Corporate Compliance Division - ISACA · TAR & IDX . Carolinas HealthCare System . Carolinas...

User Accounts: Using Data Analytics to Evaluate Account Administration Tom Valiquette, Program Manager, Compliance Advanced Data Analytics


Page 1:

User Accounts: Using Data Analytics to Evaluate Account Administration

Tom Valiquette, Program Manager, Compliance Advanced Data Analytics

Page 2:

TAR & IDX

Carolinas HealthCare System

Carolinas HealthCare System (CHS) is the largest healthcare system in the Carolinas, and the second largest non-profit public system in the nation. CHS provides a lifetime medical home to patients through a network of more than 600 care locations including hospitals, freestanding emergency departments, physician practices, surgical and rehabilitation centers, home health agencies, nursing homes and other facilities.

CHS Corporate Mission

To create and operate a comprehensive system to provide health care and related services, including education and research opportunity, for the benefit of the people we serve.

Page 3:

Corporate Compliance Division (organization chart)

• Compliance Advanced Data Analytics
• Facility Compliance – Hospital Services Billing
• Physician Compliance – Physician Services Billing
• Corporate Privacy – Privacy of Patient Information
• Audit Services – Construction, Corporate Operations, Hospitals, Technology, Physician Practices

Partnership allows Corporate Compliance Division to leverage common resources.

Page 4:

Key Considerations

• Decide your end-game
• What is your corporate standard
• Source of truth
• Data normalization
• Known data exceptions
• Reports
• Error validation
• Continuous auditing

Page 5:

What is your end game?

1. Evaluate for key risks (one-time audit)
   – Active user accounts of terminated employees/contractors
   – Ghost accounts – fraudulent transactions
2. Continuous audit/monitor active improvement process – user identification standard
3. Build case for corporate identity management solution

Presentation Notes: One-time review; continuous auditing; monitoring process improvement; building case for identity management.
Page 6:

Corporate Standard

• Unique – application administrators assign identification
• Informal – some administrators mimic a “standard”
• Uniform – policy-driven identity management

Presentation Notes:
• Unique – application administrators do not use any corporate identity to assign User IDs; additionally, user identification does not include central identity management identifiers (e.g. Employee ID, Active Directory ID).
• Informal – some application administrators use another system User ID (e.g. Active Directory).
• Uniform – corporate policy “drives” identity management; may also include an identity management system.
Page 7:

Program Example: User Accounts

• Individual system installations
• Individual systems do not communicate with each other.
• Not integrated with Windows Active Directory
• Manual user account administration managed at each hospital

(Diagram: Hospital 1 through Hospital 8, each shown as a separate installation)

Page 8:

Program Example, cont.

Risks
• External regulator sanctions due to active user account for terminated employee (JCAHO – Joint Commission on Accreditation of Healthcare Organizations)
• System access using terminated employee account

Page 9:

Program Example, cont.

Page 10:

Program Example, cont.

Current State
• Monitor hospital user account administration (timely account termination)
• Identify new user account ID errors
• Compliance with external regulation

Future State
• Profile user role behavior
• Assess user behavior for outlier events
• Transfer user account monitoring to business unit

Page 11:

Source of “Truth”
• Central list used to identify personnel
• Maintained to some standard
• Contains unique identifier
• Customer and Audit agree

Candidates: Active Directory; Employee Roster

Presentation Notes: Customer and Audit agree that the list is the source of truth to be used in CAATs testing.
Page 12:

Corporate “standard” for application user identification.

Active Directory example: first initial, first five letters of last name, two-digit number (α ααααα ##), e.g. Sharon Smith → ssmith72

Source of “Truth” – PeopleSoft (Human Resources) example: six-digit number (######), e.g. 123456

Page 13:

CAATs Data Preparation
• Provision data on same schedule
• Remove application-specific known user ID modifications
• Target and isolate approved administrative accounts
• Only ACTIVE target system user accounts

TargetSystem User ID | ComputedID (used for matching) | TargetSystem User Last Name | TargetSystem User First Name
5309                 | 5309                           | JOHNSON                     | ELLIOT
EJOHNS01             | EJOHNS01                       | JOHNSON                     | ELLIOT
EJOHNS01W            | EJOHNS01                       | JOHNSON                     | TIM

(ID Modification: the trailing “W” on EJOHNS01W is an application-specific modification removed to form the ComputedID.)

Page 14:

Identity Identification TESTs
• C01a – Match unique corporate identity source
• C01b – Find user first name in corporate identity source, OR
• C01b (alternative) – Fuzzy match user first name with corporate identity source (Levenshtein distance: the minimum number of single-character edits (insertion, deletion, substitution) required to change one word into the other)

TargetSystem User ID | ComputedID (used for matching) | TargetSystem User Last Name | TargetSystem User First Name | SourceSystem EmployeeID | SourceSystem UserName
5309                 | 5309                           | JOHNSON                     | ELLIOT                       |                         |
EJOHNS01             | EJOHNS01                       | JOHNSON                     | ELLIOT                       | EJOHNS01                | JOHNSON,ELLIOT
EJOHNS01W            | EJOHNS01                       | JOHNSON                     | TIM                          | EJOHNS01                | JOHNSON,ELLIOT

Page 15:

Termination Status TEST
• C01c – UserID active status dates are between employment start and end dates

TargetSystem User ID | ComputedID (used for matching) | TargetSystem ActiveDate | TargetSystem TermDate | SourceSystem EmployeeID | SourceSystem TerminationDate
5309                 | 5309                           | 12/12/2009              |                       |                         |
EJOHNS01             | EJOHNS01                       | 05/24/2010              |                       | EJOHNS01                |
EJOHNS01W            | EJOHNS01                       | 05/24/2010              |                       |                         |

Only EJOHNS01 is testable (other accounts failed in previous tests).
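The data-preparation step and tests C01a to C01c from the preceding three slides, as an added worked example (this is not the presenter's code): the known “W” modification is stripped to form the ComputedID, each account is matched to the source of truth, first names are compared by Levenshtein distance, and active dates are checked against employment dates. The hire dates, the extra TSMITH02 account and the suffix rule are constructed assumptions, not slide content.

```python
from datetime import date
# Constructed rows modelled on the slide tables (application = STAR, source = PeopleSoft);
# hire dates, the TSMITH02 row and the "W" suffix rule are assumptions, not slide content.
TARGET = [  # (UserID, LastName, FirstName, ActiveDate, TermDate)
    ("5309", "JOHNSON", "ELLIOT", date(2009, 12, 12), None),
    ("EJOHNS01", "JOHNSON", "ELLIOT", date(2010, 5, 24), None),
    ("EJOHNS01W", "JOHNSON", "TIM", date(2010, 5, 24), None),
    ("TSMITH02", "SMITH", "TERRY", date(2011, 3, 1), None),  # still active, employee terminated
]
SOURCE = {  # EmployeeID -> (UserName "LAST,FIRST", HireDate, TerminationDate)
    "EJOHNS01": ("JOHNSON,ELLIOT", date(2008, 1, 7), None),
    "TSMITH02": ("SMITH,TERRY", date(2010, 6, 1), date(2012, 9, 30)),
}

def computed_id(user_id, known_suffixes=("W",)):
    """Remove application-specific ID modifications so the ID can be matched to the source."""
    for suffix in known_suffixes:
        if user_id.endswith(suffix) and len(user_id) > len(suffix):
            return user_id[: -len(suffix)]
    return user_id

def levenshtein(a, b):  # minimum single-character insertions/deletions/substitutions
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def run_identity_tests(target=TARGET, source=SOURCE, max_dist=1):
    """Apply C01a, C01b, C01c in order; an account failing one test is not tested further."""
    errors = []  # (UserID, TestCode)
    for uid, _last, first, active, term in target:
        cid = computed_id(uid)
        if cid not in source:  # C01a: no match on the unique corporate identity
            errors.append((uid, "C01a")); continue
        name, hired, terminated = source[cid]
        src_first = name.split(",")[1].strip()
        if levenshtein(src_first, first) > max_dist:  # C01b: fuzzy first-name mismatch
            errors.append((uid, "C01b")); continue
        # C01c: active dates inside employment, and no active account for a terminated employee
        if not (hired <= active <= (terminated or date.max)) or (term is None and terminated):
            errors.append((uid, "C01c"))
    return errors

def error_counts(errors, codes=("C01a", "C01b", "C01c")):  # Report #1 layout
    counts = dict.fromkeys(codes, 0)
    for _uid, code in errors:
        counts[code] += 1
    return counts
```

With only the three slide rows the counts reproduce the STAR line of Report #1 (C01a 1, C01b 1, C01c 0); the constructed TSMITH02 row adds the C01c finding the deck treats as the key risk.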

Page 16:

Other Considerations TESTs
• C01d – No activity with UserID in greater than X days
• C01e – Terminated employee account activity since termination
• C01f – Behavior analysis: role-based controls, outlier event identification (e.g. Intensive Care Nurse)

These tests require additional target system data. C02: next system; C##: cross target system testing.
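Tests C01d and C01e need application activity data in addition to the account list; the following added example (not the presenter's code) runs both over a constructed login log and termination roster. The log line format, the 90-day idle threshold and the as-of date are assumptions.

```python
from datetime import date

# Constructed application activity log and termination roster (not slide content);
# the line format "YYYY-MM-DD HH:MM:SS SYSTEM EVENT user=ID" is an assumption.
ACTIVITY_LOG = """\
2012-10-03 08:12:44 STAR LOGIN user=EJOHNS01
2012-10-04 07:58:10 STAR LOGIN user=TSMITH02
2012-07-01 09:00:00 STAR LOGIN user=5309
"""
ACCOUNTS = ["5309", "EJOHNS01", "EJOHNS01W", "TSMITH02"]  # active target-system accounts
TERMINATIONS = {"TSMITH02": date(2012, 9, 30)}  # EmployeeID -> termination date (source of truth)
AS_OF = date(2012, 10, 5)  # date the log was extracted

def parse_log(text):
    """Group event dates by user ID."""
    events = {}
    for line in text.splitlines():
        day, _time, _system, _event, user = line.split()
        events.setdefault(user.split("=", 1)[1], []).append(date.fromisoformat(day))
    return events

def dormant_accounts(events, accounts=ACCOUNTS, as_of=AS_OF, max_idle_days=90):
    """C01d: active accounts with no activity in more than max_idle_days (never used counts)."""
    flagged = []
    for uid in accounts:
        last = max(events.get(uid, []), default=None)
        if last is None or (as_of - last).days > max_idle_days:
            flagged.append(uid)
    return flagged

def post_termination_activity(events, terminations=TERMINATIONS):
    """C01e: activity by an account whose employee has already been terminated."""
    hits = []
    for uid, days in events.items():
        term = terminations.get(uid)
        hits += [(uid, d.isoformat()) for d in days if term is not None and d > term]
    return sorted(hits)
```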

Page 17:

Reports
• Identify primary audience (audit management, customer?)
• Summary vs. Detail
• Facilitate exception management process

Report #1 / Report #2

System | TestCode | ErrorReason                                                                                   | Error Count
STAR   | C01a     | Application userID not found in PeopleSoft                                                    | 1
STAR   | C01b     | Application userID first name does not match first name in PeopleSoft                         | 1
STAR   | C01c     | Application userID has active status in application but PeopleSoft status is not active       | 0
STAR   | C02a     | Application userID not found in Active Directory                                              | 1
STAR   | C02b     | Application userID first name does not match first name in Active Directory                   | 1
STAR   | C02c     | Application userID has active status in application but Active Directory status is not active | 1

Page 18:

Error Validation

UserID    | Test | ErrorReason                                                           | ErrorValidation     | ValidationReason
5309      | C01a | Application userID not found in PeopleSoft                            | EC99 - Valid Error  | RC99 - Remediation Plan
EJOHNS01W | C01b | Application userID first name does not match first name in PeopleSoft | EC01 - Not Error    | RC02 - False Positive - Positive Teammate ID

• Allows customer opportunity to participate in audit process
• Demonstrates to senior leadership the customer's willingness to correct problems
• Approved false positives accounted for in continuous auditing program
• Remediation plans confirmed by continuous auditing program

Page 19:

Continuous Auditing/Monitoring
• Provides evidence for “end-game”
  – Identify root cause(s)
  – Monitor process improvement
  – Need for central Identity Management System
• Transition auditing to business unit
• Monitor process improvement gains
  – Monitoring provides re-audit signals
• Allows for key system comparison

Page 20:

Questions?

Page 21:

Tom Valiquette, Program Manager, Compliance Advanced Data Analytics, Corporate Compliance
[email protected]
O: 704-512-5903