Top 5 Must Do IT Audits
Mike Fabrizius, Sharp HealthCare, VP, Internal Audit
DJ Wilkins, KPMG, Partner, IT Advisory
2011 AHIA Annual Conference
www.ahia.org
Contents
- Background on Sharp HealthCare
- Sharp's Co-sourcing Arrangement with KPMG
- Current IT Landscape and Trends
- Typical Profile of IT Departments in HealthCare
- New and Changing Regulatory Environment
- Changes to Patient Care Technologies
- Five Must Do IT Audits
Key Sharp HealthCare Facts
- Serves the 3 million residents of San Diego County
- Largest health care system in San Diego: 2,060 licensed beds
- Largest private employer in San Diego: 15,000 employees
- 2,600 affiliated physicians
- Full spectrum of health care programs and services: home health, hospice, 2 medical groups, health plan
Sharp Highlights
- 2007 Malcolm Baldrige National Quality Award
- Magnet Designation for Nursing Excellence at Sharp Memorial and Sharp Grossmont Hospitals
- "Most Wired" Health Care System 11 years out of 12
- Top integrated health care network in California and sixth in the nation, as ranked by Modern Healthcare in 2010
About Sharp HealthCare Internal Audit
- Reports to Board Audit Committee (functionally) and CEO (administratively)
- 6.5 FTEs (VP, Manager, and Senior Internal Auditors)
- Emphasis on operational, financial and IS audits
- Annual participation with external auditors
- Successful external Quality Assessment in 2007
- Co-sourcing for information systems auditing
Sharp HealthCare - IS Overview
- Centralized Information Systems services: CIO directing all staff and services; single data center; multitude of systems
- Common Enterprise Systems:
  - Hospital EMR: Cerner
  - Clinic EHR: Allscripts Touchworks
  - ERP: Lawson (GL, Payroll, MM, AP)
  - Patient registration and billing: GE Centricity
  - Patient Portal
- Board of Directors oversight is provided through its committees for Technology and Audit and Compliance.
Sharp's IT Auditing Situation in 2007
- Minimal internal auditing IT expertise
- Significant organizational IT investment in process and planned
- Technology proliferating rapidly
- Lacked an IT risk assessment: many inherent risks obvious, residual risks largely unknown
- Urgency to do something
First Step: IT Risk Assessment
- Issued an RFP for IT Risk Assessment
- Received six responses
- Evaluated responses against weighted criteria:

  Description                 Weight
  1. Ability to execute          30%
  2. Comprehension of scope      15%
  3. Cost                        10%
  4. Reputation/history          20%
  5. Local IT expertise           5%
  6. Healthcare IT expertise     20%
  Total                         100%

- Chose KPMG
Sharp's Co-sourcing Assessment
- KPMG completed IT risk assessment
- Provided roadmap for a 3-year IT auditing plan
- Reviewed IT risk assessment with Audit Committee
- Process demonstrated competency, expertise and fit of KPMG
- Contracted with KPMG for IT auditing services
Our Key Success Factors
KPMG:
- Works as an extension of Internal Audit
- Matches staffing skills with specific project needs
- Consults with Sharp IA on staff assignments
- Manages arrangement locally
- Established and maintains credibility with IS and Audit Committee
Sharp HealthCare IA Management:
- Involved in planning of each engagement
- Participates in kick-off and wrap-up meetings
- Participates in weekly status meetings
- Reviews all report drafts
- Obtains IS Department client feedback
Current IT Landscape in HealthCare
- Healthcare industry is constantly forced to innovate to comply with the demands of the market and legislation
- Must incorporate security in a way that does not compromise valuable patient data
- Patient safety concerns and compliance mandates act as viable investment drivers
- Wireless technologies play a vital role in the healthcare industry
- Improving healthcare quality and preventing medical errors reduces healthcare costs and increases efficiency
The Changing Regulatory Environment
- HIPAA: The healthcare component focuses on a broad range of improvements, from amendments to HIPAA's privacy and security rules to construction, and provides incentives to entice provider organizations to adopt HIT systems as quickly as possible.
- HITECH Act: Provides incentives related to health care information technology in general (e.g. creation of a national health care infrastructure) and contains specific incentives designed to accelerate the adoption of electronic health record (EHR) systems among providers.
- ICD-10: The International Classification of Disease (ICD) version 10 (ICD-10) represents the tenth version of diagnosis and procedure coding for the healthcare industry. The change in formatting expands the number of codes, thereby allowing far greater flexibility in detailing and classifying diseases and procedures.
Five Must Do IT Audits
Number 5: Business Continuity
Business Continuity Audits analyze the current state of readiness of the organization when faced with a natural or man-made disaster.
Business Continuity
Business Continuity Audits analyze the current state of readiness of the organization when faced with a natural or man-made disaster.
Risks:
- Lack of a disaster recovery plan can significantly impact the company's ability to provide quality patient care.
- Increased reliance on technology raises the importance of high-availability business continuity.
- Lack of a comprehensive, well-communicated crisis management and business continuity plan will negatively impact employee and patient health and safety.
Business Continuity
Audit Steps:
- Evaluate scope and framework for BC and DR plans
- Evaluate prioritization of key systems, resources and assessment/response procedures
- Evaluate technology architecture for redundancies, failover capabilities, back-ups and alternative recovery sites
- Review the disaster recovery plans; evaluate scope, testing methodology and results of the plans, and employee training/knowledge of the plan
- Evaluate the IT Disaster Recovery Plan and its effectiveness in meeting business and customer needs
Five Must Do IT Audits
Number 4: Security Monitoring
Security event logging and monitoring becomes increasingly important to identify when unauthorized security-related activities have been attempted or performed on a system or application that processes, transmits or stores confidential information.
Security Monitoring
Security event logging and monitoring is a process in which organizations examine electronic audit logs for indications that unauthorized security-related activities have been attempted or performed on a system or application that processes, transmits or stores confidential information.
Key Risks:
- Unauthorized users may gain access to confidential health information, and the breach may not be detected by Management in a timely manner.
- Logging is not enabled to create audit trails, and/or logging lacks the detail needed for effective security monitoring.
- Lack of monitoring of devices (e.g. medical devices) connected to the organization's IT network can create vulnerabilities that impact data integrity and security.
Security Monitoring
Audit Steps:
- Review security policies and procedures relevant to Information Security. Example policies: responsibility for security, security awareness and training, provisioning, elevated access, segregation of duties and incident response procedures.
- Review activities to promote security awareness, including Computer Based Training (CBT) and the Information Security intranet website.
- Inspect the configuration of security applications used to monitor the IT environment.
Security Monitoring
Audit Steps (continued):
- Review Information Security's procedures to monitor security logs and reports.
- Review security assessment activities performed to identify IT security threats.
- Review procedures to manage the resolution of security incidents.
- Review system development and change control processes to understand Information Security's role in the acquisition and deployment of IT systems.
Five Must Do IT Audits
Number 3: External and Wireless Networks
As the user base grows and mobile applications become increasingly mission-critical, the need for effective security and management of these networks becomes a top priority.
Wireless Network Drivers
As the user base grows and mobile applications become increasingly mission-critical, the need for effective security and management of these networks becomes a top priority.
- Creates cost-effective redundancy capabilities
- Migration to Electronic Health Records
- Evolution of mobile devices and mobile health technology
- Ability to provide patients and guests internet access
External and Wireless Networks
Risks:
- Rogue wireless access points: unauthorized access points added to the wireless network
- Performance optimization: monitoring performance and capacity
- Secure architecture: encryption, redundancy and segmentation
- RF broadcast strength: potential device interference and external visibility
- Malicious hackers: security monitoring and patch management
External and Wireless Networks
Audit Steps:
- Review the wireless policy to gain an understanding of how Sharp manages and secures its wireless environment.
- Inspect the wireless network configuration to determine how wireless local area networks are segregated from Sharp's internal network.
- Perform internal electronic scanning of in-scope locations by walking through facilities with wireless testing tools.
- Compare a listing of scanning results against authorized wireless access points (APs) provided by IT. The comparison is made to identify unauthorized or rogue APs.
External and Wireless Networks
Audit Steps (continued):
- Perform external electronic network scans of in-scope locations to determine the broadcast range of Sharp's wireless network. Results of the external scans are exported from the scanning tools to a graphical map.
- Perform penetration testing against the public wireless network, Portal, to determine whether the Portal wireless network is properly segregated from the rest of Sharp's network.
- Assess monitoring processes over unauthorized APs and unauthorized access attempts.
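The rogue-AP comparison in the audit steps above, as an added example that is not part of the presentation or of Sharp's or KPMG's tooling: it reconciles a walk-through scan export against the authorized AP inventory IT provides and triages each unknown AP. The CSV layouts, SSIDs, BSSIDs, locations and the signal threshold are constructed assumptions; only the guest SSID name "Portal" comes from the deck.

```python
# Added example (not from the presentation): reconcile a wireless site-survey
# export against the authorized AP inventory provided by IT, as the audit step
# describes. Column names, SSIDs, BSSIDs and locations below are constructed.
import csv
import io

# Constructed inventory of authorized APs (BSSID -> SSID, location).
AUTHORIZED_APS = """bssid,ssid,location
00:11:22:33:44:01,SHC-Staff,Tower A Floor 3
00:11:22:33:44:02,SHC-Staff,Tower A Floor 4
00:11:22:33:44:03,Portal,Main Lobby
"""

# Constructed walk-through scan export: SSID, BSSID, channel, encryption, signal, where seen.
SCAN_RESULTS = """ssid,bssid,channel,encryption,signal_dbm,seen_at
SHC-Staff,00:11:22:33:44:01,6,WPA2,-48,Tower A Floor 3
SHC-Staff,00:11:22:33:44:02,11,WPA2,-55,Tower A Floor 4
Portal,00:11:22:33:44:03,1,OPEN,-60,Main Lobby
SHC-Staff,DE:AD:BE:EF:00:01,6,WPA2,-40,Tower A Floor 3
linksys,de:ad:be:ef:00:02,1,OPEN,-70,Radiology
NEIGHBOR-CAFE,aa:bb:cc:dd:ee:ff,11,WPA2,-85,Main Lobby
"""

ORG_SSIDS = {"SHC-Staff", "Portal"}  # SSIDs the organization itself broadcasts (assumed)
STRONG_DBM = -65                     # assumed threshold: stronger than this means "inside the building"

def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_rogue_aps(scan_text=SCAN_RESULTS, inventory_text=AUTHORIZED_APS):
    """Return (bssid, ssid, reason) for every scanned AP absent from the inventory."""
    authorized = {row["bssid"].lower(): row for row in load_csv(inventory_text)}
    findings = []
    for ap in load_csv(scan_text):
        bssid = ap["bssid"].lower()          # normalize case before comparing
        if bssid in authorized:
            continue                         # matches inventory, nothing to report
        if ap["ssid"] in ORG_SSIDS:
            # Unknown hardware advertising the organization's own SSID: highest priority.
            reason = "unauthorized AP broadcasting organizational SSID"
        elif ap["encryption"].upper() == "OPEN" or int(ap["signal_dbm"]) > STRONG_DBM:
            # Open or strong unknown AP seen inside a facility: likely a rogue device.
            reason = "unknown AP inside facility (open or strong signal)"
        else:
            # Weak, foreign SSID: probably a neighbor; keep it for the broadcast-range map.
            reason = "likely neighboring network"
        findings.append((bssid, ap["ssid"], reason))
    return findings
```

Each finding still needs physical follow-up (locate the device, confirm with IT whether it is an undocumented but sanctioned AP) before it is reported as rogue.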
Five Must Do IT Audits
Number 2: Patient Portals
Due to the increased usage of patient portals, protecting access to confidential health information and managing this data becomes more and more important.
Patient Portals
Patient portals provide access to confidential health information such as billing information, test results, scheduled appointments, bill payments, prescribed medications, etc.
Risks:
- Unauthorized access to portal content and/or lack of data security controls
- Patient portal access is not restricted to minimum use access as required under the HIPAA Privacy Policy
- Data at rest and data in motion do not meet encryption standards under the HIPAA privacy policy
- Insecure web applications could create vulnerabilities (e.g. portal attacks, cross-site scripting, etc.) that could be exploited by an unauthorized user through the internet, allowing access to confidential data
- Audit trails are not maintained for portal events to allow for security monitoring
Patient Portals
Audit Steps:
- Gain an understanding of functionality, design and architecture
- Evaluate overall portal security through analysis of the following key areas:
  - Patient web portal (e.g. 2-factor authentication, encrypted passwords)
  - Network (e.g. firewall configurations, use of secure VPN tunnels, use of non-standard ports, use of egress filtering)
  - Operating system (e.g. patches are up to date)
  - Applications and data sources
- Identify and evaluate access controls to ensure access to create, modify, add or delete portal content is controlled
Patient Portals
Audit Steps (continued):
- Perform a web application vulnerability assessment to identify potential technical vulnerabilities (e.g. input validation, user authentication, user authorization, session management, error handling and data protection).
- Review access controls for systems and applications storing, receiving or transmitting ePHI. Evaluate whether access is appropriately restricted to minimum use data.
- Review audit logging capabilities and evaluate controls regarding management review for critical events (e.g. unauthorized access, access to sensitive data, suspicious activity).
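The Security Monitoring risks (audit trails missing or lacking detail; breaches not detected in a timely manner) and the portal audit step above (management review of critical events) both come down to examining audit logs. The script below is an added example, not part of the presentation or of any Sharp or KPMG tool: it runs over constructed portal/EHR audit-log lines, reports records that lack the fields needed for monitoring, and surfaces two critical-event patterns for review. The key=value log format, field names, thresholds and all sample values are assumptions.

```python
# Added example (not from the presentation): a management-review script over
# constructed portal/EHR audit-log lines that flags records lacking the detail
# needed for monitoring and surfaces critical events for review. The key=value
# format, field names, thresholds and all sample values are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

REQUIRED = ("ts", "user", "src_ip", "action", "patient", "outcome")
FAILED_LOGIN_LIMIT = 5      # failed logins from one source inside WINDOW
DISTINCT_PATIENT_LIMIT = 2  # distinct records one user viewed inside WINDOW
WINDOW = timedelta(minutes=10)
# Constructed sample; line 3 lacks the patient field (an incomplete audit trail).
SAMPLE_LOG = """\
ts=2011-08-01T02:01:00 user=nurse01 src_ip=10.1.5.20 action=view patient=P100 outcome=ok
ts=2011-08-01T02:02:00 user=nurse01 src_ip=10.1.5.20 action=view patient=P101 outcome=ok
ts=2011-08-01T02:03:00 user=nurse01 src_ip=10.1.5.20 action=view outcome=ok
ts=2011-08-01T02:04:00 user=nurse01 src_ip=10.1.5.20 action=view patient=P102 outcome=ok
ts=2011-08-01T09:00:00 user=pt_smith src_ip=198.51.100.7 action=login patient=- outcome=fail
ts=2011-08-01T09:00:05 user=pt_jones src_ip=198.51.100.7 action=login patient=- outcome=fail
ts=2011-08-01T09:00:10 user=pt_lee src_ip=198.51.100.7 action=login patient=- outcome=fail
ts=2011-08-01T09:00:15 user=pt_wong src_ip=198.51.100.7 action=login patient=- outcome=fail
ts=2011-08-01T09:00:20 user=pt_khan src_ip=198.51.100.7 action=login patient=- outcome=fail
"""

def parse(line):
    return dict(tok.split("=", 1) for tok in line.split())

def review_audit_log(text=SAMPLE_LOG):
    # Returns {'incomplete': [...], 'failed_logins': [...], 'record_sweeps': [...]}.
    out = {"incomplete": [], "failed_logins": [], "record_sweeps": []}
    fails = defaultdict(list)  # src_ip -> timestamps of failed logins
    views = defaultdict(list)  # user -> (timestamp, patient) of record views
    for n, line in enumerate(text.splitlines(), 1):
        ev = parse(line)
        missing = [f for f in REQUIRED if f not in ev]
        if missing:                      # cannot be monitored reliably: report it
            out["incomplete"].append((n, missing))
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "login" and ev["outcome"] == "fail":
            fails[ev["src_ip"]].append(ts)
        elif ev["action"] == "view":
            views[ev["user"]].append((ts, ev["patient"]))
    for ip, stamps in fails.items():     # many failures from one source: guessing attempt
        if sum(t - stamps[0] <= WINDOW for t in stamps) >= FAILED_LOGIN_LIMIT:
            out["failed_logins"].append((ip, len(stamps)))
    for user, items in views.items():    # many distinct records quickly: possible snooping
        patients = {p for t, p in items if t - items[0][0] <= WINDOW}
        if len(patients) > DISTINCT_PATIENT_LIMIT:
            out["record_sweeps"].append((user, len(patients)))
    return out
```

The "incomplete" list is the evidence for the risk that logging lacks detail; the other two lists are the critical events a management reviewer should see, and the thresholds would be tuned to the organization's own baseline.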
Five Must Do IT Audits
Number 1: Patient Care Technologies
There are increasingly strong private and public incentives, as a result of the HITECH Act, to implement electronic exchange of health information and allow for interoperability while still preserving security.
Patient Care
There are increasingly strong private and public incentives, as a result of the HITECH Act, to implement electronic exchange of health information and allow for interoperability while still preserving security.
Risks:
- Not meeting new requirements of ICD-10 transaction standards
- Data encryption does not meet the definition in the HIPAA Security Rule for data at rest and data in motion
- Lack of monitoring of application interfaces that ensure data integrity as it is exchanged among applications, which can significantly impact the organization's financial and clinical outcomes
- Electronic Health Records systems do not promote data integrity and data security
- Data destruction/sanitization procedures are not in accordance with HIPAA privacy rules
Patient Care
Audit Steps:
- Evaluate the project plan and scope of the ICD-10 implementation, and scope audit(s) to address the highest-risk remediation elements. These include elements related to people, processes and technology.
- Review existing electronic health records (EHR) systems and their ability to promote the use and exchange of health information. Audit activities might include:
  - Review of data security for electronic health information
  - Comparison of current systems/processes to industry best practices for protecting health information
Patient Care
Audit Steps (continued):
- Identify and evaluate system configurations/controls for certain EDI healthcare transactions against upcoming ICD requirements (i.e. ASC X12 version 5010). Evaluate the impact of third-party vendors storing, receiving or transmitting such transactions.
- Identify key interfaces and evaluate interface controls over error handling activities, reconciliations, testing procedures and coding change controls.
- Review procedures and evaluate controls over data destruction/sanitization for media devices containing ePHI.
Questions?
Save the Date: August 26-29, 2012, 31st Annual Conference in Philadelphia, Pennsylvania