Several Western Australian hospitals use a patient medical record system (the Application) to make patient medical records digitally available. This Application stores sensitive information such as patient identity and medical records.
The Department of Health (DoH) is still to decide if all medical health records will be digitised across Western Australia. This has impacted the realisation of expected efficiency gains and improvements in patient care records across the Health system from the implementation of the Application.
Poor contract management means the DoH does not know if the vendor is effectively delivering the Application and how it is tracking against the $20 million contract. To make fully informed decisions about its future use, the DoH needs to understand the total cost of providing the Application.
The Application allows users to store and access medical records for patients. However, there are multiple management issues, including manual workarounds and storage limitations, that have led to inefficient use of the Application. Security vulnerabilities also have the potential to expose confidential patient information to inappropriate access and misuse.
A small number of hospitals across the Health system use the Application. It is used to create electronic progress notes during care and to scan paper medical records and store them, typically at the end of a patient’s episode of care.
The Department of Finance procured the Application on behalf of the DoH. The vendor was awarded a contract for just over $20 million in total (including GST) in 2013. The contract was for an initial 5-year period with 2 options to extend for a total of another 5 years.
The procurement plan stated the anticipated objectives of the system were to:
- reduce reliance on and cost of maintaining paper records
- increase patient safety by providing rapid concurrent access to medical records
- streamline business processes by introducing more efficient record capture practices.
Health Support Services provide the infrastructure to support the Application across all hospitals.
Unclear decision-making and lack of digitisation strategy have impacted the implementation of the Application
A lack of strategic direction and operational oversight has impacted the efficient and effective implementation of the Application. The DoH is yet to decide if all medical health records will be digitised across Western Australia as it is still in the process of developing a digital strategy. As a result, decisions regarding the Application’s design and deployment are made at individual hospitals without consideration of whole of Health needs. This increases the risk that the Application may not deliver against the stated objectives of:
- reduced reliance on and cost of maintaining paper records
- rapid and concurrent access to medical records
- more efficient record capture practices.
The Application provides digital access to historical medical records. Every patient has a paper file/record created which is scanned into the Application at the end of their episode of care. Efficiencies arise from having digital access to these records during subsequent episodes of care.
We found no evidence to show a reduction in the cost of maintaining paper records since deployment of the Application. To reduce the consumption rate of disk storage, medical records are being scanned at a resolution less than that required by the State Records Office to destroy the physical record. As a result, even after scanning, the DoH incurs costs to store physical records at an offsite storage location. This is inefficient, costly and contrary to the Application’s stated objectives.
In addition, the Application’s electronic storage consumption has greatly exceeded initial estimates, resulting in recurring system outages and additional costs. When storage limits are reached users are unable to access the system when treating patients and patient records cannot be scanned. This may cause a reliance on historical paper records and create a scanning backlog.
The DoH has not carried out a proper root cause analysis to identify and resolve the system outages. This is required to limit disruption to clinical workflows and enable informed decisions about future roll out strategies for the Application.
Lack of appropriate contract management means the DoH cannot be certain if it is on budget and getting what it paid for
The DoH does not know if the vendor is meeting the needs of the business or if contractual costs are being managed effectively. We identified weaknesses in how the DoH manages the vendor contract. In particular, there is a lack of defined roles and responsibilities for managing the vendor, no routine reporting by the vendor and monitoring by DoH staff of service level agreements, and no monitoring of contract costs.
In addition, the DoH does not know the total cost of providing the Application to the hospitals. The current $20 million contract does not include the cost of the hardware, vendor licences and support fees, staff resources responsible for scanning documents, and offsite storage of the original medical records. To make fully informed commercial decisions about contract extension the DoH needs to know the total cost of service performance of the Application.
We expected, but did not find, that by May 2018 the DoH had started to review future needs and whether to invoke the option to extend the vendor contract, as the initial contract period is due to end in August 2018.
Manual processes could compromise the efficient use of the Application
We identified opportunities for the DoH to improve the use of the Application through better alignment to business workflows and report functionality.
The Application has not been appropriately aligned to all clinical workflows. This has resulted in the use of manual workarounds and in some instances the need for new workarounds and repetitive manual entry of patient information. This is inefficient and increases the likelihood of errors.
We were advised by staff of manual workarounds to compensate for system instability. Activities being manually tracked in spreadsheets rather than using the reporting module include clinical coding for medical rebates and the correction of medical record entry errors.
The Application does provide the reporting functionality to track these activities; however, staff reported that the system becomes unresponsive and unstable when running reports. In addition, we were not able to obtain information on the number of records manually scanned into the Application each month, to understand the use of the system, due to staff concerns that running reports would cause the system to crash.
Weak information security controls place sensitive records at risk of inappropriate access and misuse
We identified gaps in the controls to secure confidential patient records. These included:
- Inadequate vulnerability management – The DoH does not have an effective process in place to identify, assess and address known software vulnerabilities in a timely manner. These vulnerabilities could be used to gain unauthorised access to sensitive data or disrupt systems. We conducted vulnerability scans on key Application servers and identified 54 critical and 102 high severity vulnerabilities as a result of software updates that had not been applied.
- Weak password configuration – Analysis of the network accounts identified that around 40% have weak passwords, including a high number of privileged accounts. Access to the Application requires an enabled Application account and access to the WA Health network. Weak password configuration makes the system susceptible to password guessing attacks. This could lead to unauthorised access to patient information and further exploitation of DoH systems.
- Ineffective user account management – There is no process to routinely review who has access to the Application and to monitor user activity. Analysis of Application accounts identified approximately 5,500 accounts (15%) that have not logged on to the system for over 12 months. Without appropriate user account management controls, there is an increased risk of unauthorised or inappropriate access to patient information.
- Insufficient continuity management processes – Health Support Services has not developed appropriate business continuity or disaster recovery management processes. In addition, the maximum acceptable unavailability times and priority for the Application to be restored in the event of an incident have not been defined. Without an up-to-date and tested Business Continuity Plan (BCP) and Disaster Recovery Plans (DRP) there is an increased risk that key business functions and processes will not be restored in a timely manner after a disruption.
- Application risks are not being formally managed – There is no framework in place that outlines how the Application’s risks are to be identified, assessed, managed and escalated on a routine basis. In addition, there is no mechanism to ensure the Application’s risks are appropriately considered in the risk frameworks across the Health system. Without an effective risk management process, applications may fail to meet business needs. While an Application risk analysis was conducted during the commissioning of Fiona Stanley Hospital, it has not been reviewed since. In addition, there were multiple ‘High’ application risks that were still present when the system went live.
- Out of date design documentation – Documentation created as part of the Fiona Stanley Hospital commissioning in 2014 has not been updated and does not capture alterations in the system design or new interfaces to other systems (internal and external to WA Health). Without a clear understanding of system interfaces and functionality, there is an increased risk of system failure in the event of changes, incidents or a disaster recovery event. Further, there is a risk of inappropriate access to information by exploiting weaknesses in the interfacing systems.
The DoH should:
- embed appropriate contract management practices
- develop appropriate processes to support future decisions to deploy applications, including approving business cases which are supported by appropriate cost models
- review its information security policies to apply appropriate controls to protect sensitive information. Embed the policy across WA Health.
DoH response: Agreed
Implementation timeframe: by 31 December 2018
- develop, approve and communicate a digital strategy to guide WA Health’s approach to digitising medical records
DoH response: Agreed
Implementation timeframe: by 30 June 2019
- conduct analysis to determine the business needs and assess if the Application is capable of meeting those needs
- clearly communicate the roles and responsibilities for the management of the Application, including who has the authority to analyse, prioritise and approve operational activity.
DoH response: Agreed
Implementation timeframe: by 31 December 2019.
The Department of Health (DOH) welcomes the application control and management review by the Auditor General as a means of identifying areas for improvement across the system. The benefits of a digital medical record for the WA health system cannot be underestimated and its implementation across several health sites has shown its value in providing quality and timely patient care.
The DOH is in the process of developing a Digital Health Strategy to guide the appropriate investment and implementation of core systems including digital medical records.
Contract management processes for applications will be subject to continuous improvement reviews to ensure all costs are identified, tracked and managed.
The DOH notes that Health Service Providers provide different clinical services and is committed to working with clinicians to improve the use of applications in clinical workflows. This may require variation in application use between sites where applicable.
The DOH acknowledges the weak information security controls that were identified and notes that a Digital Information Security Program is now in place to address the issues raised.