Almost nine in every ten Victorian public hospitals don’t have information classification procedures in place that are adequate to protect the sensitive data they hold, the State’s Auditor-General has found.
Information security was one of the primary areas of concern raised following a financial audit of 87 Victorian public hospitals and another 25 entities that they control, which was released on 9 November 2011.
The Auditor-General also found that:
- 74 per cent of Victorian public hospitals had not conducted an internal audit of their IT security within the past three years;
- 61 per cent had not established arrangements to monitor compliance with policies and procedures; and
- 55 per cent had not incorporated an IT steering committee into their governance structure.
Some of these findings contradict the Standing Directions of the Minister for Finance, which require public hospital boards to assess IT risks and their impact on financial management at least once a year.
In addition to its IT security and risk assessment findings, the report raised concerns about the absence of specialist IT steering committees at 17 unnamed regional hospitals, some of which have ICT expenditure of up to $508 million per annum.
These committees are responsible for advising hospital management on IT investment and services and for preventing unnecessary or wasteful IT spending. The Auditor-General described the establishment of IT steering committees for public sector IT environments as “the best practice across the public sector.”
The Auditor-General’s report also recommended that hospitals develop comprehensive policies and procedures for procurement and tendering.
It found that 91 per cent of all state hospitals did not benchmark their procurement outcomes and costs against external standards. Another 58 per cent of public hospitals also failed to specify reporting requirements or frequency in their procurement policies, and over half of all hospitals also failed to commission internal audits of their procurement activities.
These recommendations on procurement echo the findings of another Auditor-General’s report released in late October 2011, which investigated the Victorian public hospital sector’s procurement practices. The procurement report focused on the procurement and probity shortcomings of Health Purchasing Victoria (HPV), the State’s central procurement agency for the public hospital sector.
Whilst the procurement report commended HPV’s central procurement operations, the report found that HPV neglected its other roles and responsibilities, most notably its failure to assure the probity of public hospital procurement practices. The report attributed this finding to the agency’s lack of information and knowledge necessary to understand whether procurement practices are properly conducted.
The procurement report also found that HPV did not measure the actual savings generated through HPV contracts, leaving public hospitals unaware of any further savings potential. Instead, HPV provided an estimated savings figure of $40 million for 2010-11, which the Auditor-General labelled “reasonable”.
Beyond IT security and procurement, the Auditor-General also commended the public hospital sector on other areas of IT management where more positive results were recorded. These include a 100 per cent pass rate for all Victorian hospitals on having adequate backup and recovery procedures, and a 92 per cent success rate in establishing adequate IT risk management policies.