Education

Audit finds security lapses at University of Iowa Children's Hospital

UI has not reported yet whether it has fixed the worrisome problems cited

The University of Iowa Stead Family Children’s Hospital is seen from Kinnick Stadium in Iowa City on Friday, Apr. 21, 2017. (Stephen Mally/The Gazette)
The University of Iowa Stead Family Children’s Hospital is seen from Kinnick Stadium in Iowa City on Friday, Apr. 21, 2017. (Stephen Mally/The Gazette)

IOWA CITY — A year after internal auditors found numerous security lapses at the new University of Iowa Stead Family Children’s Hospital — including the potential for worrisome building access — administrators have either failed to correct the issues or produce a report showing they’ve made the recommended fixes.

Among deficiencies revealed in the audit was a lack of background checks for construction workers, some of whom continued working on site after the 14-floor hospital began treating patients in February 2017.

“During construction of (Stead Family Children’s Hospital), two registered sex offenders were discovered working at SFCH for contracted construction companies,” according to the audit, produced in November 2017, which did not give a more specific time frame for when the lapse was found. “At the time of discovery, these persons were asked to leave the premises.”

A summary of audits at the UI, Iowa State University and the University of Northern Iowa campuses — set for discussion at this week’s Board of Regents meeting in Cedar Falls — shows insufficient follow-up on Children’s Hospital recommendations that were supposed to have been addressed by March.

UI Hospitals and Clinics officials did not respond to The Gazette’s questions Wednesday about whether the cited problems had been resolved. In the initial audit report, UI managers indicated some changes recommended by the audit had occurred or were being addressed.

“Auditors will provide an update on that subject to the Board of Regents, State of Iowa, at its upcoming meeting,” UIHC spokesman Tom Moore said Wednesday.

The security audit highlighted recommendations or improvements in 11 areas, including visitor screening, which it found contradicted policy and posed a risk.

ARTICLE CONTINUES BELOW ADVERTISEMENT

“With the influx of social media use and association to (Stead Family Children’s Hospital) and UIHC, members of the public can more easily obtain a patient’s name from social media and use it during the visitor screening process to gain access to the inpatient units,” according to the audit, citing an example.

“In one instance, a community member utilized a patient name from social media to gain access to the inpatient floor and was directed back to the patient’s room, before the patient’s parent indicated they did not know the person.”

The audit also stressed a need for better management of access badges as some construction contractors and employees held working badges months after the project’s completion.

“Management should immediately review active construction badges and deactivate badges for contractors who no longer have a business need,” the audit said.

The audit said its review of records found that of 127 active badges assigned to construction contractors, 49 no longer had a business reason to keep such access.

Additionally, the university’s process did not require construction crews to be under contract with UIHC to attend orientation and get an access badge.

“There is risk that a person with malicious intent could complete the orientation, obtain a badge, and keep it after project completion,” according to the audit.

UIHC previously did not require contractors or vendors to get new background checks before or while working on the campus, prompting auditors to recommend it do so “especially for projects within proximity or access to pediatric patient care.”

ARTICLE CONTINUES BELOW ADVERTISEMENT

Thank you for signing up for our e-newsletter!

You should start receiving the e-newsletters within a couple days.

The new Children’s Hospital — while receiving international praise for its health care mission — also has been criticized by contractors for mismanagement and overspending.

The UI is embroiled in disputes with at least two contractors, including one that’s resulted in a $21.5 million decision — mostly from the hospital project — against the UI, which is under appeal.

The audit also addressed some construction-related issues prompting security concerns, including a finding that some doors were not operating as planned.

During the audit period, according to the report, about 20 percent of tested interior doors and 10 percent of tested exterior doors were found unlocked or open “when the door schedule indicated the doors should be closed and locked.”

UI managers, in the report, noted door lock and unlock schedules had changed and they would update the plans.

Auditors found as many as 60 doors and up to 30 surveillance cameras had not been commissioned or weren’t operating properly. According to the university’s contract, a contractor was to complete installation and ensure operation before occupancy.

“Management should address, as soon as possible, all doors and surveillance cameras in the original design package in (the Children’s Hospital) that have not been commissioned and ensure they are operating and tested,” the audit recommended.

UI officials committed to do that by Dec. 1, 2017.

They also vowed to revoke permissions for staff members who should not have access to medication rooms.

ARTICLE CONTINUES BELOW ADVERTISEMENT

Auditors found 79 people with badge access “who do not appear to have a business reason for access to the (Children’s Hospital) medication rooms.”

Because badge readers record every time one is rejected, auditors found attempts and rejections by people without apparent business needs — including people “without an active UIHC appointment,” custodians and a food worker.

“Management should immediately review badge rejections at each medication room and highly restricted areas in (the hospital) for repetitive rejections, periodic badge rejections, and other suspicious activity,” the audit said.

l Comments: (319) 339-3158; vanessa.miller@thegazette.com

Give us feedback

We value your trust and work hard to provide fair, accurate coverage. If you have found an error or omission in our reporting, tell us here.

Or if you have a story idea we should look into? Tell us here.

CONTINUE READING

Give us feedback

We value your trust and work hard to provide fair, accurate coverage. If you have found an error or omission in our reporting, tell us here.

Or if you have a story idea we should look into? Tell us here.