By Tony Collins
Adult care systems are a Cinderella IT service for councils.
It’s rare for journalists to write about them, for good or ill, perhaps because they help council staff deal with vulnerable adults. Such systems help with payments to care home and hospice providers. They help staff organise facilities for adults with learning disabilities or dementia, and respite care for adults at risk of abuse.
One such system has 775 users in Somerset. It’s a “critical” application according to the county council there. The Adults Integrated Solution was originally supplied by Northgate. The system became IBM’s responsibility under a 10-year outsourcing and joint venture, Southwest One.
The latest in a series of excellent reports on the system’s enduring problems by auditors the South West Audit Partnership goes to Somerset County Council’s Audit Committee today (2 July 2015).
How bad is bad?
The report says the system’s response times have been so poor that audit trails and logs have been disabled. So how can IBM and the council trace and attribute user activity in the system – particularly one handling sensitive and personal data?
The report says this disabling of the audit trail and logs is “worrying”.
Auditors reported on the system’s weaknesses in their 2012/2013 audit report. Since then there has been only “limited progress” in implementing recommendations, says today’s report.
On some of their priority recommendations, auditors say they have been unable to obtain documentary evidence to support implementation. They have received verbal assurances – but they remain concerned.
The report says that AIS performance and response times “can still be less than adequate for users’ needs” and IBM is unwilling to develop a service level agreement specifically for the AIS application.
Indeed IBM has refused to give the county council a copy of the AIS contract with Northgate and it was not made available to the South West Audit Partnership for its audit of the system.
This may prompt councillors to ask how the council can properly manage a critical application if it has no control over the system or the outsourcer.
Repeated audit reports on the problems appear to have left matters unresolved.
Below are some of the concerns of the South West Audit Partnership as mentioned in its 2012/2013 audit report. It reports today that it has received only “partial” assurances that these problems have been solved.
Applications could be unavailable a month or more
Said the South West Audit Partnership: “We have identified in previous audit reports that there is no tested IT disaster recovery strategy. This is a strategy that would be put into effect in the event the Somerset County Council data centre was unavailable for any reason. Although a contract has been signed with Adam Continuity, applications could still be unavailable for a month or even more.”
No formally-named business system owner
“As of November 2014, Helen Wakeling (AIS System Owner) has left Somerset County Council. The responsibility of AIS system ownership needs to be reassigned and formalised.”
Payments to care providers not properly checked?
“… there does not appear to be a process to ensure payments are authorised, appropriate, complete and accurate…”
IBM has no contractual duty to provide a good system
“There is no contractual requirement or service level for Southwest One [IBM] to provide a platform that delivers performance and response time that is acceptable to ASC [Adult Social Care] Operations.”
“Data quality in AIS data is undermined by the lack of robust input validation within the AIS application.
“Client records can be created with a minimum of information. Key personal identifiers such as date of birth, NI number and NHS number do not need to be entered and this both increases the risk of duplicate records and provides less data with which to identify those that have been created…”
Is IBM hiding AIS contract from the council?
“Southwest One currently owns the contract with Northgate and would not provide SWAP with a copy. As a result SWAP [South West Audit Partnership] was not able to evaluate Northgate’s compliance with the terms of the contract including licensing requirements…”
Personal data at risk?
“It was noted that developers have access to the production environment, unmasked live production data is used by developers and vendors for testing purposes and desktops are not locked down.”
Potential for fraud?
“In addition the authorise function, a security feature available in AIS has not been implemented resulting in all authorisations occurring outside of AIS. As a result data loss, potential corruption of data, incorrect and potentially fraudulent use of the application, missed, inappropriate or additional payments, will not be identified and acted upon.”
“In spite of a recent security incident that appeared to result in some data corruption, there is no reporting in place or review of user, super user or generic user access for appropriateness.”
Can former staff still log on?
“Terminated users were identified with valid AIS access credentials. Just less than 10% of managers with access were found to be no longer employed. In addition user ids are not disabled after not being used for a period of time.”
“The time-out for the application is 1 hour. Although users typically leave the application on and lock the screen when they go out to lunch, this process is inefficient, leaving sessions unavailable for others and insecure, since the user could forget to lock their screen and allow bypass of all security.”
“We also identified in our capacity management audit that desktop lock-down is not in effect and as a result AIS data can be downloaded and copied to USB flash storage. SWAP recommended data security policies be developed and implemented …”
Dave Orr, who has followed events at Somerset closely since the county council signed the Southwest One contract in 2007, has written to audit committee councillors about the AIS system.
One of his questions is how the council could have transferred a critical application to IBM without its being protected by any specific service level agreement.
Orr says: “I do not believe that an in-house IT service, with a head of IT in the direct employ of this council, would be allowed to leave these serious shortcomings in performance, audit logging and disaster recovery unaddressed.”
So much for the claims back in 2007, when the council and IBM formed Southwest One, that the services would be “beyond excellence”.
If this is the worst outsourced system in the UK where does that leave the 775 council users who no doubt are trying to do their best for the vulnerable adults in their community?
Thank you to Dave Orr for providing the information on which this article is based.
The architect of South West One and former Chief Executive of Somerset County Council has just emailed me (from his public business email address) about this article (see below).
When the contract with IBM for South West One was signed in the early hours of a September 2007 Saturday morning, Alan Jones promised £192m of savings plus “World Class IT” and that the Council would reach new heights which he hubristically called “Beyond Excellence”.
Alan Jones now lives in Devon, so he will never suffer from all the problems identified in two official audits of this critical Adult Social Care system for people who live in Somerset and contributed to his £340k deal to go:
From: Alan Jones
To: David Orr
Sent: Thursday, 2 July 2015, 15:20
Subject: Re: “Pity the 775 users who use this outsourced council system?” South West One – The Story that Keeps on Giving…..
Pity the people who read and write this stuff. The saddos that just stopped living.
David Orr Statement & Questions for Audit Committee 2nd July 2015 – Item 6 AIS audit follow-up 2014-15 with a “partial” opinion.
Report on: http://www1.somerset.gov.uk/council/meetings/reports.asp?item=1283
Adult Social Care is a key duty of this Council and one that could potentially involve harm to vulnerable and elderly people, as well as helping to join up the NHS to Social Care to, for example, avoid “bed blocking”.
This is the 2nd adverse audit report on the AIS system in 2 years and the fundamental problems remain unaddressed.
I do not believe that an in-house IT service, with a Head of IT in the direct employ of this Council, would be allowed to leave these serious shortcomings in performance, audit logging and disaster recovery unaddressed.
Q1. Has any independent report been commissioned that identifies the reasons for poor performance of the AIS application? If so, what was reported? If not, why not?
Q2. How can a critical service IT application like AIS have been transferred to South West One (75% IBM-owned) and been operated there for almost 8 years without a Service Level Agreement?
Q3. When will the issues over a lack of disaster recovery, leading to service continuity loss without a key IT application for a month or more, be addressed and will the Audit Committee review those arrangements?
Q4. After 2 years and two poor “partial” audits, has this Council self-reported the significant issues in the AIS application to the regulator the Care Quality Commission (CQC)? If so, when was a report made? If not, why not and when will a self-report be made to the CQC?
Q5. What has prevented Director Williams and the Intelligent Client Function from addressing the serious issues within AIS for the past 2 years with South West One, despite clearly identified problems in two audits?
In the light of the unaddressed IT issues in AIS over 2 years, should Councillors now be concerned that the same team (led by Director Williams) will be able to “re-commission” effectively the whole of the complex IT Service in South West One by November 2017?