In 2006-07, we examined processes of the Health Information Solutions Centre of the Ministry of Health (HISC) to protect the confidentiality, integrity, and availability of client information technology systems and data. We made six recommendations to help HISC improve its processes.
Our 2007 Report – Volume 3 describes our work, findings, and recommendations. In January 2008, PAC agreed with our recommendations.
We did our first follow-up in September 2009 to assess the progress HISC made to address our recommendations. Our 2009 Report – Volume 3 describes the result of our work. At that time HISC had implemented two of our six recommendations.
In September 2010, we did a second follow-up to assess HISC’s progress towards addressing the four remaining recommendations. We describe below our recommendations (in italics) and what HISC has done to implement them.
We recommended that the Health Information Solutions Centre of the Ministry of Health meet its service level commitments to its clients related to firewall management and disaster recovery.
HISC uses service level agreements to manage client expectations.
These agreements set out the responsibilities of HISC and its clients.
HISC has implemented processes to monitor firewalls to help it identify threats. HISC does not have an approved and tested disaster recovery plan as required in its service level commitments to clients (see disaster recovery plans below). HISC has partially met this recommendation.
We recommended that the Health Information Solutions Centre of the Ministry of Health follow its procedures for controlling user access to systems and data.
HISC has improved its management of user accounts and passwords to better control user access to systems. HISC has fully met this
recommendation.
We recommended that the Health Information Solutions Centre of the Ministry of Health protect systems and data from security threats by adequately configuring, updating, and monitoring its computers and network equipment.
HISC has implemented processes and equipment to allow it to better monitor for security threats. HISC has fully met this recommendation.
We recommended that the Health Information Solutions Centre of the Ministry of Health have an approved and tested disaster recovery plan for systems and data.
HISC does not have an approved and tested disaster recovery plan for its data centre. Management told us that HISC continues to make progress in developing a second data centre for disaster recovery purposes.
We continue to recommend that the Health Information Solution Centre of the Ministry of Health have an approved and tested disaster recovery plan for systems and data.
Status of other outstanding recommendations of the Standing Committee on Public Accounts
The following table provides an update on recommendations previously made by PAC that are not yet implemented and are not discussed earlier in this chapter.8
PAC REPORT
YEAR9
OUTSTANDING RECOMMENDATION STATUS
Saskatchewan Association of Health Organizations – Payroll System Security
2007 PAC concurs:
2E-1 that the Saskatchewan Association of Health Organizations monitor the security controls of its Internet Personnel Front End (IPFE) service provider to protect systems and data.
Partially implemented (as at March 31, 2009).
We plan to do a follow-up in 2012.
8For the definitions of the key terms used in the table, see Chapter 24 – Standing Committee on Public Accounts.
9PAC Report Year refers to the year that PAC first made the recommendation in its report to the Legislative Assembly.
Main points ... 157 Introduction ... 159 Audit conclusions and findings ... 160 Controlling bank accounts... 161 Protecting information technology (IT) systems and data... 162 Disaster recovery planning ... 163 Establishing complete policies and procedures... 164 Assessing the need for internal audit function... 165 Controlling capital assets... 166 Changing accounting records ... 166 Improving hiring practices ... 167 Relocation incentive policies... 168 Improving human resource plans... 168 Other matters – Loss of public money... 170 Cypress RHA’s processes to secure IT systems and data—a follow-up ... 170 Assess risks... 171 Monitor IT security ... 171 Control user access ... 172 Configure computer systems and data... 172 Protect computer systems and data... 173 Complete and test disaster recovery plan ... 173 Manage IT changes ... 174 Five Hills RHA’s processes to achieve planned outcomes—a follow-up... 174
Preparing progress reports and analyzing results... 175 Learning new management skills ... 175 Status of other outstanding recommendations of the Standing Committee on
Public Accounts ... 176
Main points
Regional Health Authorities (RHAs) continue to make progress towards improving how they safeguard public money. Two RHAs still need to control bank accounts when making payments to their employees and vendors. Some RHAs need to do more work to have complete and tested disaster recovery plans and some still do not have complete information technology (IT) processes. They need disaster recovery plans and IT processes to ensure the security, integrity and availability of their systems and data.
Sun Country RHA needs to follow its established policies when hiring management personnel. Lack of compliance with policies could result in inappropriate hiring decisions. Sun Country RHA also needs to establish processes for administering its relocation incentives. Lack of clear processes resulted in the loss of public money.
Cypress RHA has implemented three of our past recommendations to secure its information technology systems and data and needs to do more to fully address the remaining four. Five Hills RHA has fully addressed all of our past recommendations to improve its processes to achieve planned results.
Introduction
The Regional Health Services Act(the Act) makes the 12 Regional Health Authorities (RHAs) responsible for the planning, organization, delivery, and evaluation of health services in their health regions.
In 2010, the RHAs had revenues totalling $2.9 billion ($2.5 billion from the Ministry of Health). They had a combined annual deficit of $147 million (2009 - $317 million surplus). At March 31, 2010, the RHAs held total assets of $1.6 billion (2009 - $1.6 billion). Each RHA’s annual report includes its audited financial statements.
Under the Act, RHAs have the authority to appoint auditors. We work with appointed auditors using the framework recommended in theReport of the Task Force on Roles, Responsibilities and Duties of Auditors (www.auditor.sk.ca/rrd.html).
The following lists the RHAs and their appointed auditors. We audit the Regina Qu’Appelle RHA directly.
RHA Appointed Auditor
Cypress Stark & Marsh
Five Hills Virtus GroupLLP
Heartland KPMGLLP
Kelsey Trail Neupath Group, PC Inc.
Keewatin Yatthé Meyers Norris PennyLLP
Mamawetan Churchill River Deloitte & ToucheLLP
Prairie North Menssa Baert Cameron
Oldershaw
Prince Albert Parkland Meyers Norris PennyLLP
Saskatoon KPMGLLP
Sun Country Virtus GroupLLP
Sunrise Parker QuineLLP
This chapter reports the results of our annual audits of RHAs, and our follow-up work on the RHAs described below:
Cypress – processes to secure (i.e., protect confidentiality, integrity, and availability) its information technology systems and data
Five Hills – processes to achieve planned results
We also provide an update on the status of recommendations that the Standing Committee on Public Accounts made in the past that the RHAs have not yet implemented and are not discussed elsewhere in this chapter.
Audit conclusions and findings
In our opinion, for the year ended March 31, 2010:
the RHAs had adequate rules and procedures to safeguard public resources except for the matters reported in this chapter
the RHAs complied with the authorities governing their activities relating to financial reporting, safeguarding public resources, revenue raising, spending, borrowing, and investing except for the matter reported in this chapter
the RHAs’ financial statements are reliable
To complete our work, we relied on the work and reports of appointed auditors, except for the work and report of the appointed auditor of Sun Country. We did not rely on the appointed auditor’s work and report related to the RHA’s information technology polices including disaster recovery processes. We describe this matter later in this chapter under the heading “Protecting Information technology (IT) systems and data”.
When we do not rely on the work and reports of an appointed auditor,The Provincial Auditor Actrequires us to do additional work and report the results of our work. Our additional work consisted of examining Sun Country’s information technology policies, disaster recovery processes, and discussions with management.