Latvijas Republikas Valsts Kontrole

State Audit Office of the Republic of Latvia (LRVK)

Is the project 'E-health in Latvia' a step towards the right direction? Read full text in English

2015 report 2.4.1-7/2014

Objective of the audit was to verify efficiency and productivity of the actions by the institutions in charge for implementation of the e-health, as well as to audit economy and productivity of use of funds invested in the project for achievement of set objectives and gaining the planned benefits. Audit covered such main questions: 1) Will the e-health policy be able to solve problems and achieve the objective? 2) Are the actual activities performed by the National Health Service justified for achievement of the set objectives? 3) Will necessary information security and personal data protection be ensured in the newly built e-health information system? 4) Has an efficient supervision and control of the project 'E-health in Latvia' been set up?

In the report page 8, 9, 10

- Although planning document for implementation of e-health was prepared timely, during a nine year time period it has not been updated and does not comply with the real situation as well all the informative reports on progress of implementing e-health have not been prepared pursuant to the regulatory enactment.

- The industry professionals were not involved in development of planning documents, no feasibility studies, research and analysis of the health care were performed;

- Responsible institution in 2015 is implementing activities of project pursuant to the plan for implementation of guidelines for 2008-2010, which was prepared in 2007.

- Project is being implemented too slowly without seeking solutions to all the identified problems, not all planned activities are being developed (45% of the activities planned in the guidelines of e-health have not been started), the financing does not comply with planned scope and time frames, financing has been invested inexpediently (more than 760 thousands of euro have been spent inefficiently and in an counterproductive manner), priorities of e-health have also changed.

- Deadlines of the project have for several times been significantly prolonged - from the initial implementation deadlines of the project in 2010 to December 2015 and now even longer. Although the deadline for implementation of the project is near, activities carried out to popularize, inform and estimate the users have not been sufficient.

- A risk persists that the aims of the e-health projects cofinanced by the European Regional Development Fund will not be achieved, thereby the funds used amounting more than 11 million euro may be found as improperly spent.

In the report page 5, 6, 104-106

- Adaptation possibilities of standard solutions have not been evaluated and there are not evaluated all possibilities of repeated use of Latvia state information and communication technology solutions.

- Procurement for different e-health modules was divided among 3 different developers and due to the lack of technological unification of e-health for various e-health solutions various development technologies have been applied.

- A unified data architecture has not been developed for individual solutions and the architecture management function has not been performed in full (implementation of projects integration management of various projects is not ensured).

- Although in nine years more than 14 million euros are spent, practically e-health system and planned e-services still are not available for users

- Developed e-health solutions are not semantically compatible and there are cooperation problems already in the integrated testing environment and addition financial resources must be spent upon improving already the initially developed e-health solutions, so overrunning set deadlines for implementation and use of system.

- Risk persists that during the implementation of e-health have not been used the most beneficial and profitable information and communication technology solutions, thereby, possibly raising the price so less functionality could be developed within available financial resources.

In the report page 10-12, 109

- Responsible institution has for a long period remained at the initial state of implementation of the e-health information system security management, and has not yet drafted all the necessary regulatory enactments establishing provisions for information systems safety management, including provisions for risk management, testing continuity of activities and user management standards.

- Audit trail creation and identifying functionality does not operate to full extent.

- There are no inbuilt automatic controls in the system, that could preventively identify and to restrict unreasoned personal data processing outside a particular treatment episode. Clear criteria have not been developed how to identify unjustified processing of data in audit trails, lists of data processing events at risk are not being created thus detailed analysis is not performed.

- Responsible institution has not commenced registration of processing of natural person data of e-health information system in the Data State Inspectorate, but security audits of the e-health information system have been carried out only in test environment system with limited functions, where results of them has yet not been summarised and assessed at the top management level, providing clear action plan for highest level deficiencies.

- All the medical data of all patients are by default freely accessible in the e-health information system for all medical personnel without assessment of all the actual needs and necessity of access to such detailed information. Plus currently there are very limited opportunities for patients to restrict access to their personal data – they have to choose whether trust their medical data to all the medical staff or restrict access to all of them (there is no middle way).

- As of now responsible institution has not been able to independently in systematically large volume identify all the cases of unjustified processing of natural person data and act accordingly.

The risk cases visible on this page are collected and described by the e-Government Subgroup of the EUROSAI IT Working Group in contact with author Supreme Audit Institutions (SAI). In the same way, analytical assumptions and headings are chosen by the Subgroup. We encourage you to read the original texts by SAIs - to be found in the linked files.