3/17/2015. Healthcare Technology Audit Basics. Session Objectives. Jennifer McGill, CIA, CISA, CGEIT April 20, 2015

Transcription

1 Healthcare Technology Audit Basics Jennifer McGill, CIA, CISA, CGEIT April 20, 2015 Session Objectives Review information technology basic concepts. Use real world examples to identify and understand healthcare technology risks. Discuss the IT control areas that apply to all healthcare organizations. See the basic building blocks of an IT General Controls audit. 75 Years of Caring

2 At this very moment in a hospital Wouldn t this be easier? 2

3 DESKTOP Technology View of Scenario LAPTOP SCANNER BARCODE Wired DESKTOP Behind the Scenes LAPTOP SCANNER BARCODE Wireless Peripheral Device Even Further Behind the Scenes Hospital Data Center Wired Wireless PRIVATE PUBLIC PRIVATE or SHARED 3

4 What are we trying to accomplish? Correctly record information related to our work Securely and accurately transmit the information to its storage place Keep the information confidential Make sure the information is available when it is needed Control access and changes to the information to ensure that it has integrity and can be trusted What could go wrong? IT Risk is Healthcare Business Risk 4

5 Where to begin? Threat 1. a stated intention to inflict injury, damage, or other hostile action on someone. 2. a person or thing likely to cause damage or danger. 3. the possibility of trouble or danger. Vulnerability The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the computer system, network, application, or protocol involved Which risks should be addressed? ISACA, The Risk IT Framework, USA, 2009, General IT Control Categories Governance of IT Management, Planning, and Organization of IT Technical Infrastructure and Operational Practices Protection of Information Assets Disaster Recovery and Business Continuity Application Systems Development, Acquisition, Implementation, and Maintenance 5

6 Business Process: Facility Name: Prepared By: Reviewed By: Preparing to Audit IT General Controls 5. Information Services Information about the Assessment Tool Begin with a Self- Assessment Date: Questionnaire Purpose: A facility assessment of IT general controls will help evaluate the extent that five listed general control objectives exist. While the assessment tool is not inclusive of all internal control considerations, it can help identify areas that require corrective action through implementation of internal controls or refinement of existing internal control procedures. Date: Scoring Key: Green Yellow Utilize green shading and type in "Green" to indicate the existence of internal controls that substantially conform to stated Internal Control (IC) Expectations. Utilize yellow shading and type in "Yellow" to indicate areas where internal controls exist in part, but need improvement to conform to stated IC Expectations. Utilize red shading and type in "Red" to indicate areas where controls may exist but Red are significantly deficient in meeting stated IC Expectations. General Control Objectives for Information Services: Potential Risks for Information Services: * Program changes are authorized, approved, and tested prior to * Programs that contain errors or do not meet management implementation. objectives are placed into production. * Outside vendor programs are authorized, approved, and tested prior to * Programs with inadequate controls are placed into production. installation. * Information in master files is accessed and/or manipulated by * Access to data files is appropriately restricted to authorized users and unauthorized personnel. programs. * Unauthorized transactions or data are entered through * Critical data and program applications are secure. inappropriate authorized user access. * Physical security of critical computer hardware and servers is ensured. * Critical data is lost or unrecoverable. * Business recovery and resumption is assured. * Business resumption is impeded when data processing cannot be continued in a timely manner. Preparing to Audit IT General Controls This is where management scores themselves on how they think they are doing This is the basic control we would expect to see in place This is where management describes what they are actually doing This is where audit evaluates the responses prior to doing an audit Audit Approach 1. Use information from the self-assessment questionnaire to determine what audit work is needed in each area. If management acknowledges that they don t have a policy, procedure, technology, or function in place then there is nothing there to audit. Acknowledge the gap and move on. 2. Plan a walkthrough of the data center and the building or work space where IT personnel are located. 3. Interview key personnel in each area of the IT organization. 6

7 Audit Approach 4. Identify specific processes or systems where demonstration of controls by IT personnel is needed to validate management s assumptions. 5. Verify that regulatory and legal requirements are considered when management designs and implements controls. Use Trained IT Audit Professionals Internal Audit professional standards require that audits be conducted by auditors with sufficient training and experience. Technology is highly specialized. Consider outsourcing or co-sourcing to get the expertise that you need. When organizations skimp on investments in IT audit expertise, they increase the likelihood that uncontrolled risks in their computing environment will be exploited and their business disrupted. Speaker Contact Information Jennifer McGill, Technology Audit Director Jennifer.McGill@carolinashealthcare.org