The Southern District Health Board is managing the risk of computer outages ''very well'' in the lead-up to joining a national information technology infrastructure, its IT director, John Simpson, says.
Mr Simpson was responding to concerns raised in Audit New Zealand's IT general controls review, reported to board management last September.
The report was released under the Official Information Act, with some parts redacted on the grounds release could risk exposing the board's IT systems to illegal interference.
The auditors expressed an ongoing concern about the board's lack of an up-to-date disaster recovery plan or disaster testing regime, describing it as a significant business risk.
It noted the lack of a formalised process to test the plan, even at the minimum level through a desktop review.
Mr Simpson said the board was not in a position to ''switch the hospital off'' to test its disaster recovery procedures.
He was confident staff had learned from outages in recent years and worked out how to improve recovery times.
Planned outages, where parts of the system had to be shut down to allow upgrades and maintenance, had worked ''stunningly'' well, providing emergency recovery co-ordinators with good opportunities to test their training.
The overall reliability of the existing system was 99.99% and while it made ''a splash'' when systems went down, the reliability was high in a system that had to work around the clock.
The board will become part of the national infrastructure platform (NIP), which Mr Simpson said ''moves us away from looking at hardware and software to looking at the application itself and how important it is on a day-to-day basis''.
Under the NIP, district health boards will go from 40 data centres of varying size, age and quality to two data centres in Auckland and Christchurch with higher security classifications, managed by IBM.
Boards will be able to buy their IT infrastructure as required, meaning they pay for only what they need without having to maintain and own their own infrastructure.
Mr Simpson this would allow the board to decide which parts of the system needed to be ''gold standard'' in terms of such things as disaster recovery times and which would be adequately served by a lesser standard.
While the timing was still tentative, Mr Simpson expected the migration of the board's systems to the NIP to mainly occur next year, and new equipment would become part of it from about July this year.
Security concerns involving more than 200 generic log-on accounts were raised by the auditors. They said lack of traceability to a specific person increased the risk of unauthorised transactions being entered in the system.
Mr Simpson said there were many levels of security. For example, users logging in to the network would have to use a particular log-in and password but would require a completely different log-in and password before getting access to financial systems.
The log-on accounts referred to by the auditors were in the active directory, which was network-level security, and mostly for systems to ''connect and communicate''. All were well controlled and monitored.
Unauthorised transactions could not occur because that would require a second log-in and password and ''we most certainly do not allow that''. In a section on effective government and management, Audit NZ criticisms included the level of upward reporting on such things as incidents, system performance and availability and problems, saying this was either ''not formal, insufficient or not done''.
The monthly report to the hospital advisory committee concentrated on the financial aspects of projects.
Mr Simpson said issues that could have an impact on patient safety or service delivery were escalated to the committee. There was regular monitoring of critical systems and lower-level monitoring of servers was being progressively implemented.
Reports on this were presented to the infrastructure manager, which the board believed to be the appropriate level for this.
The board's IT project management also came in for criticism with eight weaknesses noted, including that there appeared to be no clear criteria to define what an ICT project was, to ensure that it would be overseen by the project management framework.
Lack of quality assurance mechanisms, inconsistency, projects not being properly signed off or reviewed after completion were among the other issues listed.
Mr Simpson appeared surprised by some of these criticisms, saying he took ''great pride'' in how IT projects were managed. His staff used the Prince2 (Projects in controlled environments) management system.
The board said integration to the regional project management framework under the South Island Information Systems Alliance would address many of the issues noted. A full review of the next large-scale project would help in determining the ''suitability of the remaining recommendations'' from Audit NZ.
Mr Simpson was also surprised by a section in the report questioning the level of auditing of board systems and recommending that an independent review of IT operations be performed on a regular basis. Mr Simpson pointed out Audit NZ had carried out an IT audit in each of the past two years.
He said he welcomed audits because if they found a ''hole that needs plugging'' it was much better to find it before it caused a problem. Mr Simpson expected if auditors returned to see the board's system late next year, they would find it ''significantly different'' as a result of the board's involvement in regional and national IT projects.
