User Accounts: Using Data Analytics to Evaluate Account Administration
Academic year: 2021
(1)

User Accounts: Using Data Analytics to Evaluate Account Administration

Tom Valiquette, Program Manager, Compliance Advanced Data Analytics

(2)

TAR & IDX

Carolinas HealthCare System

Carolinas HealthCare System (CHS) is the largest healthcare system in the Carolinas, and the second largest non-profit public system in the nation. CHS provides a lifetime medical home to patients through a network of more than 600 care locations including hospitals, freestanding emergency departments, physician practices, surgical and rehabilitation centers, home health agencies, nursing homes and other facilities.

CHS Corporate Mission: To create and operate a comprehensive system to provide health care and related services, including education and research opportunity, for the benefit of the people we serve.

(3)

Compliance Advanced Data Analytics

Corporate Compliance Division

• Facility Compliance – Hospital Services Billing

• Physician Compliance – Physician Services Billing

• Corporate Privacy – Privacy of Patient Information

• Audit Services – Construction, Corporate Operations, Hospitals, Technology, Physician Practices

Partnership allows Corporate Compliance Division to leverage common resources

(4)

Key Considerations

• Decide your end-game

• What is your corporate standard

• Source of truth

• Data normalization

• Known data exceptions

• Reports

• Error validation

(5)

What is your end game?

1. Evaluate for key risks (one-time audit)

– Active user accounts of terminated employees/contractors

– Ghost accounts – fraudulent transactions

2. Continuous Audit/Monitor active improvement process

– User identification standard

3. Build case for corporate identity management solution

(6)

Corporate Standard

Unique – Application Administrators assign identification

Informal – Some Administrators mimic a “standard”

Uniform – Policy-driven identity management

(7)

Program Example

User Accounts

• Individual system installations

• Individual systems do not communicate with each other.

• Not integrated with Windows Active Directory

• Manual user account administration managed at each hospital

[Diagram: Hospital 1 through Hospital 8, each with its own separate installation]

(8)

Program Example, cont.

Risks

• External Regulator sanctions due to active user account for terminated employee. (JCAHO – Joint Commission on Accreditation of Healthcare Organizations)

• System access using terminated employee

(9)
(10)

Program Example, cont.

Current State

• Monitor hospital user account administration (timely account termination)

• Identify new user account ID errors

• Compliance with external regulation

Future State

• Profile user role behavior

• Assess user behavior for outlier events

• Transfer user account monitoring to business unit

(11)

Source of “Truth”

• Central list used to identify personnel

• Maintained to some standard

• Contains unique identifier

• Customer and Audit agree

Example: Active Directory

(12)

Corporate “standard” for application user identification.

Active Directory Example: First Initial, First Five Last Name, two digit number (pattern: α ααααα ##)

Sharon Smith → ssmith72

Source of “Truth”

PeopleSoft – Human Resources Example: Six digit number

(13)

CAATs

Data Preparation

• Provision data on same schedule

• Remove application-specific known user ID modifications

• Target and isolate approved administrative accounts

• Only ACTIVE target system user accounts

TargetSystem User ID   ComputedID (used for matching)   TargetSystem User Last Name   TargetSystem User First Name
5309                   5309                             JOHNSON                       ELLIOT
EJOHNS01               EJOHNS01                         JOHNSON                       ELLIOT
EJOHNS01W              EJOHNS01                         JOHNSON                       TIM

(14)

Identity Identification

TESTs

C01a Match unique corporate identity source

C01b Find user first name in corporate identity source, OR

C01b Fuzzy match user first name with corporate identity source (Levenshtein distance: the minimum number of single-character edits (insertion, deletion, substitution) required to change one word into the other)

TargetSystem User ID   ComputedID (used for matching)   TargetSystem User Last Name   TargetSystem User First Name   SourceSystem EmployeeID   SourceSystem UserName
5309                   5309                             JOHNSON                       ELLIOT
EJOHNS01               EJOHNS01                         JOHNSON                       ELLIOT                         EJOHNS01                  JOHNSON,ELLIOT
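The data preparation step from slide 13 and tests C01a/C01b from this slide, as an added worked example (constructed here, not code from the presentation or from CHS). It assumes a trailing "W" is the only known application-specific user ID modification, that STARADMIN is the only approved administrative account, and that the source of truth stores names as LAST,FIRST; all sample rows are constructed, with the JOHNSON rows mirroring the slide.

```python
"""Worked CAAT example (constructed, not the presentation's code): data
preparation plus identity tests C01a and C01b.

Assumptions not stated on the slides: a trailing 'W' is the only known
application-specific user ID modification, STARADMIN is the only approved
administrative account, and the source of truth stores names as LAST,FIRST.
"""

# Known application-specific user ID modifications to strip (assumption).
KNOWN_ID_SUFFIXES = ("W",)
# Approved administrative accounts are isolated, not matched (constructed).
APPROVED_ADMIN_ACCOUNTS = {"STARADMIN"}

# Target system export (constructed; the JOHNSON rows mirror the slide).
TARGET_USERS = [
    {"user_id": "5309", "last_name": "JOHNSON", "first_name": "ELLIOT", "status": "ACTIVE"},
    {"user_id": "EJOHNS01", "last_name": "JOHNSON", "first_name": "ELLIOT", "status": "ACTIVE"},
    {"user_id": "EJOHNS01W", "last_name": "JOHNSON", "first_name": "TIM", "status": "ACTIVE"},
    {"user_id": "SSMITH72", "last_name": "SMITH", "first_name": "SHARRON", "status": "ACTIVE"},
    {"user_id": "STARADMIN", "last_name": "SERVICE", "first_name": "ACCOUNT", "status": "ACTIVE"},
    {"user_id": "BJONES04", "last_name": "JONES", "first_name": "BOB", "status": "INACTIVE"},
]

# Corporate identity source, e.g. an HR extract (constructed).
SOURCE_EMPLOYEES = [
    {"employee_id": "EJOHNS01", "user_name": "JOHNSON,ELLIOT"},
    {"employee_id": "SSMITH72", "user_name": "SMITH,SHARON"},
]


def compute_id(user_id):
    """ComputedID: the target user ID with known modifications removed.
    A legitimate ID that happens to end in 'W' would also be trimmed, which
    is why false positives are routed through error validation later."""
    uid = user_id.strip().upper()
    for suffix in KNOWN_ID_SUFFIXES:
        if uid.endswith(suffix) and len(uid) > len(suffix):
            return uid[: -len(suffix)]
    return uid


def levenshtein(a, b):
    """Minimum single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def prepare(target_rows):
    """Data preparation: keep only ACTIVE accounts, add ComputedID, and
    set approved administrative accounts aside for separate review."""
    prepared, admins = [], []
    for row in target_rows:
        if row["status"] != "ACTIVE":
            continue
        row = dict(row, computed_id=compute_id(row["user_id"]))
        if row["computed_id"] in APPROVED_ADMIN_ACCOUNTS:
            admins.append(row)
        else:
            prepared.append(row)
    return prepared, admins


def run_identity_tests(target_rows, source_rows, fuzzy_threshold=2):
    """Return (user_id, test_code, error_reason) for every exception.

    C01a: ComputedID must exist in the corporate identity source.
    C01b: first name must match exactly, or within fuzzy_threshold edits.
    """
    source = {r["employee_id"].upper(): r for r in source_rows}
    prepared, _admins = prepare(target_rows)
    exceptions = []
    for row in prepared:
        emp = source.get(row["computed_id"])
        if emp is None:
            exceptions.append((row["user_id"], "C01a",
                               "Application userID not found in PeopleSoft"))
            continue
        src_first = emp["user_name"].split(",")[-1].strip().upper()
        tgt_first = row["first_name"].strip().upper()
        if tgt_first != src_first and levenshtein(tgt_first, src_first) > fuzzy_threshold:
            exceptions.append((row["user_id"], "C01b",
                               "Application userID first name does not match first name in PeopleSoft"))
    return exceptions


if __name__ == "__main__":
    for user_id, code, reason in run_identity_tests(TARGET_USERS, SOURCE_EMPLOYEES):
        print(f"{user_id:<10} {code} {reason}")
```

On the constructed rows, 5309 raises C01a (no such employee), EJOHNS01W raises C01b (TIM is not within two edits of ELLIOT), SHARRON/SHARON passes the fuzzy match, the inactive account is dropped in preparation and STARADMIN is isolated. The fuzzy threshold is a tuning choice: a larger value hides real mismatches, so every fuzzy match that is accepted is worth listing for the customer's validation.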

(15)

Termination Status

TEST

C01c UserID active status dates are between employment start and end dates

TargetSystem User ID   ComputedID (used for matching)   TargetSystem ActiveDate   TargetSystem TermDate   SourceSystem EmployeeID   SourceSystem TerminationDate
5309                   5309                             12/12/2009
EJOHNS01               EJOHNS01                         05/24/2010                                        EJOHNS01
EJOHNS01W              EJOHNS01                         05/24/2010

(16)

Other Considerations

TESTs

C01d No activity with UserID in greater than X days

C01e Terminated Employee account activity since termination

C01f Behavior Analysis

- role-based controls

- Outlier event identification (e.g.: Intensive Care Nurse)

These tests require additional target system data:

C02 Next System:

(17)

Reports

• Identify primary audience (audit management, customer?)

• Summary vs. Detail

• Facilitate exception management process

Report #1 (summary)

System   TestCode   ErrorReason                                                                                          Count
STAR     C01a       Application userID not found in PeopleSoft                                                           1
STAR     C01b       Application userID first name does not match first name in PeopleSoft                                1
STAR     C01c       Application userID has active status in application but PeopleSoft status is not active              0
STAR     C02a       Application userID not found in Active Directory                                                     1
STAR     C02b       Application userID first name does not match first name in Active Directory                          1
STAR     C02c       Application userID has active status in application but Active Directory status is not active        1

Report #2 (detail): Error

(18)

Error Validation

UserID      Test   ErrorReason                                                              ErrorValidation      ValidationReason
5309        C01a   Application userID not found in PeopleSoft                               EC99 - Valid Error   RC99 - Remediation Plan
EJOHNS01W   C01b   Application userID first name does not match first name in PeopleSoft    EC01 - Not Error     RC02 - False Positive - Positive Teammate ID

• Allows customer opportunity to participate in audit process

• Demonstrates to senior leadership the customer's willingness to correct problems

• Approved false-positives accounted for in continuous auditing program

• Remediation plans confirmed by continuous auditing program
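The reporting and error validation flow from slides 17 and 18, as an added worked example (constructed here, not code from the presentation or from CHS). It reuses the slide's test codes, error reasons and validation codes (EC99, EC01, RC99, RC02); the detail rows, the second run and the row layout are constructed.

```python
"""Worked example (constructed, not the presentation's code): turning CAAT
test exceptions into Report #1, folding the customer's error validation back
into the continuous-audit run, and confirming remediation plans.

Test codes, error reasons and the EC/RC validation codes come from the
slides; the detail rows and the second run are constructed.
"""
from collections import Counter

ERROR_REASONS = {
    "C01a": "Application userID not found in PeopleSoft",
    "C01b": "Application userID first name does not match first name in PeopleSoft",
    "C01c": "Application userID has active status in application but PeopleSoft status is not active",
    "C02a": "Application userID not found in Active Directory",
    "C02b": "Application userID first name does not match first name in Active Directory",
    "C02c": "Application userID has active status in application but Active Directory status is not active",
}

# Report #2 detail rows from the first run: (system, user_id, test_code). Constructed.
RUN_1 = [
    ("STAR", "5309", "C01a"),
    ("STAR", "EJOHNS01W", "C01b"),
    ("STAR", "5309", "C02a"),
    ("STAR", "EJOHNS01W", "C02b"),
    ("STAR", "TSMITH02", "C02c"),
]

# Customer validation of Report #2 rows: (ErrorValidation, ValidationReason).
# EC99 = Valid Error, EC01 = Not Error; RC99 = Remediation Plan, RC02 = False Positive.
VALIDATIONS = {
    ("STAR", "5309", "C01a"): ("EC99", "RC99"),
    ("STAR", "EJOHNS01W", "C01b"): ("EC01", "RC02"),
    ("STAR", "EJOHNS01W", "C02b"): ("EC01", "RC02"),
}

# Detail rows from the next continuous-audit run (constructed): 5309 was removed.
RUN_2 = [
    ("STAR", "EJOHNS01W", "C01b"),
    ("STAR", "TSMITH02", "C02c"),
]


def summary_report(detail_rows, test_codes=ERROR_REASONS):
    """Report #1: one line per system and test with the error count, zeros included
    so the reader sees which tests ran clean."""
    counts = Counter((system, code) for system, _, code in detail_rows)
    systems = sorted({system for system, _, _ in detail_rows})
    return [(system, code, test_codes[code], counts[(system, code)])
            for system in systems for code in test_codes]


def open_exceptions(detail_rows, validations):
    """Drop rows the customer validated as Not Error (approved false positives)
    so they stop reappearing in the continuous-auditing program."""
    return [row for row in detail_rows if validations.get(row, ("", ""))[0] != "EC01"]


def remediation_status(previous_rows, validations, current_rows):
    """Confirm remediation plans: an RC99 row that no longer fires is remediated,
    one that still fires stays open for follow-up."""
    current = set(current_rows)
    status = {}
    for row in previous_rows:
        if validations.get(row, ("", ""))[1] == "RC99":
            status[row] = "open" if row in current else "remediated"
    return status


if __name__ == "__main__":
    for system, code, reason, count in summary_report(RUN_1):
        print(f"{system:<6} {code:<5} {reason:<100} {count}")
    print("open after validation:", open_exceptions(RUN_1, VALIDATIONS))
    print("remediation status:", remediation_status(RUN_1, VALIDATIONS, RUN_2))
```

The summary over the constructed first run reproduces the counts on slide 17 (one error each except C01c), the validated false positive for EJOHNS01W drops out of the open list, and the 5309 remediation plan is confirmed once the account no longer appears in the second run.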

(19)

Continuous Auditing/Monitoring

• Provides evidence for “end-game”

– Identify root cause(s)

– Monitor process improvement

– Need for central Identity Management System

• Transition auditing to business unit

• Monitor process improvement gains

– Monitoring provides re-audit signals

(20)
(21)

Tom Valiquette, Program Manager

Compliance Advanced Data Analytics Corporate Compliance

[email protected] O: 704-512-5903
