Testing for Segregation of Duties and User Access in Epic System. Joanna Encallado, CIA, Senior Auditor, Renown Health. AHIA 32nd Annual Conference – August 25-28, 2013 – Chicago, Illinois. www.ahia.org


Page 1: Title slide

Testing for Segregation of Duties and User Access in Epic System

Joanna Encallado, CIA, Senior Auditor, Renown Health

AHIA 32nd Annual Conference – August 25-28, 2013 – Chicago, Illinois

www.ahia.org

Page 2: Overview

Background information on Renown
Background information on Epic
Testing for SOD in a computer system: typical challenges, steps, possible recommendations
Additional testing for user access: steps

Page 3: Renown Health

2 acute care facilities (884 licensed beds), including Children's Hospital and Trauma Center
Rehab, skilled nursing, home care
6 urgent care locations
16 medical group locations; 7 physician offices; 12 imaging locations
10 lab draw locations
Various joint ventures
Institutes for neuroscience, chest pain, heart & vascular, robotic surgery, and cancer

Page 4: Background Info on Epic

Mid-size to large medical groups, hospitals and integrated healthcare organizations
Integrated software: registration system, scheduling system, clinical systems, billing systems, MyChart (patient view of their records)

Page 5: Background Info on Epic

In Epic, users are generally assigned a template, which is linked to a security class, which is assigned various security points, which are the functions within Epic that users can perform.

Page 6: Background Info on Epic

* A security point can be applied to various security classes *

Page 7: Challenges of Testing SOD in a Computer System

Number of users that have access to the system
Users performing multiple functions (roles) in the system
Language barrier between auditors and IT
Auditors "don't know what they don't know"

Page 8: Testing for SOD in a Computer System

Obtain the data
Understand the data
Organize the data
Evaluate the data
Validate results

Page 9: Obtaining the Data

* From IT *

List of active Epic users and their assigned template and security class: Epic User ID, User Name, Template ID, Template Name, Security Class ID, Security Class Name
List of security points for each security class
List of the security point descriptions

Page 10: Obtaining the Data

* From HR *

List of current employees: Employee ID, Employee Name, Department ID, Department Name, Position Description

Page 11: Obtaining the Data

Combine: list of active users and list of current employees.
Import the files into a database program and run a query using a common field: User ID from the list of active users and Employee ID from the list of current employees.

Page 12: Obtaining the Data

Unmatched query: Non-employees (vendors, consultants); Generic access; Terminated employees

Page 13: Understanding the Data

Not understanding the data can lead to faulty conclusions!

Page 14: Understanding the Data

Schedule a meeting with IT staff:
Become familiar with the data
Prepare questions
Arrange for computer and data access
Clarify fields/data
Discuss audit steps
Restate understanding

Page 15: Understanding the Data

Understand the description of each security point.
Some of the security points: restrict user access ("cannot access adjustment posting" or "restricts the ability to edit…"); grant view-only access; may not be activated.

Page 16: Organizing the Data

Identify risks related to segregation of duties: * See handout 1 *
Every organization is exposed to numerous risks; focus on the risks that are important to your organization.

Page 17: Organizing the Data

Categorize security points by type of access:
adjustment
payment posting
bad debt
charging
refund
miscellaneous activity (i.e. print account letters)
claims processing
coding
restrictive
financial/clinical information
force claim/charges
view only
inactive

Page 18: Organizing the Data

Eliminate from testing the following types of security points: in the miscellaneous category; restrict user access; provide view-only access; are inactivated.

* Make a copy of the original data and only make changes to the replicated data *

Page 19: Evaluating the Data

For each risk identified, determine the security point categories * See handout 1 *
Must have at least 2 different categories
For each security point category, determine which security classes are assigned those security points * See handout 2 *

Page 20: Evaluating the Data

Users under a security class with incompatible security point categories will be able to perform conflicting duties * See handouts 3 & 4 *

Page 21: Evaluating the Data

Security classes with incompatible security points don't necessarily mean access is inappropriate.
This means that the access requires a mitigating control. * See handout 1 *

Page 22: Evaluating the Data

Page 23: Evaluating the Data

You save time by determining which security classes are assigned incompatible security points: instead of analyzing thousands of users, you are only looking at a number of security classes.
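The organize-and-evaluate steps on slides 17 through 23, as an added example that is not part of the presentation. The handouts it refers to are not on the page, so the security point master, the category assignments, the security class memberships, the user-to-class mapping and the three SOD risks below are all constructed for illustration. The code applies the slide 18 exclusions (miscellaneous, restrictive, view-only, inactive points), computes the testable categories each security class grants, flags the classes that cover every category of a risk (which by slide 19 must pair at least two categories), and only then expands the short class list to the users assigned to those classes.

```python
# Constructed security point master: id -> (description, category assigned per slide 17).
SECURITY_POINTS = {
    "SP01": ("Post adjustments", "adjustment"),
    "SP02": ("Post payments", "payment posting"),
    "SP03": ("Issue refunds", "refund"),
    "SP04": ("Enter charges", "charging"),
    "SP05": ("Cannot access adjustment posting", "restrictive"),
    "SP06": ("View account summary", "view only"),
    "SP07": ("Print account letters", "miscellaneous activity"),
    "SP08": ("Write off bad debt", "bad debt"),
    "SP09": ("Force claim", "force claim/charges"),
}
INACTIVE_POINTS = {"SP09"}  # points not activated in this environment (constructed)

# Slide 18: categories that do not grant an actionable function and are dropped from testing.
EXCLUDED_CATEGORIES = {"miscellaneous activity", "restrictive", "view only"}

# Security class -> security points it is assigned (hypothetical classes; the page names none).
CLASS_POINTS = {
    "SC10": {"SP01", "SP02", "SP06", "SP07"},
    "SC11": {"SP02", "SP05", "SP06"},
    "SC12": {"SP03", "SP04", "SP09"},
    "SC20": {"SP06"},
}

# SOD risks as sets of incompatible categories (handout 1 is not on the page; these are constructed).
RISKS = {
    "Post fictitious payments and conceal them with adjustments": {"payment posting", "adjustment"},
    "Enter charges and issue refunds on the same account": {"charging", "refund"},
    "Write off bad debt and post payments": {"bad debt", "payment posting"},
}

# Active users -> assigned security class (constructed).
USER_CLASSES = {"E1001": "SC10", "E1003": "SC10", "E1002": "SC11", "E1005": "SC12", "E1006": "SC20"}


def testable_points(points=SECURITY_POINTS, inactive=INACTIVE_POINTS):
    """Slide 18: keep only points that grant a real function and are active. Returns id -> category."""
    return {
        sp_id: category
        for sp_id, (_description, category) in points.items()
        if category not in EXCLUDED_CATEGORIES and sp_id not in inactive
    }


def class_categories(class_points=CLASS_POINTS):
    """Slide 19 / handout 2: the set of testable categories each security class grants."""
    keep = testable_points()
    return {cls: {keep[sp] for sp in sps if sp in keep} for cls, sps in class_points.items()}


def conflicting_classes(risks=RISKS, class_points=CLASS_POINTS):
    """Slide 20: for each risk, the security classes whose categories cover all of the risk's categories."""
    categories = class_categories(class_points)
    result = {}
    for risk, needed in risks.items():
        if len(needed) < 2:  # slide 19: a risk must pair at least 2 different categories
            raise ValueError(f"risk {risk!r} needs at least two categories")
        result[risk] = sorted(cls for cls, have in categories.items() if needed <= have)
    return result


def users_with_conflicts(user_classes=USER_CLASSES, risks=RISKS, class_points=CLASS_POINTS):
    """Slide 23: expand the (small) list of conflicting classes to the users assigned to them."""
    by_risk = conflicting_classes(risks, class_points)
    flagged = {}
    for risk, classes in by_risk.items():
        for user, cls in sorted(user_classes.items()):
            if cls in classes:
                flagged.setdefault(user, []).append((cls, risk))
    return flagged


if __name__ == "__main__":
    for risk, classes in conflicting_classes().items():
        print(f"{risk}: {classes or 'no class covers this risk'}")
    for user, hits in users_with_conflicts().items():
        print(f"user {user}: {hits}")
```

Each flagged user is a finding to validate with IT and Operations (slide 24) and then to resolve as slides 25 and 26 describe: confirm a business need, and if one exists, confirm a mitigating control; the script only identifies the exposure, it does not decide whether the access is inappropriate.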

Page 24: Validating Results

Ensure accuracy!
Validate results with individuals from: IT; Operations

Page 25: Possible Recommendations

Identify whether users assigned security classes with incompatible security points have a business need to perform those functions.
If so, what mitigating controls are in place in their current process?

Page 26: Possible Recommendations

If there is no business reason, we recommended that the access be revised.
If there is a business reason but no mitigating control in place, we recommended that a mitigating control be put in place. * See handout 1 *

Page 27: Additional Testing for User Access

Unnecessary access to Epic, i.e. HR Recruiter, Marketing Rep, Cook
Unnecessary access to billing functions, i.e. Credentialing Coordinator
Inappropriate leadership access, i.e. Supervisor, Manager, Director, etc.

Page 28: Additional Testing for User Access

IT access: to production other than view only
Master File access: not restricted
Generic access
Multiple access
Terminated employees & non-employees

Page 29: Additional Testing for User Access

Overrides: appropriate?
Users with no templates: unable to determine access
New user access: not used within 30 days
User IDs not used in the past 180 days
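The three account-hygiene tests on slide 29 (no template, new access not used within 30 days, IDs not used in 180 days), as an added example that is not part of the presentation. The slide's IT extract lists only user, template and security class fields, so the `created` and `last_login` dates in the constructed sample are an assumption about what IT can additionally supply; the review date is also constructed. "Not used within 30 days" is read here as an ID created at least 30 days ago that has never logged in.

```python
from datetime import date

# Review date (constructed).
AS_OF = date(2013, 8, 1)

# Constructed active-user extract. 'created' and 'last_login' are assumed extra fields from IT;
# an empty template_id models the slide's "users with no templates" case.
ACTIVE_USERS = [
    {"user_id": "E1001", "template_id": "T10", "created": date(2013, 1, 10), "last_login": date(2013, 7, 30)},
    {"user_id": "E1002", "template_id": "", "created": date(2012, 5, 1), "last_login": date(2013, 7, 1)},
    {"user_id": "E1003", "template_id": "T11", "created": date(2013, 6, 15), "last_login": None},
    {"user_id": "E1004", "template_id": "T11", "created": date(2013, 7, 20), "last_login": None},
    {"user_id": "E1005", "template_id": "T12", "created": date(2011, 3, 3), "last_login": date(2012, 12, 1)},
    {"user_id": "E1006", "template_id": "T12", "created": date(2011, 3, 3), "last_login": date(2013, 3, 1)},
]

NEW_USER_GRACE_DAYS = 30   # slide 29: new user access not used within 30 days
DORMANT_DAYS = 180         # slide 29: user IDs not used in the past 180 days


def review_user_access(users=ACTIVE_USERS, as_of=AS_OF):
    """Return the user IDs hit by each slide 29 test. A user may appear under more than one test."""
    findings = {"no_template": [], "new_not_used": [], "dormant": []}
    for user in users:
        uid = user["user_id"]
        if not user["template_id"]:
            # Without a template there is no security class to trace, so access cannot be determined.
            findings["no_template"].append(uid)
        if user["last_login"] is None:
            # Never used: only a finding once the 30-day grace period after creation has passed.
            if (as_of - user["created"]).days >= NEW_USER_GRACE_DAYS:
                findings["new_not_used"].append(uid)
        elif (as_of - user["last_login"]).days > DORMANT_DAYS:
            findings["dormant"].append(uid)
    return findings


if __name__ == "__main__":
    for test, ids in review_user_access().items():
        print(f"{test}: {ids or 'none'}")
```

Each list is a candidate for the recommendations on slides 25 and 26: an ID that cannot be traced to a template, or that has sat unused, has no demonstrated business need and is a straightforward candidate for removal unless Operations can justify it.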

Page 30: Questions

Page 31: Save the Date

September 21-24, 2014
33rd Annual Conference, Austin, Texas