Other Matters

According to the Suffolk County Sheriff’s Department’s (SCSD’s) Policy S623 (Serious Illness, Injury or Death of Any Person on Site or on the Job), which relates to the death-in-custody process,

IX. Inmate Suicide

A.   Following an attempted or completed suicide, the [health services administrator, or HSA] will direct a clinical review.

B.   The clinical review committee, comprised at a minimum of the HSA, the Medical Director, and the Director of Mental Health, will conduct an in-depth clinical review to determine whether changes in the clinical psychiatric management could have prevented the result.

C.   The findings, recommendations and actions of the committee shall be summarized in a confidential communication to the Superintendent that will include:

1. a summary of pertinent findings;
2. recommendations regarding possible changes in existing procedures or protocols;
3. recommendations on dissemination of information to staff on the detection and prevention of future incidents; and
4. future training recommendations.

D.   The committee’s summary report, together with reports secondary to the incident and a summary completed by the Superintendent, will be forwarded to the Special Sheriff.

SCSD could not provide us with any documentation to substantiate that the health services administrator and SCSD superintendent retained copies of the Clinical Review Committee’s Summary Report or related reports, which cover the required postmortem reviews, and that those reports were forwarded to SCSD’s Special Sheriff, regarding the one inmate who died in SCSD’s custody during the audit period. We requested copies of these reports from SCSD officials, but SCSD officials stated that the healthcare vendor’s policy was to collect the copies of the reports that were distributed to SCSD officials after the meeting where the results of the postmortem reviews were discussed with SCSD management. Without copies of these reports, SCSD cannot effectively track the implementation of recommendations that the Clinical Review Committee made, which would have been documented in these reports.

During the course of our audit, SCSD management told us that the postmortem reviews in question were conducted, and we were able to subsequently corroborate this information through emails and meeting minutes. To substantiate compliance with this requirement and the extent to which any recommendations were implemented, SCSD needs to develop a policy requiring that copies of the Clinical Review Committee’s Summary Report, and related reports, be retained.

The Department provided the auditors with copies of the agenda, the detailed meeting minutes of the Morbidity and Mortality Review Meeting, and the sign-in sheet with signatures of each of the attendees. The meeting minutes documented that the review meeting included discussions about the facts of the inmate’s death by suicide, the physician and HSA clinical summaries, a review of the incident reports, the procedures followed, whether staff responded appropriately, a review of the suicide assessment tools utilized, a review of the time-keeping during the medical emergency, a root-cause analysis, and recommendations to address any concerns identified.

The Audit found that the Department should have retained copies of the [reports covering the] postmortem reviews generated by the medical provider. This . . . is at odds with the peer review privilege created by [Section 204 of Chapter 111 of the Massachusetts General Laws], which provides that written mortality review findings are not subject to disclosure or subpoena except in legal or administrative proceedings brought by the boards of registration for medicine, pharmacy, social work, or psychology. Additionally, requiring the medical provider to disseminate these reports would chill the frank exchange of information concerning the demise of the patient, which would undermine the central purpose of these review meetings.

The Department is audited multiple times each year by a variety of correctional and medical professionals and government agencies to ensure its compliance with the law, industry best practices, and its internal policies. These auditing agencies include the American Correctional Association, the National Commission on Correctional Health Care, Massachusetts Department of Corrections, the Massachusetts Department of Public Health, the US Immigration and Custom Enforcement, and various independent auditing firms. None of these agencies with correctional expertise has ever disputed the Department’s full compliance with these provisions.

Going forward, the Department’s General Counsel will generate an internal document summarizing their impression of the mortality review to better document the discussion in accordance with the standards.

The Office of the State Auditor (OSA) acknowledged that SCSD provided documentation (i.e., emails and meeting minutes) to substantiate that both of the reviews in question were actually conducted. However, in terms of the clinical review, in OSA’s opinion, this documentation is not an acceptable substitute for the official records or reports (e.g., the Clinical Review Committee’s Summary Report) that were required to be generated and sent to the Special Sheriff. These reports would contain more detailed information about the incident and the related discussions, conclusions, and recommendations of the Clinical Review Committee. OSA’s audit testing was conducted based on SCSD’s existing policies and procedures. During our testing, OSA found that SCSD did not have copies of the reports in question and therefore could not demonstrate compliance with its Policy S623. Based on this, OSA recommends that SCSD improve its internal controls over this activity by developing a policy requiring that copies of these reports be retained. We believe that this is a sound business practice that will not only allow SCSD to document compliance with this policy but also serve as a tool that can be used by SCSD management to monitor the implementation of the recommendations made by the Clinical Review Committee.

We cannot comment on any audits conducted on SCSD by other agencies as we were not provided with copies of any of these reports to review during our audit. Regardless, our concern was that SCSD lacked adequate internal controls over this activity, and in our opinion, SCSD would be better served if it implemented our recommendation to address this issue.

SCSD has not established adequate internal controls over its information technology (IT) system, the Offender Management System. Specifically, SCSD has no written policies and procedures for administering critical aspects of this system, such as the following:

• IT system access
• IT system cybersecurity awareness training
• IT system audit and accountability
• IT system identification and authentication
• IT system user rights

Further, SCSD does not have an IT continuity of operations plan or disaster recovery plan that provides a framework to ensure the continuity of its IT operations systems if an emergency affects them. In comparison, standards established by the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-53r5 include developing IT policies and procedures that contain IT continuity of operations and disaster recovery plans.

In addition to not having the aforementioned policies and procedures, SCSD does not conduct certain critical IT system control activities. Specifically, SCSD does not provide cybersecurity awareness training to any of its employees who have access to its IT systems and does not periodically review employees’ system user rights. In comparison, standards established by NIST Special Publication 800-53r5 include conducting IT system control activities, such as regular cybersecurity awareness training for all employees and periodic review of IT system user rights for employees.

In the opinion of the Office of the State Auditor, SCSD should take immediate measures to improve the internal controls over its IT systems. Inadequate or nonexistent controls make the information in SCSD’s IT systems more vulnerable to unauthorized access and use by employees and to cyberattacks that could result in financial and/or reputational losses. 

The Offender Management System (OMS) is a statewide application used by most correctional agencies in the Commonwealth, and it is managed jointly by the Executive Office of Public Safety and Security (EOPSS) and the Executive Office of Technology Services and Security (EOTSS). The Department will forward the findings of this audit relative to OMS to those agencies and will develop an internal policy and training program consistent with the recommendations of EOPSS, EOTTS and this report.

Based on its response, SCSD is taking measures to address this issue. We urge SCSD to prioritize the development of its IT policy to improve internal controls over its IT systems.