Testing for Segregation of Duties and User Access in Epic System
Joanna Encallado, CIA, Senior Auditor, Renown Health
AHIA 32nd Annual Conference – August 25-28, 2013 – Chicago, Illinois
www.ahia.org
Overview
Background information on Renown
Background information on Epic
Testing for SOD in a computer system
  Typical challenges
  Steps
  Possible recommendations
Additional testing for user access
  Steps
Renown Health
2 acute care facilities (884 licensed beds), including Children’s Hospital and Trauma Center
Rehab, Skilled Nursing, Home Care
6 urgent care locations, 16 medical group locations
7 physician offices; 12 imaging locations
10 lab draw locations
Various joint ventures
Institutes for neuroscience, chest pain, heart & vascular, robotic surgery, and cancer
Background Info on Epic
Mid-size to large medical groups, hospitals and integrated healthcare organizations
Integrated software:
  registration system
  scheduling system
  clinical systems
  billing systems
  MyChart (patient view of their records)
Background Info on Epic
In Epic, users are generally assigned a:
  Template, which is linked to a
  Security class, which is assigned various
  Security points, which are the functions within Epic that users can perform
Background Info on Epic
* A security point can be applied to various security classes *
Challenges of Testing SOD in a Computer System
Number of users that have access to the system
Users performing multiple functions (roles) in the system
Language barrier between auditors and IT
Auditors “don’t know what they don’t know”
Testing for SOD in a Computer System
Obtain the data
Understand the data
Organize the data
Evaluate the data
Validate results
Obtaining the Data
* From IT *
List of active Epic users and their assigned template and security class:
  Epic User ID
  User Name
  Template ID
  Template Name
  Security Class ID
  Security Class Name
List of security points for each security class
List of the security point descriptions
Obtaining the Data
* From HR *
List of current employees:
  Employee ID
  Employee Name
  Department ID
  Department Name
  Position Description
Obtaining the Data
Combine:
  List of active users
  List of current employees
Import the files into a database program and run a query using a common field:
  User ID from the list of active users
  Employee ID from the list of current employees
Obtaining the Data
Unmatched Query: active Epic users with no current-employee record, typically
  Non-employees (vendors, consultants)
  Generic access
  Terminated employees
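The join and unmatched query from the two slides above, written as an added example in plain Python rather than a database program (this is not code from the presentation). The two extracts are constructed sample data, and the example assumes the Epic User ID and the HR Employee ID carry the same value for an employee, which is the common field the slides join on.

```python
# Added example, not from the presentation: the "unmatched query" that joins
# the IT extract of active Epic users to the HR extract of current employees.
# Both lists are constructed sample data with the columns the slides list.

ACTIVE_EPIC_USERS = [  # constructed: IT extract
    {"user_id": "10001", "user_name": "A. Smith", "template_id": "T01",
     "template_name": "Patient Access", "class_id": "SC1", "class_name": "Registrar"},
    {"user_id": "10002", "user_name": "B. Jones", "template_id": "T05",
     "template_name": "Billing", "class_id": "SC5", "class_name": "Biller"},
    {"user_id": "10009", "user_name": "C. Former", "template_id": "T05",
     "template_name": "Billing", "class_id": "SC5", "class_name": "Biller"},
    {"user_id": "GENERIC1", "user_name": "Front Desk Shared", "template_id": "T01",
     "template_name": "Patient Access", "class_id": "SC1", "class_name": "Registrar"},
]

CURRENT_EMPLOYEES = [  # constructed: HR extract
    {"employee_id": "10001", "employee_name": "A. Smith", "dept_id": "D10",
     "dept_name": "Patient Access", "position": "Registrar"},
    {"employee_id": "10002", "employee_name": "B. Jones", "dept_id": "D20",
     "dept_name": "Patient Financial Services", "position": "Billing Specialist"},
]


def match_users_to_employees(users, employees):
    """Join the extracts on the common field (User ID = Employee ID).
    Returns (matched, unmatched): matched rows carry both IT and HR columns;
    unmatched rows are active Epic users with no current-employee record."""
    by_employee_id = {e["employee_id"]: e for e in employees}
    matched, unmatched = [], []
    for user in users:
        hr_row = by_employee_id.get(user["user_id"])
        if hr_row is None:
            unmatched.append(user)   # non-employee, generic, or terminated
        else:
            matched.append({**user, **hr_row})
    return matched, unmatched


def unmatched_user_ids(users, employees):
    """The IDs an auditor would follow up with IT and HR."""
    _, unmatched = match_users_to_employees(users, employees)
    return sorted(u["user_id"] for u in unmatched)


if __name__ == "__main__":
    for row in match_users_to_employees(ACTIVE_EPIC_USERS, CURRENT_EMPLOYEES)[1]:
        print(row["user_id"], row["user_name"], row["class_name"])
```

Which unmatched IDs are vendors, shared accounts or terminated staff still has to be confirmed with IT and HR; the query only surfaces them.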
Understanding the Data
Not understanding the data can lead to faulty conclusions!
Understanding the Data
Schedule a meeting with IT staff
  Become familiar with the data
  Prepare questions
  Arrange for computer and data access
  Clarify fields/data
  Discuss audit steps
  Restate understanding
Understanding the Data
Understand the description of each security point.
Some of the security points:
  restrict user access (“cannot access adjustment posting” or “restricts the ability to edit…”)
  grant view-only access
  may not be activated
Organizing the Data
Identify risks related to segregation of duties: * See handout 1 *
  every organization is exposed to numerous risks
  focus on risks that are important to your organization
Organizing the Data
Categorize security points by type of access:
  adjustment
  bad debt
  payment posting
  charging
  refund
  claims processing
  coding
  miscellaneous activity (i.e. print account letters)
  restrictive
  financial/clinical information
  force claim/charges
  view only
  inactive
Organizing the Data
Eliminate from testing the following types of security points:
  in the miscellaneous category
  restrict user access
  provide view-only access
  are inactivated
* Make a copy of the original data and only make changes to the replicated data *
Evaluating the Data
For each risk identified, determine the security point categories * See handout 1 *
  Must have at least 2 different categories
For each security point category, determine which security classes are assigned those security points * See handout 2 *
Evaluating the Data
A security class with incompatible security point categories allows the users under it to perform conflicting duties * See handouts 3 & 4 *
Evaluating the Data
Security classes with incompatible security points don’t necessarily mean access is inappropriate
This means that the access requires a mitigating control. * See handout 1 *
Evaluating the Data
Evaluating the Data
You save time by determining which security classes are assigned incompatible security points:
  instead of analyzing thousands of users
  you are only looking at a number of security classes
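The Evaluating the Data steps above (risks as sets of at least two categories, classes that hold every category in a risk, then the users under those classes) carried through as an added example; this is not code from the presentation or its handouts. The security points, their categories, the classes, the users and the two risk definitions are all constructed sample data standing in for handout 1 and handout 2.

```python
# Added example, not from the presentation: class-level SOD evaluation.
# Excluded types come from the Organizing the Data slide; everything else
# below is constructed sample data standing in for the handouts.

EXCLUDED_CATEGORIES = {"miscellaneous activity", "restrictive", "view only", "inactive"}

# security point ID -> (description, category assigned in the Organizing step)
SECURITY_POINTS = {
    "SP1": ("Post payments", "payment posting"),
    "SP2": ("Post adjustments", "adjustment"),
    "SP3": ("Issue refunds", "refund"),
    "SP4": ("Cannot access adjustment posting", "restrictive"),
    "SP5": ("View account history", "view only"),
    "SP6": ("Print account letters", "miscellaneous activity"),
}

# security class ID -> security points assigned to it (constructed)
SECURITY_CLASSES = {
    "SC5": {"SP1", "SP2", "SP5"},   # posts both payments and adjustments
    "SC6": {"SP1", "SP4", "SP6"},   # posts payments, barred from adjustments
    "SC7": {"SP3", "SP5"},          # refunds only
}

# risk -> categories that must not sit together (at least 2 per risk)
SOD_RISKS = {
    "Payment posting and adjustment by the same user": {"payment posting", "adjustment"},
    "Payment posting and refund by the same user": {"payment posting", "refund"},
}

USERS = [("10002", "SC5"), ("10003", "SC6"), ("10004", "SC7"), ("10005", "SC5")]


def class_categories(class_id):
    """Categories a class holds once the excluded point types are dropped."""
    cats = {SECURITY_POINTS[sp][1] for sp in SECURITY_CLASSES[class_id]}
    return cats - EXCLUDED_CATEGORIES


def conflicting_classes():
    """Map each risk to the security classes holding every category in it."""
    return {risk: sorted(c for c in SECURITY_CLASSES if cats <= class_categories(c))
            for risk, cats in SOD_RISKS.items()}


def affected_users(users=USERS):
    """Expand the class-level finding to users, only for flagged classes."""
    flagged = {c for classes in conflicting_classes().values() for c in classes}
    return sorted(uid for uid, cls in users if cls in flagged)
```

Only the few flagged classes are expanded to users, which is the time saving the slide describes; whether each flagged class has a business need and a mitigating control is still decided with IT and Operations.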
Validating Results
Ensure accuracy!
Validate results with individuals from:
  IT
  Operations
Possible Recommendations
Identify whether users assigned security classes with incompatible security points have a business need to perform those functions
If so, what mitigating controls are in place in their current process.
Possible Recommendations
If there is no business reason, we recommended that the access be revised
If there is a business reason but no mitigating control in place, we recommended that a mitigating control be put in place * See handout 1 *
Additional Testing for User Access
Unnecessary access to Epic (i.e. HR Recruiter, Marketing Rep, Cook)
Unnecessary access to billing functions (i.e. Credentialing Coordinator)
Inappropriate leadership access (i.e. Supervisor, Manager, Director, etc.)
Additional Testing for User Access
IT access to production other than view only
Master File access not restricted
Generic access
Multiple access
Terminated employees & non-employees
Additional Testing for User Access
Overrides: appropriate?
Users with no templates: unable to determine access
New user access not used within 30 days
User IDs not used in the past 180 days
Questions
Save the Date: September 21-24, 2014
33rd Annual Conference, Austin, Texas