The federal Department of Health failed to obtain assurance from third-party providers like Salesforce and Amazon Web Services that outsourced vaccine administration systems had adequate IT controls in place, an audit has revealed.
The oversight means the department cannot be certain of the “completeness and accuracy of the data” in the systems, the Australian National Audit Office (ANAO) said in a report into the vaccine rollout first flagged in August 2021 and tabled on Wednesday.
Health is now planning to undertake an independent review of its “IT controls and application of its internal quality assurance framework” in a bid to obtain greater assurance over its externally managed systems.
According to the report, the department used several key systems to manage and monitor the ordering of vaccines during the rollout including the COVID-19 Vaccine Administration System (CVAS) and the Vaccine Data Solution (VDS).
The CVAS, a Salesforce and Amazon Web Services-based system for managing the “ordering, allocation, delivery and receipt of COVID-19 vaccines and record any wastage,” was introduced in March 2021.
Data from CVAS, as well as the existing Australian Immunisation Register (AIR) and Vaccine Administration System (VAS), is surfaced in VDS, which was brought online by Accenture in February 2021 to “provide reports on vaccine deliveries and immunisations”.
Since Accenture was awarded the contract to develop and maintain the VDS, the contract has ballooned from $6.7 million to just under $23.5 million, a quadrupling in value.
But despite having systems in place to monitor the vaccine rollout, the ANAO said there is no “assurance that third parties have IT controls in place to ensure the confidentiality, integrity and availability of data” in outsourced systems.
This is despite the department being responsible for the “confidentiality, privacy and security of the data collected using these systems” under the Privacy Act and Public Governance, Performance and Accountability Act.
Instead, the department “relies on point of time assessments, contractual obligations and management statements from entities”, which the ANAO said is “not sufficient to demonstrate that IT controls have been implemented and were operating effectively over the vaccine rollout”.
“This increases the risk that third party providers do not have appropriate IT controls in place over the security of this data,” the audit said.
In the case of AWS, the ANAO said it is aware that the cloud services provider provides certification of its IT controls, but that “Health did not request and has not reviewed this certification”.
Health is also yet to formally review the data entered into the systems, which the audit said has “resulted in undetected and undisclosed inaccuracies in the data, particularly in the AIR and CVAS systems”.
The audit recommended the department “ensure it regularly obtains and reviews assurance over the data quality and IT controls in place in externally managed systems on a risk basis, including IT security, change management and batch processing”, to which Health agreed.
“The department acknowledges it has responsibility for maintaining appropriate IT controls, including quality and assurance of data for Commonwealth contracted vendor managed systems,” it said.
“The externally managed systems of other jurisdictions, medical software industry and private practitioner and providers, that interface with Commonwealth managed systems, are outside the control of the department and adoption of data standards and interoperability across these systems remains a challenge for data quality and completeness”.
In response to the audit, the department promised a “review of IT controls for data received from externally managed systems”.
“The audit found some shortcomings on assurance received over the completeness and accuracy of the data and third-party systems that underpinned the vaccine rollout,” it said.