Implementing Controls
Midwest Health System
Midwest Health System is a significant health care provider in a town in the central United States. Led by Steve Nelson, the Midwest internal audit group was tasked with assessing risks and designing and implementing controls to meet the goals and objectives of the organization. In addition, Nelson wanted to ensure that the organization met federal, state, and industry regulations and compliance expectations with respect to revenues, collections, and operational costs. This analysis was originally written for Dr. Joshua Davis's course on information security at Missouri State University.
The IT general controls (ITGCs) are applied to all applications, as shown in Appendix A of the Harvard coursepack. In their second meeting, the Midwest internal audit group concluded that the two main areas of control needed were access security and change management. In addition, controls need to work to reduce the loss of revenue from incorrect billing, fraud, and other factors.
The first control risk, securing access and preventing unauthorized access, had many possible controls to mitigate it. The test of control recommended by the team was to check administrative password integrity. This control is vague on its own and should be accompanied by other controls. Users should have access only to the data and resources they need to complete their job and nothing more. Data integrity is an important reason to limit access, because unauthorized access to data would undermine its integrity. The organization must ensure that processes and procedures work correctly to authenticate users' physical and logical access according to their responsibilities.
Additionally, intrusion detection systems that scan for malicious activity and policy violations should be put into place. Access security also involves physical security to safeguard physical assets, which in this case consist of computer equipment and data centers.
The second control risk and area of concern was change management. Not verifying benefits and obtaining pre-certification could cause billing issues with third-party payers and patients, and a loss of revenue could result from fraud and incorrect billing. Methodist Health had three categories of patients: inpatient, outpatient, and emergency. For inpatients and outpatients, billing information and collection started in the registration process, which ensured that the correct identity, demographic, and insurance information was collected from the patient. For emergency room visits, however, the financial counselors verified benefits only as soon as possible after the fact. This left room for error, and the team recommended a few possible tests of controls.
Of the possible tests of controls from the team, I believe all of them could work. However, options one and four would have a more considerable impact on assessing the verification process. The first one would work because the staff doing the verification would know of any gray areas and could tell from first-hand experience where errors are most likely. Additionally, the last option would be a healthy control to test: putting the process of verifying benefits and the timing of verification to the test first hand would bring any problems to light.
Residual risk is the amount and type of risk that remains after controls are accounted for; it persists even after the proper controls are put into place. In this analysis, it is essential to note that every decision has an impact and every control carries residual risk. The control the Midwest internal audit group put into place regarding unauthorized access was to check with the information security officer whether administrative passwords were limited in number and strong. This is where the first residual risk becomes apparent. If the administrator passwords are not strong and long enough, they would have to be changed, and administrative password policy requirements might need to be added. Additionally, if too many administrative passwords existed, their number would need to be reduced.
A second residual risk arises from the control above when asking registration staff about the verification process, because the outcome of the control depends on the answers the staff give. For example, the registration staff might be asked about previous times when they failed to verify benefits, or where they have seen errors and gray areas in verifying benefits. Questions of this type could lead the staff to lie out of fear of negative consequences from their answers. This would undermine the test of control, and the same applies when financial counselors are asked about the verification process.
Additionally, asking the right staff about the verification process is critical. There is a large number of registration staff, and asking the wrong staff members is another part of this residual risk. Some staff may have experienced problems collecting third-party payer and insurance information from patients, while other staff may not have experienced those problems.
Lastly, another residual risk could be caused by the control listed above that uses a sample ER admission. This control has many gray areas because there are numerous reasons verifying a patient's benefits could be delayed, for example if the patient is unconscious or in a coma and cannot answer questions about benefits. In addition, the results could be skewed by how the ER and financial counselors treat the sample. For example, if the staff were aware that the ER admission was a test, they would treat the situation differently and give it higher importance regarding registration and verification. The results would also depend on the time the sample was admitted, for example whether it was admitted at a high-volume time.
I agree with the Midwest internal audit group's conclusion that access security and change management were significant areas of concern. However, I am not at all convinced that they are the only two significant areas of concern. Another significant area that I believe the team missed was business continuity. According to the case, business continuity refers to an entity's ability to recover its processing capability in a timely manner in the case of system failure or a catastrophic event. I believe this should be a significant concern for two reasons. First, Midwest does not have a written business continuity or disaster recovery plan because management deemed it not cost-effective for an organization of its size. Any organization is susceptible to a catastrophic event, whether a natural disaster or another type of failure. Although Midwest is located in a central town in the United States, it is still susceptible to natural disasters and failures. Additionally, one of the internal audit group's key responsibilities is to "conduct critical incident responses, monitoring and remediating them as needed." A natural disaster would be a critical incident in this scenario.
Secondly, the decision not to have a business continuity or disaster recovery plan was made because management believed it would be cost-prohibitive for an organization of its size. In 2016 the total revenue was over $400 million. Given the large amount of data they are storing relative to their income, I believe a business continuity and disaster recovery plan is undoubtedly within their budget and cost-effective. Additionally, one of the critical responsibilities of the audit group is to "evaluate information security, privacy, and associated exposures related to HIPAA compliance." I am not a HIPAA compliance professional; however, according to US Signal, disaster recovery is crucial for HIPAA compliance (1).
I would recommend two things from the case analysis for Chief Information Officer Steve Nelson. The first recommendation extends from the business continuity and disaster recovery discussion above. According to US Signal, the Health Insurance Portability and Accountability Act requires this of Midwest Health: they are a significant health provider and possess IT systems containing electronic protected health information (ePHI). HIPAA requires several contingency plan components to be met, one of which is called an emergency mode operation plan, which "establishes procedures to ensure you can continue the necessary business processes for protecting the security of ePHI while you're operating in emergency mode" (1). Depending on how the backups are configured at Midwest, this requirement may already be met. Nevertheless, I would recommend that Mr. Nelson reconsider and revisit the business continuity plan.
Additionally, I would recommend that Mr. Nelson provide more detail on the tests of controls proposed by the audit team. Exhibit 8 of the case lists the audit group's possible test of control as "ask the information security officer, Van Horde, whether administrative passwords are limited and strong." This test of control is vague and leaves a gray area. While it is beneficial, I would recommend adding more detail to the possible tests of controls or adding additional controls to address the risk category of unauthorized access. Finally, I would suggest to Mr. Nelson that the Midwest internal audit group hold a third meeting to discuss authorized access and overall IT security in more depth.
Sources
(1) "The Disaster Recovery Component of HIPAA Compliance." US Signal, 7 Apr. 2021, ussignal.com/blog/the-disaster-recovery-component-of-hipaa-compliance#:~:text=In%20simple%20terms%2C%20they%20are,in%20the%20HIPAA%20Omnibus%20Rule.