Oregon Health Authority Audit Release: Constraints on Oregon’s Prescription Drug Monitoring Program Limit the State’s Ability to Help Address Opioid Drug Misuse and Abuse


Report Highlights

The Prescription Drug Monitoring Program provides an important tool to address prescription drug abuse, including opioid abuse, and help improve health outcomes. Oregon’s laws have put constraints on the program that limit its effectiveness and impact. Restrictions are placed on what data are collected, analyses that can be done with the data, and with whom information can be shared. Correcting weaknesses in Oregon’s program will maximize its potential and help address opioid and other substance abuse issues the state faces.

Background

Oregon has the highest rate in the nation of seniors hospitalized for opioid-related issues such as overdose, abuse, and dependence. The state also has the sixth highest percentage of teenage drug users. The Oregon Health Authority (OHA) manages the state’s Prescription Drug Monitoring Program (PDMP), which collects information on controlled substance prescriptions within the state. The program was designed to promote public health and safety and to help improve patient care. It was also developed to support the appropriate use of prescription drugs.

Purpose

The purpose of this audit was to determine if Oregon can better leverage its PDMP to help with the opioid epidemic.

Key Findings

  1. OHA could better use PDMP data to analyze trends in prescribed drugs, including identifying patterns of possible opioid misuse and abuse. State laws prevent OHA from sharing information with key stakeholders, such as health licensing boards and law enforcement, on questionable activity. Our analysis found people who have received opioid prescriptions from excessive numbers of prescribers, as well as instances of dangerous drug combinations and prescriptions for excessive dosages of drugs. One person who received an excessive amount of opioid prescriptions had some of those prescriptions paid for by Medicaid.
  2. Oregon is one of only nine states that do not require prescribers or pharmacies to use the PDMP database before an opioid prescription is written or dispensed. Mandating use can be effective in reducing opioid misuse and other health-related outcomes.
  3. Due to statutory restrictions, Oregon’s PDMP does not collect some prescription information that could be critical in preventing prescription drug abuse. This includes prescriptions filled by pharmacies other than retail pharmacies, prescriptions written by veterinarians, prescriptions for Schedule V drugs and drugs known to be abused or misused such as gabapentin, and prescription details such as method of payment, lock-in status, and diagnosis information.

Recommendations

Our report includes 12 recommendations to OHA for optimizing the state’s PDMP. OHA can implement some of these within existing statutes and rules, and for others it needs to work with the Legislature. OHA agreed with all of the recommendations, but stated that because seven fall outside the scope of its statutory authority, its ability to implement them is limited. The agency’s response can be found at the end of the report.

Read full report here.


Audit Release: ODOT Effectively Implementing Two Keep Oregon Moving Programs, but Could Do More to Enhance These Efforts


Report Highlights

Oregon House Bill 2017 (Keep Oregon Moving) is estimated to produce $5.2 billion in net revenue for the Oregon Department of Transportation (ODOT) to target congestion, public transportation and safety, and infrastructure repairs throughout the state. In addition to other initiatives, Keep Oregon Moving established two new programs: the Statewide Transportation Improvement Fund and Safe Routes to Schools infrastructure program. ODOT has developed and implemented frameworks to fulfill its statutory obligations for these two programs, but areas for improvement remain.

Background

Keep Oregon Moving was passed in 2017 as a significant investment in needed improvements to the state’s highway system, public transportation services, and routes for pedestrians, cyclists, and students. Its legislative intent is to increase the overall availability of public transit throughout the state, reduce congestion, increase safety, and provide public accountability. ODOT is charged with overseeing its implementation.

Purpose

The purpose of this audit was to examine ODOT’s strategic planning activities, governance approach, and control framework for implementing the state transportation investment package. The objective of the audit was to assess the accountability, equity, and transparency of the Statewide Transportation Improvement Fund (STIF) and Safe Routes to Schools (SRTS) programs established by Keep Oregon Moving. This real-time audit was conducted in alignment with our strategic focus of being timely and responsive. Real-time auditing focuses on evaluating front-end strategic planning, service delivery processes, controls, and performance measurement frameworks before or at the onset of significant program or public policy implementations by state agencies.

Key Findings

We found ODOT has developed effective frameworks to meet its obligations for the STIF and SRTS programs. For example, ODOT developed timelines, engaged participants, and established milestones in order to meet Keep Oregon Moving requirements. However, ODOT still needs to refine the following areas:

  1. The STIF and SRTS programs lack performance measures to track the success of either program.
  2. The agency does not have documented internal policies and procedures for monitoring the use of STIF funds or for the review, approval, and monitoring process of submitted SRTS applications.
  3. Active Transportation Liaisons, who coordinate SRTS projects within ODOT regions, need better defined expectations and job duties as they relate to administering the SRTS program.

Recommendations

We include seven recommendations for ODOT intended to enhance the efficiency and effectiveness of the STIF and SRTS programs.

ODOT agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.


Audit Recommendation Follow-Up: Department of Administrative Services Should Enhance Succession Planning to Address Workforce Risks and Challenges


Recommendation Follow-Up Results

The Department of Administrative Services (DAS) agreed with the original audit, which identified eight recommendations for implementing a succession planning framework. Our follow-up work shows DAS has fully implemented six of those recommendations since the initial report. This significant progress still requires a little more work to implement the remaining two recommendations.

Highlights from the Original Audit

The Secretary of State’s Audits Division found that DAS should play a stronger leadership role in addressing key workforce risks and challenges within the state executive branch through enhanced workforce succession planning. Multiple factors indicate these risks and challenges are important, including changing workforce demographics and citizens’ needs for essential services that require skilled and experienced staff.

Background

Our original audit reviewed succession planning within Oregon’s executive branch. Succession planning is an ongoing management process used to ensure workforce continuity and effectiveness, particularly in key leadership and technical functions.

Purpose

The purpose of the audit was to determine if and how the State of Oregon could better plan for future key workforce needs, including preparing state employees to fill key roles. The purpose of this follow-up report is to provide a status on the auditee’s efforts to implement our recommendations.

Key Findings

Within the context that effective succession planning is difficult, complex, and is frequently not a priority within the public sector, we found:

  1. DAS has not developed or implemented a state-level succession planning framework, despite recognizing the importance of succession planning.
  2. The lack of a succession planning framework increases workforce risks, such as not developing or retaining knowledgeable and skilled employees to perform critical functions.
  3. These risks are exacerbated by demographic and economic trends, including increasing retirement rates, and a lack of formal succession planning processes within state agencies.
  4. State agencies also report challenges, including inaccessible workforce information that may hinder strategic human capital management practices and should be addressed at a state level.

Read the full report here.


TEDx Reblog: How do you get from diversity to inclusion? Ask these 4 questions about your meetings

Many organizations and companies today track diversity in sex, gender, race, ethnicity, sexual orientation and religion, among other factors. For some of their leaders, numerical diversity is seen as the most important — and at times, the only — thing needed to create a varied and vibrant community. But by focusing on headcount, they are making the mistake of believing that diversity and inclusion are the same.

Dolly Chugh, a social psychologist at the NYU Stern School of Business, lays down some words of advice on how to tailor your meetings to create pathways to genuine inclusion. She recommends asking the following four questions, and explains why they should be asked:

Question #1: Who speaks at meetings?

Question #2: Who sits next to whom?

Question #3: Who is listened to?

Question #4: Who gets the credit?

While pathway moments may seem relatively small — those moments when we feel like we’re more or less part of the meeting, when we’re more or less listened to, when we’re more or less credited for our work — they are the ones that help determine whether we’re given greater chances for success and effectiveness, or held back. We can all cultivate the capacity to notice failures of inclusion if and when they happen, and then try to do better going forward.

Read more here, or watch the TED talk below.

Audit Release: Progress has been Made to Address Security Weaknesses at the State Data Center, but Improvements are Still Needed


Report Highlights

Security at the Enterprise Technology Services State Data Center (data center) has improved due to organizational and staffing changes and the increased role of the Enterprise Security Office. Several longstanding security challenges have been addressed, yet more work remains to further refine and improve security capabilities and to address other areas where roles are not sufficiently defined. The operating environment for the data center remains stable and appropriately controlled. Disaster recovery capabilities have improved, although prioritization of recovery order needs to occur to ensure that the most critical state systems can be restored timely in the event of a major disaster.

Background

The data center is comprised of an extensive inventory of computer operating system platforms and networks. It provides centralized computer services such as networking, email, backup, and server services for more than 100 state agencies, boards, and commissions. Since the creation of the data center in 2006, numerous prior audits have identified significant security weaknesses. Starting in 2015, organizational changes moved overall responsibility for the data center to the Office of the State Chief Information Officer (OSCIO) and expanded the staffing and role of the Enterprise Security Office.

Purpose

Because of the critical services the data center provides, we audit it every two to three years. This audit followed up on the status of prior audit findings and evaluated the current security framework and stability of the operating environment.

Key Findings

We found:

  1. The OSCIO has made significant progress in improving security at the data center through security planning and staffing, vulnerability assessments, security event monitoring, and anti-malware and patching processes. Further progress is needed to refine these processes and better track vulnerability remediation.
  2. Some security areas require improvement, including privileged access, asset and configuration management, and security incident response. Work is underway to improve Windows privileged access.
  3. Day-to-day computing remains stable and disaster recovery capabilities have improved. While additional disaster recovery capabilities are being built, data center customers need to prioritize which systems should be recovered first in the event of disaster.

Recommendations

We recommend improvements in defining roles and responsibilities, refining vulnerability scanning and security event monitoring, monitoring privileged access, and disaster recovery prioritization.

The Department of Administrative Services and the OSCIO agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.


Internal Auditor Reblog: The Conditions in Which You Think

The unwitting participants in the study were eight parole judges in Israel. They spend entire days reviewing applications for parole. The cases are presented in random order, and the judges spend little time on each one, an average of 6 minutes. (The default decision is denial of parole; only 35% of requests are approved. The exact time of each decision is recorded, and the times of the judges’ three food breaks — morning break, lunch, and afternoon break — during the day are recorded as well.) The authors of the study plotted the proportion of approved requests against the time since the last food break. The proportion spikes after each meal, when about 65% of requests are granted. During the two hours or so until the judges’ next feeding, the approval rate drops steadily, to about zero just before the meal. As you might expect, this is an unwelcome result and the authors carefully checked many alternative explanations. The best possible account of the data provides bad news: tired and hungry judges tend to fall back on the easier default position of denying requests for parole. Both fatigue and hunger probably play a role.

Mike Jacka writing for Internal Auditor explores the effect that our working conditions and environment have on our thinking, and the different roles that fast and slow thinking play in our work. He asks that the reader be aware of how the conditions in which they are thinking can affect (often unintentionally) the decisions they make.

As auditors (and as humans), honing a degree of self-awareness about how we are affected by the weather (or the bad traffic, or the argument we had last week with a family member, or the timing of lunch- whatever it may be) will help us look critically at our own thoughts. Are we actually making sound decisions? Or are we making rash and unfair decisions? What effect might this have on our work? And just as importantly, how can we counterbalance our fast thinking with slow thinking to make better decisions?

Read more here.


Audit Release: Severe Deficiencies in Disaster Recovery Program and Insufficient Information Technology Planning Pose Substantial Risks to Beneficiaries and the State


Report Highlights

The agency charged with administering the Public Employees Retirement System, or PERS, should improve Information Technology (IT) strategic planning efforts to ensure that IT investments return the most value and minimize risk. Additionally, PERS should immediately correct deficiencies with existing disaster recovery plans so the agency can effectively respond to catastrophic events that would prevent the use of existing IT hardware and software. PERS is working to update current plans and implement a recovery site, but a more urgent effort is needed.

This audit includes an assessment of critical security controls and the agency’s IT security management practices. PERS should improve security management roles and training, as well as correct weaknesses in inventory management, configuration change management, vulnerability management, and controlling administrative accounts.

Background

PERS has over 365,000 members and is responsible for administering employee pension programs for state agencies as well as approximately 900 local governments. PERS provides $310 million in retirement benefits each month. The agency’s Information Services Division provides PERS with information technology, such as pension benefit calculation software, to support agency operations.

Purpose

The purpose of this audit was to determine whether PERS could improve IT security and IT strategic planning efforts and to assess the agency’s preparedness to restore critical IT systems in response to a disaster.

Key Findings

PERS’s IT strategic planning lacks sufficient detail to help ensure IT investments return the most value, pose the least amount of risk, and are completed timely. Insufficient planning has contributed to mismanagement of some agency initiatives.

While PERS has identified a method to issue most pension payments in the event of a disaster, it has not fully addressed changes in payment processing by the Oregon State Treasury. The agency’s disaster recovery plans pose serious risks because they are insufficient to restore critical IT systems. Furthermore, the agency has not tested those plans and has not yet complied with legislative mandates to acquire an alternative recovery site and improve disaster recovery planning. The agency’s strategy to re-issue the prior month’s payments poses risk of benefit payment errors and has never been tested.

Recommendations

Our report includes ten recommendations to PERS to implement improved IT strategic planning and to take immediate action to remedy weaknesses in its disaster recovery plans. In addition, we make six recommendations to PERS and the Office of the State Chief Information Officer related to Critical Security Controls.

PERS agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read full report here.
