CAG of India2024-07-242024-07-2404-07-2016https://resourcerepository.azimpremjiuniversity.edu.in/handle/apurr/579Hospital Management Information System (HMIS) aimed at managing vital patient records encompassing all the administrative and functional aspects of hospital operations. Department also intended to collate critical health related data from the hospitals through HMIS. The department introduced another application named Stores Management Information System (SMIS) for managing drugs and equipment logistics. Both HMIS and SMIS were implemented in all government hospitals down to the level of State General Hospitals. While HMIS was developed using SQL Server 2000 as backend RDBMS with Visual Basic in the front end having a client server architecture, SMIS was a web-based application using MS SQL Server 2000 in the back end and VB.netin the front end. The IT Audit of HMIS and SMIS was conducted between April and July 2014 covering the period 2009-14 and 2011-14 respectively, which threw light on various issues of control and data integrity as well as instances of unauthorised manipulation of data. 1. The desired benefits of improvement of the efficiency of delivery of health care services through introducing HMIS and SMIS remained largely unachieved as the department failed to operationalise these applications in all the intended hospitals. Even where these applications were running, all modules and sub-modules were not put to meaningful use. 2. Security of the systems was compromised to a great extent owing to weak logical access controls, physical access controls and absence of password policy. 3. It was also a matter of concern that privileges of system administrator were being exercised by support personnel engaged by the maintenance vendor. Lack of supervisory controls was also evident from the instances of manipulation in the system without knowledge of the hospital authorities. 4. Deficient controls coupled with absence of security certificate, antivirus, audit trail and logs have rendered the system vulnerable to unauthorised intrusions. These vulnerabilities have resulted in possibility of defalcation of government revenue, as instances of unexplained short collection of revenue were observed in many occasions. 5. Ability of the department in continuing its operations in the event of an interruption remains questionable in the absence of business continuity and disaster recovery plans. This issue assumed significance in view of instances of non-maintenance of data back-up.EnglishAudit Report