The Lemuel Shattuck Hospital
September 14, 2011 · Lemuel Shattuck Hospital · Read the full official report (PDF) ↗
source
“However, as noted in the Audit Results section of this report, we found that LSH’s controls over physical security and inventory controls over computer equipment needed to be enhanced.”
Read the plain-English breakdown
This is a state audit of selected information technology controls at Lemuel Shattuck Hospital in Boston, covering July 1, 2008 through January 31, 2011.
“In accordance with Chapter 11, Section 12, of the General Laws, we performed an audit of selected information technology (IT) related controls at the LSH for the period July 1, 2008 through January 31, 2011.”
Auditors reviewed whether the hospital’s IT environment was controlled well enough to protect systems, equipment, data, and operations that support patient care and hospital work.
“The primary audit objective regarding the examination of IT-related controls was to determine whether the IT environment was sufficiently controlled to support the automated systems and provide reasonable assurance that control objectives would be achieved to support the LSH’s mission.”
Weak key controls could allow people who should not have access to enter sensitive hospital areas, including places with patients, staff, resources, or confidential information.
“As a result, the LSH cannot ensure that only authorized employees have access to areas housing patients, staff, and resources or containing critical and sensitive information.”
For an ordinary Massachusetts resident, this matters because the hospital uses public funds and serves vulnerable patients, so its equipment, records, and secure areas need to be protected and accounted for.
“The LSH received $72.1 million in state funds for fiscal year 2009, $69.7 million for fiscal year 2010, and $69.5 million for fiscal year 2011.”
The hospital had two main problems: it did not reliably track who still had keys, and it did not keep a fully reliable inventory of computer equipment.
“Our audit disclosed that the LSH’s inventory control practices over computer equipment needed to be strengthened to ensure that IT resources would be properly accounted for in the LSH’s system of record for property and equipment.”
The hospital said it had started checking outstanding keys, updating its key database, revising procedures, and tightening equipment tracking; auditors still emphasized ongoing monitoring and annual reconciliation.
“The Facilities Management Department has begun an inventory of all outstanding keys in conjunction with Human Resources and Campus Registration.”
The findings are significant because poor inventory records make it harder for the hospital to know whether computer equipment is missing, misplaced, or properly used.
“The absence of a sufficiently reliable inventory of computer equipment hinders the LSH’s ability to properly account for IT resources, evaluate the allocation of equipment, identify missing equipment, and meet IT configuration objectives.”
A “perpetual inventory record” means a running, up-to-date list of equipment that should show what the hospital owns and where it is.
“Specifically, we determined that adequate controls were not in effect to provide reasonable assurance that a current, accurate, and complete perpetual inventory record of computer equipment was being maintained.”
What the Auditor checked
- Partially Determine whether the IT environment was sufficiently controlled to support the automated systems and provide reasonable assurance that control objectives would be achieved to support the LSH’s mission.
What the Auditor found
Why it matters: Unauthorized individuals could access areas containing patients, staff, resources, or sensitive information.
Standard: LSH Policy No. I.39 requires Facilities Management to administer, track, distribute, cut, and maintain keys and lock systems. ( LSH’s Policy No. I.39 )
3 recommendations
- Reconcile the authorized key record to a listing of current employees, medical interns and residents, and contractors.
- Retrieve keys from people who left employment or replace locks to designated secure areas.
- Improve communication between Facilities Management and Human Resources and enforce key-management policies.
Agency response & Auditor reply
Agency: "The Facilities Management Department has begun an inventory of all outstanding keys in conjunction with Human Resources and Campus Registration."
Auditor: "In addition to the procedures it has outlined in its response, the LSH should continue to evaluate potential physical security risks of outstanding keys and ensure that appropriate procedures are in place to sufficiently monitor compliance with the established security requirements and standards."
Why it matters: The hospital could not properly account for IT resources, evaluate equipment allocation, identify missing equipment, or meet IT configuration objectives.
Standard: Office of the State Comptroller Accounting and Management Policy requires annual reconciliation of fixed asset inventory; Chapter 647 of the Acts of 1989 requires accountability for custody and use of resources. ( Office of the State Comptroller Accounting and Management Policy; Chapter 647 of the Acts of 1989 )
3 recommendations
- Immediately reconcile equipment deployed at the hospital to the inventory system of record.
- Perform an annual physical inventory and reconciliation of the inventory system.
- Add inventory fields for cost, condition, acquisition date, and installation date.agency: already implemented
Agency response & Auditor reply
Agency: "DPH IT Operations has implemented several changes effective immediately."
Auditor: "In addition to the actions initiated by the LSH to improve its fixed-asset inventory controls, we reiterate our recommendation that the inventory system of record for computer equipment be reconciled at least annually."