Waiting lists at risk of doctoring, auditor says
Public hospital surgery waiting time data is vulnerable to manipulation and and some ACT government accounts and payments could be susceptible to fraud, the Auditor-General has warned.
In her 2011-12 Financial Audits, ACT Auditor-General Maxine Cooper has raised several concerns about computer and data security across the territory public service.
The Health Directorate was rocked this year by the revelation that then Canberra Hospital executive Kate Jackson and other unidentified individuals had doctored emergency department data to make waiting times results appear better.
Dr Cooper warned in her report that elective surgery waiting time results could be also be vulnerable.
She said patients were assessed but the time they waited was only recorded as beginning when they were electronically added to a list.
''While this method is consistent with the description of the indicator and national standards for the reporting of similar indicators, the waiting time for a patient would be understated whenever there is a delay in recording that patient on the electronic waiting lists,'' Dr Cooper said. ''The use of a listing date is susceptible to fraudulent manipulation.''
A Health Directorate spokesman acknowledged Dr Cooper's concern about the waiting list process but said the same system was used in all states and territories.
''The Health Directorate will contribute to an ACT government response to the report within three months of the report's release,'' the spokesman said.
Dr Cooper also issued warnings about the use in several government agencies of generic ''administrator''' accounts and simple passwords for computer systems.
One potentially vulnerable area was the Cashlink system used to process payments to some government agencies.
''Several individual users of Cashlink may perform incompatible duties which enable them to initiate, process and approve transactions,'' Dr Cooper said. ''The failure to segregate these incompatible duties increased the risk of erroneous and fraudulent transactions.''
The documents used to prepare financial reports could be susceptible to ''inappropriate, and possibly fraudulent access''.
User access levels were not regularly reviewed and many user accounts still existed for former ACT government employees.
There was often no evidence of approval for the granting of or changing of a user's access to the government network.
Some agency systems could not be promptly restored after disruption without the loss of data.
Earlier audits revealed shared generic logins and passwords such as ''nurse'' on the Canberra Hospital emergency department system allowed people to tamper with information without the risk of detection. Police are still investigating.
A review of the Health Directorate's governance by Professor Mick Reid was recently completed but is yet to be publicly released.
Deputy Chief Minister Andrew Barr said audits were an important part of creating a more efficient, open and robust government.
''Consultation with agencies will be undertaken to formulate a position on each recommendation,'' he said.