
Audit Report

AUDIT REPORT (50 points: 5 items x 10 points)

Direction: Read the case below and give what is asked.

Romero Hospital (RH) is one of the leading providers of health care services in the Philippines. It has 15 branches across the country. On January 2 last year, its management decided to procure a new system that can make patient medical records digitally available. It costs around P20 million, which will be used by the company for five (5) years, as stipulated in the contract. The said system will be used to create electronic progress notes during care and scan paper medical records and store them, typically at the end of a patient's episode of care. As stated in the procurement plan of the company, the system was procured to meet the following specific objectives:

- Reduce reliance on and cost of maintaining paper records;
- Increase patient safety by providing rapid concurrent access to medical records; and
- Streamline business processes by introducing more efficient record capture practices.

On January 5, the application has been deployed to its branches in Luzon. At the end of the year, an audit has been conducted for the implementation of the said system.

The audit team found out that the lack of strategic direction and operational oversight has impacted the efficient and effective implementation of the new system. The hospital is yet to decide if all medical health records will be digitized across the country as they are still in the process of developing a digital strategy. As a result, decisions regarding the application's design and deployment are made at individual hospitals without consideration of the needs of the company as a whole. This increases the risk that the application may not meet the stated objectives in the procurement plan.

The audit team also found out that the application provides digital access to historical medical records. Every patient has a paper file/record created, which is scanned into the application at the end of their episode of care. Efficiencies arise from having digital access to these records during subsequent episodes of care. However, the audit team also found no evidence to show a reduction in the cost of maintaining paper records since the deployment of the application. To reduce the consumption rate of disk storage, medical records are being scanned at a resolution less than that required by the authority to eliminate the physical record. As a result, even after scanning, RH incurs costs to store physical records at an offsite storage location. This is inefficient, costly, and contrary to the application's stated objectives.

Also, the application's electronic storage consumption has greatly exceeded initial estimates, resulting in recurring system outages and additional costs. When storage limits are reached, users are unable to access the system when treating patients and patient records cannot be scanned. This may cause a reliance on historical paper records and create a scanning backlog. RH has not carried out a proper root cause analysis to identify and resolve the system outages. This is required to limit the disruption to clinical workflows and enable informed decisions about the future roll-out strategies for the application.

RH does not know if the vendor is meeting the needs of the business or if contractual costs are being managed effectively. The audit team identified weaknesses in how RH manages the vendor contract, which includes lack of defined roles and responsibilities for managing the vendor, no routine reporting by the vendor and monitoring by the RH staff of service level agreements, and no monitoring of contract costs. Also, RH does not know the total cost of providing the application to the hospitals. The current P20 million contract does not include the cost of the hardware, vendor licenses and support fees, staff resources responsible for scanning documents, and offsite storage of the original medical records. To make fully informed commercial decisions about contract extension, RH needs to know the total cost of service performance of the application.

Furthermore, the audit team found the following gaps in the controls of securing confidential records:

- Inadequate vulnerability management. RH does not have an effective process to identify, assess and address known software vulnerabilities promptly. These vulnerabilities could be used to gain unauthorized access to sensitive data or disrupt systems. We conducted vulnerability scans on key application servers and identified 54 critical and 102 high severity vulnerabilities due to software updates that had not been applied.
- Weak password configuration. Analysis of the network accounts identified that around 40% have weak passwords, including a high number of privileged accounts. Access to the application requires an enabled application account. Weak password configuration makes the system susceptible to password guessing attacks. This could lead to unauthorized access to patient information and further exploitation of RH systems.
- Ineffective user account management. There is no process to routinely review who has access to the application and to monitor user activity. Analysis of the application accounts identified approximately 5,500 accounts or 15% of the total accounts that have not logged on to the system for over 12 months. Without appropriate user account management controls, there is an increased risk of unauthorized or inappropriate access to patient information.
- Insufficient continuity management processes. Health support services have not developed appropriate business continuity or disaster recovery management processes. Also, the maximum acceptable unavailability times and priority for the application to be restored in the event of an incident have not been defined. Without an up-to-date and tested Business Continuity Plan (BCP) and Disaster Recovery Plans (DRP), there is an increased risk that key business functions and processes will not be restored promptly after a disruption.
- Application risks are not being formally managed. There is no framework in place that outlines how the application's risks are identified, assessed, managed, and escalated on a routine basis. Moreover, there is no mechanism to ensure the application's risks are appropriately considered in the risk frameworks across its branches. Without an effective risk management process, the application may fail to meet the business needs.

From the above findings, the audit team recommended Romero Hospital to:

- Embed appropriate contract management practices.
- Develop appropriate processes to support future decisions to deploy applications, including approving business cases that are supported by appropriate cost models.
- Review its information security policies to apply appropriate controls to protect sensitive information.
- Develop, approve and communicate a digital strategy to guide the other branches, specifically in Mindanao and Luzon, in digitizing their medical records.
- Conduct analysis to determine the business needs and assess if the application is capable of meeting those needs.
- Communicate the roles and responsibilities for the management of the application, including who has the authority to analyze, prioritize, and approve the operational activity.

After the audit team issued its report, RH issued its response, which states that:

- It welcomes the application control and management review by the audit team as a means of identifying areas for improvement across the system.
- The benefits of a digital medical record for the company's health system cannot be underestimated and its implementation across several health sites has shown its value in providing quality and timely patient care.
- It is in the process of developing a digital health strategy to guide the appropriate investment and implementation of core systems, including digital medical records.
- Contract management processes for applications will be subject to continuous improvement reviews to ensure all costs are identified, tracked, and managed.
- It notes that Health Service Providers provide different clinical services and are committed to working with clinicians to improve the use of applications in clinical workflows. This may require variation in application use between sites where applicable.
- It acknowledges the weak information security controls identified and notes that a Digital Information Security Program is now in place to address the issues raised.

Required: Prepare an audit report based on the given scenario. Your audit report must contain the following (5 items x 10 points):

- Introduction
- Conclusion
- Background
- Audit Findings
- Recommendations

Refer to Audit Report.pdf for examples on how to write an information system audit report.
