Sunday, April 27, 2014

It Looks Like We Have Some Serious Computer Issues At Medicare and Human Services. A Serious Refresh Is Needed Soon And Will Be Expensive!

A very interesting audit was published a few days ago by the Australian National Audit Office.

Integrity of Medicare Customer Data

Introduction

1. Medicare is Australia’s universal healthcare system, which provides people with access to free or subsidised health and hospital care, with options to also choose private health services. Medicare is one of a range of Australian Government health programs administered through the Department of Human Services (Human Services).
2. In its 2012–13 Annual Report, Human Services reported that as at 30 June 2013, there were 23.4 million people enrolled in Medicare, including 618 533 new enrolments. For an individual to enrol in Medicare, they need to reside in Australia and be either an Australian or New Zealand citizen; a permanent resident visa holder; or an applicant for a permanent resident visa (excluding a parent visa). Australia has Reciprocal Health Care Agreements with 10 countries and visitors from these countries may also be eligible to enrol. Some eligibility types, for example, visitors from Reciprocal Health Care Agreement countries, are only eligible to use Medicare for a limited period of time.
3. In 2012–13, Human Services processed payments totalling $18.6 billion for over 344 million Medicare services. Expenditure under Medicare is expected to continue to grow, with payments estimated to reach $23.7 billion by 2016–17.
4. In administering Medicare, Human Services collects personal information from customers at the time of their enrolment and amends this information to reflect changes in their circumstances. The main repository for this data is the Medicare customer record database, the Consumer Directory.
5. Maintaining the integrity of customer data assists to mitigate key risks associated with Medicare including access to benefits by ineligible people who are enrolled without an entitlement or who are enrolled for a period beyond their entitlement. There is also a risk that ineligible people may obtain an active Medicare card and use it fraudulently to access services and/or make fraudulent claims. In addition, the fraudulent use of Medicare cards as a form of identification is a risk to Medicare and the broader community.
6. Customer data integrity assists in mitigating these risks and contributes to the effective and efficient administration of Medicare. To maintain data integrity, Human Services has implemented both ‘upstream’ controls at the enrolment stage, and post‑enrolment measures to manage updates to its records arising from changed customer circumstances. The department has also implemented measures to protect the privacy and security of customer data.

Audit objective, criteria and scope

7. The objective of the audit was to examine the effectiveness of the Department of Human Services’ management of Medicare customer data and the integrity of this data.
8. To assist in evaluating the department’s performance in terms of the audit objective, the ANAO developed the following high level criteria:
  • Human Services has adequate controls and procedures for the collection and recording of high quality customer data;
  • Medicare customer data as recorded on Human Services systems is complete, accurate and reliable; and
  • customer data recorded on Human Services systems is subject to an effective quality assurance program and meets relevant privacy and security requirements.
9. The audit scope focused on the integrity of Medicare customer data and included related testing of all Medicare customer records. It did not examine Healthcare Provider Information, the allocation or management of Individual Healthcare Identifiers (IHI) or the operation of Personally Controlled Electronic Health Records.
10. The audit also considered the extent to which Human Services had implemented the six recommendations from ANAO Performance Audit Report No.24 of 2004–05 Integrity of Medicare Enrolment Data.

Overall conclusion

11. Medicare has been in place for 30 years and is accessed by almost all Australians and some visa holders and visitors. In 2012–13, Human Services reported over 23 million people enrolled in Medicare, including 618 533 new enrolments.
12. The department’s administration of Medicare is supported by a long‑established database, the Consumer Directory, which contains all Medicare customer records. As the repository of a large and evolving data set incorporating, on an ongoing basis, both new enrolments and changes to customer information, the Consumer Directory requires active management to maintain the integrity, security and privacy of customer data; essential prerequisites for the effective administration of Medicare.
13. Human Services’ framework for the management of Medicare customer data, including procedures and input controls for the entry of new enrolment information and changes to customer information, has not been fully effective in maintaining the integrity of data in the Consumer Directory. ANAO analysis of the department’s Medicare customer data holdings identified:
  • at least 18 000 possible duplicate enrolments—an ongoing data integrity issue in the Medicare customer database;
  • active records for customers without an entitlement as well as inactive records and some with unusual activity; and
  • records which had customer information inconsistently, inaccurately and incompletely recorded.
14. In addition, the department advised the ANAO of instances where the records of two different customers are combined (‘intertwined records’), giving rise to privacy and clinical safety risks.
15. While the number of compromised records held in the database is not significant given the scale of the department’s data holdings, the data integrity issues referred to above indicate that departmental procedures and key elements of the data input control framework require management attention to improve operational efficiency, better protect customer privacy and clinical safety, and reduce the risk of fraudulent activity. The extent of the data integrity issues highlighted by the audit and the length of time these issues have been evident also indicate a need for the department to periodically assess the underlying causes of data integrity issues and implement necessary treatments.
16. The audit identified that additional attention should be given to: the tightening of data input controls, including the full and accurate completion of mandatory data fields in accordance with system and business rules; the adequacy and consistency of staff training and written guidance; addressing duplicate and ‘intertwined records’; and undertaking data integrity testing on a targeted risk basis. Further, Human Services’ procedures for managing the security of Medicare customer data do not comply fully with some mandatory requirements of the Australian Government’s Information Security Manual (ISM); significantly reducing the level of assurance of the relevant systems’ ability to withstand security threats from external and internal sources. The department should implement whole‑of‑government requirements in relation to system security.
17. Positive elements of Human Services’ approach to managing Medicare customer data include: unique customer reference numbers within the Consumer Directory, which have a high degree of integrity; a well‑developed privacy framework which contributes to maintaining the confidentiality of sensitive Medicare customer records; and a Quality Framework comprising a daily program of random checks on completed transactions by customer service officers. As discussed however, a fully effective approach to managing the integrity of data holdings requires that attention be given to the development and consistent implementation of the full suite of procedures and controls.
18. The ANAO last examined the integrity of Medicare enrolment data in 2004–05, making six recommendations. Human Services could demonstrate implementation of two recommendations but could not demonstrate implementation of the remainder, which were aimed at addressing data integrity issues, including duplicate enrolments, prior to the migration of Medicare customer data to the Consumer Directory. As discussed, the ANAO’s analysis in this audit indicates that the issue of duplicate enrolments has persisted; and, more broadly, the department has foregone an opportunity to enhance its performance by implementing a number of the earlier ANAO recommendations targeted at improving data integrity.
19. The ANAO has made five recommendations in the current audit aimed at enhancing the management and integrity of Medicare customer data by Human Services. The recommendations relate to improving training and guidance for customer service officers, addressing data integrity issues and their causes, and complying with the mandatory requirements of the ISM.
The link to more of the Summary is here:
There is a link to the full 98 page report here:
There is some reporting on the Audit here:

Audit uncovers Medicare data snafus

Problems with Medicare data integrity remain
An audit of Medicare's customer database has found a small number of cases of 'intertwined' customer records where two people's records have been combined, giving rise to "privacy and clinical safety risks", according to an auditor-general report tabled today.
According to the Department of Human Services, 34 instances of 'intertwining' have been discovered since the department started maintaining records on the issue in 2011. The DHS has a working group dedicated to eliminating the issue.
More than 23 million people were part of the Medicare system in 2012-13, including 618,533 new enrolments, the auditor-general's report notes. There were 29.3 million customer records when the Australian National Audit Office (ANAO) accessed the database in September last year.
Details of users of Medicare services are stored in a database called the Consumer Directory. The audit found that the DHS has "not been fully effective in maintaining the integrity of data" in the database.
An analysis by the ANAO found at least 18,000 "possible" duplicate customers, "active records for customers without an entitlement as well as inactive records and some with unusual activity" and "records which had customer information inconsistently, inaccurately and incompletely recorded."
"While the number of compromised records held in the database is not significant given the scale of the department’s data holdings, the data integrity issues referred to above indicate that departmental procedures and key elements of the data input control framework require management attention to improve operational efficiency, better protect customer privacy and clinical safety, and reduce the risk of fraudulent activity," the report states.
Lots more here:
Given the reliance of the compulsory IHI Service on the data integrity and security of the Medicare database, it is vital more work is done. It is interesting to note a previous 2005 audit covering the same topic got largely ignored by the Department.
I note the population report from the ABS currently suggests there are 23.469M people in Australia so I am not sure why Medicare holds 29.3 million customer records. Must be six million or so (20%+) who have departed this life or have left the country?
At almost the same time we have this.

Centrelink computer broken: Hockey

JOE Hockey has warned of a shock multi-billion-dollar hit to the budget to fix the 31-year-old Centrelink computer system, which is in “bad shape” and a drag on productivity that is holding back crucial policy change.
Human Services Minister Marise Payne said the system, based on 1980s technology, was also hampering the government’s efforts to cut red tape and shift Centrelink into the digital world.
The Treasurer said the biggest surprise he had received since coming into power was the deterioration in government infrastructure, particularly the Centrelink computer system in Canberra, which would cost “billions” to improve.
Mr Hockey, who is preparing a structural overhaul of welfare and payments in the budget next month, said changes were being stymied by the system.
“My overwhelming concern is that it is inhibiting the capacity of the government, to some degree, to roll out policy that properly addresses the problems in the economy and the budget,” he told radio station 3AW.
Centrelink’s Income Security Integrated System is vital to the delivery of $400 million in social security payments every day.
Lots more here:
I have to say I am frequently told about issues of inflexibility and other problems in the Medicare environment. Does anyone know if the PCEHR runs on this platform or just the IHI Service?
I note the M204 DBMS is coded in assembler for the IBM System 360 architecture and it is 30+ years old but great at transaction processing.
There is useful background in an article from late last year.

Sterrenberg calm in the face of an uphill battle

Human Services CIO shares his to-do list.

Human Services CIO Gary Sterrenberg speaks with an impossible calm about the ageing systems he is responsible for, including one that administers more than $500 million worth of essential payments to Australia’s most vulnerable citizens each day.
That system was built on technology implemented by the department before the technology veteran had even finished university.
He has found himself having to explain to a new government staunchly committed to a ‘budget emergency’ why it should spend tens – if not hundreds – of millions of dollars to replace the system, which for all intents and purposes appears to be working fine.
Sterrenberg's demeanour is such that it all feels part of a well-conceived plan - a plan that aims to deliver online services that will satisfy a demanding modern citizen who refuses to tolerate anything other than instant and pain-free electronic gratification.
All in all, given it seems both Centrelink and Medicare share the same systems and very old database management systems running on old IBM and compatible hardware, this does all sound just a little brittle towards the end of its useful life.
It is also clear that a lot of the health system relies for money on this elderly ‘big iron’!
Given this environment is similar in complexity to one of the big four banks, what it might cost to modernise may very well worry Mr Hockey!
David.

5 comments:

Anonymous said...

It gets worse....

http://www.smh.com.au/it-pro/government-it/australians-private-government-details-at-mercy-of-hackers-say-it-security-experts-20140427-zqzkg.html

Anonymous said...

What a shame that the massive resources invested into the white elephant PCeHR were not directed at something useful like replacing/upgrading the Medicare and DHS systems

Anonymous said...

Maybe they have decided to sell Medibank because it is cheaper than fixing their IT systems???

Dr David More MB PhD FACHI said...

I doubt Medibank Private uses the same computers and systems as Medicare etc. If they did, their IPO would not be happening, I would suggest!

David.

Anonymous said...

Medibank have their own computer systems. They didn't used to - they were part of HIC until Medibank got split off into a government owned enterprise.

I'm just wondering if the Medibank systems have been built to the same exacting standards as those of Centrelink, Medicare and mygov.au