Top 5 Must Do IT Audits


Top 5 Must Do IT Audits
Mike Fabrizius, Sharp HealthCare, VP, Internal Audit
DJ Wilkins, KPMG, Partner, IT Advisory
2011 AHIA Annual Conference, www.ahia.org

Contents
- Background on Sharp HealthCare
- Sharp's Co-sourcing Arrangement with KPMG
- Current IT Landscape and Trends
- Typical Profile of IT Departments in HealthCare
- New and Changing Regulatory Environment
- Changes to Patient Care Technologies
- Five Must Do IT Audits

Key Sharp HealthCare Facts
- Serves the 3 million residents of San Diego County
- Largest health care system in San Diego: 2,060 licensed beds
- Largest private employer in San Diego: 15,000 employees
- 2,600 affiliated physicians
- Full spectrum of health care programs and services: home health, hospice, 2 medical groups, health plan

Sharp Highlights
- 2007 Malcolm Baldrige National Quality Award
- Magnet Designation for Nursing Excellence at Sharp Memorial and Sharp Grossmont Hospitals
- "Most Wired" health care system 11 years out of 12
- Top integrated health care network in California and sixth in the nation, as ranked by Modern Healthcare in 2010

About Sharp HealthCare Internal Audit
- Reports to the Board Audit Committee (functionally) and to the CEO (administratively)
- 6.5 FTEs (VP, Manager, and Senior Internal Auditors)
- Emphasis on operational, financial and IS audits
- Annual participation with external auditors
- Successful external Quality Assessment in 2007
- Co-sourcing for information systems auditing

Sharp HealthCare - IS Overview
- Centralized Information Systems services: CIO directing all staff and services, single data center
- Multitude of systems
- Common enterprise systems:
  - Hospital EMR: Cerner
  - Clinic EHR: Allscripts TouchWorks
  - ERP: Lawson (GL, Payroll, MM, AP)
  - Patient registration and billing: GE Centricity
  - Patient Portal
- Board of Directors oversight is provided through its committees for Technology and for Audit and Compliance.

Sharp's IT Auditing Situation in 2007
- Minimal IT expertise within Internal Audit
- Significant organizational IT investment in process and planned
- Technology proliferating rapidly
- No IT risk assessment: many inherent risks were obvious, but residual risks were largely unknown
- Urgency to do something

First Step: IT Risk Assessment
- Issued an RFP for an IT Risk Assessment
- Received six responses
- Evaluated responses against weighted criteria:

  Description                  Weight
  1. Ability to execute          30%
  2. Comprehension of scope      15%
  3. Cost                        10%
  4. Reputation/history          20%
  5. Local IT expertise           5%
  6. Healthcare IT expertise     20%
  Total                         100%

- Chose KPMG

Sharp's Co-sourcing Assessment
- KPMG completed the IT risk assessment
- Provided a roadmap for a 3-year IT auditing plan
- Reviewed the IT risk assessment with the Audit Committee
- The process demonstrated the competency, expertise and fit of KPMG
- Contracted with KPMG for IT auditing services

Our Key Success Factors
KPMG:
- Works as an extension of Internal Audit
- Matches staffing skills with specific project needs
- Consults with Sharp IA on staff assignments
- Manages the arrangement locally
- Established and maintains credibility with IS and the Audit Committee
Sharp HealthCare IA Management:
- Involved in planning of each engagement
- Participates in kick-off and wrap-up meetings
- Participates in weekly status meetings
- Reviews all report drafts
- Obtains IS Department client feedback

Current IT Landscape in HealthCare
- The healthcare industry is constantly forced to innovate to comply with the demands of the market and of legislation
- Security must be incorporated in a way that protects, rather than compromises, valuable patient data
- Patient safety concerns and compliance mandates act as viable investment drivers
- Wireless technologies play a vital role in the healthcare industry
- Improving healthcare quality and preventing medical errors reduces healthcare costs and increases efficiency

The Changing Regulatory Environment
- HIPAA: The healthcare component focuses on a broad range of improvements, ranging from amendments to HIPAA's privacy and security rules to construction, and provides incentives to entice provider organizations to adopt HIT systems as quickly as possible.
- HITECH Act: Incentives related to health care information technology in general (e.g. creation of a national health care infrastructure), plus specific incentives designed to accelerate the adoption of electronic health record (EHR) systems among providers.
- ICD-10: The International Classification of Diseases, version 10 (ICD-10), is the tenth revision of diagnosis and procedure coding for the healthcare industry. The new code format expands the number of codes, allowing far greater flexibility in detailing and classifying diseases and procedures.

Five Must Do IT Audits
Number 5: Business Continuity
Business Continuity audits analyze the current state of readiness of the organization when faced with a natural or man-made disaster.

Business Continuity: Risks
- Lack of a disaster recovery plan can significantly impact the organization's ability to provide quality patient care.
- Increased reliance on technology raises the importance of high-availability business continuity.
- Lack of a comprehensive, well-communicated crisis management and business continuity plan will negatively impact employee and patient health and safety.

Business Continuity: Audit Steps
- Evaluate the scope and framework of the BC and DR plans
- Evaluate the prioritization of key systems and resources, and the assessment/response procedures
- Evaluate the technology architecture for redundancies, failover capabilities, backups and alternative recovery sites
- Review the disaster recovery plans: scope, testing methodology and test results, and employee training/knowledge of the plan
- Evaluate the IT Disaster Recovery Plan and its effectiveness in meeting business and customer needs

Number 4: Security Monitoring
Security event logging and monitoring becomes increasingly important to identify when unauthorized security-related activities have been attempted or performed on a system or application that processes, transmits or stores confidential information.

Security Monitoring
Security event logging and monitoring is a process in which the organization examines electronic audit logs for indications that unauthorized security-related activities have been attempted or performed on a system or application that processes, transmits or stores confidential information.
Key Risks:
- Unauthorized users may gain access to confidential health information, and the breach may not be detected by management in a timely manner.
- Logging is not enabled to create audit trails, and/or the logs lack the detail needed for effective security monitoring.
- Devices (e.g. medical devices) are connected to the organization's IT network without being monitored, creating vulnerabilities that can impact data integrity and security.

Security Monitoring: Audit Steps
- Review security policies and procedures relevant to Information Security. Example policies: responsibility for security, security awareness and training, provisioning, elevated access, segregation of duties and incident response procedures;
- Review activities to promote security awareness, including Computer Based Training (CBT) and the Information Security intranet website;
- Inspect the configuration of the security applications used to monitor the IT environment;

Security Monitoring: Audit Steps (continued)
- Review Information Security's procedures for monitoring security logs and reports;
- Review the security assessment activities performed to identify IT security threats;
- Review the procedures for managing the resolution of security incidents; and
- Review the system development and change control processes to understand Information Security's role in the acquisition and deployment of IT systems.
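The review of security logs described in the steps above is the part of this audit that most benefits from a worked illustration. The following Python script is an added example, not material from the presentation or from Sharp or KPMG. It runs three checks over a handful of constructed EHR audit-log lines: a failed-login burst (a candidate brute-force attempt), actions outside the user's role (a candidate unauthorized access to ePHI), and lines that lack mandatory fields (the "logging lacks detail" risk). The log format, the field names, the role-to-action policy and the thresholds are all assumptions for the example; real vendor logs differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit-log format (constructed for this example): one event per line,
# space-separated key=value fields. Real EHR audit logs differ per vendor.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S*) result=(?P<result>OK|FAIL)$"
)

# Assumed role-to-action policy that every event is compared against.
ALLOWED_ACTIONS = {
    "nurse": {"login", "view_chart", "view_labs", "update_chart"},
    "physician": {"login", "view_chart", "view_labs", "update_chart", "order"},
    "billing": {"login", "view_demographics", "view_billing"},
}

FAIL_THRESHOLD = 5                  # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window flags the account

# Constructed sample lines: a failed-login burst followed by a success, a billing
# user reading and exporting clinical data, and one line missing mandatory fields.
SAMPLE_LOG = """\
2011-09-12 02:14:01 user=jdoe role=nurse action=login patient= result=FAIL
2011-09-12 02:14:09 user=jdoe role=nurse action=login patient= result=FAIL
2011-09-12 02:14:15 user=jdoe role=nurse action=login patient= result=FAIL
2011-09-12 02:14:22 user=jdoe role=nurse action=login patient= result=FAIL
2011-09-12 02:14:30 user=jdoe role=nurse action=login patient= result=FAIL
2011-09-12 02:15:00 user=jdoe role=nurse action=login patient= result=OK
2011-09-12 02:16:10 user=jdoe role=nurse action=view_chart patient=MRN1001 result=OK
2011-09-12 09:01:00 user=bsmith role=billing action=login patient= result=OK
2011-09-12 09:03:00 user=bsmith role=billing action=view_chart patient=MRN2002 result=OK
2011-09-12 09:05:00 user=bsmith role=billing action=export_chart patient=MRN2002 result=OK
2011-09-12 11:00:00 user=tlee action=view_chart
"""


def parse(lines):
    """Split lines into parsed events and lines the expected format cannot account for."""
    events, unparseable = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparseable.append(line)  # missing fields: the log lacks detail
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(e)
    return events, unparseable


def review(log_text):
    """Return the findings an auditor would follow up on, grouped by kind."""
    events, unparseable = parse(log_text.splitlines())
    findings = {"brute_force": [], "outside_role": [], "unparseable": unparseable}

    # Failed-login bursts: a sliding window of failure timestamps per user.
    failures = defaultdict(list)
    flagged = set()
    for e in events:
        if e["action"] == "login" and e["result"] == "FAIL":
            window = failures[e["user"]]
            window.append(e["ts"])
            while e["ts"] - window[0] > FAIL_WINDOW:  # drop failures outside the window
                window.pop(0)
            if len(window) >= FAIL_THRESHOLD and e["user"] not in flagged:
                flagged.add(e["user"])
                findings["brute_force"].append(e["user"])

    # Actions outside the user's role: candidate unauthorized access to ePHI.
    for e in events:
        if e["action"] not in ALLOWED_ACTIONS.get(e["role"], set()):
            findings["outside_role"].append((e["user"], e["role"], e["action"], e["patient"]))
    return findings


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(kind, items)
```

The unparseable line is a finding in its own right: an event with no role and no result cannot be monitored, which is exactly the second key risk on the slide above.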

Number 3: External and Wireless Networks
As the user base grows and mobile applications become increasingly mission-critical, the need for effective security and management of these networks becomes a top priority.

Wireless Network Drivers
- Creates cost-effective redundancy capabilities
- Migration to Electronic Health Records
- Evolution of mobile devices and mobile health technology
- Ability to provide patients and guests with internet access

External and Wireless Networks: Risks
- Rogue wireless access points: unauthorized access points added to the wireless network
- Performance optimization: monitoring of performance and capacity
- Secure architecture: encryption, redundancy and segmentation
- RF broadcast strength: potential device interference, and visibility of the network from outside the facility
- Malicious hackers: security monitoring and patch management

External and Wireless Networks: Audit Steps
- Review the wireless policy to gain an understanding of how Sharp manages and secures its wireless environment.
- Inspect the wireless network configuration to determine how the wireless local area networks are segregated from Sharp's internal network.
- Perform internal electronic scanning of in-scope locations by walking through the facilities with wireless testing tools.
- Compare the scan results against the list of authorized wireless access points (APs) provided by IT. The comparison identifies unauthorized (rogue) APs.

External and Wireless Networks: Audit Steps (continued)
- Perform external electronic network scans of in-scope locations to determine the broadcast range of Sharp's wireless network. Results of the external scans are exported from the scanning tools onto a graphical map.
- Perform penetration testing against the public wireless network, Portal, to determine whether it is properly segregated from the rest of Sharp's network.
- Assess the monitoring processes over unauthorized APs and unauthorized access attempts.
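The comparison of walk-through scan results against the authorized AP list is mechanical once both sides are in a common shape, and that step is where most of the judgement calls hide (case of BSSIDs, an authorized AP seen with the wrong SSID or weaker encryption than the inventory claims, an unknown AP advertising the internal SSID). The following Python is an added example and not the presentation's or KPMG's tooling: the inventory, the SSIDs ("CLINICAL-WLAN" is invented; "Portal" is the public SSID named on the slide), the BSSIDs and the scan results are all constructed.

```python
# Authorized AP inventory as IT would supply it (constructed; BSSIDs are made up).
AUTHORIZED_APS = {
    "00:1a:2b:3c:4d:01": {"ssid": "CLINICAL-WLAN", "security": "WPA2-Enterprise"},
    "00:1a:2b:3c:4d:02": {"ssid": "CLINICAL-WLAN", "security": "WPA2-Enterprise"},
    "00:1a:2b:3c:4d:03": {"ssid": "Portal", "security": "Open"},  # public guest SSID
    "00:1a:2b:3c:4d:04": {"ssid": "CLINICAL-WLAN", "security": "WPA2-Enterprise"},
}
INTERNAL_SSIDS = {"CLINICAL-WLAN"}                 # SSIDs that must never be open/WEP
ACCEPTABLE_SECURITY = {"WPA2-Enterprise", "WPA2-PSK"}

# Constructed walk-through scan results, as a scanning tool would export them.
SCAN = [
    {"bssid": "00:1A:2B:3C:4D:01", "ssid": "CLINICAL-WLAN", "security": "WPA2-Enterprise", "rssi": -48},
    {"bssid": "00:1a:2b:3c:4d:02", "ssid": "CLINICAL-WLAN", "security": "WEP", "rssi": -55},
    {"bssid": "00:1a:2b:3c:4d:03", "ssid": "Portal", "security": "Open", "rssi": -60},
    {"bssid": "aa:bb:cc:dd:ee:01", "ssid": "CLINICAL-WLAN", "security": "Open", "rssi": -70},
    {"bssid": "aa:bb:cc:dd:ee:02", "ssid": "linksys", "security": "WPA2-PSK", "rssi": -80},
]


def classify_scan(scan, inventory, internal_ssids=INTERNAL_SSIDS):
    """Compare observed APs with the authorized list; return (kind, bssid, detail) findings."""
    findings = []
    seen = set()
    for ap in scan:
        bssid = ap["bssid"].lower()  # normalize case before comparing with the inventory
        seen.add(bssid)
        known = inventory.get(bssid)
        if known is None:
            # Unknown radio advertising the internal SSID is worse than a plain rogue AP.
            kind = "evil_twin" if ap["ssid"] in internal_ssids else "rogue"
            findings.append((kind, bssid, ap["ssid"]))
            continue
        if known["ssid"] != ap["ssid"]:
            findings.append(("ssid_mismatch", bssid, ap["ssid"]))
        if known["security"] != ap["security"]:
            findings.append(("security_mismatch", bssid, ap["security"]))
        if ap["ssid"] in internal_ssids and ap["security"] not in ACCEPTABLE_SECURITY:
            findings.append(("weak_encryption", bssid, ap["security"]))
    # Authorized APs that were not observed: powered off, out of range, or the inventory is stale.
    for bssid in sorted(set(inventory) - seen):
        findings.append(("not_observed", bssid, inventory[bssid]["ssid"]))
    return findings


def summarize(findings):
    """Count findings by kind for the audit workpaper."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in classify_scan(SCAN, AUTHORIZED_APS):
        print(f)
```

A "not_observed" entry is not proof of a problem, but it does need explaining: an inventory that lists APs nobody can find is as much a control weakness as an AP nobody listed.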

Number 2: Patient Portals
With the increased usage of patient portals, protecting access to confidential health information and managing this data becomes more and more important.

Patient Portals
Patient portals provide access to confidential health information such as billing information, test results, scheduled appointments, bill payments, prescribed medications, etc.
Risks:
- Unauthorized access to portal content and/or lack of data security controls
- Portal access is not restricted to the minimum necessary, as required under the HIPAA Privacy Rule
- Data at rest and data in motion do not meet the encryption standards of the HIPAA Security Rule
- Insecure web applications could create vulnerabilities (e.g. cross-site scripting) that an unauthorized user could exploit over the internet to gain access to confidential data
- Audit trails are not maintained for portal events, so security monitoring is not possible

Patient Portals: Audit Steps
- Gain an understanding of the functionality, design and architecture
- Evaluate overall portal security through analysis of the following key areas:
  - Patient web portal (e.g. two-factor authentication, hashed rather than reversibly encrypted password storage)
  - Network (e.g. firewall configurations, use of secure VPN tunnels, use of non-standard ports, use of egress filtering)
  - Operating system (e.g. patches are up to date)
  - Applications and data sources
- Identify and evaluate access controls to ensure that access to create, modify, add or delete portal content is controlled

Patient Portals: Audit Steps (continued)
- Perform a web application vulnerability assessment to identify potential technical vulnerabilities (e.g. in input validation, user authentication, user authorization, session management, error handling and data protection).
- Review access controls for systems and applications storing, receiving or transmitting ePHI. Evaluate whether access is appropriately restricted to the minimum necessary data.
- Review audit logging capabilities and evaluate controls over management review of critical events (e.g. unauthorized access, access to sensitive data, suspicious activity).
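Three of the portal risks above (authorization, minimum necessary, audit trail) meet in one place: the handler that returns a patient record. The following Python is an added example, not code from the presentation or from any portal product. It shows a record-retrieval function with the classic defect a web application assessment looks for (the MRN in the request is trusted, so any logged-in patient can read any record) next to a hardened version that checks session expiry, checks that the caller owns the record or holds an assumed proxy relationship, returns only the fields the portal needs, and writes every decision, including denials, to an audit trail. Records, MRNs, the proxy table and the session shape are all constructed.

```python
from datetime import datetime, timedelta

# Constructed records (not real data). Some fields are internal and must not reach the portal.
RECORDS = {
    "MRN1001": {"name": "Patient A", "labs": ["CBC 2011-09-01"], "balance": 120.00,
                "physician_notes": "internal", "ssn": "000-00-0001"},
    "MRN2002": {"name": "Patient B", "labs": ["BMP 2011-09-03"], "balance": 0.00,
                "physician_notes": "internal", "ssn": "000-00-0002"},
}
PORTAL_FIELDS = {"name", "labs", "balance"}   # minimum necessary for the portal's purpose
PROXIES = {"MRN3003": {"MRN1001"}}            # assumed: e.g. a parent viewing a minor's record
SESSION_TTL = timedelta(minutes=15)
AUDIT_TRAIL = []                              # portal events for security monitoring to review


def vulnerable_get_record(session, mrn):
    """Before: only checks that *someone* is logged in. Changing the MRN in the request
    returns any patient's full record (an insecure direct object reference)."""
    if session is None:
        raise PermissionError("not logged in")
    return RECORDS[mrn]


def hardened_get_record(session, mrn, now):
    """After: session expiry, ownership/proxy check, field restriction and an audit trail.
    `session` is a dict {"mrn": ..., "issued": datetime}; `now` is passed in for testability."""
    def log(outcome):
        AUDIT_TRAIL.append({"ts": now, "user": session["mrn"] if session else None,
                            "target": mrn, "outcome": outcome})

    if session is None or now - session["issued"] > SESSION_TTL:
        log("denied:session")
        raise PermissionError("session missing or expired")
    owner = session["mrn"]
    if mrn != owner and mrn not in PROXIES.get(owner, set()):
        log("denied:not_authorized")
        raise PermissionError("no relationship to requested record")
    record = RECORDS.get(mrn)
    if record is None:
        log("denied:not_found")
        # Same message as the authorization failure so the response does not reveal which MRNs exist.
        raise PermissionError("no relationship to requested record")
    log("allowed")
    return {k: v for k, v in record.items() if k in PORTAL_FIELDS}


if __name__ == "__main__":
    t0 = datetime(2011, 9, 12, 9, 0, 0)
    session = {"mrn": "MRN2002", "issued": t0}
    print("vulnerable:", vulnerable_get_record(session, "MRN1001"))   # another patient's SSN
    print("hardened:", hardened_get_record(session, "MRN2002", t0))   # own record, portal fields only
    for event in AUDIT_TRAIL:
        print(event)
```

When testing a real portal, the equivalent check is to log in as one patient and request another patient's identifier; the audit step then asks whether the denial shows up in the logs that management reviews.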

Number 1: Patient Care Technologies
There are increasingly strong private and public incentives, as a result of the HITECH Act, to implement electronic exchange of health information and allow for interoperability while still preserving security.

Patient Care: Risks
- Not meeting the new ICD-10 transaction standards
- Data encryption does not meet the definition in the HIPAA Security Rule for data at rest and data in motion
- Lack of monitoring of the application interfaces that ensure data integrity as data is exchanged among applications; interface failures can significantly impact the organization's financial and clinical outcomes
- Electronic Health Records systems do not promote data integrity and data security
- Data destruction/sanitization procedures are not in accordance with HIPAA privacy rules

Patient Care: Audit Steps
- Evaluate the project plan and scope of the ICD-10 implementation, and scope the audit(s) to address the highest-risk remediation elements. These include elements related to people, processes and technology.
- Review the existing electronic health records (EHR) systems and their ability to promote the use and exchange of health information. Audit activities might include:
  - Review of data security for electronic health information
  - Comparison of current systems/processes to industry best practices for protecting health information

Patient Care: Audit Steps (continued)
- Identify and evaluate system configurations/controls for the EDI healthcare transactions affected by the upcoming ICD-10 requirements (i.e. ASC X12 version 5010). Evaluate the impact on third-party vendors storing, receiving or transmitting such transactions.
- Identify key interfaces and evaluate interface controls over error handling activities, reconciliations, testing procedures and coding change controls.
- Review procedures and evaluate controls over data destruction/sanitization for media devices containing ePHI.
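The interface controls named in the steps above (error handling and reconciliations) are easiest to understand as a concrete comparison of what one system sent with what the other system accepted. The following Python is an added example and not material from the presentation, KPMG or any interface engine vendor. It reconciles a constructed outbound log of HL7 message control IDs (MSH-10) against a constructed inbound log keyed by the acknowledgement code returned (AA accept, AE error, AR reject, which are the standard HL7 MSA-1 values), and it also applies a purely syntactic ICD-10-CM code check to the diagnosis codes carried in those messages, which catches a legacy ICD-9 code left in the feed. The message IDs, ACK outcomes and codes are all constructed.

```python
import re
from collections import Counter

# Constructed logs: the sending system's outbound message control IDs (HL7 MSH-10)
# and the receiving interface engine's inbound log with the ACK code it returned.
SENT = ["MSG0001", "MSG0002", "MSG0003", "MSG0004", "MSG0005", "MSG0005"]
RECEIVED = {
    "MSG0001": "AA",   # application accept
    "MSG0002": "AE",   # application error: sits in an error queue until resolved
    "MSG0003": "AA",
    "MSG0005": "AA",
    "MSG0099": "AR",   # application reject, and this source never sent it
}
# Diagnosis codes carried in the messages (constructed). ICD-10-CM syntax: a letter,
# a digit, an alphanumeric, then optionally a period and one to four alphanumerics.
# This is a format check only; it does not verify that a code exists in the code set.
DIAGNOSES = {
    "MSG0001": ["E11.9", "I10"],
    "MSG0003": ["250.00"],          # ICD-9-CM, not valid under ICD-10
    "MSG0005": ["S72.001A", "J45"],
}
ICD10_RE = re.compile(r"^[A-Z][0-9][0-9A-Z](\.[0-9A-Z]{1,4})?$")


def reconcile(sent, received):
    """Compare sender and receiver logs; every non-empty list is an exception to follow up."""
    sent_counts = Counter(sent)
    return {
        "duplicates_sent": sorted(k for k, n in sent_counts.items() if n > 1),
        "missing_at_receiver": sorted(k for k in sent_counts if k not in received),
        "unexpected_at_receiver": sorted(k for k in received if k not in sent_counts),
        "not_accepted": sorted(k for k, ack in received.items() if ack != "AA"),
    }


def invalid_diagnosis_codes(diagnoses):
    """Return {message_id: [codes that fail the ICD-10-CM format check]} for offending messages only."""
    result = {}
    for message_id, codes in diagnoses.items():
        bad = [c for c in codes if not ICD10_RE.match(c)]
        if bad:
            result[message_id] = bad
    return result


if __name__ == "__main__":
    for name, ids in reconcile(SENT, RECEIVED).items():
        print(f"{name}: {ids}")
    print("invalid codes:", invalid_diagnosis_codes(DIAGNOSES))
```

The point of the reconciliation for the audit is that every category has an owner and a resolution path: a duplicate send can double-post a charge, a message missing at the receiver is a lost result or order, and an AE/AR that nobody works is an interface error-handling control that exists on paper only.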

Questions?

Save the Date: August 26-29, 2012, 31st Annual Conference in Philadelphia, Pennsylvania