Technology General Controls and HIPAA Security Compliance: Covering the Bandwidth in One Audit


1 Technology General Controls and HIPAA Security Compliance: Covering the Bandwidth in One Audit
Michael Morrow, Jennifer McGill, Carolinas HealthCare System
2011 AHIA Annual Conference, Track D1, Wednesday, September 7, 2011

2 The Risk Environment
* American Reinvestment & Recovery: HITECH Act
* Breach Notification
* Meaningful Use Requirements
* Regulatory Enforcement

3 HIPAA Enforcement: Providence Health
In December 2005, a thief stole backup discs and tapes from the vehicle of an employee of Providence Health & Services. The tapes and discs contained unencrypted information for about 365,000 patients. HHS officials negotiated a Resolution Agreement. The Resolution Agreement included a three-year Corrective Action Plan (CAP) that requires Providence to: improve its information security practices, train its workforce, monitor compliance with the CAP, and report any additional breaches.

4 Financial Impact on Providence Health
Breach Investigation & Remediation: $7,106,
Other changes made to comply with the Corrective Action Plan:
1. Hired a CISO
2. Created a new information security management structure
3. Increased the number of information security employees from 5 to
4. Rewrite information security policies and procedures
5. Deployed state-of-the-art information security software
Providence's annual information security costs increased from approximately $750,000 in 2005 to approximately $6.25 million in 2009.
Source: FairWarning 2010 Executive Webinar Series, Beyond the Fines: The True Cost of a Patient Privacy Breach, September 8, 2010

5 Benefits of Audits & Compliance Reviews
* Identifies security issues before a breach occurs
* Demonstrates due diligence in the event of a breach or other regulatory violation
* Helps management avoid costs related to corrective actions
* Reinforces good practices
* Provides management with information to help make operational & capital budget decisions
* Builds opportunities to leverage technology & good practices across multiple computing environments
* Creates Board-level awareness of technology's role in the internal control environment

6 The Challenge How do we evaluate information technology controls and HIPAA Security compliance across a multitude of environments with limited resources?

7 Who are we? Carolinas HealthCare System (CHS) is the largest healthcare system in the Carolinas, and the third largest non-profit public system in the nation. CHS provides a lifetime medical home to patients through a network of some 600 care locations that includes hospitals, freestanding emergency departments, physician practices, surgical and rehabilitation centers, home health agencies, nursing homes and other facilities. CHS Corporate Mission To create and operate a comprehensive system to provide health care and related services, including education and research opportunity, for the benefit of the people we serve.

8 Our Program: Corporate Compliance Function
Chief Compliance Officer; Chief Privacy Officer
Facility Compliance; Physician Compliance; Audit Services; Corporate Privacy
Cross-Functional IT Audit Team: HIPAA Security

9 Our Audit Universe
Physician Practices; Corporate Operations; Large Hospitals; Independent IT Services (Hospital A); Public Health; Centralized IT Services; Small Hospitals; Clinic Z; Medical Education; Nursing Homes; Managed Hospitals; Health System P

10 Different Environments = Different Challenges
* Centralized Infrastructure
* Stand-Alone Facility
* Hybrid (Stand-Alone supporting facilities with centralized systems)

11 Variety of Environments Method works for any size organization Applies to all different infrastructures

12 Getting Started: What's the difference between a HIPAA Security Compliance Review and an IT General Controls Audit?
HIPAA Security Compliance Review: Validation of compliance with law. Scope: existence of required program elements & compliance with implementation standards for those elements.
IT General Controls Audit: Independent evaluation of controls. Scope: existence & effectiveness of key controls over the computing environment.

13 What are the similarities? The following steps are performed in both the HIPAA Security Compliance Review and the IT General Controls Audit:
* Contact Administration & IT Director
* Schedule fieldwork
* Send scope document
* Send questionnaire
* Send documentation request list
* Prepare audit program & test steps
* Review questionnaire responses & documentation
* Perform fieldwork
* Interview key IT personnel
* Conduct walkthrough
* Document observations & conclusions
* Write report

14 Who is involved in this effort?
Auditors: Provide support to Local Hospital; collaborate with IT leaders from all hospitals to set standards & develop strategy; guide HIPAA Security compliance efforts; perform IT Audit function.
Corporate Information Services: Collaborate with IT leaders from all hospitals to set operational priorities, share good practices, help save money on purchasing, etc.; partner with Audit & Compliance to help Local Hospital IT prepare for audits.
Local Hospital Information Services: Information Technology function led by CIO or IT Director; responsible for IT operations, working with hospital leadership, IT governance, etc.
Hospital Administration: Set budget & hospital management priorities; coordinate with IS on key initiatives & strategic planning; ensure compliance with regulations.

15 Phases: 1 Orientation; 2 Planning; 3 Fieldwork; 4 Documentation; 5 Reporting; 6 Follow-Up

16 Phase 1: Orientation (PHASE 1) Timeline: 6-12 months in advance
HIPAA Security Compliance Review
* Baseline: Conduct orientation with key Local Hospital IT contact; educate yourself about relevant regulations & guidance
* Repeat: Review changes to regulations & risk environment; share new tools/expectations; schedule the review
IT General Controls Audit
* Baseline: Explain audit process to Local Hospital IT contact; discuss documents & information that will be requested prior to audit
* Repeat: Revisit issues from previous audit & discuss scope for follow-up audit; schedule the audit

17 HIPAA Security Rule: Overview (PHASE 1)
Administrative Safeguards: Security Management Process; Assigned Security Responsibility; Workforce Security; Information Access Management; Security Awareness & Training; Security Incident Procedures; Contingency Plan; Evaluation; Business Associate Contracts
Physical Safeguards: Facility Access Controls; Workstation Use; Workstation Security; Device & Media Controls
Technical Safeguards: Access Control; Audit Controls; Integrity; Person or Entity Authentication; Transmission Security

18 HIPAA Security Rule: Implementation Standards (PHASE 1) What's Required?
Security Standard (REQUIRED) breaks down into implementation specifications: Required Standard (R) - REQUIRED; Addressable Standard (A) - REQUIRED.
Guidance from the Office for Civil Rights (OCR), July 2010: "An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so." /rafinalguidancepdf.pdf

19 HIPAA Security Rule: Risk Analysis (PHASE 1)
Objective: Identify vulnerabilities/threats to the security of protected health information (PHI) in order to develop an action plan to address high-risk items and mitigate impact.
Who is responsible for this? Local Hospital IT Management is responsible for conducting an annual risk analysis.
Risk Analysis Checklist: Data Collection Method(s); Potential Threats/Vulnerabilities; Current Security Measures; Likelihood of Threat; Potential Impact of Threat; Risk Level
The Risk Analysis MUST be documented! See OCR Guidance on Risk Assessment.

20 Risk Analysis Example (PHASE 1) Risk Analysis Completed by: Date:
Columns: THREAT or VULNERABILITY | Likelihood (1 to 5) | Impact (1-5) | Risk Ranking | Existing countermeasures or recommendations for future | Existing policy or procedure | Status
Example row: Air conditioning failure in Data Center | Install temperature monitoring system to send alert | Security checks during nightly rounds | Planned for Q4 2011

21 Meaningful Use (PHASE 1) Risk Analysis is required to meet Stage 1 Meaningful Use criteria
Health Outcomes Policy Priority: Ensure adequate privacy and security protections for personal health information
Eligible Professionals: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities
Eligible Hospitals and CAHs: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities
Stage 1 Measures: Conduct or review a security risk analysis per 45 CFR (a)(1) and implement security updates as necessary and correct identified deficiencies as part of its risk management process

22 Phase 2: Planning (PHASE 2) Timeline: 4-6 weeks in advance
HIPAA Security Compliance Review
* Baseline: Send HIPAA Security questionnaire to key Local Hospital IT contact
* Repeat: Prepare questionnaire with responses from last year & a new column for current year responses; send to key Local Hospital IT contact
IT General Controls Audit
* Baseline: Send IT General Controls Self-Assessment questionnaire & document request list to key Local Hospital IT contact
* Repeat: Prepare scope document & develop audit program; send scope document to key Local Hospital IT contact

23 Phase 3: Fieldwork (PHASE 3) Timeline: During Scheduled Visit
HIPAA Security Compliance Review: Review responses to HIPAA Security questionnaire with key Local Hospital IT contact & validate elements; conduct interviews with relevant IT personnel; conduct walkthrough to observe & validate
IT General Controls Audit: Review responses to IT General Controls Self-Assessment questionnaire & requested documentation; execute test steps from audit program; conduct interviews with relevant IT personnel; conduct walkthrough to observe & validate

24 HIPAA Security Review: Questionnaire (PHASE 3)
Objective: Evaluate your organization's HIPAA Security Program to ensure administrative, physical, and technical safeguards referenced in the HIPAA Security Rule are in place.
Key Features: Follows sequence of items described in regulation; includes reference numbers; uses plain language; outlines your expectations; column for their responses; column for your assessment; scoring mechanisms

25 HIPAA Security Review: Questionnaire (PHASE 3) Refer to Template #1 Program Questionnaire
Example expectations stated in the questionnaire:
* A policy crosswalk or other document showing how your policies address the HIPAA Security Rule should be completed.
* You should be able to provide evidence that leadership has approved new policies/significant policy changes.
* You should be able to show that policies are reviewed as described in your policy review process.
Use the Recommendations/Follow-Up Questions section to document Test Steps.

26 HIPAA Security Review: Policy Mapping Matrix (PHASE 3) Refer to Template #2 Policy Mapping Matrix
Example entries:
1. Policy #12345 Information Security Risk Management Policy: 1) Documents located on Corporate website; 2) Policy last updated mm/dd/yy
2. Policy # IS Security Policy: 1) Documents located on Corporate website; 2) Policy last updated mm/dd/yy

27 IT General Controls Audit: Self Assessment Questionnaire (PHASE 3)
Objective: Evaluate your organization's IT control environment to ensure that key controls are present and operating effectively.
Key Features (columns): Functional Area; Self-Assessment Score; Control Objective; Internal Control Expectation; Current State of Control; Test Step; Workpaper Documentation

28 IT General Controls Review Self-Assessment Questionnaire (PHASE 3) Refer to Template #3 ITGC Self-Assessment Questionnaire
Header fields: Business Process: 5. Information Services | Facility Name: | Prepared By: | Date: | Reviewed By: | Date:
Information about the Assessment Tool
Purpose: A facility assessment of IT general controls will help evaluate the extent to which the five listed general control objectives exist. While the assessment tool is not inclusive of all internal control considerations, it can help identify areas that require corrective action through implementation of internal controls or refinement of existing internal control procedures.
Scoring Key: Green, Yellow, Red
* Utilize green shading and type in "Green" to indicate the existence of internal controls that substantially conform to stated Internal Control (IC) Expectations.
* Utilize yellow shading and type in "Yellow" to indicate areas where internal controls exist in part, but need improvement to conform to stated IC Expectations.
* Utilize red shading and type in "Red" to indicate areas where controls may exist but are significantly deficient in meeting stated IC Expectations.
General Control Objectives for Information Services:
* Program changes are authorized, approved, and tested prior to implementation.
* Outside vendor programs are authorized, approved, and tested prior to installation.
* Access to data files is appropriately restricted to authorized users and programs.
* Critical data and program applications are secure.
* Physical security of critical computer hardware and servers is ensured.
* Business recovery and resumption is assured.
Potential Risks for Information Services:
* Programs that contain errors or do not meet management objectives are placed into production.
* Programs with inadequate controls are placed into production.
* Information in master files is accessed and/or manipulated by unauthorized personnel.
* Unauthorized transactions or data are entered through inappropriate authorized user access.
* Critical data is lost or unrecoverable.
* Business resumption is impeded when data processing cannot be continued in a timely manner.

29 IT General Controls Audit: Self Assessment Questionnaire Refer to Template #3 ITGC Self- Assessment Questionnaire PHASE 3

30 HIPAA Security Review: Walkthrough (PHASE 3)
Objective: Consistently evaluate the presence of physical and logical HIPAA Security compliance requirements, as well as workforce awareness of security practices.
Key Features: Data center safeguards; network closet safeguards; workstation security; mobile device security; Computer on Wheels security; workforce awareness

31 HIPAA Security Review: Walkthrough (PHASE 3) Refer to Template #4 HIPAA Security Walkthrough
Where do you start? What's wrong with this picture? During fieldwork, how do you decide where to look?

32 HIPAA Security Review: Observation and Inspection (PHASE 3) Refer to Template #4 HIPAA Security Walkthrough
Rating columns: Present - No Issues | Present with Issues | No Solution In Place
Items inspected:
* Temperature
* Ventilation
* Fire Suppression (dry water sprinkler)
* UPS (Clean/Adequate Power)
* Backup Power Supply
* Restricted\Locked Entry (note 1)
* Restricted Workforce Access (note 1)
* Entry\Visitor Log (N/A - Escorted)
* Secure Devices
* Cable Management (note 2)

33 Convergence: Where can you save time? (PHASE 3)
Common elements shared by the HIPAA Security Program Review and the IT General Controls Audit: Policies & Procedures; Fieldwork & Observation; Interviews with key IT staff; Physical Security; Logical Security; IT Governance; Risk Assessment; Strategic Priorities; Changes to Environment

34 Convergence Matrix (PHASE 3) Refer to Template #5 Convergence Matrix
The matrix has two cross-reference tables: IT General Controls Review Ref # -> Maps to HIPAA Security Compliance Review Ref #, and HIPAA Security Compliance Review Ref # -> Maps to IT General Controls Review Ref #.

35 Why not combine them? (PHASE 3)
* Different functions, different scope, different goals
* If subject of regulatory review, limit information provided
* If you outsource the audit function, you can separate to manage budget
* If a public company, you can separate results into those relevant for financial reporting vs. compliance

36 Phase 4: Documentation (PHASE 4) Timeline: Immediately following Fieldwork
HIPAA Security Compliance Review: Document evaluation of responses to HIPAA Security questionnaire & score each element; document walkthrough observations; follow up with any remaining questions; document compliance gaps and concerns
IT General Controls Audit: Document evaluation of responses to IT General Controls Self-Assessment questionnaire & requested documentation; document results of tests & interviews conducted during fieldwork; follow up with any remaining questions; document control gaps and audit findings

37 Phase 5: Reporting (PHASE 5) Timeline: Within 30 days after Fieldwork
HIPAA Security Compliance Review: Describe compliance gaps and concerns; develop recommendations that address the gaps & concerns; draft a report; review with Local Hospital IT contact & leadership; prepare Management Action Plan for IT contact to complete; issue the report
IT General Controls Audit: Describe control gaps and audit findings; develop recommendations that address the issues; draft a report; review with Local Hospital IT contact & leadership; prepare Management Action Plan for IT contact to complete; issue the report

38 HIPAA Security Compliance Program Results Framework (PHASE 5)
Key: No Missing or Incomplete Elements | At Least One Missing or Incomplete Element | High Risk or Multiple Missing or Incomplete Elements
HIPAA Security Program Elements:
* Security Management Process
* Assigned Security Responsibility
* Workforce Security
* Information Access Management
* Security Awareness & Training
* Security Incident Procedures
* Contingency Plan
* Security Evaluation
* Business Associate Contracts
* Facility Access Controls
* Workstation Use
* Workstation Security
* Device & Media Controls
* Access Controls
* Audit Controls
* Data Integrity
* Person or Entity Authentication
* Transmission Security
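The scoring on slide 38 and the OCR guidance on slide 18 together define a small decision rule: a required implementation specification must be implemented as written, an addressable one may instead be met by a documented rationale plus an equivalent measure, and an element's rating depends on how many specifications fall short. The following is an added worked example, not code from the presentation or its templates; the standard names, reference numbers and (R)/(A) flags are taken from 45 CFR 164.308, while every status value is constructed for illustration and the "partial required spec counts as high risk" rule is this example's own assumption.

```python
from dataclasses import dataclass
from enum import Enum


class SpecType(Enum):
    REQUIRED = "R"      # must be implemented as written
    ADDRESSABLE = "A"   # may be met by a documented, equivalent alternative


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"                  # exists, but incomplete
    ALTERNATIVE = "alternative"          # equivalent measure adopted instead
    NOT_IMPLEMENTED = "not_implemented"


@dataclass(frozen=True)
class Spec:
    ref: str
    name: str
    spec_type: SpecType
    status: Status
    rationale_documented: bool = False   # written reason the spec is not reasonable/appropriate


@dataclass(frozen=True)
class Element:
    name: str
    specs: tuple


# The three ratings in the slide's key, used verbatim as result labels.
NO_GAPS = "No Missing or Incomplete Elements"
ONE_GAP = "At Least One Missing or Incomplete Element"
HIGH_RISK = "High Risk or Multiple Missing or Incomplete Elements"


def spec_gap(spec):
    """Return None when the spec is satisfied, 'high' for a required spec that is
    not fully implemented, or 'gap' for an addressable spec that is neither
    implemented nor covered by a documented alternative."""
    if spec.status is Status.IMPLEMENTED:
        return None
    if spec.spec_type is SpecType.REQUIRED:
        # OCR allows alternatives only for addressable specs; a required spec
        # that is partial, substituted or absent is treated as high risk here
        # (assumption of this example).
        return "high"
    if spec.status is Status.ALTERNATIVE and spec.rationale_documented:
        return None        # alternative measure AND the written rationale exist
    return "gap"           # absent, partial, or alternative without rationale


def rate_element(element):
    gaps = [g for g in map(spec_gap, element.specs) if g is not None]
    if not gaps:
        return NO_GAPS
    if "high" in gaps or len(gaps) > 1:
        return HIGH_RISK
    return ONE_GAP


def rate_program(elements):
    """Map each program element to its rating for the results framework."""
    return {e.name: rate_element(e) for e in elements}


def sample_program():
    """Constructed sample: three standards from 45 CFR 164.308 with made-up statuses."""
    smp = Element("Security Management Process 164.308(a)(1)", (
        Spec("(a)(1)(ii)(A)", "Risk Analysis", SpecType.REQUIRED, Status.IMPLEMENTED),
        Spec("(a)(1)(ii)(B)", "Risk Management", SpecType.REQUIRED, Status.IMPLEMENTED),
        Spec("(a)(1)(ii)(C)", "Sanction Policy", SpecType.REQUIRED, Status.IMPLEMENTED),
        Spec("(a)(1)(ii)(D)", "Information System Activity Review", SpecType.REQUIRED, Status.IMPLEMENTED),
    ))
    training = Element("Security Awareness & Training 164.308(a)(5)", (
        Spec("(a)(5)(ii)(A)", "Security Reminders", SpecType.ADDRESSABLE, Status.ALTERNATIVE, True),
        Spec("(a)(5)(ii)(B)", "Protection from Malicious Software", SpecType.ADDRESSABLE, Status.IMPLEMENTED),
        # Alternative measure in place but no written rationale on file: still a gap.
        Spec("(a)(5)(ii)(C)", "Log-in Monitoring", SpecType.ADDRESSABLE, Status.ALTERNATIVE, False),
        Spec("(a)(5)(ii)(D)", "Password Management", SpecType.ADDRESSABLE, Status.IMPLEMENTED),
    ))
    contingency = Element("Contingency Plan 164.308(a)(7)", (
        Spec("(a)(7)(ii)(A)", "Data Backup Plan", SpecType.REQUIRED, Status.IMPLEMENTED),
        Spec("(a)(7)(ii)(B)", "Disaster Recovery Plan", SpecType.REQUIRED, Status.PARTIAL),
        Spec("(a)(7)(ii)(C)", "Emergency Mode Operation Plan", SpecType.REQUIRED, Status.IMPLEMENTED),
        Spec("(a)(7)(ii)(D)", "Testing and Revision Procedures", SpecType.ADDRESSABLE, Status.NOT_IMPLEMENTED),
        Spec("(a)(7)(ii)(E)", "Applications and Data Criticality Analysis", SpecType.ADDRESSABLE, Status.IMPLEMENTED),
    ))
    return (smp, training, contingency)


if __name__ == "__main__":
    for name, rating in rate_program(sample_program()).items():
        print(f"{name}: {rating}")
```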

39 HIPAA Security Walkthrough Results Summary (PHASE 5)
Key: No Issues Observed | Issues Observed | Pervasive Issues Observed
Facility Observation Assessment by section:
* Sections 1 & 2: Infrastructure (Data Center and Wiring Closets). Evaluated the environmental, workforce access authorization, physical security, electrical, and installation management controls for network infrastructure equipment.
* Sections 3 & 5: Workstations and Computers On Wheels (COW) Security. Evaluated logical, physical, workforce utilization and implementation management of workstations, laptops and computers on wheels (COWs).
* Section 4: Mobile Device Security. Evaluated the compliance of workforce members with the acceptable use standards for mobile devices.
* Section 6: Workforce Awareness. Asked security questions to evaluate workforce awareness regarding general HIPAA security issues such as location of company policies, e-mailing PHI, password protection and reporting HIPAA violations.

40 HIPAA Security Program Review Report (PHASE 5) Create two sections in your report:
1. Compliance Gaps: Issues that must be remediated in order to bring the Hospital into compliance with the HIPAA Security Rule
2. Program Improvements: Hospital meets the standard for a compliance element but could improve their process or approach

41 IT General Controls Audit Results (PHASE 5)
Key Controls in Each Domain: IT Governance | Computer Operations | Security & Access | Change Management | Total
Status of Key Control: Green - Designed and operating effectively; Yellow - Exists, but needs improvement; Red - Missing or significantly deficient; Total

42 COBIT Maturity Model (PHASE 5) The COBIT maturity model uses the following definitions:
0 Non-existent
1 Initial/Ad Hoc
2 Repeatable but Intuitive
3 Defined Process
4 Managed and Measurable
5 Optimized

43 IT General Controls Audit: COBIT Maturity Assessment (PHASE 5) How do I apply it?
Columns: COBIT Domain | Process | Maturity Assessment Level 0-5 | Description | Report Finding
IT Governance domain:
* IT Strategic Plan, level 4: IT strategic planning is a defined management function with senior-level responsibilities. Management is able to monitor the IT strategic planning process, make informed decisions based on it and measure its effectiveness. Both short-range and long-range IT planning occurs and is cascaded down into the organization, with updates done as needed. Report Finding: N/A
* Risk Assessment, level 3: An organization-wide risk management policy defines when and how to conduct risk assessments. Risk management follows a defined process that is documented. The methodology for the assessment of risk is convincing and sound and ensures that key risks to the business are identified. Report Finding: N/A
* IT Policy & Control Framework, level 3 / 4: A complete information control and quality management environment is developed, documented and communicated by management and includes a framework for policies, plans and procedures. The existing policies, plans and procedures are reasonably sound and cover key issues. A positive, proactive information control environment, including a commitment to quality and IT security awareness, is established. Report Finding: 1
* Process, Organization and Relationships, level 3: Defined roles and responsibilities for the IT organization and third parties exist. The IT organization is developed, documented, communicated and aligned with the IT strategy. The internal controls environment is defined. Essential IT staffing requirements and expertise are defined and satisfied. Report Finding: N/A

44 IT General Controls Audit Report (PHASE 5) Create two sections in your report:
1. Executive Summary: Describe your scope, audit conclusion, summary of results, and COBIT maturity assessment in the first two pages
2. Audit Issues: If you issue a separate Executive Summary Report

45 Bringing it all together... Relating the Findings from Both Reviews (PHASE 5)
Two reports, one recipient. How do they prioritize? What information gets communicated to the Board?

46 Management Action Plan (PHASE 5)
Objective: Provides a template for Management to use when responding to the issues reported in the HIPAA Security Program Review Report & the IT General Controls Audit Report.
Key Features: Answers the question "What happens now?"; provides structure for management to describe its plan for addressing issues; allows for auditor evaluation of the adequacy of management's response; creates accountability for management to set a timeframe for remediation; provides a basis for future follow-up audits & reviews

47 Management Action Plan: Remediation of Issues (PHASE 5) Refer to Template #6 Management Action Plan
Prepared by Auditor (a summary of the Audit Review Summary Report): Column A (Auditor) HIPAA Security Reference | Column B (Auditor) Summary of Combined Audit Finding | Column C (Auditor) Summary of Audit Recommendation
Facility Management, complete and return via e-mail to: Column D (Management) Proposed or Completed Action (the responsible party for the response is listed in bold) | Column E (Management) Target Completion Date
Auditor, review Mgt Response for each issue: Column F (Auditor) Response Reviewed by Auditor
Example row:
* HIPAA Security Reference: 3 (Security Policies)
* Finding: 1. IT Policy and Control Framework. The IT Director has assisted ABC management with the adoption of IT policies. The policies have not been updated to reflect the ABC IT environment but they have been approved by ABC management and posted on the public shared network drive. Communication and enforcement of the policies is planned but not completed.
* Recommendation: The IT policies should be reviewed, updated and approved to ensure standards reflect the ABC environment. The Facility Security Director should develop a policy communication plan for the workforce. This plan should involve management and should provide the location where policies are posted as well as a brief synopsis of the policies.

48 Phase 6: Follow Up & Ongoing Monitoring (PHASE 6) Timeline: After Final Reports have been Issued
HIPAA Security Compliance Review: Work with key Local Hospital IT contact to ensure that compliance gaps and concerns are being addressed; share good self-monitoring practices
IT General Controls Audit: Work with key Local Hospital IT contact to ensure that control gaps and audit findings are being addressed; report progress to leadership

49 Security Self-Assessment (PHASE 6)
Columns: ACTION ITEM | DESCRIPTION | DATE REVIEWED | FREQUENCY | RESULTS OF REVIEW | FOLLOW UP ITEMS
SECURITY EVALUATION (a periodic technical and non-technical evaluation in response to environmental or operational changes):
* Lab is properly secure when not in use (unsecured room not left unattended)
* Equipment not in use properly secured (servers, etc.)
POLICIES (periodic review of facility / departmental security policies):
* Review of IS Security OnCall Manual (quarterly review by entire group)
* Review of Acceptable Use Policy (for changes in environment)
Review entries as recorded: 9/30/2010, Monthly, All compliant; 9/30/2010, Monthly, All compliant; 9/30/2010, Bi-Annually, Next Due April; /30/2010, Yearly (2), Completed - New policy was published in August 2010, Next Due Date - February 2012

50 Technical Information Security Monitoring (PHASE 6)
Security Team Audit | Frequency | Reported Type | Description | Status
Failed Logins (Extraxi) | Monthly | Uploaded | Review of failed remote access | Complete
Qualys Sweep | Monthly | Uploaded | Sweep of External IP addresses | Complete
HIPAA Self Audit - Security | Monthly | Uploaded | Review of IS Account Admin | Complete
Available Tokens | Monthly | Uploaded | Inventory report of available tokens | Complete
Remote Users | Monthly | Uploaded | Screening terminated users | Complete
Terminated User Audit | Monthly | Uploaded | Review of Terminations | Complete
Datacenter Security Cameras | Quarterly | Verified | Review cameras are in working order | Complete
Generator Test | As Needed | Verified | Generator Test | Complete
Foundstone Scan Audit | Monthly | Verified | Foundstone scan of servers | Complete
PC Disposal Audit | Quarterly | Uploaded | PC Disposal Audit | Complete

51 Questions

52 Save the Date: August 26-29, st Annual Conference in Philadelphia Pennsylvania


More information

EXHIBIT A. - HIPAA Security Assessment Template -

EXHIBIT A. - HIPAA Security Assessment Template - Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,

More information

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HEALTHCARE ORGANIZATIONS ARE UNDER INTENSE SCRUTINY BY THE US FEDERAL GOVERNMENT TO ENSURE PATIENT DATA IS PROTECTED Within

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

MNsure Privacy Program Strategic Plan FY

MNsure Privacy Program Strategic Plan FY MNsure Privacy Program Strategic Plan FY 2018-2019 July 2018 Table of Contents Introduction... 3 Privacy Program Mission... 4 Strategic Goals of the Privacy Office... 4 Short-Term Goals... 4 Long-Term

More information

HIPAA Security and Privacy Policies & Procedures

HIPAA Security and Privacy Policies & Procedures Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400

More information

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016 Breach New Heights The role of ITAM in preventing a data breach Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016 Agenda Why Breaches Matter to the ITAM group The cost

More information

HIPAA Compliance Assessment Module

HIPAA Compliance Assessment Module Quick Start Guide HIPAA Compliance Assessment Module Instructions to Perform a HIPAA Compliance Assessment Performing a HIPAA Compliance Assessment 2 HIPAA Compliance Assessment Overview 2 What You Will

More information

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D. Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D. HIPAA GENERAL RULE PHI may not be disclosed without patient authorization

More information

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute Health Law Institute Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More Brooke Bennett Aziere October 18, 2017 Agenda Enforcement Trends Phase 2 HIPAA Audits Upcoming Initiatives 1 Enforcement

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

The Relationship Between HIPAA Compliance and Business Associates

The Relationship Between HIPAA Compliance and Business Associates The Relationship Between HIPAA Compliance and Business Associates 1 HHS Wall of Shame 20% Involved Business Associates Based on HHS Breach Portal: Breaches Affecting 500 or More Individuals, Type of Breach

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment Preparing Your Organization for a HHS OIG Information Security Audit David Holtzman, JD, CIPP/G CynergisTek, Inc. Brian C. Johnson, CPA, CISA HHS OIG Section 1: Models for Risk Assessment Section 2: Preparing

More information

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services. Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services. June 2017 Melanie Duerr Fazzi Associates Partner, Director of Coding Operations Jami Fisher Fazzi Associates Chief Information

More information

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 With the industrialization of hacking and the enormous impact of security breaches,

More information

University of Wisconsin-Madison Policy and Procedure

University of Wisconsin-Madison Policy and Procedure Page 1 of 10 I. Policy The Health Information Technology for Economic and Clinical Health Act regulations ( HITECH ) amended the Health Information Portability and Accountability Act ( HIPAA ) to establish

More information

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification 2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification Presenters Jared Hamilton CISSP CCSK, CCSFP, MCSE:S Healthcare Cybersecurity Leader, Crowe Horwath Erika Del Giudice CISA, CRISC,

More information

The simplified guide to. HIPAA compliance

The simplified guide to. HIPAA compliance The simplified guide to HIPAA compliance Introduction HIPAA, the Health Insurance Portability and Accountability Act, sets the legal requirements for protecting sensitive patient data. It s also an act

More information

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative

More information

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017 HIPAA in 2017: Hot Topics You Can t Ignore Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017 Breach Notification State Law Privacy Rule Authorizations Polices and Procedures The Truth Is Have created

More information

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty By Jill Brooks, MD, CHCO and Katelyn Byrne, BSN, RN Data Breaches

More information

HIPAA-HITECH: Privacy & Security Updates for 2015

HIPAA-HITECH: Privacy & Security Updates for 2015 South Atlantic Regional Annual Conference Orlando, FL February 6, 2015 1 HIPAA-HITECH: Privacy & Security Updates for 2015 Darrell W. Contreras, Esq., LHRM Gregory V. Kerr, CHPC, CHC Agenda 2 OCR On-Site

More information

Maryland Health Care Commission

Maryland Health Care Commission Special Review Maryland Health Care Commission Security Monitoring of Patient Information Maintained by the State-Designated Health Information Exchange September 2017 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT

More information

locuz.com SOC Services

locuz.com SOC Services locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security

More information

Understanding IT Audit and Risk Management

Understanding IT Audit and Risk Management Understanding IT Audit and Risk Management Presentation overview Understanding different types of Assessments Risk Assessments IT Audits Security Assessments Key Areas of Focus Steps to Mitigation We need

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes the HIPAA Security Rule requirements that should be implemented by both covered entities and business associates. The citations are to 45 CFR

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes the HIPAA Security Rule requirements that should be implemented by both covered entities and business associates. The citations are to 45 CFR

More information

Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices

Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA Summit Baltimore, Maryland October 31. 2002 Living

More information

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute June 21, 2016 6/21/2016 1 1 Disclaimer

More information

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment Tool Physical Safeguards Content Version Date:

More information

Certified Information Security Manager (CISM) Course Overview

Certified Information Security Manager (CISM) Course Overview Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,

More information

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/ Compliance Institute Session 501: Implementing a System-Wide Access Monitoring Program Brian D. Annulis Meade, Roach & Annulis, LLP Aegis Compliance & Ethics Center, LLP 4147 N. Ravenswood Avenue Suite

More information

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced

More information

NYDFS Cybersecurity Regulations

NYDFS Cybersecurity Regulations SPEAKERS NYDFS Cybersecurity Regulations Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com www.huntonprivacyblog.com March 9, 2017 The Privacy Team at Hunton & Williams Over 30 privacy

More information

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not

More information

Clearwater HIPAA Security Assessment Software. Demonstration

Clearwater HIPAA Security Assessment Software. Demonstration Clearwater HIPAA Security Assessment Software Demonstration Bob Chaput 615-656-4299 or 800-704-3394 bob.chaput@clearwatercompliance.com Clearwater Compliance LLC 1 About HIPAA-HITECH Compliance 1. We are

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice PREPARING FOR SOC CHANGES AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice On May 1, 2017, SSAE 18 went into effect and superseded SSAE 16. The following information is here

More information

The Role of IT in HIPAA Security & Compliance

The Role of IT in HIPAA Security & Compliance The Role of IT in HIPAA Security & Compliance Mario Cruz OFMQ Chief Information Officer For audio, you must use your phone: Step 1: Call (866) 906-0123. Step 2: Enter code 2071585#. Mario Cruz Mario Cruz

More information

Information Security Risk Strategies. By

Information Security Risk Strategies. By Information Security Risk Strategies By Larry.Boettger@Berbee.com Meeting Agenda Challenges Faced By IT Importance of ISO-17799 & NIST The Security Pyramid Benefits of Identifying Risks Dealing or Not

More information

The HITECH Act. 5 things you can do Right Now to pave the road to compliance. 1. Secure PHI in motion.

The HITECH Act. 5 things you can do Right Now to pave the road to compliance. 1. Secure PHI in motion. The HITECH Act 5 things you can do Right Now to pave the road to compliance Beginning in 2011, HITECH Act financial incentives will create a $5,800,000 opportunity over four years for mid-size hospital

More information

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Update on HIPAA Administration and Enforcement Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Updates Policy Development Breaches Enforcement Audit 2 POLICY DEVELOPMENT RECENTLY PUBLISHED: RIGHT OF ACCESS,

More information

Request for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare

Request for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare Request for Proposal HIPAA Security Risk and Vulnerability Assessment May 1, 2016 First Choice Community Healthcare Timeline The following Timeline has been defined to efficiently solicit multiple competitive

More information

Department of Public Health O F S A N F R A N C I S C O

Department of Public Health O F S A N F R A N C I S C O PAGE 1 of 7 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:

More information

HIPAA & Privacy Compliance Update

HIPAA & Privacy Compliance Update HIPAA & Privacy Compliance Update Vermont Medical Society FREE Wednesday Webinar Series March 15, 2017 Anne Cramer and Shireen Hart Primmer Piper Eggleston & Cramer PC acramer@primmer.com shart@primmer.com

More information

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges Pennsylvania ehealth Partnership Authority Pennsylvania s Journey for Health Information Exchange CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 Pittsburgh,

More information

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014 UNITED NATIONS DEVELOPMENT PROGRAMME AUDIT OF UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY Report No. 1173 Issue Date: 8 January 2014 Table of Contents Executive Summary

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles Incident Response Lessons From the Front Lines Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles 1 Conflict of Interest Nolan Garrett Has no real or apparent conflicts of

More information

Avanade s Approach to Client Data Protection

Avanade s Approach to Client Data Protection White Paper Avanade s Approach to Client Data Protection White Paper The Threat Landscape Businesses today face many risks and emerging threats to their IT systems and data. To achieve sustainable success

More information

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC 855 85 HIPAA (855-854-4722) www.compliancygroup.com 1 Started in 2005 by HIPAA auditors & Compliance experts Market need for a total end client solution Created The Guard: cloud-based solution Compliance

More information

2015 HFMA What Healthcare Can Learn from the Banking Industry

2015 HFMA What Healthcare Can Learn from the Banking Industry 2015 HFMA What Healthcare Can Learn from the Banking Industry Agenda Introduction- Background and Experience Healthcare vs. Banking The Results OCR Audit Results Healthcare vs. Banking The Theories Practical

More information

If a HIPAA Breach Happens, Are You Ready?

If a HIPAA Breach Happens, Are You Ready? If a HIPAA Breach Happens, Are You Ready? Greg Vetter Director, Healthcare Consulting McGladrey Caron Cullen Sr. VP & Chief Compliance Officer Affinity Health Plan Topics If a breach happens, are you ready?

More information

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c. Catherine M. Boerner, Boerner Consulting LLC Heather Fields, 1 Discuss any aggregate results of the desk audits Explore the Sample(s) Requested and Inquire of Management requests for the full on-site audits

More information

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules Marissa Gordon-Nguyen Office for Civil Rights (OCR) U.S. Department of Health and Human Services June

More information

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Internal Audit Report Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Objective Review of process controls and service delivery of the TxDOT electronic bidding process. Opinion Based

More information

Threat and Vulnerability Assessment Tool

Threat and Vulnerability Assessment Tool TABLE OF CONTENTS Threat & Vulnerability Assessment Process... 3 Purpose... 4 Components of a Threat & Vulnerability Assessment... 4 Administrative Safeguards... 4 Logical Safeguards... 4 Physical Safeguards...

More information

How to Conduct a Business Impact Analysis and Risk Assessment

How to Conduct a Business Impact Analysis and Risk Assessment How to Conduct a Business Impact Analysis and Risk Assessment By Larry Pedrazoli Business Recovery Analyst Miller Brewing Company February 2006 Project Management Institute, La Crosse, WI Chapter Agenda

More information

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved. HITRUST CSF Assurance Program HITRUST CSF Assurance Program The Need Organizations facing multiple and varied assurance requirements from a variety of parties Increasing pressure and penalties associated

More information

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW EXECUTIVE SUMMARY CenturyLink is committed to ensuring business resiliency and survivability during an incident or business disruption. Our Corporate Business

More information

Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018

Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018 Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations Christopher S. Yoo University of Pennsylvania July 12, 2018 Overview of Research Tort and products liability for CPS Privacy and

More information

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates Ruby Raley, Director Healthcare Solutions Axway Agenda Topics: Using risk assessments to improve

More information

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011 HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, 2012 Phyllis F. Granade The Granade Law Firm Atlanta, GA (678) 705 2507 pgranade@granadelaw.com www.granadelaw.com Looking

More information

Emerging Challenges in mhealth: Keeping Information Safe & Secure HCCA CI Web Hull Privacy, Data Protection, & Compliance Advisor

Emerging Challenges in mhealth: Keeping Information Safe & Secure HCCA CI Web Hull Privacy, Data Protection, & Compliance Advisor Emerging Challenges in mhealth: Keeping Information Safe & Secure HCCA CI 2016 Web Hull Privacy, Data Protection, & Compliance Advisor Web.Hull@icloud.com 1 Topics 1. mhealth Challenges & Landscape 2.

More information

Topics 4/11/2016. Emerging Challenges in mhealth: Keeping Information Safe & Secure. Here s the challenge It s just the beginning of mhealth

Topics 4/11/2016. Emerging Challenges in mhealth: Keeping Information Safe & Secure. Here s the challenge It s just the beginning of mhealth Emerging Challenges in mhealth: Keeping Information Safe & Secure HCCA CI 2016 Web Hull Privacy, Data Protection, & Compliance Advisor Web.Hull@icloud.com 1 Topics 1. mhealth Challenges & Landscape 2.

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,

More information

PLEASE NOTE. - Text the phrase MICHAELBERWA428 to the number /23/2016 1

PLEASE NOTE. - Text the phrase MICHAELBERWA428 to the number /23/2016 1 PLEASE NOTE This is an interactive panel, and we will be conducting voting throughout. To make voting easy, please register NOW, before the panel starts. To register: - Text the phrase MICHAELBERWA428

More information

General Information Technology Controls Follow-up Review

General Information Technology Controls Follow-up Review Office of Internal Audit General Information Technology Controls Follow-up Review May 19, 2015 Internal Audit Team Shannon B. Henry Chief Audit Executive Stacy Sneed Audit Manager Rod Isom Auditor Winston-Salem

More information

Business Continuity Management Standards A Side-by-Side Comparison

Business Continuity Management Standards A Side-by-Side Comparison Business Continuity Standards A Side-by-Side Comparison By Brian Zawada (CBCP) & Jared Schwartz (CBCP) Whether your organization has begun a grassroots initiative to develop a business continuity plan

More information

Support for the HIPAA Security Rule

Support for the HIPAA Security Rule white paper Support for the HIPAA Security Rule PowerScribe 360 Reporting v1.1 healthcare 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe

More information

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY Practice Areas: Healthcare Labor and Employment JASON YUNGTUM jyungtum@clinewilliams.com (402) 397 1700 Practice Areas: Healthcare

More information

CCISO Blueprint v1. EC-Council

CCISO Blueprint v1. EC-Council CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance

More information

EMERGENCY MANAGEMENT

EMERGENCY MANAGEMENT CSU The California State University Office of Audit and Advisory Services EMERGENCY MANAGEMENT California State University, Dominguez Hills Audit Report 16-43 August 30, 2016 EXECUTIVE SUMMARY OBJECTIVE

More information