Using The Cobit 5 For E-health Governance

Central European Conference on Information and Intelligent Systems, Page 203

Using the Cobit 5 for E-health Governance

Melita Kozina, Ines Sekovanić
Faculty of Organization and Informatics
University of Zagreb
Pavlinska 2, 42000 Varaždin, Croatia
{melita.kozina, isekovani}@foi.hr

Abstract. Cobit 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise information technology (IT). Furthermore, it helps enterprises create optimal value from IT based on the balance between the achieved IT benefits and the optimized risk and resource use. The implementation of e-health governance within health care is a very complex and poorly understood project. The paper explores the application of this framework within a health organization in Croatia as well as its impact on e-health governance maturity and strategic alignment with health care. This study used Cobit 5 management guidelines for some of the IT-related activities in order to help organizations make better e-health investment decisions and strategies.

Keywords. Cobit 5 framework, e-health governance, business-to-e-health strategic alignment, IS auditing.

1 Introduction

The purpose of the paper is to demonstrate how the principles of the Cobit 5 framework (Control Objectives for Information and related Technology) can be applied in health care. Today's information technology (IT) allows better patient health care. Providing health services is simplified by the use of information technology. E-health of the future will be the backbone of modern society.

The paper explores the application of this framework within a health organization in Croatia as well as its impact on e-health governance maturity and strategic alignment with health care.
Furthermore, within this study we used the Cobit 5 management guidelines for some of the IT-related activities in order to help the organization make better e-health investment decisions and strategies. The research method is mainly based on interviews with the Chief Information Officer and the process owners, and on their documentation.

The concept of the Cobit 5 framework is described in Chapter 2. In what way can we suggest to executive management that it use Cobit 5? Cobit 5 offers various management tools, and some of them we applied through this study [8,9]. Business-to-e-health strategic alignment refers to applying IT within health care according to the strategy of the health care organization. It is described in Chapter 3.

IT/IS auditing within the health care organization is described in Chapter 4. The scope of this auditing includes two representative IT processes within the IT function as well as the management guidelines related to the process goals and metrics and the RACI matrix. In conclusion, the obtained results are compared in order to represent the actual maturity level of e-health governance within the observed health care organization.

2 Cobit 5 framework

Nowadays, there is an increasing interest in investments in information technology and information systems. To make such investments last effectively it is necessary to set up a good IT infrastructure and adapt it to the business enterprise. Using Cobit 5 we can monitor the development and management of the information and communication systems and the design of business processes. Enterprise governance of IT is an integral part of overall enterprise governance that ensures that IT creates value for the enterprise and broadens its strategy [5].
The Cobit 5 framework includes:
a) 5 principles
b) 5 process domains
c) management guidelines for each of the IT-related activities (goals, metrics, practices, RACI matrix, etc.)
d) a process capability model based on the ISO/IEC 15504 standard.

There are five principles of the Cobit 5 framework, as shown in Fig. 1. These principles are:
1. Meeting Stakeholder Needs

Varaždin, Croatia, Faculty of Organization and Informatics, September 23-25, 2015

2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management.

Fig. 1. Cobit 5 principles [5]

Companies exist so that they can create value for their stakeholders. In order to achieve good value for their stakeholders it is necessary to have good governance and management of information and IT assets [2]. Company committees, CEOs and management need to accept IT as any other important part of the business. Cobit provides a comprehensive framework that helps businesses to achieve their goals and create value through efficient corporate governance of IT. The stakeholder needs have to be transformed into enterprise strategy. The goal of Cobit is to translate the stakeholder needs into specific enterprise and IT objectives (shown in Fig. 2) [6].

There are 37 processes within the Cobit 5 framework. These processes can be divided into five logical domains. Each of these processes has its own detailed controls. Domains and processes are needed so that all IT solutions can be implemented. They represent a tool for the planning, implementation and use of information systems.
The process domains of the Cobit 5 framework are:
a) Governance domain: Evaluate, Direct and Monitor, EDM.
b) Management domains: Align, Plan and Organize, APO; Monitor, Evaluate and Assess, MEA; Deliver, Service and Support, DSS; Build, Acquire and Implement, BAI.

In addition, the Cobit 5 framework defines the Process Capability Model (Cobit 5 PAM) in order to assess the capability of each IT process according to 6 levels of capability (shown in Table 1).

Table 1. Cobit 5 Process Capability Levels

Level | Name | Description
0 | Incomplete Process | The process is not implemented or does not achieve its purpose (partially executed).
1 | Performed Process | The process is implemented and it fulfills its purpose.
2 | Managed Process | The process achieves its purpose (Level 1) and is managed (the process is planned, supervised, adjusted), and its operating results are defined, controlled and maintained.
3 | Established Process | A managed process (Level 2) is now implemented as a defined process that is capable of achieving its work results.
4 | Predictable Process | A defined process (Level 3) now carries out its work results within defined limits of control. The process is controlled and can be anticipated.
5 | Optimising Process | A predictable process (Level 4) is continuously improved in order to achieve the business goals of the organization, higher quality and the needs of customers/users.

Fig. 2. Cobit 5 cascade goals overview

3 Business-to-e-health strategic alignment using the Cobit 5

Business-to-e-health strategic alignment refers to applying IT within health care according to the strategy of the health care organization. E-health governance can be defined as the IT responsibility of the business and IT management within the health organization for the new organizational structures and processes that provide the business value of IT and achieve the needs of the health care stakeholders.

In this part, we used the concept of business-to-e-health strategic alignment based on the mapping of the business and IT goals of the health organization. It is based on the generic concept of the alignment between the business and IT goals defined within Cobit 5.

Table 2. Business BSC strategy map of the health organization

BSC perspective | Goals | Metrics
Finance | Being aligned with prices of HZZO; To stay within the allowed limits; Annual planning; Price of health services | Monthly report of spent funds; The percentage of funds spent
Customers | Increasing the number of patients; Reducing waiting lists; Quality of patient treatment; Improving the service process | Number of patients; The number of patients on the waiting list; Quality indicators of treatment; Number of days waiting for service
Internal business processes | The increase in revenues as a good way of invoicing services; Reduction of repeated service | The amount of revenue from invoicing; Number of repeated services
Learning and growth | Employee training; Training to work on new apparatuses | The cost of employee training; The percentage of accuracy in the execution of the new apparatuses

The stakeholder needs can be associated with the governance objective of the health organization. Governance goals are related to obtaining benefits, risk management and cost optimisation.
Governance objectives of the hospital are mapped into a set of generic objectives that are made using the BSC (Balanced Scorecard) strategy map through the four perspectives: finance, customers, internal business processes, and learning and growth [7]. Table 2 shows the business BSC strategy map of the health organization.

Hospital objectives require a certain number of IT outputs. These IT outputs are shown as IT goals. Table 3 shows the results of the mapping between the IT goals and the health care goals of the hospital.

Table 3. IT BSC strategy map as a result of the business-to-e-health strategic alignment

BSC dimension | IT goals
Business contribution of IT | Improved invoicing system services; Increased employee productivity; A better flow of patients through the hospital; Reducing the cost of treatment
Customers | Update the e-ordering application; Regularly updated information on a patient in the hospital information system; Keep the complaints of patients within the PIS application
Internal processes | Reduce the waiting time for service by computerizing the process of patients waiting for the service; Improve the billing services process by regularly updating and improving the business application PIS; Avoid data redundancy by maintaining the BIS system (central information system of the hospital)
Learning and growth | Enable employees to work with the new ERP system; Train new employees to work with applications

The business contribution dimension evaluates IT performance from the viewpoint of top management and the stakeholders [2]. The business value of IT projects can be measured through financial measures such as ROI and Cost/Benefit Analysis, through measures focused on service improvements related to health care, as well as

through those measures that are based on enabling the achievement of the corporate health strategy. In this business case the business contribution of IT is especially related to the improved invoicing system services, increased employee productivity, a better flow of patients through the hospital and reducing the cost of treatment.

IT BSC is a measurement and management system very suitable for supporting the IT Governance process and the IT/Business Alignment process [11]. The essence of IT Governance is to ensure the mechanism which will link business and information systems (strategy alignment) and initiate continual improvement of IT in order to extend the organization's strategy and objectives [1].

4 IT/IS auditing within the health care organization using the Cobit 5

An audit of information systems is the process of evaluating the established control mechanisms and procedures, assessing compliance with "good practices", standards and methods, and identifying the weaknesses and risks. For the purpose of this study we selected two processes of the IT function within the health organization and applied some of the management guidelines according to Cobit 5 in order to identify the weaknesses and risks and suggest adequate improvements. The process Ensure risk optimisation is a governance process (EDM process domain) from the Cobit 5 Process Reference Model.
The process Manage quality is a management process (APO process domain).

Table 4. Process goals and related metrics - Ensure risk optimisation (Cobit 5 framework)

Process goals | Related metrics
(1) The thresholds of risk are defined and key IT risks are known | The number of potential IT risks that are identified and controlled; The level of evaluation of risk factors; The level of relations between IT risks and enterprise risk
(2) The company manages critical IT risks effectively and efficiently | The percentage of company projects that consider IT risks; Percentage of IT risk plans that are carried out on time; The percentage of critical risks which were effectively mitigated
(3) IT risks of the company do not exceed the tolerance for risk and the impact of IT risk on the value of the company is identified and controlled | The percentage of IT risks that exceed the tolerance for risk; Level of unexpected impact on the company

For the audit of these processes, we applied two Cobit techniques. The first technique is related to the process goals and their measurement by means of the relevant metrics. The other technique is related to the RACI matrix for the specific process.

The process Ensure risk optimisation should ensure that risks and risk tolerance are understood and that the risks associated with the creation of enterprise value by using IT are identified and managed.
The purpose of the process is to ensure that the impact of IT risk on the value of the company is identified and that the errors are reduced. According to the Cobit 5 framework, this process has three process goals and related metrics (shown in Table 4) [5]. We explored the process goals and metrics for risk management within the hospital and got the following results (shown in Table 5).

Table 5. Process goals and related metrics - Ensure risk optimisation in the hospital

Process goals | Metrics
(1) Reduce the number of interruptions or difficulties in business functioning | The monthly number of business interruptions due to the failure of the information system
(2) Reduce the risk of attacks on information system property | Number of intrusions into the information system
(3) Secure sensitive information from theft | Number of thefts of sensitive data
(4) Reduce risk due to inadequate protection of cryptographic keys | The level of protection of cryptographic keys
(5) Prevent illegal downloading and use of software | Number of illegally downloaded software packages
(6) Better protection of information system passwords | Level of password protection in the information system
(7) Monthly testing for errors and viruses in the information system | Number of errors and viruses found

Based on the auditing of Ensure risk optimisation within the health care organization, a few deficiencies were found. The first deficiency is related to the number of crashes of the information system. Namely, since it is a newly introduced system, crashes and the monthly business interruptions due to system crashes are quite common.

All departments and patients in the hospital depend on the work of the information system. It is recommended to test the system and carry out troubleshooting on the system during the late afternoon hours, when there are fewer patients in the hospital, and not, as now, in the early morning hours.

Furthermore, a deficiency was found associated with weak password protection. Although this is highly sensitive data, password management in the hospital is bad. The security of the passwords is at a low level and they consist mostly of four random characters. Password changes on a monthly basis do not exist, which means that the information system security is endangered due to inadequate management of the passwords.

Monthly testing for errors and viruses is not carried out. Although there is the NOD program to prevent viruses, most of the medical and non-medical staff are not trained to work with it, leading to a large number of viruses and errors. Running the program and cleaning the computers of viruses is carried out once a year, which is too little.

Better information system security would improve the quality of treatment of the patients and there would be fewer interruptions in the operation of the system. Based on our assessments, we can conclude that the process goals relative to the Cobit 5 standard are partially implemented - up to 15%. The hospital should improve IT risk management in order to avoid disruption of the system. It is necessary to control the impact of IT risk on the onset of security holes in the system.

Another technique that we used is the RACI matrix (shown in Table 6). It consists of the acronyms which mean [5]:
- Responsible (the person who has operational responsibility for the performance of the work);
- Accountable (the person who is personally responsible and gives final approval);
- Consulted (the person giving support in the form of reviews, tips and explanations);
- Informed (the person who is informed about the events).

Table 6. RACI matrix for Ensure risk optimisation in the hospital

Practice | Board | Hospital director | COO | Lead programmer | CIO | Head of Accounting | CFO | IT security director
Evaluate risk management | I | A | C | C | R | C | C | R
Direct risk management | I | A | I | I | A | C | C | R
Monitor IT risk management | I | A | I | I | A | C | C | R

The RACI matrix of the process Ensure risk optimisation within the hospital practice has several disadvantages. The hospital has its own head of information security and he is, along with the head of IT, in charge of risk management. The role of the hospital board in risk management is minor and it should be, according to Cobit, increased. However, there is a problem in accountability, because too many people are accountable for risk optimisation, leading to frequent confusion. Due to the large number of informed people there is the question of whether everyone should be informed.

Further, the next process, at the management level, which we analyzed, is the process APO11 – Manage Quality. This process serves to define requirements for quality in all processes, procedures and related outcomes of the hospital, including the control, supervision and use of standards and practices in continuous improvement.
It serves to ensure the consistent delivery of solutions and services that meet the quality requirements of the hospital and the needs of stakeholders.

Table 7. Process goals and related metrics for Manage quality (Cobit 5 framework)

Process goals | Related metrics
(1) Stakeholders are satisfied with the quality of solutions and services | Percentage of stakeholders satisfied with IT quality; Number of services with a formal plan of quality management; The average rating of stakeholder satisfaction with solutions and services
(2) Results of the project and services delivery are predictable | The percentage of solutions and services delivered with the official certificate; The number of defects detected before production; The percentage of inspected projects that meet the desired quality goals
(3) Quality requirements are implemented in all processes | Number of processes with defined requirements for quality; Number of processes with a formal report on quality; Number of SLAs that include eligibility criteria for quality

The process Manage quality according to the Cobit 5 framework has three process goals and related metrics (shown in Table 7) [5]. Process goals and related metrics for Manage quality were explored within the hospital practice (shown in Table 8).

Table 8. Process goals and related metrics for Manage quality in the hospital

Process goals | Metrics
(1) Involve the IT service in the "Quality management plan of the hospital" | The percentage of informatics involvement in the "Quality management plan of the hospital"
(2) Collect proposals for the development and improvement of the Hospital Information System | Number of proposals for Hospital Information System improvement
(3) Implementation of nursing documentation in the information system | Percentage of completed implementation of nursing documentation in the information system
(4) Document all hospital software | The amount of documented hospital software
(5) Maintain hospital applications | Number of well-maintained hospital applications

The hospital has a quality management plan. However, the role of information technology and the IT department in the plan is minor. It is necessary to maintain IT quality at the appropriate level to enable better support for the other processes of the hospital.

Another of the deficiencies found is linked to the collection of proposals for the improvement and development of the hospital information system. Suggestions are always welcome, and they show that the IT department works as a team to improve the system. However, in practice no interest of IT staff in presenting such proposals was found. Proposals that were present were not implemented in reality because of weak mutual communication and employee resistance to it. It is necessary to work on teamwork to enable quality business.

A deficiency was found in documenting the software. Documentation helps with better software maintenance. No satisfactory software documentation was found in the hospital. The documentation is done in an unprotected Excel table that is not stored anywhere permanently. Based on our assessments, we can conclude that the process goals relative to the Cobit 5 standard are also partially implemented - up to 15%.

The results of the analysis related to the organizational structures and their responsibilities through the practices of Manage Quality are shown in Table 9.

Table 9. RACI matrix for Manage quality in the hospital

Practice | Board | Hospital director | COO | Lead programmer | CIO | Head of Accounting | CFO | Quality management team
Establish a quality management system | I | C | I | I | A | C | I | A
Define and manage quality standards, practices and procedures | I | C | I | I | A | C | I | A
Focus quality management on customers | I | C | I | I | R | C | I | A
Perform quality monitoring, control and reviews | I | I | I | I | R | C | I | A
Integrate quality management into solutions for development and service delivery | I | I | I | I | R | C | I | A
Ensure continuous improvement | I | C | I | I | R | C | I | A

As can be seen from the RACI matrix, the main responsibility for quality management lies with the quality management team at the hospital as well as the head of IT (CIO).
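The accountability problem that both RACI matrices expose (two roles marked A on the same practice, and practices with no R at all) can be checked mechanically. The following Python snippet is an added example, not code from the paper or from Cobit 5: it parses a RACI matrix laid out like Tables 6 and 9 above, applies the usual convention that every practice has exactly one Accountable role and at least one Responsible role, and lists the practices that break it. The column order of the two matrices is the one used in the reconstructed tables above, and the cell strings are those tables' values.

```python
"""Added example: consistency checks over a RACI matrix.

The RACI convention behind Tables 6 and 9 is that every practice has exactly
one Accountable (A) role and at least one Responsible (R) role.  The checks
below apply that convention to the two hospital matrices and report the
practices that violate it, which is the finding the paper reaches by hand.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Column order as reconstructed from Table 6 (Ensure risk optimisation).
ROLES_RISK = ["Board", "Hospital director", "COO", "Lead programmer", "CIO",
              "Head of Accounting", "CFO", "IT security director"]
RACI_RISK = {
    "Evaluate risk management":   "I A C C R C C R",
    "Direct risk management":     "I A I I A C C R",
    "Monitor IT risk management": "I A I I A C C R",
}

# Column order as reconstructed from Table 9 (Manage quality).
ROLES_QUALITY = ["Board", "Hospital director", "COO", "Lead programmer", "CIO",
                 "Head of Accounting", "CFO", "Quality management team"]
RACI_QUALITY = {
    "Establish a quality management system": "I C I I A C I A",
    "Define and manage quality standards, practices and procedures": "I C I I A C I A",
    "Focus quality management on customers": "I C I I R C I A",
    "Perform quality monitoring, control and reviews": "I I I I R C I A",
    "Integrate quality management into solutions for development and service delivery": "I I I I R C I A",
    "Ensure continuous improvement": "I C I I R C I A",
}

VALID = {"R", "A", "C", "I"}


@dataclass
class Finding:
    practice: str
    accountable: List[str]
    responsible: List[str]
    informed: List[str]
    problems: List[str]


def parse_row(roles: List[str], cells: str) -> Dict[str, Set[str]]:
    """Map each role to the set of RACI letters in its cell.

    A cell may hold one letter or a combination such as "A/R"; any other
    token, or a cell count that does not match the role list, is an error.
    """
    tokens = cells.split()
    if len(tokens) != len(roles):
        raise ValueError(f"expected {len(roles)} cells, got {len(tokens)}")
    row: Dict[str, Set[str]] = {}
    for role, token in zip(roles, tokens):
        letters = set(token.upper().split("/"))
        if not letters <= VALID:
            raise ValueError(f"invalid RACI cell {token!r} for {role}")
        row[role] = letters
    return row


def check_matrix(roles: List[str], matrix: Dict[str, str]) -> List[Finding]:
    """Apply the one-A / at-least-one-R rule to every practice in the matrix."""
    findings = []
    for practice, cells in matrix.items():
        row = parse_row(roles, cells)
        acc = [r for r, v in row.items() if "A" in v]
        resp = [r for r, v in row.items() if "R" in v]
        inf = [r for r, v in row.items() if "I" in v]
        problems = []
        if not acc:
            problems.append("no Accountable role")
        elif len(acc) > 1:
            problems.append(f"{len(acc)} Accountable roles, expected exactly one")
        if not resp:
            problems.append("no Responsible role")
        findings.append(Finding(practice, acc, resp, inf, problems))
    return findings


def problem_practices(roles: List[str], matrix: Dict[str, str]) -> List[str]:
    """Names of the practices whose RACI assignment breaks the convention."""
    return [f.practice for f in check_matrix(roles, matrix) if f.problems]


if __name__ == "__main__":
    for name, roles, matrix in (("Table 6", ROLES_RISK, RACI_RISK),
                                ("Table 9", ROLES_QUALITY, RACI_QUALITY)):
        print(name)
        for f in check_matrix(roles, matrix):
            status = "; ".join(f.problems) or "ok"
            print(f"  {f.practice}: A={f.accountable} R={f.responsible} "
                  f"I={len(f.informed)}/{len(roles)} -> {status}")
```

Run as a script it reports, for Table 6, that Direct and Monitor risk management each carry two Accountable roles (Hospital director and CIO), and for Table 9 that the first two practices have two Accountable roles and no Responsible one; the informed count per row is printed so the "too many informed people" question can be judged from the data as well.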
Their roles often lead to confusion within decision-making.

5 Conclusion

The goal of the paper was to analyze how the application of the Cobit 5 framework within the health organization can be useful for e-health management in order to improve the maturity of e-health governance and strategic alignment with health care.

The Cobit 5 framework provides different tools for increasing the maturity of enterprise governance of

IT. Some of them we applied in this study in order to compare the actual maturity level of e-health governance within the observed organization with the target level of maturity.

The business-to-e-health strategic alignment was conducted within the health care organization using the Cobit 5 management guidelines and the Balanced Scorecard strategy maps. It is a very important measurement and management mechanism to support e-health governance. Using this mechanism, we could analyse how the hospital and the board evaluate the business value of IT and how much IT is involved in the health care services.

The purpose of the IT/IS auditing within health care was to identify existing weaknesses and risks and suggest the needed improvements. We also used the Cobit 5 management guidelines for the IT processes (process goals and metrics and the RACI matrix). We selected a governance process from the Cobit 5 process reference model (Ensure Risk Optimisation) and a management process (Manage Quality).
The obtained results showed that the capability of these processes is very low. Through the methods and tools that we used, we can conclude that the IT function has a good basis for improvements. The improvement projects within the hospital are primarily focused on the implementation of an information security management system as well as on the implementation of a quality management system within the IT function. Furthermore, the hospital should improve the alignment between business and IT objectives, include more IT solutions/IT services into the business processes, and improve the central hospital IS as well as the responsibilities of business and IT managers in the field of IT investments.

References

[1] De Haes, S., Van Grembergen, W.: IT Governance Structures, Processes and Relational Mechanisms: Achieving IT/Business Alignment in a Major Belgian Financial Group, Proceedings of the 38th Hawaii International Conference on System Sciences, 2005.
[2] Gregor, S., Fernandez, W. et al.: Achieving value from ICT: key management strategies, Department of Communications, Information Technology and the Arts, .../Achieving Value from ICT Key Management Strategies.pdf, Accessed: 2015-05-04.
[3] Guldentops, E.: Value Management Principles, ISACA, 2007.
[4] Harmer, G.: Governance of Enterprise IT based on Cobit 5, ITGI, UK, 2013.
[5] ISACA: Cobit 5: Process Reference Guide, ISACA, 2011.
[6] ISACA: CGEIT Review Manual 2015, 2015.
[7] Kapur, R.: Use of the Balanced Scorecard for IT Risk Management, ISACA, 2010.
[8] Lambeth, J.: Using Cobit as a Tool to Lead Enterprise IT Organizations, ISACA, 2007.
[9] Selig, G. J.: Implementing Effective IT Governance and IT Management, Van Haren Publishing, (Second Edition) 2015.
[10] Thorp, J.: Enterprise Value: Governance of IT Investments, The Val IT Framework, ITGI, 2008.
[11] Van Grembergen, W., De Haes, S.: IT Governance and its Mechanisms, Information Systems Control Journal, vol. 1, 2004.
