The auditor general’s report for the financial years ended 31st December 2021 and 2022 has revealed that the National Health Insurance Management Authority (NHMA), put confidential customer data (who are mostly patients) at a risk of being breached because of the authority’s failure to secure a software source code for their operational infrastructure system.
A software source code is a set of instructions and statements written by a programmer using a computer programming language and when it comes to software development, owning the source code is a crucial aspect that should not be overlooked because the ownership of the source code determines who has the right to modify, distribute and sell the software.
But according to the AG report, an examination of financial and other relevant records maintained at NHIMA for the financial years ended 31st December 2021 and 2022 revealed that the authority on 13th February 2020, awarded a K790 million contract to ZSIC Life Limited for the supply their operational infrastructure system which included its design, implementation, deployment and support.
The report revealed that as at 30th September 2023, NHIMA paid ZSIC Life Ltd over K517 million for the contract and were left with a balance of over K272 million.
The report further revealed that the contract stated that the consultant would be required to provide a fully customizable integrated Enterprise Resource Planning (ERP) information system to support the implementation of NHI scheme of which the core system was to be wholly owned by NHIMA
However, it was observed that as at September 2023, NHIMA had not secured the source code for the HIP system which put the customer’s data at a risk of being breached.
“On 13th February 2020, NHIMA awarded a contract to ZSIC Life Limited for the supply of a system. The scope of works included design, implementation, deployment and support of the operational infrastructure for NHIMA at a contract sum of K790, 000,000. Among the modules to be implemented were member registrations, payment portal and benefit management modules,” the report revealed.
“The contract was for a period of five (5) years from the effective date of the contract. As at 30th September 2023, NHIMA had paid the ZSIC Life Ltd amounts totaling K517, 365,000 leaving a balance of K272, 635,000. Appendix A, Section 3.6 (a) of the contract stated that the consultant would be required to provide a fully customizable integrated Enterprise Resource Planning (ERP) information system to support the implementation of NHI scheme. The core system would be wholly owned by the NHIMA including its source code and all the data was to be hosted in Zambia. No license fees were to apply beyond the initial procurement and deployment of the system by NHIMA. However, it was observed that as at September 2023, NHIMA had not secured the source code for the HIP system. Not owning the source code may lead to several risks, such as Security risks: An Institution may not be able to fix security vulnerabilities or bugs in the software which could lead to breach of customer data. This implies that NHIMA will forever rely on the developer for any modification, bug fix, upgrade to the system and the developer may raise the price for such services. revealed the report.
Meanwhile, the report also revealed that the authority’s failure to secure the source code also put the system at vendor lock risks and the authority having limited control of the system.
“Not owning the source code may also lead to several risks, such as: Vendor lock-in: where an institution becomes dependent on the vendor who developed the software and may not be able to switch to another vendor if they are not satisfied with their services. Limited control: An institution may not have full control over the software and may not be able to customize it according to their needs or upgrade it. This implies that NHIMA will forever rely on the developer for any modification, bug fix, upgrade to the system and the developer may raise the price for such services,” revealed the report.
