confessions of an internal auditor: it edition


Upload: brad-adams

Post on 20-Aug-2015


TRANSCRIPT

1

TODAY’S OBJECTIVES

• Review risks related to information technology facilities, system access, data integrity, and system maintenance.

• Describe techniques for the non-technical professional to evaluate controls of information technology and systems.

2

ABOUT VANDERBILT UNIVERSITY MEDICAL CENTER

• $2.3 Billion Annual Healthcare Operating Expenses (excludes academics and research)

• $471.6 Million Annual Sponsored Research Budget

• $843.6 Million Annual Charity Care, Community Benefits, and other Unrecovered Costs

3

4

INTEGRATED IT AUDITING

FOCUSED IT AUDITS

5

IT AUDIT PLANNING - REQUESTS

• HIPAA Security Risk Assessment

• External auditor’s report and management letter

• Consulting reports

• IT policies and procedures

6

SYSTEM/APPLICATION LIST

• System or application name

• Vendor

• System purpose

• The business and IT owners

• Location(s) where the system is physically housed

• Service Criticality (they can’t all be Mission Critical)

[Slide figure: word cloud of vendor and system names, rendered vertically on the slide: ALLSCRIPTS, AVAILITY, CERNER, CISCO, EMC, EPIC, IBM, ITIL, KRONOS, MEDASSETS, MEDITECH, MICROSOFT, OMNICELL, ORACLE, SAP, SIEMENS]

7

THE CLAW HAS SPOKEN

8

USER SECURITY & ADMINISTRATION

• Account administration

• User authentication and passwords

• Session controls

Audit Objectives

9

ACCOUNT ADMINISTRATION

• Process to request and approve accounts

• How are accounts inactivated or deleted

• Documentation of requests

• Monitoring for non-use, change in employment status, etc.
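The account administration tests above (documented requests, inactivation on status change, monitoring for non-use) can be run over an application's account export rather than by reading screens one at a time. The script below is an added example, not the presenter's material; the account export, HR roster, request log, usernames and the 90-day dormancy threshold are all constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the presentation): an application's account
# export, the HR roster, and the set of accounts that have a documented request form.
ACCOUNTS = [
    {"user": "jdoe",    "status": "active",   "last_login": "2015-08-01"},
    {"user": "asmith",  "status": "active",   "last_login": "2015-01-10"},
    {"user": "bwong",   "status": "active",   "last_login": "2015-07-30"},
    {"user": "svc_hl7", "status": "active",   "last_login": None},
    {"user": "tlee",    "status": "disabled", "last_login": "2015-03-01"},
]
HR_ROSTER = {
    "jdoe": "employed",
    "asmith": "employed",
    "bwong": "terminated",   # left the organization; the account was never inactivated
    "tlee": "terminated",    # left, and the account was correctly disabled
    # "svc_hl7" has no HR record: a service account with no named owner
}
DOCUMENTED_REQUESTS = {"jdoe", "asmith", "bwong", "tlee"}


def review_accounts(accounts, roster, documented, as_of, dormant_days=90):
    """Return (user, exception) pairs for every active account that fails a control test."""
    as_of_date = date.fromisoformat(as_of)
    exceptions = []
    for acct in accounts:
        if acct["status"] != "active":
            continue  # an inactivated account is the expected outcome for a leaver
        user = acct["user"]
        # Control: every account has a documented, approved request
        if user not in documented:
            exceptions.append((user, "no documented request/approval"))
        # Control: accounts are inactivated when employment status changes
        hr_status = roster.get(user)
        if hr_status is None:
            exceptions.append((user, "no HR record; service or shared account needs a named owner"))
        elif hr_status == "terminated":
            exceptions.append((user, "active account for terminated employee"))
        # Control: monitoring for non-use
        if acct["last_login"] is None:
            exceptions.append((user, "never logged in"))
        else:
            idle = (as_of_date - date.fromisoformat(acct["last_login"])).days
            if idle > dormant_days:
                exceptions.append((user, f"dormant for {idle} days (threshold {dormant_days})"))
    return exceptions


if __name__ == "__main__":
    for user, reason in review_accounts(ACCOUNTS, HR_ROSTER, DOCUMENTED_REQUESTS, "2015-08-20"):
        print(f"{user:10} {reason}")
```

Each exception is one line of audit evidence: a terminated employee with a live account, a service account nobody owns, or a user who has not logged in for months. The dormancy threshold is a parameter because the right value depends on the application's policy, which the auditor should obtain before testing.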

10

USER AUTHENTICATION & PASSWORDS

• Minimum password length and composition

• Periodic password changes

• Multi-factor authentication

• Lockouts and resets

KillerInfographics.com

11

SESSION CONTROLS

• Session length

• Maximum inactivity

• Concurrent logins
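The authentication and session bullets above are settings an auditor transcribes from each application's administration screens and compares with a baseline. The script below is an added example, not the presenter's material; the baseline values and the two application configurations are assumed for illustration and are not VUMC's policy.

```python
# Assumed illustrative audit criteria (not the presenter's or VUMC's policy values).
BASELINE = {
    "min_length": 8,             # minimum password length
    "complexity_required": True, # composition rules (mixed case, digits, etc.)
    "max_age_days": 90,          # periodic change; None means "never expires"
    "mfa_required": True,        # multi-factor authentication
    "lockout_threshold": 5,      # failed attempts before lockout; None means no lockout
    "max_inactivity_min": 15,    # idle timeout; None means sessions never time out
    "max_session_hours": 12,     # absolute session length; None means unlimited
    "concurrent_logins": False,  # may one user hold several sessions at once?
}

# Constructed per-application settings for two hypothetical applications.
APPLICATIONS = {
    "EMR": {
        "min_length": 8, "complexity_required": True, "max_age_days": 90,
        "mfa_required": True, "lockout_threshold": 5, "max_inactivity_min": 10,
        "max_session_hours": 12, "concurrent_logins": False,
    },
    "Timekeeping": {
        "min_length": 6, "complexity_required": False, "max_age_days": None,
        "mfa_required": False, "lockout_threshold": None, "max_inactivity_min": 60,
        "max_session_hours": None, "concurrent_logins": True,
    },
}


def _ceiling(name, value, limit):
    """A setting where lower is stricter: disabled (None) or above the limit is a finding."""
    if value is None:
        return [f"{name}: not enforced"]
    if value > limit:
        return [f"{name}: {value} exceeds baseline {limit}"]
    return []


def evaluate(settings, baseline=BASELINE):
    """Return the findings where an application's settings are weaker than the baseline."""
    findings = []
    if settings["min_length"] < baseline["min_length"]:
        findings.append(f"minimum length {settings['min_length']} below baseline {baseline['min_length']}")
    if baseline["complexity_required"] and not settings["complexity_required"]:
        findings.append("no composition/complexity requirement")
    findings += _ceiling("password maximum age (days)", settings["max_age_days"], baseline["max_age_days"])
    if baseline["mfa_required"] and not settings["mfa_required"]:
        findings.append("multi-factor authentication not enforced")
    findings += _ceiling("lockout threshold (failed attempts)", settings["lockout_threshold"], baseline["lockout_threshold"])
    findings += _ceiling("maximum inactivity (minutes)", settings["max_inactivity_min"], baseline["max_inactivity_min"])
    findings += _ceiling("maximum session length (hours)", settings["max_session_hours"], baseline["max_session_hours"])
    if settings["concurrent_logins"] and not baseline["concurrent_logins"]:
        findings.append("concurrent logins permitted")
    return findings


def evaluate_all(apps, baseline=BASELINE):
    return {name: evaluate(cfg, baseline) for name, cfg in apps.items()}


if __name__ == "__main__":
    for app, findings in evaluate_all(APPLICATIONS).items():
        print(app, "- no findings" if not findings else "")
        for f in findings:
            print("   ", f)
```

Treating a disabled setting (`None`) as a finding matters: a lockout or inactivity timeout that is simply switched off is a weaker state than one configured above the baseline, and a screen transcription that records "blank" is easy to overlook.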

12

CHANGE MANAGEMENT

• Documented processes and policies (including emergency changes)

• Segregated environment and testing

• Production access

Audit Objectives

www.ibiblio.org/Dave/drfun.html

13

AN ICQ FOR EACH APPLICATION

• Are change requests logged?

• Is version control software used?

• What logical environments exist?

• Are all changes required to be tested?

• Who is responsible for migrating changes?

• Are back-out procedures required prior to implementation?

• How are emergency changes communicated to business owners?

14

TESTING CHANGE

• Emergency Change

• Tech Approval

• Business Approval

• CAB Approval

• Programmed in Dev

• Tested Outside Production

• Testing Completed

• User Testing Complete

• Programmer Deployed Change

• Back-out Procedures

• Documentation Updated

• # of Resulting Issues

15

DATA CENTER PHYSICAL SECURITY

• Physical access for both individuals and equipment

• Power configurations

• Environmental controls and monitoring

Audit Objectives

16

ACCESS CONTROLS

• Access logs - who, when, and why

• Approvals and pre-approvals

• Monitoring and oversight

17

POWER

• Sources and configurations

• Redundancy and back-up

• Capacity Planning

• Joint Commission

18

ENVIRONMENT

• Cooling

• Humidity

• Fire suppression

• Water (and other wet stuff)

• Raised floors

19

INTEGRATING IT INTO FINANCIAL AND OPERATIONAL AUDITS

20

COMMON ISSUES: IT

• Storage of PHI on unsecured media

• CD/DVD with Medical Images

• Department File Servers, Local PCs, Laptops, etc.

• Inadequate Password Policy/Enforcement

• Unsecured/Sharing of Clinic Workstations

• Disaster Recovery

• Documented Downtime Procedures

• Oversight/Security of Portable Devices (e.g., iPads)

21

ADDITIONAL READING

[Slide figure: three book covers; only the captions survive: 512 pages, 1.8 pounds; 696 pages, 3.0 pounds; 2,000 pages, 7.6 pounds]

22

QUESTIONS

Brad Adams, CPA (615) 875-9554

[email protected]

23