Information
and Communications Technology
– Future Directions : Management and Control
Health units are major service providers within the Department of Human Services (DHS) portfolio and are significant users of Information Technology critical to the health unit business and service delivery outcomes.
Three major health units in the portfolio are the Flinders Medical Centre (FMC), North Western Adelaide Health Service (NWAHS) and the Royal Adelaide Hospital (RAH).
Audit assessed certain key computer processing environments which support financial information and operational systems within the FMC, NWAHS and RAH health units. The review addressed aspects of organisational management, systems and associated internal controls for the following areas:
Strategic policy and planning
Business continuity planning
Security policy and procedures
Information systems operation
Aspects of database maintenance, and network and systems software support.
The critical areas of planning, policy and procedures, and security and control arrangements were considered in need of management attention to achieve a satisfactory control environment. These were communicated to each of the health units between July and August 2002.
With respect to strategic and management matters, two of the health units reviewed (FMC and NWAHS) needed to revise their IT Strategic Plans and have the plans formally endorsed by management. Audit noted that the reinstatement of formal Information Systems governance arrangements for two health units (NWAHS and RAH) needed to be considered.
Some of the more salient management and control matters requiring improvement which were consistent across the three health units reviewed are summarised as follows:
Key aspects of Business Continuity planning, procedures, implementation and testing and disaster recovery planning for all sites were not in place.
Security configuration within certain critical applications at health unit sites needs to be reviewed and improved.
Recommendations were made to two health units (FMC and RAH) to formalise documentation with respect to supporting the health unit’s systems development and maintenance methodology. Further, unrestricted access to production environments by systems support and/or analyst programmer personnel needed to be addressed at two health units (FMC and NWAHS).
A recurring issue for health units, reinforced by the reviews undertaken within the FMC, NWAHS and RAH health units, is that of formal procedures and testing to ensure business continuity and disaster recovery. Health units in general have not revisited the risk assessment in relation to their systems and facilities since the major thrust undertaken as a result of the Year 2000 millennium concern.
Health Unit Responses — All of the above health units responded in September 2002.
FMC advised that it intended to undertake and internal review and develop an IT Strategic Plan to complement the DHS 10 year IT Strategic Plan once the DHS plan is finalised. Regarding Business Continuity planning, FMC stated that review and testing of key elements of the plan would be completed by the end of the 2002-2003 financial year. Security configuration for a certain software application was to be upgraded by December 2002. Completion of documentation of the IT systems development and maintenance methodology would be completed in the first quarter of 2003.
In its response, NWAHS stated that an Information Services Committee had been reinstated and would be fully operational by the end of September 2002. NWAHS advised that development of an Information Technology and Telecommunications strategic plan depended upon the finalisation of the DHS 10 year IT Strategic Plan, the government direction for the two campus’ of the NWAHS and the IT&T restructure. Business contingency plans were in the process of updating and would be completed by the end of November 2002. Aspects of security policies, procedures and application configuration would be addressed by December 2002.
RAH advised that the reinstatement of an IT Forum was being planned. The response indicated that a number of projects were underway that addressed some of the issues raised by Audit. In addition, integration of the Prison Health Service and the Glenside Mental health Service with the RAH North Terrace facilities had commenced. An external consultant had been engaged to develop, review and exercise specific Disaster Recovery Planning by March 2003. IT Policy documentation was being updated and expanded.
Audit recently commenced follow up reviews at the three health units.
The NWAHS and RAH had responded at the time of preparation of this Report.
The NWAHS November 2003 response advised that the Information Services Committee will be reconvened. It would be instrumental in reviewing the IT&T Strategic Plan 2002-2004 and making recommendations to Executive. With regard to business continuity, Audit was advised that a TQEH risk register is being developed as is the development of a Business Continuity Plan. Security policies and procedures would be forwarded to the Operations Executive Group for consultation and endorsement. Aspects of security configurations for certain applications were being addressed.
The RAH November 2003 response advised that a draft Disaster Recovery Plan for the Patient Management System has been developed and other applications would be assessed to develop Disaster Recovery Plans for these systems. Assessment of the Oacis system as an alternative to the disaster recovery for the Patient Management System has had commenced with an anticipated outcome in early 2004. The Glenside campus contingency plan was to be developed as a component of an overall RAH plan. The RAH IT Policy documentation was being updated. Security event and Internet user access authentication and monitoring was now operational.
Follow up with FMC is still in progress.