Center Voices
Assessing the IT Health of Your Hospital
By Bill Johnson
If you don’t believe that information technology (IT) is critical to the operation of your hospital, just ask the physicians on your board to describe the impact of unexpected downtime in a clinical information system. They will probably tell you that their ability to provide quality patient care would be compromised because they would be unable to access laboratory or other test results, for example, in a timely manner.
Because patient care suffers when hospital computer systems do not function properly, trustees must become more proficient in assessing the IT health of their organizations. For instance, if the hospital uses a computer system to enter physicians’ orders for X-rays and prescriptions, patients might not receive the diagnostic and therapeutic services they need as quickly as they should.
In the March “Center Voices,” I wrote about IT as a strategic asset equally as important as an organization’s financial or facilities assets. Boards can improve their ability to assess IT health by adopting the same techniques they use to monitor other strategic assets.
For example, how does the board assess its organization’s financial health? First, it reviews financial performance reports, usually presented by the CFO to the board and its finance committee. The board also reviews the financial audits performed by an independent organization. These audits assess how well the hospital’s financial system complies with Generally Accepted Accounting Principles (GAAP). GAAP is a common set of accounting principles, standards and procedures that dictate how an organization’s financial system should operate. These principles are established and maintained by the Financial Accounting Standards Board (FASB), a nationally recognized organization whose mission is “to establish and improve standards of financial accounting and reporting.”
The Information Systems Audit and Control Association (ISACA) performs an IT function analogous to the one FASB performs for accounting and finance. ISACA has been instrumental in developing a set of best practices called “Control Objectives for Information and Related Technology” or COBIT. COBIT is, in many ways, the IT counterpart to GAAP. It includes the various kinds of IT processes and activities in which IT auditors are (and boards should be) interested.
The COBIT framework consists of four domains, described in the chart below. Each domain contains multiple processes and activities, ranging from managing IT projects to project approval. The framework is comprehensive and includes best practices that relate to the universe of IT functions, systems and processes required of an IT department.
Using the COBIT framework as a guide, boards may take these seven actions at board or committee meetings to assess their hospital’s IT health:
1. Have the chair of the hospital’s IT steering committee provide an annual report and explain the hospital’s IT plan.
2. Have the CIO review his or her department’s staffing.
3. Have the CFO review the IT budget during the board’s annual budget deliberations.
4. Require semiannual board meeting attendance by a key IT system stakeholder, such as the team leader of an initiative to install a computerized physician order entry system, to review the hospital’s processes for identifying user requirements and for selecting and implementing the system. By reviewing the selection criteria and processes for the most recent implementation, the board will get an idea of how the hospital approaches the selection of other IT systems. If the key stakeholder cannot effectively do this, it’s an indication that your hospital does not have a good process for involving stakeholders in system implementations.
5. Ask the CIO to make periodic presentations of key performance indicators used to assess performance in each of the following areas critical to IT success—service delivery, infrastructure capacity, security, financial performance and user satisfaction.
6. Ask the CIO to present results of the most recent computer network security tests. This testing is done to see how easy it is for an unauthorized person to gain access to your hospital’s computer network. Unauthorized access to your network could result in confidential patient information being leaked onto the Internet.
7. Have an external IT auditor perform an annual IT audit/assessment and present the results to the board.
While this is not an exhaustive list of actions that the board can take to assess its hospital’s IT health, it’s a good start. Board members should become familiar with key techniques they can use to judge how well their hospital’s IT organization is functioning. COBIT provides a framework for doing just that.
Bill Johnson is senior manager for Calif.-based First Consulting Group. He can be reached at wcjohnso@fcg.com.
The COBIT Framework

| Domain | Description |
| --- | --- |
| Planning and organization | Best practices for organizing IT functions, planning for and managing IT investments, developing IT strategies that align with hospital strategies, improving IT quality, and assessing risks. |
| Acquisition and implementation | Best practices for identifying information needs and acquiring systems and the technological infrastructure to satisfy those needs. |
| Delivery and support | Best practices for managing IT systems and resources currently in use. |
| Monitoring | Best practices for monitoring the health of the previous three domains. |
This article first appeared in the December 2099 issue of Trustee Magazine.



