`Significant risk' found in state of SDHB's IT disaster recovery plans

Peter Beirne.
Peter Beirne.
The Southern District Health Board's lack of up-to-date disaster recovery plans for its computer systems is exposing it to significant risk, Audit New Zealand says.

In its latest audit report on the board, completed in late September and released under the Official Information Act, Audit NZ said it was ''again'' highlighting the risk around this, and the lack of a disaster recovery testing regime.

Given the high reliance of the DHB on information technology systems to deliver services, ''continuity of operations is a significant business risk''.

It seems improvements in this area are not likely before the middle of this year.

Last February, board IT systems were out of action for about 36 hours as the result of a human error, but it was found the underlying cause was a lack of maintenance.

That failure came hard on the heels of the board's admission it had lost more than 3800 mammograms in 2013.

Board executive director of finance Peter Beirne said the board planned to ''enhance'' its disaster recovery systems when it joined the planned national infrastructure platform (NIP).

''Disaster recovery plans will be updated when the timing and extent of this pathway becomes certain.''

Health Benefits Ltd has been working with IT corporation IBM on planning the NIP, which aims to improve the security, reliability and service levels of boards' IT infrastructure.

An HBL spokesman said this week the service, including disaster recovery capabilities, should be established by the middle of this year and the board would have the option to access it then.

During the board audit for 2013-14, Audit NZ carried out an IT general controls review.

This looked at governance and planning, processes, organisation and relationships, the assessment and management of risks, and monitoring and evaluation of performance and internal controls.

The overall risk for these areas was assessed as medium.

''This means there is room for improvement in the process or system controls. Systems and information are exposed to risk of disruptions or unauthorised actions.''

In common with other areas, there had been an increased regional approach by boards to IT-related projects and the delivery of IT services in the South Island.

This brought a number of risks the board needed to mitigate.

These could include conflict between regional and local priorities; staff resourcing, including staff morale; project failure and single point of failure for the regional systems; and lack of standardised operating procedures.

Audit NZ said information systems project management, security and change management all needed better controls.

Most of the findings from the past years in this area had remained open, it said.

''We encourage the DHB to formally assess the risks we are raising on these findings, and allocate sufficient resources to remediate or mitigate these risks.''

Where the DHB chose to accept the risk, formal acceptance at the appropriate level of the board should be made.

The details of Audit NZ's findings on IT matters, including the status of findings it had raised in the past, were the subject of a separate report to board management that has not yet been officially released.

• In its report last year on audits of all 20 boards for 2012-13, the Auditor-general said more than half of them lacked formally documented and tested IT disaster recovery and business continuity plans.

The main technology risks for boards were aligning board plans with regional and national IT plans to avoid duplication, adequate IT governance, business continuity and IT disaster recovery, and information security.

Add a Comment

 

Advertisement