Testing for Segregation of Duties and User Access in Epic System
Joanna Encallado, CIA, Senior Auditor, Renown Health
AHIA 32nd Annual Conference – August 25-28, 2013 – Chicago, Illinois
www.ahia.org
Overview
Background information on Renown
Background information on Epic
Testing for SOD in a computer system
  Typical challenges
  Steps
  Possible recommendations
Additional testing for user access
  Steps

Renown Health
2 acute care facilities (884 licensed beds), including Children's Hospital and Trauma Center
Rehab, Skilled Nursing, Home Care
6 urgent care locations, 16 medical group locations
7 physician offices; 12 imaging locations
10 lab draw locations
Various joint ventures
Institutes for neuroscience, chest pain, heart & vascular, robotic surgery, and cancer

Background Info on Epic
Mid-size to large medical groups, hospitals and integrated healthcare organizations
Integrated software: registration system, scheduling system, clinical systems, billing systems, MyChart (patient view of their records)

Background Info on Epic
In Epic, users are generally assigned a:
  Template, which is linked to a
  Security class, which is assigned various
  Security points, which are the functions within Epic that users can perform
* A security point can be applied to various security classes *

Challenges of Testing SOD in a Computer System
Number of users that have access to the system
Users performing multiple functions (roles) in the system
Language barrier between auditors and IT
Auditors "don't know what they don't know"

Testing for SOD in a Computer System
Obtain the data
Understand the data
Organize the data
Evaluate the data
Validate results

Obtaining the Data
* From IT *
List of active Epic users and their assigned template and security class:
  Epic User ID, User Name, Template ID, Template Name, Security Class ID, Security Class Name
List of security points for each security class
List of the security point descriptions

Obtaining the Data
* From HR *
List of current employees:
  Employee ID, Employee Name, Department ID, Department Name, Position Description

Obtaining the Data
Combine: list of active users and list of current employees
Import the files into a database program and run a query using a common field: User ID from the list of active users, Employee ID from the list of current employees

Obtaining the Data
Unmatched query: active users with no matching current employee, typically
  Non-employees (vendors, consultants)
  Generic access
  Terminated employees

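The match and unmatched queries described on these slides, as an added example that is not part of the presentation and not Renown's or Epic's own extract format. It loads two small constructed extracts (column names assumed from the fields the slides list; every ID and name is made up) into an in-memory SQLite database and runs the join on the common field User ID = Employee ID, then the "unmatched" left join whose survivors need follow-up as vendors, generic accounts or terminated employees.

```python
import sqlite3

# Constructed sample extracts (not real data). Column names are assumptions
# based on the fields the slides list.
ACTIVE_USERS = [
    # (epic_user_id, user_name, template_id, template_name, sec_class_id, sec_class_name)
    ("E1001", "Ann Lee", "T10", "PB Biller", "SC200", "PB Billing Office"),
    ("E1002", "Bob Ray", "T11", "Cashier", "SC201", "Cash Posting"),
    ("E1003", "Cal Ito", "T10", "PB Biller", "SC200", "PB Billing Office"),
    ("GEN01", "Lobby Kiosk", "T99", "Generic Lookup", "SC290", "Read Only"),
    ("E0999", "Dee Fox", "T11", "Cashier", "SC201", "Cash Posting"),
    ("V5001", "Vendor Support", "T50", "Vendor", "SC250", "Vendor Support"),
]

CURRENT_EMPLOYEES = [
    # (employee_id, employee_name, dept_id, dept_name, position_description)
    ("E1001", "Ann Lee", "D1", "Patient Financial Services", "Biller"),
    ("E1002", "Bob Ray", "D1", "Patient Financial Services", "Cashier"),
    ("E1003", "Cal Ito", "D1", "Patient Financial Services", "Biller"),
    ("E1004", "Eve Kim", "D7", "Marketing", "Marketing Rep"),
]


def load_database() -> sqlite3.Connection:
    """Import both extracts into an in-memory database; this stands in for the
    'database program' on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE active_users (
        epic_user_id TEXT PRIMARY KEY, user_name TEXT, template_id TEXT,
        template_name TEXT, sec_class_id TEXT, sec_class_name TEXT)""")
    conn.execute("""CREATE TABLE employees (
        employee_id TEXT PRIMARY KEY, employee_name TEXT, dept_id TEXT,
        dept_name TEXT, position_description TEXT)""")
    conn.executemany("INSERT INTO active_users VALUES (?,?,?,?,?,?)", ACTIVE_USERS)
    conn.executemany("INSERT INTO employees VALUES (?,?,?,?,?)", CURRENT_EMPLOYEES)
    return conn


def matched_users(conn: sqlite3.Connection) -> list:
    """Active Epic users joined to HR on the common field (User ID = Employee ID).
    This is the population whose position can be compared with their access."""
    return conn.execute("""
        SELECT u.epic_user_id, u.user_name, e.dept_name, e.position_description,
               u.sec_class_name
        FROM active_users u
        JOIN employees e ON e.employee_id = u.epic_user_id
        ORDER BY u.epic_user_id""").fetchall()


def unmatched_users(conn: sqlite3.Connection) -> list:
    """The unmatched query: active users with no current-employee record.
    Each row needs follow-up with IT/HR: non-employee (vendor, consultant),
    generic account, or terminated employee whose access was never removed."""
    return conn.execute("""
        SELECT u.epic_user_id, u.user_name, u.template_name, u.sec_class_name
        FROM active_users u
        LEFT JOIN employees e ON e.employee_id = u.epic_user_id
        WHERE e.employee_id IS NULL
        ORDER BY u.epic_user_id""").fetchall()


if __name__ == "__main__":
    db = load_database()
    print("matched:", matched_users(db))
    print("unmatched (follow up):", unmatched_users(db))
```

The unmatched list does not say why a user is unmatched; in the constructed data GEN01 looks generic and V5001 looks like a vendor, but E0999 can only be explained by HR (a terminated employee), which is why the slides have the results validated with IT and Operations.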
Understanding the Data
Not understanding the data can lead to faulty conclusions!

Understanding the Data
Schedule a meeting with IT staff
Become familiar with data
Prepare questions
Arrange for computer and data access
Clarify fields/data
Discuss audit steps
Restate understanding

Understanding the Data
Understand the description of each security point.
Some of the security points:
  restrict user access ("cannot access adjustment posting" or "restricts the ability to edit...")
  grant view-only access
  may not be activated

Organizing the Data
Identify risks related to segregation of duties: * See handout 1 *
  every organization is exposed to numerous risks
  focus on risks that are important to your organization

Organizing the Data
Categorize security points by type of access:
  adjustment
  payment posting
  bad debt
  charging
  refund
  claims processing
  coding
  miscellaneous activity (i.e. print account letters)
  financial/clinical information
  view only
  restrictive
  force claim/charges
  inactive

Organizing the Data
Eliminate from testing the following types of security points:
  in the miscellaneous category
  restrict user access
  provide view-only access
  are inactivated
* Make a copy of the original data and only make changes to the replicated data *

Evaluating the Data
For each risk identified, determine the security point categories * See handout 1 *
  Must have at least 2 different categories
For each security point category, determine which security classes are assigned those security points * See handout 2 *

Evaluating the Data
Users under a security class with incompatible security point categories are able to perform conflicting duties * See handouts 3 & 4 *

Evaluating the Data
Security classes with incompatible security points don't necessarily mean access is inappropriate.
It means that the access requires a mitigating control. * See handout 1 *

Evaluating the Data
You save time by determining which security classes are assigned incompatible security points: instead of analyzing thousands of users, you are only looking at a number of security classes.

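The organizing and evaluating steps above, carried through in code as an added example (not part of the presentation, and not Epic's data model). Everything in it is constructed: the security point IDs and descriptions, the category assigned to each point, the security classes and their assigned points, and the three SOD risks, which stand in for the conference handouts that are not reproduced here. It drops the four excluded point types, checks that each risk names at least two categories, flags the security classes whose remaining categories cover a whole risk, and only then maps the flagged classes back to users, which is the time-saving order the slide describes.

```python
from collections import defaultdict

# Point types the slides eliminate from testing: none of them grants the
# ability to perform a conflicting duty.
EXCLUDED_CATEGORIES = {"miscellaneous", "restrictive", "view only", "inactive"}

# Constructed security point list after the auditor has categorized each point
# by type of access: security point id -> (description, category).
SECURITY_POINTS = {
    "SP001": ("Post payments", "payment posting"),
    "SP002": ("Post adjustments", "adjustment"),
    "SP003": ("Cannot access adjustment posting", "restrictive"),
    "SP004": ("Issue refunds", "refund"),
    "SP005": ("Print account letters", "miscellaneous"),
    "SP006": ("View account financial information", "view only"),
    "SP007": ("Enter charges", "charging"),
    "SP008": ("Write off to bad debt", "bad debt"),
    "SP009": ("Legacy claim edit (inactive)", "inactive"),
}

# Constructed: security class -> security points assigned to it (IT extract).
CLASS_POINTS = {
    "SC200": ["SP001", "SP002", "SP005", "SP006"],  # payment posting + adjustment
    "SC201": ["SP001", "SP003", "SP006"],           # payment posting only
    "SC202": ["SP007", "SP004", "SP009"],           # charging + refund
    "SC290": ["SP006", "SP005"],                    # view only / miscellaneous
}

# Constructed SOD risks (stand-in for handout 1): risk -> categories that
# must not sit together in one security class. At least two per risk.
RISKS = {
    "Post payments and adjust the same account": {"payment posting", "adjustment"},
    "Enter charges and issue refunds": {"charging", "refund"},
    "Post payments and write off bad debt": {"payment posting", "bad debt"},
}

# Constructed: (epic_user_id, security class) from the active-user extract.
ACTIVE_USERS = [
    ("E1001", "SC200"), ("E1002", "SC201"), ("E1003", "SC200"),
    ("E1005", "SC202"), ("GEN01", "SC290"),
]


def categories_by_class(class_points=CLASS_POINTS, points=SECURITY_POINTS) -> dict:
    """For each security class, the set of testable categories it grants,
    with excluded point types dropped (the 'eliminate from testing' step)."""
    result = {}
    for sec_class, point_ids in class_points.items():
        result[sec_class] = {
            points[pid][1] for pid in point_ids
            if points[pid][1] not in EXCLUDED_CATEGORIES
        }
    return result


def incompatible_classes(risks=RISKS, class_points=CLASS_POINTS,
                         points=SECURITY_POINTS) -> dict:
    """Security classes whose categories cover every category of some risk.
    Returns {security class: [risk, ...]}; a class with no conflicts is absent."""
    cats = categories_by_class(class_points, points)
    flagged = defaultdict(list)
    for risk, needed in risks.items():
        if len(needed) < 2:
            raise ValueError(f"risk {risk!r} must name at least 2 categories")
        for sec_class, granted in cats.items():
            if needed <= granted:          # class grants the whole conflicting set
                flagged[sec_class].append(risk)
    return dict(flagged)


def users_to_review(active_users, flagged) -> list:
    """Last step only: expand flagged classes to the users assigned to them.
    Each user then needs a business-need and mitigating-control decision."""
    return sorted((uid, sc) for uid, sc in active_users if sc in flagged)


if __name__ == "__main__":
    conflicts = incompatible_classes()
    for sec_class, risks in conflicts.items():
        print(sec_class, "->", risks)
    print("users to review:", users_to_review(ACTIVE_USERS, conflicts))
```

SC201 carries both a payment-posting point and the restrictive "cannot access adjustment posting" point; because restrictive points are excluded before evaluation, the class is correctly not flagged. A flagged class is a lead, not a finding: per the slides it may still be appropriate access that needs a mitigating control.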
Validating Results
Ensure accuracy!
Validate results with individuals from:
  IT
  Operations

Possible Recommendations
Identify whether users assigned security classes with incompatible security points have a business need to perform those functions.
If so, what mitigating controls are in place in their current process?

Possible Recommendations
If there is no business reason, we recommended that the access be revised.
If there is a business reason but no mitigating control in place, we recommended that a mitigating control be put in place. * See handout 1 *

Additional Testing for User Access
Unnecessary access to Epic (i.e. HR Recruiter, Marketing Rep, Cook)
Unnecessary access to billing functions (i.e. Credentialing Coordinator)
Inappropriate leadership access (i.e. Supervisor, Manager, Director, etc.)

Additional Testing for User Access
IT access: to production other than view only
Master File access: not restricted
Generic access
Multiple access
Terminated employees & non-employees

Additional Testing for User Access
Overrides: appropriate?
Users with no templates: unable to determine access
New user access: not used within 30 days
User IDs not used in the past 180 days

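The last three checks on this slide (users with no template, new user access not used within 30 days, user IDs not used in the past 180 days) as an added example that is not part of the presentation. The extract layout is an assumption: each row carries the user ID, template ID (None when no template is assigned), the creation date and the last-login date (None when never used), and the "as of" date is fixed so the run is reproducible. Where the slide leaves the overlap between the two dormancy checks open, the code makes one choice and states it in a comment.

```python
from datetime import date

# Constructed user-activity extract: (epic_user_id, template_id, created, last_login)
# ISO dates; None means no template / never logged in. Not real data.
USER_ACTIVITY = [
    ("E1001", "T10", "2012-01-15", "2013-07-30"),  # in regular use
    ("E1002", "T11", "2013-06-20", None),          # new, never used, older than 30 days
    ("E1003", "T10", "2013-07-20", None),          # new, still inside the 30-day window
    ("E1006", None,  "2011-03-02", "2013-07-01"),  # no template assigned
    ("E0999", "T11", "2010-05-05", "2012-12-01"),  # last used more than 180 days ago
    ("V5001", "T50", "2012-09-01", None),          # never used, older than 180 days
]

AS_OF = date(2013, 8, 1)   # assumed report date so the results are stable


def _days_since(iso: str, as_of: date) -> int:
    return (as_of - date.fromisoformat(iso)).days


def no_template(rows) -> list:
    """Users with no template: their access cannot be determined from the
    template/security class chain and must be clarified with IT."""
    return [uid for uid, template, _, _ in rows if template is None]


def new_access_unused(rows, as_of: date, window: int = 30, stale: int = 180) -> list:
    """New user access not used within `window` days of creation. Design
    choice: accounts never used and older than `stale` days are reported by
    not_used_in() instead, so each user lands in one list."""
    return [
        uid for uid, _, created, last_login in rows
        if last_login is None and window < _days_since(created, as_of) <= stale
    ]


def not_used_in(rows, as_of: date, days: int = 180) -> list:
    """User IDs not used in the past `days` days. A never-used account is
    measured from its creation date."""
    result = []
    for uid, _, created, last_login in rows:
        reference = last_login if last_login is not None else created
        if _days_since(reference, as_of) > days:
            result.append(uid)
    return result


if __name__ == "__main__":
    print("no template:", no_template(USER_ACTIVITY))
    print("new access unused 30+ days:", new_access_unused(USER_ACTIVITY, AS_OF))
    print("not used in 180 days:", not_used_in(USER_ACTIVITY, AS_OF))
```

E1003 is deliberately inside the 30-day window and is not reported; re-running with a later `as_of` moves it into the first list, which is the point of dating the extract rather than the run.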
Questions

Save the Date
September 21-24, 2014
33rd Annual Conference, Austin, Texas