The Malta Independent 26 April 2024, Friday

National Audit Office issues audit report on operational effectiveness of IT systems at Mater Dei

Tuesday, 31 May 2016, 18:33

The National Audit Office (NAO) has issued an audit report on the overall operational effectiveness of the Information Technology (IT) and Information Systems currently being used at the Mater Dei Hospital (MDH).

The principal aim of this report was to collect and analyse evidence to determine whether MDH has the necessary controls in place to ensure that its IT and Information Systems maintain data integrity; safeguard assets; allow organisational goals to be achieved effectively; and assist in making efficient use of the Government's IT-related resources.

During this audit, the NAO reviewed 14 software applications presently used by the Hospital as well as the entity's website and Facebook page. This report includes a number of key findings and recommendations related to the need to decommission one of the servers at MDH, which hosts the stock control software application that caters for the Sir Anthony Mamo Oncology Centre and the Pharmacy, Stores and Materials, Management and Logistics departments at the MDH, and migrate this to MITA's Segregated Hosted Environment.

They also relate to the complete extraction of all relevant data from the previous Patient Administration System to update the current Clinical Patient Administration System (CPAS), in view of the latter's relevance since this is integrated with various other software applications.

The key findings and recommendations also relate to the reactivation of the payroll system's audit trail functionality and review of this system, so as to increase automation in the payroll process and reduce dependence on manual input and manual processing by the end users; and development of an IT strategy which promotes further integration of IT software applications within MDH such as the integration of the Day Care Unit software application with CPAS.

Furthermore, the NAO examined the IT operations at MDH and made recommendations regarding the need to develop an internal policy for the secure disposal of devices which may contain confidential data, and to implement the necessary controls to ensure greater adherence to Government password policies in some of the systems. In this report the NAO also recommended that users be given clear guidelines on the management of offline e-mail boxes.

NAO also noted that MDH officials had drafted a number of standard operating and downtime procedures for various software applications. NAO commends this initiative and recommended that similar procedures are drafted for the remaining software applications. 

Among its findings, the NAO said that it was informed that the Medical Records department is running out of space and will soon find it difficult to stack more patients’ files. In this regard, the NAO was informed that the Medical Records department, together with the Director Health Informatics and the MEH, are looking for options to provide a simpler way of storing patients’ health information, including digitisation. The NAO therefore recommends that MDH analyses the options being considered without delay, whereby patients’ health information may be scanned and saved electronically, thus reducing the volume of the physical files and the related storage space required.

It also found that the IT Technical Support team does not securely wipe hard disks whenever a Personal Computer (PC) or laptop is transferred to a different user or is disposed of.

The NAO also observed that whilst blank passwords are not allowed, most of the IT systems selected for the purpose of this IT audit, including Access Dimensions, CPAS, DCU and Dakar amongst others, do not adhere to password management best practices.

In this regard, these IT systems do not offer sufficient password security controls, in terms of password complexity, password expiry, and password history, nor do they force the user to change the password upon first logon. The NAO is of the opinion that IT systems which do not offer sufficient password security controls should be enhanced and adhere to the GMICT Password policy. Furthermore, the NAO recommends that Information Security Awareness guidelines and training should be ongoing, whereby officials within MDH are provided with regular updates to foster security awareness and compliance with security policies and procedures.

At the time of the IT audit, the NAO observed that an official and an unofficial MDH Facebook page existed. Since the general public might not be aware that two different MDH Facebook pages exist, the NAO is of the opinion that the MDH Customer Care department should promote the official MDH Facebook page by providing links on the MDH website and ensure that these pages are continuously updated. Furthermore, the NAO is concerned about the presence of the unofficial MDH Facebook page and is of the opinion that the MDH Customer Care department should also seek advice on the presence of this page, as it is misleading the general public into thinking that this is the official MDH Facebook page.

The NAO also noted that in the majority of the IT software applications reviewed, only one ICT Application officer was supporting a particular system.

The report can be read here.