IOD Incorporated. SOC 3 Report for IOD Incorporated

Transcription

1 SOC 3 Report for IOD Incorporated For The Period From

2 SOC 3 Report Table of Contents Section 1: Management of IOD Incorporated Service Organization s Assertion... 2 Section 2: Independent Accountant s Trust Services Report Provided by Wipfli... 4 Section 3: Description of System Provided by IOD Incorporated... 7 Company Profile... 8 Operational Overview... 8 System Overview... 9 Infrastructure... 9 Software People Procedures Data Confidential and Proprietary to Wipfli LLP and IOD Incorporated Page 1 of 12

3 Section 1 Management of IOD Incorporated Service Organization s Assertion Confidential and Proprietary to Wipfli LLP and IOD Incorporated Page 2 of 12

4 December10,2013 WipfliLLP 10000InnovationDr.Suite250 Milwaukee,WI53226 ManagementofIOD sassertionregardingtheeffectivenessofitscontrolsoverthehimsolution SystemBasedontheTrustServicesSecurity,ProcessingIntegrityandConfidentialityCriteria IODIncorporated(IOD)maintainedeffectivecontrolsoverthesecurity,processingintegrityand confidentialityofiod shimsolutionsystem( thesystem )toprovidereasonableassurancethat: 1. TheSystemwasprotectedagainstunauthorizedaccess(bothphysicalandlogical); 2. TheSystemprocessingwascomplete,accurate,timely,andauthorized;and 3. InformationdesignatedasconfidentialwasprotectedbytheSystemascommittedoragreed, and; DuringtheperiodMay1,2013throughOctober31,2013,basedontheAmericanInstituteofCertified PublicAccountants( AICPA )andthecanadianinstituteofcharteredaccountants( CICA )Trust ServicesCriteriaforSecurity,ProcessingIntegrityandConfidentialitywhichareavailableat TheattachedsystemdescriptionofIOD sinformationsystemsenvironmentandhimssolutionsystem summarizesthoseaspectsofthissystemcoveredbyourassertion. Sincerely, IOD Signature: Title:ChiefTechnologyOfficer Confidential and Proprietary to Wipfli LLP and IOD Incorporated 1 3 of 12

5 Section 2 Independent Accountant s Trust Services Report Provided by Wipfli Confidential and Proprietary to Wipfli LLP and IOD Incorporated Page 4 of 12

6 Independent Accountants Trust Services Report To the Management of IOD Incorporated We have examined management s assertion that during the period May 1, 2013 to October 31, 2013, IOD Incorporated (IOD) maintained effective controls over the Health Information Management (HIM) Solution System based on the AICPA and CICA trust services security, processing integrity, and confidentiality criteria to provide reasonable assurance that The system was protected against unauthorized access (both physical and logical); The system processing was complete, accurate, timely, and authorized; and Information designated as confidential was protected by the system as committed or agreed. IOD s management is responsible for this assertion. Our responsibility is to express an opinion based on our examination. Management s description of the aspects of the HIM Solution System covered by its assertion is attached. We did not examine this description, and accordingly, we do not express an opinion on it. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included (1) obtaining an understanding of IOD s relevant controls over the security, processing integrity, and confidentiality of the HIM Solution System; (2) testing and evaluating the operating effectiveness of the controls; and (3) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Because of the nature and inherent limitations of controls, IOD s ability to meet the aforementioned criteria may be affected. For example, controls may not prevent or detect and correct error or fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions. Confidential and Proprietary to Wipfli LLP and IOD Incorporated Page 5 of 12

7 In our opinion, management s assertion related to is fairly stated, in all material respects, based on the AICPA and CICA trust services security, processing integrity, and confidentiality criteria. Wipfli LLP Milwaukee, Wisconsin December 10, 2013 Confidential and Proprietary to Wipfli LLP and IOD Incorporated Page 6 of 12

8 Section 3 Description of System Provided by IOD Incorporated Confidential and Proprietary to Wipfli LLP and IOD Incorporated Page 7 of 12

9 Description of System Provided by IOD Incorporated Company Profile IOD provides full a suite of Health Information Management (HIM) solutions ranging from secure document imaging, coding, abstraction, record storage, Release of Information(ROI), auditing, consulting and education services. IOD has both onsite and offsite release of information (ROI) processing services, with three central processing centers located in Green Bay, WI, Trevose, PA, and Bellevue, WA. Founded in 1983, IOD employs more than 1,700 HIM associates nationwide. IOD s Green Bay, WI location serves as its corporate site. Operational Overview As part of its operations, IOD has established procedures and policies to ensure confidentiality in handling sensitive user entity information. IOD secures its facilities through limited access to the buildings via access cards, utilizing associate identification on the premises, tracking visitors, data encryption, and physically securing systems, media, and other technology via locked cabinets and rooms. Additionally, confidentiality agreements for information sharing between user entities and vendors are upheld in daily business operations. Across all lines of business the access to systems is protected via network and application security policies and procedures, and the system users (associates) are assigned tiered access based on their roles. Moreover, the access is modified in a timely manner and withheld at the time of associate termination. IOD adheres to industry standards for utilizing Secure Sockets Layer (SSL), Transport Layer Security (TLS), Advanced Encryptions Standard (AES) encryption, Virtual Private Network (VPN), and secure Electronic Data Interchange (EDI) or Secure File Transfer Protocol (SFTP) standards to protect the electronic transmission of user entity data and utilizes National Institute of Standards and Technology (NIST) recommended and Centers for Medicare & Medicaid Services (CMS) approved for Meaningful Use encryption algorithms when handling Protected Health Information (PHI). Operational effectiveness and processing integrity are achieved via the use of formal change management processes for new and existing systems to authorize, test, approve, and implement changes in business processes and systems. Policies and procedures are reviewed and approved annually and to minimize disruption of business operations, procedures have been defined in the event of a disaster situation. IOD ensures its private cloud will provide business continuity in the event of a disaster via backups, recovery, removal, and restoration of data at an off site location. Confidential and Proprietary to Wipfli LLP and IOD Incorporated Page 8 of 12

10 Description of System Provided by IOD Incorporated System Overview This description covers IOD s HIM Solution System (the System ) including its data center and processing facilities; security (both logical and physical); environmental controls; processing integrity, confidentiality, monitoring and maintenance; and change management. IOD s core platform, PRISM is a multiuser, transaction-based custom developed software platform that facilitates IOD s coding, abstracting, imaging and Release of Information (ROI) services. Specifically as it relates to ROI, PRISM enables the processing of release of information requests and delivery of records their requestor. The PRISM ROI request tracking and reporting system is coupled with technologies such as SecureCapture document scanning and imaging and SecureDelivery electronic document delivery system for release of information services. PRISM software is coupled with additional functionality for customer service management. The System is comprised of the following five components: 1. Infrastructure 2. Software 3. People 4. Procedures 5. Data The following sections describe each of these five components comprising the System. Infrastructure Associates access the PRISM platform via a company supplied desktop computers or encrypted laptops. IOD uses IPSec 3DES MD5 bit encryption with its Virtual Private Networking (VPN) software and Active Directory VPN User Group Configuration. These technologies restrict access and use Advanced Encryption Standard AES256 bit encryption to protect data and intra company communications. IOD uses the AES256 bit encryption to secure additional types of transmissions with its customers, they include: SSL 256 AES bit encryption for Web based SSL data transfers SSL 256 AES bit encryption for File Transfer Protocol Secure (FTPS) file transfers SSH 2048 bit encryption for SFTP file transfers Confidential and Proprietary to Wipfli LLP and IOD Incorporated Page 9 of 12

11 Description of System Provided by IOD Incorporated Infrastructure (Continued) Database and file servers are housed in IOD s secured data center in its Green Bay, WI corporate site. Software PRISM order processing software is developed and maintained by IOD s in house software development engineers. PRISM tracks information in real-time. The information is immediately stored in the database and is accessible for daily operations, service authorization, quality assurance, service billing and report generation. Information can be retrieved, reviewed, and reported as needed and the application creates a complete history of entries, reviews, approvals and releases of the associated records. PRISM platform software 6.0 has received the Office of the National Coordinator Authorized Testing and Certification Body (ONC ATCB) certification. PRISM is certified for both the ambulatory and inpatient practice types. PRISM platform software has been tested against the Electronic Submission of Medical Documentation (esmd) criteria for transacting medical record information electronically with the Recovergae Audit Contractor (RAC) and Medicare Administrative Contractor (MAC) CMS audit contactors, and has been approved for electronic transmission. IOD uses a defined and documented Systems Development Life Cycle (SDLC) and change management process with defined and distinct steps. These steps include user requirement definition, technical design, coding, unit test, independent QA testing, user acceptance testing (UAT) and release management to deploy custom developed software. An Agile development approach is used. PRISM platform software and the IOD Green Bay infrastructure is regularly penetration tested by Trustwave in support of the infrastructure s certification and IOD s classification as a Level 3 Payment Card Industry (PCI) Merchant. Confidential and proprietary to Wipfli LLP and IOD Incorporated Page 10 of 12 Not to be Reproduced without Permission

12 Description of System Provided by IOD Incorporated People IOD has a staff of over 1,700 associates organized in the following functional areas: Corporate: Executives, senior operations staff, and administrative support staff, such as legal, training, contracting, accounting, sales, marketing, finance and human resources. Operations: Managers and supervisor provide scheduling and operational oversight of both onsite site and central processing facilities. Processing associates provide capacity for transaction processing across all lines of business. ROI Quality Assurance: Associates validate order entry and processing accuracy and verify that release of information requests meet compliance requirements Technology Operations: Associates with responsibility for the following functions: help desk, infrastructure, system administration, software development and support, information security, and IT operations, business implementation support and telecom. Procedures IOD standards for conducting business are documented in its standard operating policies, procedures, and business process work flow diagrams. Its controls are detailed in its procedures and formal risk assessments. The policies and procedures reflect the assignment of specific compliance responsibilities to specific functions and personnel within IOD. Specific examples of the relevant policies and procedures include the following: Confidentiality and non-disclosure Health Insurance Portability and Accountability Act (HIPAA) Security Management Information Security Personnel Security Emergency Change Management System Monitoring Problem Management Data Backup and Recovery System Account Management Monitoring Confidential and proprietary to Wipfli LLP and IOD Incorporated Page 11 of 12 Not to be Reproduced without Permission

13 Description of System Provided by IOD Incorporated Data Data as defined by IOD constitutes the following: Customer and user master file data Input data (scanned images, electronic records from Electronic Health Records (her) via SecureCapture and Software Security Assurance (SSA) Globally Unique Identified (GUID) numbers) Order transaction data Electronic download and upload files Output reports System files Error logs Confidential and Proprietary to Wipfli LLP and IOD Incorporated Page 12 of 12