Major flaws in €60 million HSE computer system
By John Burke and Ian Kehoe
A patient records system built by the Health Service Executive (HSE) at a cost of €60 million has been plagued by security flaws and operational problems.
In one case, HSE auditors discovered that catering staff had access codes allowing them to read confidential personal details of hospital patients.
The Integrated Patient Management System (IPMS) is used by ten acute hospitals and 20 other HSE centres to manage patient records and was originally intended to link up all HSE records nationwide to aid treatment of patients.
However, internal audits conducted in June last year uncovered a series of five “high level” security risks within the IPMS system and found that controls to support the system were “inadequate”. As a result, the key patient management system is now being rolled out differently in each location across the country, rather than centrally.
The audit states that the differences between how hospitals operated the system were “fundamental” and would cause considerable difficulties if the HSE ever tried to link IPMS into a national database of patient records.
Crucially, there was no national roll-out strategy for the system, despite the HSE committing €60 million to the project, according to the audit information obtained under the Freedom of Information Act.
The audit said there was no assurance that the IPMS could meet its stated requirements for a single nationally integrated system, while files could not be shared between hospitals. The audit said that its findings could have “a significant impact” on the roll-out of a national shared patient records system and the quality of information contained on that system.
The audit looked at the IPMS system in two hospitals in the HSE’s South and West regions, and the final report was overseen by consultancy firm Mazars. In its reply to the audit, the lead officer of the HSE’s technology directorate said that work on the development of an ICT strategy in the HSE had been “stalled” for some time. It added that the national healthcare agency “did not have a national director of ICT in post for a lengthy period”.
One audit, in Kerry General Hospital, found that hospital catering staff had access to “patient activity history, including admission, discharge; name, address, GP, and a patient’s clinical data”.
However, no clinical data had been uploaded into the system when the breach was discovered by the audit team. It also emerged that there was no national security policy to instruct users within the hospitals on how to protect patient records held on IPMS.
Although the system was designed to be rolled out and integrated nationally, the audit found that hospitals were simply using the system to replace older technology, and did not have a standard implementation system.
The HSE entered into a deal with global technology provider iSoft three years ago to roll out the system to more than 50 hospitals nationwide.
ISoft said it could not comment on the contract due to a nondisclosure agreement.
Details of the confidential audits come as the HSE faces mounting pressure over its procedures and systems, following the revelation that more than 57,000 x-rays taken at Tallaght hospital between 2005 and the end of 2009 were not reviewed by a consultant.