TRANSCRIPT
User Accounts: Using Data Analytics to Evaluate Account Administration
Tom Valiquette, Program Manager, Compliance Advanced Data Analytics
TAR & IDX
Carolinas HealthCare System
Carolinas HealthCare System (CHS) is the largest healthcare system in the Carolinas, and the second largest non-profit public system in the nation. CHS provides a lifetime medical home to patients through a network of more than 600 care locations including hospitals, freestanding emergency departments, physician practices, surgical and rehabilitation centers, home health agencies, nursing homes and other facilities.
CHS Corporate Mission
To create and operate a comprehensive system to provide health care and related services, including education and research opportunity, for the benefit of the people we serve.
Compliance Advanced Data Analytics – Corporate Compliance Division (organization chart)
Division functions:
• Facility Compliance – Hospital Services Billing
• Physician Compliance – Physician Services Billing
• Corporate Privacy – Privacy of Patient Information
• Audit Services – Construction, Corporate Operations, Hospitals, Technology, Physician Practices
Partnership allows Corporate Compliance Division to leverage common resources.
Key Considerations
• Decide your end-game
• What is your corporate standard
• Source of truth
• Data normalization
• Known data exceptions
• Reports
• Error validation
• Continuous auditing
What is your end game?
1. Evaluate for key risks (one-time audit)
– Active user accounts of terminated employees/contractors
– Ghost accounts – fraudulent transactions
2. Continuous Audit/Monitor active improvement process – User identification standard
3. Build case for corporate identity management solution
Corporate Standard
Maturity ranges from Informal to Uniform:
• Informal: Application Administrators assign identification
• Some Administrators mimic a “standard”
• Uniform: Policy-driven identity management, unique identifiers
Program Example User Accounts
• Individual system installations
• Individual systems do not communicate with each other.
• Not integrated with Windows Active Directory
• Manual user account administration managed at each hospital
(Diagram: Hospital 1 through Hospital 8, each with its own installation)
Program Example, cont.
Risks
• External Regulator sanctions due to active user account for terminated employee (JCAHO – Joint Commission on Accreditation of Healthcare Organizations)
• System access using terminated employee account
Program Example, cont.
Current State
• Monitor hospital user account administration (timely account termination)
• Identify new user account ID errors
• Compliance with external regulation
Future State
• Profile user role behavior
• Assess user behavior for outlier events
• Transfer user account monitoring to business unit
Source of “Truth”
• Central list used to identify personnel
• Maintained to some standard
• Contains unique identifier
• Customer and Audit agree
Candidates: Active Directory; Employee Roster
Corporate “standard” for application user identification.
Active Directory Example
Pattern: First Initial, First Five Last Name, two digit number (α ααααα ##)
Example: Sharon Smith -> ssmith72
Source of “Truth”
PeopleSoft – Human Resources Example
Pattern: Six digit number (######)
Example: 123456
CAATs Data Preparation
• Provision data on same schedule
• Remove application-specific known user ID modifications
• Target and isolate approved administrative accounts
• Only ACTIVE target system user accounts
TargetSystem User ID | ComputedID (used for matching) | TargetSystem User Last Name | TargetSystem User First Name
5309      | 5309     | JOHNSON | ELLIOT
EJOHNS01  | EJOHNS01 | JOHNSON | ELLIOT
EJOHNS01W | EJOHNS01 | JOHNSON | TIM     (ID Modification: trailing W removed to derive the ComputedID)
Identity Identification TESTs
C01a Match unique corporate identity source
C01b Find user first name in corporate identity source, OR
C01b (alternative) Fuzzy match user first name with corporate identity source (Levenshtein distance: the minimum number of single-character edits (insertion, deletion, substitution) required to change one word into the other)
TargetSystem User ID | ComputedID (used for matching) | TargetSystem User Last Name | TargetSystem User First Name | SourceSystem EmployeeID | SourceSystem UserName
5309      | 5309     | JOHNSON | ELLIOT |          |
EJOHNS01  | EJOHNS01 | JOHNSON | ELLIOT | EJOHNS01 | JOHNSON,ELLIOT
EJOHNS01W | EJOHNS01 | JOHNSON | TIM    | EJOHNS01 | JOHNSON,ELLIOT
Termination Status TEST
C01c UserID active status dates are between employment start and end dates
TargetSystem User ID | ComputedID (used for matching) | TargetSystem ActiveDate | TargetSystem TermDate | SourceSystem EmployeeID | SourceSystem TerminationDate
5309      | 5309     | 12/12/2009 |  |          |
EJOHNS01  | EJOHNS01 | 05/24/2010 |  | EJOHNS01 |
EJOHNS01W | EJOHNS01 | 05/24/2010 |  |          |
Only EJOHNS01 is testable (other accounts failed in previous tests).
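The C01a, C01b and C01c tests as they run in sequence, written here as an added Python example that is not part of the presentation. The sample roster and accounts are constructed to mirror the slide tables; the trailing-W suffix rule, the Levenshtein threshold of 2, the TSMITH02 account and all employment dates are assumptions.

```python
from datetime import date

# Constructed sample data modelled on the slide tables (not real CHS data).
# Source of truth: PeopleSoft-style roster keyed by EmployeeID; dates assumed.
SOURCE = {
    "EJOHNS01": {"name": "JOHNSON,ELLIOT", "start": date(2005, 1, 10), "end": None},
    "TSMITH02": {"name": "SMITH,TIMOTHY", "start": date(2008, 3, 1), "end": date(2010, 1, 15)},
}
# Active target-system accounts (the "TargetSystem" columns on the slides).
TARGET = [
    {"user_id": "5309", "first": "ELLIOT", "active": date(2009, 12, 12)},
    {"user_id": "EJOHNS01", "first": "ELLIOT", "active": date(2010, 5, 24)},
    {"user_id": "EJOHNS01W", "first": "TIM", "active": date(2010, 5, 24)},
    {"user_id": "TSMITH02", "first": "TIMOTHEY", "active": date(2010, 5, 24)},
]
# Known application-specific ID modifications stripped before matching
# (slide: EJOHNS01W -> EJOHNS01). Only the "W" suffix is shown on the slide.
KNOWN_SUFFIXES = ("W",)

def computed_id(user_id):
    """Normalise a target-system user ID to the corporate identifier."""
    for suffix in KNOWN_SUFFIXES:
        if user_id.endswith(suffix) and len(user_id) > len(suffix):
            return user_id[: -len(suffix)]
    return user_id

def levenshtein(a, b):
    """Minimum single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def run_tests(account, source=SOURCE, max_distance=2):
    """Apply C01a, C01b, C01c in order and stop at the first failure, as the
    slides do ("only EJOHNS01 is testable"). Returns [] for a clean account."""
    emp = source.get(computed_id(account["user_id"]))
    if emp is None:  # C01a: no match in the corporate identity source
        return [("C01a", "Application userID not found in PeopleSoft")]
    src_first = emp["name"].split(",")[1].strip()
    # C01b: exact first-name match, else fuzzy match within max_distance
    if account["first"] != src_first and levenshtein(account["first"], src_first) > max_distance:
        return [("C01b", "Application userID first name does not match first name in PeopleSoft")]
    # C01c: the account's active date must fall inside the employment window
    if account["active"] < emp["start"] or (emp["end"] and account["active"] > emp["end"]):
        return [("C01c", "Application userID has active status in application but PeopleSoft status is not active")]
    return []
```

Run over TARGET, 5309 fails C01a, EJOHNS01W fails C01b, TSMITH02 passes the fuzzy name match but fails C01c, and EJOHNS01 is clean.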
Other Considerations TESTs
C01d No activity with UserID in greater than X days
C01e Terminated Employee account activity since termination
C01f Behavior Analysis – role-based controls – outlier event identification (e.g., Intensive Care Nurse)
These tests require additional target system data.
C02 Next System
C## Cross Target System testing
Reports
• Identify primary audience (audit management, customer?)
• Summary vs. Detail
• Facilitate exception management process
Report #1 / Report #2
System | TestCode | ErrorReason | Error Count
STAR | C01a | Application userID not found in PeopleSoft | 1
STAR | C01b | Application userID first name does not match first name in PeopleSoft | 1
STAR | C01c | Application userID has active status in application but PeopleSoft status is not active | 0
STAR | C02a | Application userID not found in Active Directory | 1
STAR | C02b | Application userID first name does not match first name in Active Directory | 1
STAR | C02c | Application userID has active status in application but Active Directory status is not active | 1
Error Validation
UserID | Test | ErrorReason | ErrorValidation | ValidationReason
5309 | C01a | Application userID not found in PeopleSoft | EC99 - Valid Error | RC99 - Remediation Plan
EJOHNS01W | C01b | Application userID first name does not match first name in PeopleSoft | EC01 - Not Error | RC02 - False Positive - Positive Teammate ID
• Allows the customer the opportunity to participate in the audit process
• Demonstrates to senior leadership the customer's willingness to correct problems
• Approved false-positives accounted for in continuous auditing program
• Remediation plans confirmed by continuous auditing program
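The exception-management loop described above (summary counts, approved false positives suppressed, remediation plans confirmed on re-audit), as an added Python example that is not part of the presentation. The two runs and the validation responses are constructed; the first run partly mirrors the slide's Report #1 for system STAR, and the JDOE99 account and the C02a row are assumptions.

```python
from collections import Counter

# Constructed exception rows (system, user_id, test_code) as produced by the
# identity tests; PRIOR_RUN partly mirrors the slide's Report #1 for STAR.
PRIOR_RUN = [
    ("STAR", "5309", "C01a"), ("STAR", "EJOHNS01W", "C01b"), ("STAR", "5309", "C02a"),
]
CURRENT_RUN = [
    ("STAR", "EJOHNS01W", "C01b"), ("STAR", "5309", "C02a"),
    ("STAR", "EJOHNS01W", "C02c"), ("STAR", "JDOE99", "C01a"),
]
# Customer responses from error validation, keyed by (user_id, test_code).
# Codes are the slide's: EC01/RC02 = Not Error, False Positive;
# EC99/RC99 = Valid Error, Remediation Plan. JDOE99 is a constructed new account.
VALIDATION = {
    ("5309", "C01a"): ("EC99", "RC99"),
    ("EJOHNS01W", "C01b"): ("EC01", "RC02"),
    ("5309", "C02a"): ("EC99", "RC99"),
}

def error_code(validation, key):
    return validation.get(key, ("", ""))[0]

def summary_report(run, validation=None):
    """Report #1: error count per (system, test code). Exceptions the customer
    validated as Not Error (EC01) are excluded from continuous-auditing counts."""
    counts = Counter()
    for system, user_id, test in run:
        if error_code(validation or {}, (user_id, test)) != "EC01":
            counts[(system, test)] += 1
    return dict(counts)

def triage(prior, current, validation):
    """Compare two runs against the validation responses: approved false
    positives are suppressed, remediation plans are confirmed when the
    exception disappears, and anything unvalidated is raised as new."""
    prior_keys = {(u, t) for _s, u, t in prior}
    current_keys = {(u, t) for _s, u, t in current}
    out = {"new": [], "suppressed": [], "outstanding": [], "remediated": []}
    for key in sorted(current_keys):
        code = error_code(validation, key)
        if code == "EC01":
            out["suppressed"].append(key)
        elif code == "EC99":
            out["outstanding"].append(key)   # remediation plan not yet effective
        else:
            out["new"].append(key)           # needs customer validation
    for key in sorted(prior_keys - current_keys):
        if error_code(validation, key) == "EC99":
            out["remediated"].append(key)    # remediation confirmed by re-audit
    return out
```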
Continuous Auditing/Monitoring
• Provides evidence for “end-game”
– Identify root cause(s)
– Monitor process improvement
– Need for central Identity Management System
• Transition auditing to business unit
• Monitor process improvement gains
– Monitoring provides re-audit signals
• Allows for key system comparison
Questions?
Tom Valiquette, Program Manager, Compliance Advanced Data Analytics, Corporate Compliance
[email protected]
O: 704-512-5903