WA Health’s management of its electronic medical record system has received a scathing appraisal by the state’s Auditor General, with data security vulnerabilities, storage gluts and clinical staff manually working around the digital system among the problems identified.

The Information Systems Audit Report 2018 assessed key business applications at five West Australian government agencies, including the patient medical record system at the Department of Health, and found management was to blame for a litany issues.

“Common weaknesses across all our information systems audits indicate agencies are not taking risks to information systems seriously enough. Most of the issues raised can be easily addressed and it appears that risks are simply not properly understood. They are certainly not being effectively managed.”

The report, which was designed to reveal information system weaknesses that could seriously affect the operations of government and potentially compromise sensitive information held by agencies, found numerous concerns with the Department of Health’s management of the electronic medical record system, which has been deployed to varying extents at Bunbury, Busselton, Royal Perth, Fremantle and Fiona Stanley hospitals.

According to the audit, WA Health’s delay in deciding whether to go digital state-wide is part of the problem.

“A lack of strategic direction and operational oversight has impacted the efficient and effective implementation of the Application. The DoH is yet to decide if all medical health records will be digitised across Western Australia as they are still in the process of developing a digital strategy. As a result, decisions regarding the Application’s design and deployment are made at individual hospitals without consideration of whole of Health needs.”

The audit report also claims the DoH has taken a hands-off management approach to the project, which was awarded in 2013, including its cost.

“Poor contract management means the DoH does not know if the vendor is effectively delivering the Application and how it is tracking against the $20 million contract. To make fully informed decisions about its future use the DoH needs to understand the total cost of providing the application.”

It claimed the department was unaware of the total price-tag of providing the system to hospitals, with hardware, vendor licences and support fees, staff resources for scanning documents, and offsite storage of paper medical records in addition to the contract.

The system was designed to reduce the reliance on paper records, increase patient safety and streamline business processes by introducing more efficient record capture practices, but the audit found the efficiency of the system had been compromised by poor oversight.

“The Application allows users to store and access medical records for patients. However, there are multiple management issues, including manual workarounds and storage limitations that have led to inefficient use of the Application. Security vulnerabilities also have the potential to expose confidential patient information to inappropriate access and misuse.”

The damning report says the use of paper records together with the electronic patient record system is creating waste and duplication.

“We found no evidence to show a reduction in the cost of maintaining paper records since deployment of the Application. To reduce the consumption rate of disk storage, medical records are being scanned at a resolution less than that required by the State Records Office to destroy the physical record. As a result, even after scanning, the DoH incurs costs to store physical records at an offsite storage location. This is inefficient, costly and contrary to the Application’s stated objectives.”

Document scanning is also creating data storage burdens that can cause outages.

“[T]he Application’s electronic storage consumption has greatly exceeded initial estimates, resulting in recurring system outages and additional costs. When storage limits are reached users are unable to access the system when treating patients and patient records cannot be scanned. This may cause a reliance on historical paper records and create a scanning backlog.

“The DoH has not carried out a proper root cause analysis to identify and resolve the system outages. This is required to limit disruption to clinical workflows and enable informed decisions about future roll out strategies for the Application.”

[Read more: WA Health’s “poor” IT delivery has created “culture of distrust,” report finds]

The audit also found the system had not been appropriately aligned to all clinical workflows, leading to problems.

“This has resulted in the use of manual workarounds and in some instances the need for new workarounds and repetitive manual entry of patient information. This is inefficient and increases the likelihood of errors.

“We were advised by staff of manual workarounds to compensate for system instability. Activities being manually tracked in spreadsheets rather than using the reporting module include clinical coding for medical rebates and the correction of medical record entry errors.

“The Application does provide the reporting functionality to track these activities, however staff reported that the system becomes unresponsive and unstable when running reports.

“In addition, we were not able to obtain information on the number of records manually scanned into the Application each month, to understand the use of the system, due to staff concerns that running reports would cause the system to crash.”

The report says weak information security controls place sensitive records at risk of inappropriate access and misuse, including inadequate vulnerability management and weak password configuration.

Out-of-date design documentation has also contributed to the risk of system failure and data security flaws.

“Documentation created as part of the Fiona Stanley Hospital commissioning in 2014 has not been updated and does not capture alterations in the system design or new interfaces to other systems (internal and external to WA Health). Without a clear understanding of system interfaces and functionality, there is an increased risk of system failure in the event of changes, incidents or a disaster recovery event. Further, there is a risk of inappropriate access to information by exploiting weaknesses in the interfacing systems.”

Within its recommendations, the report says the DoH should embed improved contract management practices, and develop new processes for making future decisions to deploy applications that include business cases supported by appropriate cost models.

WA Health has agreed to review its information security policies to apply better controls to protect sensitive information and implement across WA Health by the end of the year. The department has also said it will “clearly communicate the roles and responsibilities for the management of the Application, including who has the authority to analyse, prioritise and approve operational activity” by December 31, 2019.

In its response to the audit, the DoH said it welcomes the application control and management review by the Auditor General as a means of identifying areas for improvement across the system.

“The benefits of a digital medical record for the WA health system cannot be underestimated and its implementation across several health sites has shown its value in providing quality and timely patient care.”

The department said its digital health strategy, which is under development and is expected to be delivered on June 30, 2019, will guide the appropriate investment and implementation of core systems including digital medical records.

Other efforts are also underway to address problems.

“Contract management processes for applications will be subject to continuous improvement reviews to ensure all costs are identified, tracked and managed.

“The DOH notes that Health Service Providers provide different clinical services and is committed to working with clinicians to improve the use of applications in clinical workflows. This may require variation in application use between sites where applicable.

“The DOH acknowledges the weak information security controls that were identified and notes that a Digital Information Security Program is now in place to address the issues raised.”

To share tips, news or announcements, contact the HITNA editor on lynne.minion@himssmedia.com




White papers