TRINITY UNIVERSITY HOSPITAL INTERNAL EXIT MEETING

Audit team:
Haitao Huang - Auditor-in-Charge
Dongjie Wang - Senior IT Auditor
Xiaozhou Yu - Experienced IT Auditor
Raisa Ahmed - Experienced IT Auditor
Derrick A. Gyamfi - IT Audit Associate

AGENDA
- Background & Overview
- Objective and Scope
- Findings (risk rating, observation, standards, cause, impact and recommendation)
- Summary

BACKGROUND & OVERVIEW
- Trinity University Hospital is currently a 476-bed tertiary care hospital that has been serving the Philadelphia region since 1977
- Three clinics: General Clinic, Dental Clinic, and Eye Clinic
- Services offered include Emergency Services, Laboratory Services, and Physiotherapy Services
- Trinity utilizes a fully equipped healthcare-specific ERP system solution, HANA RAISA, for patient records management

Speaker notes (Derrick): Trinity University Hospital is a tertiary care hospital that has been serving the North Philadelphia area since 1977. The hospital has three departments: the General Clinic, Dental Clinic and Eye Clinic. The hospital also offers a wide range of services including Emergency Services, Laboratory Services, and Physiotherapy Services. Now to discuss the technology environment: Trinity utilizes HANA RAISA, a patient records management system. HANA RAISA is a fully equipped healthcare-specific ERP system solution. The technology allows the hospital to unify and integrate patient medical records across all clinics, services, and departments. To discuss the purpose

OBJECTIVE AND SCOPE
The main objective of the audit is to verify that the patient records management system is appropriately safeguarded and data reliability and accuracy are maintained within the environment.
The scope of this audit project included reviews of the system for the following areas:
- Data Security (Confidentiality, Integrity, Availability)
- Segregation of Duties
- Authentication & Access Control
- Policies & Procedures

FINDING - ACCESS MANAGEMENT
RISK: High
OBSERVATION: Lack of an access termination procedure
STANDARD: HIPAA; HHS Security Risk Assessment Tool
CAUSE: The requirement is not specified in the data security policy
POSSIBLE IMPACT:
- Legal penalty for non-compliance
- Unauthorized access to ePHI leading to identity theft
- Compromise of confidentiality, integrity or availability of ePHI
RECOMMENDATION:
- Review and update the information security policy
- Develop and implement access termination procedures
- Periodically review and modify logical access

FINDING - SEGREGATION OF DUTIES
RISK: High
OBSERVATION: Inappropriate employee access to information and information systems
STANDARD: ISO 27001; NIST 800-53
CAUSE: No proper control established for employee access
POSSIBLE IMPACT:
- Fraud and error
- Manipulation of statements
- Costs to recover from reputational damage
- Compromise of confidentiality, integrity, and availability
RECOMMENDATION:
- Review user access to data and applications to ensure access rights remain appropriate and commensurate with job duties and responsibilities
- RACI chart (responsible, accountable, consulted, informed)

FINDING - AUTHENTICATION (PASSWORDS)
RISK: High
OBSERVATION: Weak passwords are used to access the system
STANDARD: NIST SP 800-63B
CAUSE: No standard for ensuring strong passwords
POSSIBLE IMPACT:
- Unauthorized access
- Compromise of sensitive patient information
- Reputation damage and lawsuits
RECOMMENDATION:
- Establish a strong password standard
- Use two-factor authentication
- Restrict access after incorrect password input
- Provide educational training on password security
- Examine password strength periodically

Speaker notes: Create a written password policy. It should be part of your computer usage policy. Make sure all employees are familiar with it and agree to abide by it. Help them understand why it is important. Listen to the groans, appreciate their issues and then insist they do it. Help them understand what appropriate and inappropriate passwords are.

Sources:
https://www.giac.org/paper/gcux/12/security-audit-report/103579
https://www.computerworld.com/article/2493184/security0/passwords-are-the-weak-link-in-it-security.html
http://blog.whoa.com/top-5-password-mistakes-and-their-impact-on-your-data-security
https://pages.nist.gov/800-63-3/sp800-63b.html#sec8
https://www.acunetix.com/blog/articles/weak-password-vulnerability-common-think/
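The slide recommends a written password standard and restricting access after incorrect password input, citing NIST SP 800-63B. The following Python is an added example (not part of the audit presentation or any Trinity system) of what such a standard looks like when enforced: a length floor, a blocklist of common or compromised values, checks for username/organisation name and repeated or sequential characters, and a per-account failed-attempt limiter. The blocklist, the 128-character cap, the service name "trinity" and the lock-out threshold of 5 are constructed or assumed values; 800-63B itself only requires a minimum of 8 characters, acceptance of at least 64, a blocklist check, and a cap of 100 consecutive failures.

```python
"""Added example, not part of the audit presentation: a password standard
check in the spirit of NIST SP 800-63B (section 5.1.1.2) plus a failed-attempt
limiter for the "restrict access after incorrect password input" recommendation.
The blocklist, the cap and the lock-out threshold are constructed/assumed values."""
import re
from collections import defaultdict

MIN_LENGTH = 8        # 800-63B: memorized secrets must be at least 8 characters
MAX_LENGTH = 128      # 800-63B: at least 64 must be accepted; 128 is an assumed cap

# Constructed stand-in for a breach-corpus/dictionary blocklist (a real one
# holds millions of entries; it is compared case-insensitively, as here)
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "trinity2018"}


def is_sequential(s):
    """True for runs like '12345678' or 'abcdefgh' (every step +1, or every step -1)."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_password(candidate, username="", service_name="trinity"):
    """Return the list of reasons `candidate` fails the standard (empty list = acceptable).
    Deliberately no composition rules (upper/lower/digit/symbol): 800-63B advises against them."""
    reasons = []
    low = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than 8 characters")
    if len(candidate) > MAX_LENGTH:
        reasons.append("longer than the accepted maximum")
    if low in BLOCKLIST:
        reasons.append("in blocklist of common/compromised passwords")
    if username and username.lower() in low:
        reasons.append("contains username")
    if service_name and service_name.lower() in low:
        reasons.append("contains service/organisation name")
    if re.fullmatch(r"(.)\1+", candidate):
        reasons.append("repeated single character")
    if is_sequential(candidate):
        reasons.append("sequential characters")
    return reasons


class FailedAttemptLimiter:
    """Count consecutive failed logins per account and lock the account once the
    threshold is reached. 800-63B (5.2.2) caps consecutive failures at 100;
    LOCK_AFTER = 5 is an assumed hospital policy value, not from the standard."""
    LOCK_AFTER = 5

    def __init__(self):
        self.failures = defaultdict(int)

    def is_locked(self, user):
        return self.failures[user] >= self.LOCK_AFTER

    def record_failure(self, user):
        """Call on a wrong password; returns True once the account is locked."""
        self.failures[user] += 1
        return self.is_locked(user)

    def record_success(self, user):
        """A correct password resets the consecutive-failure counter."""
        self.failures.pop(user, None)


if __name__ == "__main__":
    for pw in ["password1", "abcdefgh", "jdoe2018", "correct horse battery staple"]:
        print(repr(pw), check_password(pw, username="jdoe") or "OK")
```

The `check_password` list of reasons is what a self-service password change screen can show the user, which is the "help them understand what appropriate and inappropriate passwords are" point from the speaker notes; the limiter's counter must reset on success so that a legitimate typo does not accumulate toward a lock-out.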

FINDING - POLICIES & PROCEDURES
RISK: Moderate
OBSERVATION:
- Poor system log management
- Out-of-date and irregular system log reviews
STANDARD: Internal Hospital IT System Policy; NIST 800-92 (reference)
CAUSE:
- Employee forgetfulness
- Lack of supervision and oversight
POSSIBLE IMPACT:
- Access to incorrect information
- Delayed detection of risks and possible threats
RECOMMENDATION:
- Automate log reviews
- Prioritize periodic log reviews
- Assign hard deadlines and review supervisors for each system review

Source: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-92.pdf
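Two of the recommendations above fit naturally into one scheduled job: the access-management finding asks for periodic review of logical access after an access termination procedure exists, and the policies-and-procedures finding asks for automated log reviews. The Python below is an added example (not part of the audit presentation and not a Trinity or HANA RAISA tool) of such a job. It reconciles the accounts still enabled in a records system against an HR termination list, then scans access-log lines for activity after a user's termination date and for bursts of failed logins. The HR roster, account export, log format, log lines, review date and the failed-login threshold of 3 are all constructed for illustration.

```python
"""Added example, not part of the Trinity audit presentation: a periodic
logical-access review (access-termination finding) combined with an automated
access-log review (log-management finding). Every roster, account list and log
line below is constructed for illustration."""
from datetime import date, datetime

# Constructed HR roster: username -> termination date (None = still employed)
HR_ROSTER = {
    "jdoe": None,
    "asmith": date(2018, 3, 15),
    "bkim": date(2018, 4, 1),
    "clee": None,
}

# Constructed export of accounts still enabled in the records system
ACTIVE_ACCOUNTS = ["jdoe", "asmith", "clee", "svc_backup"]

# Date the review is run (constructed)
REVIEW_DATE = date(2018, 4, 3)

# Constructed access-log lines in an assumed format: "<ISO timestamp> <user> <action> <target>"
ACCESS_LOG = """\
2018-03-14T09:12:01 asmith VIEW patient/1001
2018-03-20T17:45:10 asmith VIEW patient/1042
2018-04-02T08:00:33 bkim EXPORT patient/2003
2018-04-02T08:05:00 jdoe VIEW patient/1001
2018-04-02T08:06:00 jdoe LOGIN_FAILED -
2018-04-02T08:06:05 jdoe LOGIN_FAILED -
2018-04-02T08:06:09 jdoe LOGIN_FAILED -
2018-04-02T08:06:12 jdoe LOGIN_FAILED -
2018-04-02T09:00:00 clee VIEW patient/3001
""".splitlines()


def stale_accounts(active, roster, as_of):
    """Enabled accounts that should not be: owner terminated on or before
    `as_of`, or no HR record at all (orphaned or unowned service accounts)."""
    terminated, unknown = [], []
    for user in active:
        if user not in roster:
            unknown.append(user)
        elif roster[user] is not None and roster[user] <= as_of:
            terminated.append(user)
    return {"terminated": terminated, "unknown": unknown}


def parse_log(lines):
    """Split each log line into (timestamp, user, action, target)."""
    events = []
    for line in lines:
        ts, user, action, target = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, action, target))
    return events


def access_after_termination(events, roster):
    """Log entries where a user acted after their HR termination date."""
    return [
        (ts.isoformat(), user, action, target)
        for ts, user, action, target in events
        if roster.get(user) is not None and ts.date() > roster[user]
    ]


def failed_login_bursts(events, threshold=3):
    """Users with at least `threshold` LOGIN_FAILED entries; the threshold is an
    assumed review tuning value, not taken from any standard."""
    counts = {}
    for _, user, action, _ in events:
        if action == "LOGIN_FAILED":
            counts[user] = counts.get(user, 0) + 1
    return {u: c for u, c in counts.items() if c >= threshold}


def run_review():
    """One scheduled run: returns the findings a review supervisor signs off on."""
    events = parse_log(ACCESS_LOG)
    return {
        "stale_accounts": stale_accounts(ACTIVE_ACCOUNTS, HR_ROSTER, REVIEW_DATE),
        "post_termination_access": access_after_termination(events, HR_ROSTER),
        "failed_login_bursts": failed_login_bursts(events),
    }


if __name__ == "__main__":
    for key, value in run_review().items():
        print(key, value)
```

Scheduling this as a job with its output routed to a named review supervisor is what turns "automate log reviews" and "assign hard deadlines" into something that can be evidenced at the next audit: the run timestamp, the findings and the sign-off become the review record. The `unknown` bucket matters as much as `terminated`: accounts with no HR owner (service accounts, contractors) are exactly the ones an access termination procedure tends to miss.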

SUMMARY
Key audit findings:
- Access Management
- Segregation of Duties
- Authentication
- Policies & Procedures
Recommended improvements:
- Updates to existing policies and procedures
- New standards established
- Periodic reviews

Thank You!

REFERENCES
https://www.giac.org/paper/gcux/12/security-audit-report/103579
https://www.computerworld.com/article/2493184/security0/passwords-are-the-weak-link-in-it-security.html
http://blog.whoa.com/top-5-password-mistakes-and-their-impact-on-your-data-security
https://pages.nist.gov/800-63-3/sp800-63b.html#sec8
https://www.hipaajournal.com/ocr-record-hipaa-settlement-memorial-healthcare-system-8695/
https://www.hipaajournal.com/hipaa-violation-cases/
https://www.healthit.gov/topic/privacy-security/security-risk-assessment-tool
https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
https://healthitsecurity.com/features/the-role-of-risk-assessments-in-healthcare
https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html