In-depth technical knowledge and experience isn’t necessary when auditing and assessing risks related to information technology and systems. Learn from a former internal auditor how to remove the barriers that prevent meaningful IT reviews.
TODAY’S OBJECTIVES
• Review risks related to information technology facilities, system access, data integrity, and system maintenance.
• Describe techniques for the non-technical professional to evaluate controls of information technology and systems.
ABOUT VANDERBILT UNIVERSITY MEDICAL CENTER
• $2.3 Billion Annual Healthcare Operating Expenses (excludes academics and research)
• $471.6 Million Annual Sponsored Research Budget
• $843.6 Million Annual Charity Care, Community Benefits, and other Unrecovered Costs
INTEGRATED IT AUDITING
FOCUSED IT AUDITS
IT AUDIT PLANNING - REQUESTS
• HIPAA Security Risk Assessment
• External auditor’s report and management letter
• Consulting reports
• IT policies and procedures
SYSTEM/APPLICATION LIST
• System or application name
• Vendor
• System purpose
• The business and IT owners
• Location(s) where the system is physically housed
• Service Criticality (they can’t all be Mission Critical)
[Vendor word cloud: ALLSCRIPTS, AVAILITY, CERNER, CISCO, EMC, EPIC, IBM, ITIL, KRONOS, MEDASSETS, MEDITECH, MICROSOFT, OMNICELL, ORACLE, SAP, SIEMENS]
THE CLAW HAS SPOKEN
USER SECURITY & ADMINISTRATION
Audit Objectives
• Account administration
• User authentication and passwords
• Session controls
ACCOUNT ADMINISTRATION
• Process to request and approve accounts
• How accounts are inactivated or deleted
• Documentation of requests
• Monitoring for non-use, change in employment status, etc.
USER AUTHENTICATION & PASSWORDS
• Minimum password length and composition
• Periodic password changes
• Multi-factor authentication
• Lockouts and resets
SESSION CONTROLS
• Session length
• Maximum inactivity
• Concurrent logins
CHANGE MANAGEMENT
Audit Objectives
• Documented processes and policies (including emergency changes)
• Segregated environment and testing
• Production access
AN ICQ (INTERNAL CONTROL QUESTIONNAIRE) FOR EACH APPLICATION
• Are change requests logged?
• Is version control software used?
• What logical environments exist?
• Are all changes required to be tested?
• Who is responsible for migrating changes?
• Are back-out procedures required prior to implementation?
• How are emergency changes communicated to business owners?
TESTING CHANGE
• Emergency Change
• Tech Approval
• Business Approval
• CAB Approval
• Programmed in Dev
• Tested Outside Production
• Testing Completed
• User Testing Complete
• Programmer Deployed Change
• Back-out Procedures
• Documentation Updated
• # of Resulting Issues
DATA CENTER PHYSICAL SECURITY
Audit Objectives
• Physical access for both individuals and equipment
• Power configurations
• Environmental controls and monitoring
ACCESS CONTROLS
• Access logs - who, when, and why
• Approvals and pre-approvals
• Monitoring and oversight
POWER
• Sources and configurations
• Redundancy and back-up
• Capacity Planning
• Joint Commission
ENVIRONMENT
• Cooling
• Humidity
• Fire suppression
• Water (and other wet stuff)
• Raised floors
INTEGRATING IT INTO FINANCIAL AND OPERATIONAL AUDITS
COMMON ISSUES: IT
• Storage of PHI on unsecured media
  • CD/DVD with Medical Images
  • Department File Servers, Local PCs, Laptops, etc.
• Inadequate Password Policy/Enforcement
• Unsecured/Sharing of Clinic Workstations
• Disaster Recovery
  • Documented Downtime Procedures
• Oversight/Security of Portable Devices (e.g., iPads)
ADDITIONAL READING
[Three book covers shown: 512 pages / 1.8 pounds, 696 pages / 3.0 pounds, 2,000 pages / 7.6 pounds; titles not captured in the transcript.]