHS policies and procedures.

19-A-18-114.16 to IHS - Open Unimplemented
Update expected on 08/28/2025
We recommend that IHS assign a centralized team (e.g., headquarters, area office) to monitor and track end-of-service-life IT equipment that cannot be maintained centrally (e.g., switches or routers). IHS hospitals and area offices should provide a tracking spreadsheet to IHS headquarters on a periodic basis that highlights equipment that is reaching or has reached end of service life, and should replace such equipment or provide management-approved justification for its continued use.

19-A-18-114.17 to IHS - Closed Implemented
Closed on 02/28/2025
We recommend that IHS assign a centralized team (e.g., headquarters, area office) to securely configure and monitor wireless access points at all IHS hospitals.

19-A-18-114.18 to IHS - Open Unimplemented
Update expected on 08/28/2025
We recommend that IHS ensure that physical IT controls are included in each hospital's risk assessment.

19-A-18-114.19 to IHS - Closed Implemented
Closed on 02/28/2025
We recommend that IHS ensure that all devices on IHS's network are scanned for vulnerabilities, that scan reports are reviewed by appropriate computer personnel, that vulnerability remediation is tracked, and that vulnerabilities are remediated in a timely way.

19-A-18-114.20 to IHS - Open Unimplemented
Update expected on 08/28/2025
We recommend that IHS ensure that all hospitals institute complete and updated contingency plans and test plans in accordance with Federal guidelines.

19-A-18-114.21 to IHS - Closed Implemented
Closed on 02/28/2025
We recommend that IHS ensure that all hospitals store backup tapes off-site in accordance with Federal guidelines.

19-A-18-114.22 to IHS - Open Unimplemented
Update expected on 08/28/2025
We recommend that IHS ensure that all hospitals have a complete risk assessment, to include all IT assets, for all risks, both physical and information security, in accordance with IHS and NIST guidance.
