control, and governance
Assessing IT Risks in the Health-care Industry
Assessing general IT control and high-risk areas can enable auditors to perform risk assessments that address key security issues in the health-care sector.
Director of IT Audit
CHAN Healthcare Auditors
Compared to other industries, the health-care community in the United States has often lagged behind in the adoption of workplace technology advancements. Operating primarily in a paper-based clinical process environment ― in which documentation was captured on a clipboard in the patients' room, physicians wrote pharmaceutical prescriptions and test results on paper, and x-rays were captured on film ― the health-care sector has been operating in the digital dark ages. "Technology has changed every other industry on the face of the Earth but this one," said Craig Barrett, chief executive officer of Intel, at a Sept. 2006 eHealth Initiative Meeting in Washington, D.C.
However, that's all changing now. Health-care providers are rapidly deploying IT systems to dramatically change business processes, create new opportunities, and reduce costs. While the adoption of new technology offers a number of benefits and gives health-care providers the opportunity to gain a competitive advantage, it also introduces new risks into the environment that must be managed appropriately. Because failures in health-care technology can be life threatening, internal auditors need to become aware of the different technology-related risks in the health-care field and learn about potential audit approaches to address identified problem areas.
WHY AUDITS ARE IMPORTANT
As part of their work, health-care providers collect and maintain non-clinical personal information that could be used for identity theft purposes, such as Social Security numbers and credit card and insurance account information. In addition, many organizations are adopting automated health information systems, thus highlighting the importance of continuous system availability and decreased downtime. Hence, data integrity remains a critical factor that is necessary to ensure better patient care (as shown in figure 1) and is an area that is regulated more and more through different national and industry-specific regulations.
Figure 1. Sample of news stories illustrating health-care provider incidents
Furthermore, the proliferation of health-care systems is on the rise. For instance, the Health Information and Management System Society's (HIMSS's) 18th Annual Leadership Survey (PDF, 572 KB) found that disaster recovery tools were ranked as the highest security technology that chief information officers (CIOs) planned to use or implement in the next two years. The survey provided insight into the priorities of CIOs in the health-care sector, their areas of perceived risks, and the tools used to mitigate those risks. (Refer to figures 2, 3, and 4 for more survey results.) One reason for this high ranking can be attributed to the increased presence of advanced clinical systems and the fact that many of the most important applications identified in the HIMSS survey are clinical in nature. Clinical systems are used to support patient care processes and include tools such as computerized physician order entry forms, electronic medical records, and bar-coded medication management systems.
Figures 2 (top), 3 (middle), and 4 (bottom). Summary of the top IT security concerns according to the HIMSS 2007 Leadership Survey
WHERE TO AUDIT
Considering the different IT security risks that are affecting organizations and the technologies used in the health-care field, where should internal auditors and organizations focus their audit activities? A good starting point is to conduct an IT enterprise risk assessment. Ideally, this risk assessment should be revisited and updated as necessary on a continuous basis.
An example of this kind of risk assessment was developed by CHAN Healthcare Auditors. The risk assessment uses industry-recognized frameworks and standards to associate control objectives with identified audit areas. Frameworks and standards used include the IT Governance Institute's Control Objectives for Information and related Technology, the UK Office of Government Commerce's IT Infrastructure Library, and the International Organization for Standardization's 27002: 2005 Standard.
The Risk Assessment
Health-care providers have hundreds of applications that can make the organization vulnerable to a security breach. As part of the risk assessment, CHAN created a list of audit universe areas where applications are present to better assess the IT risks of health-care providers. Risk areas identified in CHAN's audit universe include:
The audit universe also identified general control areas that should be examined during the assessment. These areas include:
Finally, besides identifying general control areas, the audit universe pinpoints a number of common IT security high-risk areas, including Web applications, medical devices connected to the network, wireless networks, and application interfaces. Below is a description of each high risk and its associated audit universe area.
Web Applications (Health Information Management Application Risk Area)
Many health-care providers have implemented Web-based physician and patient portals to allow visibility into their organization's clinical and financial data. A physician portal can be used for a number of purposes, such as viewing laboratory and radiology results, completing charts, and accessing an electronic medical record. Patient portals also can provide access to the patient's billing information, test results, scheduled appointments, bill payments, prescribed medications, and information on various medical conditions. If the Web application is not coded securely, vulnerabilities (e.g., cross-site scripting, SQL injections, etc.) could be exploited by an unauthorized user via the Internet to compromise the confidentiality of sensitive information.
Common tools that can be used to identify risks associated with health-care IT practices performed online include Hewlett Packard's WebInspect scanner, IBM's Watchfire AppScan, and Acunetix's Web Vulnerability Scanner. For instance, after performing a comprehensive application vulnerability assessment of a recently deployed patient portal using a Web scanning tool, CHAN found that a number of the application forms did not properly validate input and were vulnerable to a SQL-injection attack. This vulnerability allowed the audit group to capture and display all of the tables in the application database, including the table that contained user IDs and passwords, from the Internet.
Medical Devices Connected to the Network (Network Infrastructure General Control Risk Area)
A number of medical devices such as monitors, intravenous or IV pumps, and radiology devices must now be connected to the organization's IT network. These devices often run on commercial, off-the-shelf operating systems and must be patched to protect them against malicious software and unauthorized access. In addition, these applications are typically managed by the clinical engineering department, not the IT department, so coordination is critical to ensure that roles and responsibilities are clearly defined and risks are mitigated.
Using MDS2 Forms
To help health-care providers better assess risks, many manufacturers of medical devices are providing Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms. The purpose of these forms is to give health-care providers important information that can assist them in assessing the vulnerability and risks associated with electronically protected health information (ePHI) that is transmitted or maintained by a medical device. For example, if risks associated with medical devices are mitigated inappropriately, the applications could become infected with malicious software that can spread across the network, thus impacting other critical devices on the network or allowing unauthorized access to sensitive information.
A sample MDS2 form can be downloaded from the HIMSS Web site (PDF, 419 KB).
To assess the risks associated with medical devices that are connected to the network, auditors can perform an inventory that indicates the type of device being reviewed; who is responsible for managing the application; the tool's maintenance history, location, and IP address (if connected); and whether a Manufacturer Disclosure Statement for Medical Device Security (MDS2) form was obtained from the manufacturer. For devices that have an MDS2 form, the auditor should review that the organization understands the type of information stored on the device and any associated administrative, technical, and physical safeguards that are part of the application.
Internal auditors also should determine if recommended security practices identified in the MDS2 forms are addressed and scan each medical device with a vulnerability scanner to ensure appropriate patches have been installed and their configuration is secure. Scanning should take place only after obtaining permission from the person responsible for the device that will be scanned. Finally, many hospitals isolate medical devices on a virtual local area network (VLAN) to reduce risks. In cases such as these, the auditor should review the network configuration to ensure medical devices are appropriately isolated.
Wireless Networks (Network Infrastructure General Control Risk Area)
Many advanced clinical systems are designed to use wireless networks that capture and present information at the point-of-care (i.e., patient bedside). As a result, most hospitals have implemented or are planning to implement a wireless network infrastructure. Regulatory demands placed on the health-care environment are requiring that these wireless networks ensure the confidentiality, integrity, and availability of patient information. This is because if the wireless network is not properly secured, it could be used as a launching point for an attack on the hospital's internal systems.
A wireless audit typically starts with a review of policies and procedures, the company's wireless applications, and all wireless network security and performance logs. Performing these steps enables the auditor to understand the wireless authentication and encryption mechanisms in use. There are several open source and commercial wireless scanners (e.g., NetStumbler, Kismet, and AirMagnet) that can help auditors to determine whether the health-care provider's wireless infrastructure is configured according to established policies and procedures. Using a wireless scanning tool, for example, can help auditors to identify the location of rogue or unauthorized access points connected to the network as well as determine whether the service set identifier (SSID) is being broadcast and strong encryption is being used.
In addition, many hospitals now offer free public wireless access to patients and guests. If this is the case, auditors should assess:
Application Interfaces (Application Risk Area)
Many health-care providers use a combination of "best-of-breed" application strategies that require a large number of application interfaces. Consequently, interface engines are typically used to control and process the interface data. In such scenarios, auditors need to determine whether controls and processes are in place to ensure data integrity is maintained and that data is completely and accurately exchanged among applications. If interface controls are not designed and operating effectively, data may not be accurately and completely transferred among different applications, thus significantly impacting the organization's financial and clinical outcomes.
To perform an interface audit review, auditors need to first understand what interfaces are significant to the application being reviewed. Factors to consider include:
Detailed tests should then be designed and executed to determine if the interface is operating as intended. CHAN used this approach to perform an interface audit and identified approximately US $2.5 million a year in charges that were not being properly transmitted from the surgery application to the final patient bill.
As the health-care provider industry applies more IT solutions to improve patient care and the financial bottom line, the importance of an effective IT audit function becomes more critical. A deep understanding of IT and health-care processes and controls is required to ensure risk is appropriately mitigated. In addition, because specialized audit tools and techniques are needed in many cases to efficiently and effectively perform risk assessments, audit departments should look for external help if the expertise is not available in-house.
For more information, auditors can visit the following Web sites:
Tom Tharp, CISA, is senior director of IT audit for CHAN Healthcare Auditors and has more than 20 years' experience in IT and IT audit. Tharp has spoken on IT audit and control issues at several national conferences, including MISTI's HealthSec 2005 conference, ISACA's 2006 CACS conference, and The IIA's 2007 Information Technology Conference. In his role at CHAN, Tharp oversees a group of more than 30 IT auditors and CAAT specialists that provide audit services to health-care providers in the United States, representing more than 350 hospitals across the country.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.