Mais Case

The document discusses risks and controls related to the billing and collections process at a hospital. It identifies risks such as unauthorized access, inaccurate patient registration, and incorrect pharmacy charges. Possible controls include authentication processes, verifying patient information, automatic patient charging, and audits of write-off processes. The document emphasizes testing controls to ensure they are functioning properly and reducing revenue loss risks from issues like billing errors and fraud. It also notes that residual risks will remain even after implementing controls.

Uploaded by

Esha Kumari

MIDWEST HEALTH SYSTEM: INFORMATION SYSTEM RISKS AND CONTROLS

Decision Sheet

Summary

In this case, a hospital's operations and information technology systems are discussed. The risks
and controls related to the billing and collection process are identified, and the concept of
residual risks is explained. Additionally, the testing of controls in the billing and collection
process is discussed.

General Information Technology Risks and Controls


The case mentions that IT general controls (ITGCs) and application controls are needed to
mitigate risks. ITGCs include areas such as access security, change management, and business
continuity. Application controls ensure that transactions are valid, properly authorized, and
accurately recorded, processed, stored, and reported.

Risks and Controls in the Billing and Collection Process


The case provides a list of risks and possible controls in the billing and collection process. Some
of the risks mentioned include unauthorized access affecting data integrity or security, inaccurate
registration inhibiting collection of patient accounts, incorrect charges or no charges for
pharmacy services, and improper write-offs of uncollectable accounts. The possible controls
include authentication processes, verification of patient information, automatic charging of
patient accounts, and regular audits of write-off processes.

Testing the Operating Effectiveness of Controls


The case mentions that it is important to test the operating effectiveness of controls to ensure that
they are functioning as designed. Each team member is asked to suggest at least one test for
assessing the operating effectiveness of each control they recommend. The objective is to reduce
the loss of revenues due to incorrect billing, fraud, and other factors.

Residual Risks
Residual risks refer to the risks that remain even after controls have been implemented. The team
acknowledges that no system of internal controls can be perfect, and thinking through residual
risks can help identify other significant risks that can be mitigated at a reasonable cost. It is
important to ensure that controls are operating as designed to achieve the objectives of reducing
revenue loss and addressing risks related to incorrect billing, fraud, and other factors.

Overall, the case highlights the importance of understanding and addressing risks in hospital
operations and information technology systems, particularly in the billing and collection process.
It emphasizes the need for effective controls and testing their operating effectiveness to mitigate
risks and ensure compliance with relevant regulations.

Q1. Identify all IT general control (ITGC) risks as well as possible controls to mitigate
those risks.

Exhibit columns: Areas, Activity, or Process; Risk of Errors or Fraud; Possible Controls to
Mitigate Risks.

1. Overall Process
● Risk: Data theft, incorrect billing, waste, fraud and abuse.
● Possible Controls:
1) Limited access to data for required personnel only.
2) Data centre to be located in an area with secured entry and restrictions.
3) Weekly review of logs and reports by data owners.
4) System alerting on any kind of alteration or unauthorised access.
5) Proactive security measures to mitigate viruses, malware etc.
6) A PIX firewall for host-based protection.

2. Nebo Passport System
● Risk: Data integrity not up to the mark, inaccuracy in captured bills, wrong routing of staff
for correction.
● Possible Controls:
1) Data validation and verification to ensure accuracy and completeness.
2) Role-based access controls on specific data.
3) Data encryption and regular backups.
4) Automated validation and error handling.

3. Cerner Computerized Physician Order Entry (CPOE)
● Risk: Inaccurate default values of drug doses, routes, frequencies, drug allergies,
contraindicating lab values etc.; incorrect entry of physician's instructions for patient
treatment.
● Possible Controls:
1) Clinical decision support rules to alert on potential issues with default values of drug
doses, routes etc.
2) Clinical oversight and review of the CPOE system drug libraries.
3) Dual verification and authentication.
4) Data validation and integration, ensuring external systems are linked accurately with the
CPOE system, reducing the risk of incorrect information entry.
5) Regulatory compliance with required medical healthcare standards and regulations.

4. Current Procedural Terminology (CPT) coding
● Risk: Mismatch in coding language, uniformity of entered codes not maintained, accessibility
of codes by various stakeholders.
● Possible Controls:
1) Regular audits and reviews of the system.
2) Documentation of the improvement process to improve the quality of patient records.
3) Coding validation rules to prevent coding errors and detect errors early.
4) Standardization and training to provide uniformity and accuracy of codes and easy
understanding.

5. McKesson STAR System (billing system for patient accounts)
● Risk: Wrong patient details recorded, non-uniform coding of patient services, improper
collating of patient medical records, mistakes in processing and generating medical claims.
● Possible Controls:
1) Access controls and user authentication to prevent data breaches and keep data safe.
2) Data validation and patient identity verification to avoid entry errors.
3) Centralized system to keep all related patient data and past records for tracking and easy
access.
4) Review and validation on a timely basis.
5) A system to retrieve stored information for returning patients.
6) Since it is a centralized system, all other healthcare systems should be interlinked and
data should be easily accessible.

IT General Control (ITGC) Risks and Possible Controls:

Overall Security:

● Unauthorized access might affect data integrity or data security. Controls to mitigate this
risk include implementing processes and procedures to authenticate users and limit their
physical and logical access. This includes securing the data center, monitoring network
and system activities for malicious activities, and enforcing an Active Directory security
policy.

Application Control Registration:

● Risks include inaccurate registration due to fake identification or errors by staff. Controls
to mitigate this risk include verifying patient identification, double-checking information,
and verbally verifying accuracy with the patient. Additionally, the registration sheet
should be printed and given to the patient for verification, and stored information should
be retrieved for returning patients.

Provision of Services: Pharmacy Charges:

● Risks include incorrect or missing charges for medication. Controls to mitigate this risk
include automatically charging the patient's account when the order is filled, ensuring
medication is dispensed only if there is a charge, and reconciling the patient's chart with
the charges.

Claim Processing:

● Risks include outdated edit routines and delayed coding. Controls to mitigate this risk
include verifying that edit routines are updated timely, examining patient accounts billed
after eight days following discharge on a sample basis, and investigating underlying
reasons for delays in coding.

Write-Offs:

● Risks include improper write-offs due to diverted or incorrect remittances from the
collection agency. Controls to mitigate this risk include requiring different levels of
authorization based on the amount, and testing the write-off process on an annual basis.
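
The "weekly reviewing of logs and reports by data owners" and "limited access of data to required personnel" controls above are detective and preventive halves of the same idea: a role matrix says who may do what, and the log review catches what slipped past it. The following is an added worked example, not code from the case or the decision sheet. It parses constructed audit-log lines and flags accesses that the recorded role does not permit, plus accesses outside a permitted shift window. The log line format, the roles and their permissions, the shift hours and all sample entries are assumptions made for illustration.

```python
"""Weekly access-log review against a role matrix (added example, not from the case)."""
import re
from datetime import datetime, time
from typing import Dict, List, Tuple

# Assumed log line layout: "<ISO timestamp> user=<id> role=<role> action=<verb> record=<type>:<id>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) role=(?P<role>\w+) "
    r"action=(?P<action>\w+) record=(?P<record>\w+):(?P<rid>\w+)$"
)

# Which record types each role may touch and with which actions (constructed matrix).
ROLE_MATRIX: Dict[str, Dict[str, set]] = {
    "registration": {"demographics": {"read", "update"}},
    "pharmacy": {"medication_order": {"read", "update"}, "charge": {"create"}},
    "billing": {"charge": {"read", "update", "write_off"}, "demographics": {"read"}},
}

# Hours during which interactive access is expected (assumption for the example).
SHIFT_START, SHIFT_END = time(7, 0), time(19, 0)


def parse(line: str) -> dict:
    """Split one log line into fields; refuse lines that do not match the layout."""
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = m.groupdict()
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def review(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, reason) findings for the data owner's weekly review."""
    findings = []
    for line in lines:
        e = parse(line)
        allowed = ROLE_MATRIX.get(e["role"], {}).get(e["record"], set())
        if e["action"] not in allowed:
            findings.append((e["user"], "action not permitted for role"))
        if not (SHIFT_START <= e["ts"].time() <= SHIFT_END):
            findings.append((e["user"], "access outside shift hours"))
    return findings


# Constructed sample log lines; none of these are real accounts or users.
SAMPLE_LOG = [
    "2024-03-04T09:15:00 user=jlee role=registration action=read record=demographics:A100",
    "2024-03-04T10:02:00 user=jlee role=registration action=write_off record=charge:C55",
    "2024-03-04T23:40:00 user=mpatel role=billing action=read record=charge:C55",
    "2024-03-05T11:00:00 user=rkhan role=pharmacy action=update record=demographics:A101",
    "2024-03-05T12:30:00 user=mpatel role=billing action=write_off record=charge:C56",
]


if __name__ == "__main__":
    for user, reason in review(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

The last sample line is permitted by the matrix on purpose: whether that write-off carried the right approval level for its amount is a separate application control, not something a role matrix can answer.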
Q2. Identify all application risks and possible application controls related to the billing and
collection cycle. Add as many rows as necessary. Use case Exhibit 7 as a guide. Please
include a completed version of case Exhibit 7 with your submission.

Application Risks and Controls Related to the Billing and Collection Cycle

1. Provision of services: Pharmacy charges

● Risk: Incorrect charges or no charges for medications dispensed.
● Possible Control: Implement an automated system to charge the patient's account when
the order is filled. Ensure medication is dispensed only if there is a charge to the patient's
account. Reconcile the patient's chart with the charges.

2. Claim processing
● Risk: Claims produced after a five-day waiting period may have outdated edit routines or
delayed coding.
● Possible Control: Independently verify that edit routines are updated in a timely manner.
Examine patient accounts billed after eight days following discharge on a sample basis
and investigate underlying reasons for delays.

3. Write-offs
● Risk: Improperly written off uncollectable accounts due to diverted or incorrect
remittances from the collection agency.
● Possible Control: Require different levels of authorization based on the amount to write
off accounts. Test the write-off process annually.

4. IT general controls: Overall security

● Risk: Unauthorized access affecting data integrity or security.
● Possible Control: Implement processes and procedures to authenticate users and limit
their physical and logical access. Ensure the data center has secured entry. Monitor
network and system activities for malicious activities and policy violations. Enforce an
Active Directory security policy, including regular patching and anti-virus updates. Use a
PIX firewall for host-based protection.

5. Application control registration

● Risk: Inaccurate registration due to fake identification or errors by staff, hindering the
collection of patient accounts.
● Possible Control: Require registration staff to check patient identification, double-check
information including insurance details, and verbally verify accuracy with the patient.
Print and give the registration sheet to the patient for verification. Retrieve stored
information for returning patients from the system.
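
Items 1 to 3 above describe three detective application controls: reconcile what the pharmacy dispensed against what was charged, look at accounts billed more than eight days after discharge, and require an approval level that depends on the write-off amount. The block below is an added worked example, not code from the case or the decision sheet, that runs all three checks over small constructed data sets. The record layouts, the approval tiers and every sample record are assumptions chosen for illustration; only the eight-day window comes from the text.

```python
"""Detective application controls for the billing and collection cycle (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Dispense:  # a filled pharmacy order (assumed layout)
    order_id: str
    account: str
    drug: str
    qty: int


@dataclass(frozen=True)
class Charge:  # the charge posted to the patient account (assumed layout)
    order_id: str
    account: str
    qty: int


def reconcile_pharmacy(dispenses: List[Dispense], charges: List[Charge]) -> List[Tuple[str, str]]:
    """Match every filled order to its charge and report each exception, sorted by order."""
    by_dispense = {d.order_id: d for d in dispenses}
    by_charge = {c.order_id: c for c in charges}
    exceptions = []
    for oid, d in by_dispense.items():
        c = by_charge.get(oid)
        if c is None:
            exceptions.append((oid, "dispensed but not charged"))
        elif c.account != d.account:
            exceptions.append((oid, "charged to a different account"))
        elif c.qty != d.qty:
            exceptions.append((oid, "quantity mismatch"))
    for oid in by_charge.keys() - by_dispense.keys():
        exceptions.append((oid, "charged but no dispense record"))
    return sorted(exceptions)


def late_billed_accounts(accounts: List[Tuple[str, date, date]], max_days: int = 8) -> List[str]:
    """accounts: (account, discharge date, bill date). Flags bills later than max_days."""
    return [acct for acct, discharged, billed in accounts if (billed - discharged).days > max_days]


# Approval level required per write-off amount as (ceiling, level). Constructed tiers;
# the case only says the level should depend on the amount.
WRITEOFF_TIERS = [(1_000.0, 1), (10_000.0, 2), (float("inf"), 3)]


def required_level(amount: float) -> int:
    for ceiling, level in WRITEOFF_TIERS:
        if amount <= ceiling:
            return level
    raise ValueError("tiers must end with an unbounded ceiling")


def unauthorized_writeoffs(writeoffs: List[Tuple[str, float, int]]) -> List[str]:
    """writeoffs: (account, amount, approver level). Flags approvals below the required tier."""
    return [acct for acct, amount, level in writeoffs if level < required_level(amount)]


# Constructed sample data (no real accounts).
SAMPLE_DISPENSES = [
    Dispense("O1", "A100", "amoxicillin", 2),
    Dispense("O2", "A101", "insulin", 1),
    Dispense("O3", "A102", "heparin", 3),
]
SAMPLE_CHARGES = [Charge("O1", "A100", 2), Charge("O3", "A102", 1), Charge("O9", "A105", 1)]
SAMPLE_ACCOUNTS = [
    ("A100", date(2024, 3, 1), date(2024, 3, 5)),   # 4 days: fine
    ("A101", date(2024, 3, 1), date(2024, 3, 12)),  # 11 days: flagged
    ("A102", date(2024, 3, 2), date(2024, 3, 10)),  # exactly 8 days: not "after eight days"
]
SAMPLE_WRITEOFFS = [("A100", 250.0, 1), ("A101", 5_000.0, 1), ("A102", 25_000.0, 3), ("A103", 12_000.0, 2)]


def run_all() -> Dict[str, list]:
    """Run the three checks and return their exceptions keyed by check name."""
    return {
        "pharmacy": reconcile_pharmacy(SAMPLE_DISPENSES, SAMPLE_CHARGES),
        "late_bills": late_billed_accounts(SAMPLE_ACCOUNTS),
        "writeoffs": unauthorized_writeoffs(SAMPLE_WRITEOFFS),
    }


if __name__ == "__main__":
    for check, hits in run_all().items():
        print(f"{check}: {hits}")
```

Each function returns its exceptions rather than printing them so the same logic can be reused as a test of operating effectiveness: re-running it over a period's records and comparing the output with the exceptions the process actually raised is a reperformance test of the control.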

Q3. Identify at least three residual risks and a possible control for each. (Hint: Residual
risks are risks that remain after controls are implemented. They exist due to the inherent
limitations of controls, factors such as human error and collusion, and the cost of
implementing controls relative to the benefit of controls.)

Residual Risks and Possible Controls

1. Residual Risk: Unauthorized access might affect data integrity or data security.
● Possible Control: Ensure various processes and procedures are in place to
authenticate users and limit their physical and logical access according to their
responsibilities. This includes securing the data center, monitoring network and
system activities for malicious activities, and implementing proactive security
measures such as patching and anti-virus updates.
2. Residual Risk: Errors or fraud in the registration process may result in inaccurate
patient identification and billing.
● Possible Control: Ensure registration staff check patient identification, double
check information including insurance details, and verbally verify the accuracy of
information with the patient. Additionally, have the system retrieve stored
information for returning patients to minimize errors.
3. Residual Risk: Incorrect charges or no charges in the pharmacy process may lead to
revenue loss.
● Possible Control: Implement an automated system that charges the patient's
account when the order is filled. Ensure medication is dispensed only if there is a
charge to the patient's account. Reconcile the patient's chart with the charges to
minimize errors.

Q4. For each recommended control, list at least one test of operating effectiveness. Use the
completed rows in case Exhibit 8 as a guide. Please include a completed version of case
Exhibit 8 with your submission. (Hint: Testing the operating effectiveness of controls
involves determining whether the controls are working as designed. Means of testing such
effectiveness include inquiry of personnel, observation, inspection of documentation, and
reperformance.)

RISKS, CONTROLS, AND TESTS OF CONTROLS

Risks of Errors or Fraud:

● Unauthorized access
● Failure to verify benefits or obtain pre-certification

Possible Controls to Mitigate Risks:

● Only two administrative passwords, with very strong login credentials, were employed.
● The insurance benefits were verified, and 100% of all scheduled admissions and
procedures were pre-certified.

Possible Tests of Controls:

● Ask the information security officer, Van Horde, whether administrative passwords are
limited and strong.
● Ask registration staff about the verification process.
● Using a sample, test whether insurance benefits and scheduled admissions were verified.
● Observe financial counseling of patients admitted through the ER.
● Using a sample of ER admissions, test whether financial counselors verified benefits and
the timing of verification.

Q5. Do you agree with the audit team’s conclusion that the only significant areas of concern
in ITGCs are access security and change management? Please explain why other areas of
general controls do or do not present significant risks. Explanations should include a
discussion of the strengths and weaknesses of existing controls.

The audit team concluded that the only significant areas of concern in ITGCs are access security
and change management. This conclusion was based on the team's assessment of the risks and
controls related to ITGCs. Access security is important because unauthorized access could affect
data integrity and security. The existing controls, such as authentication processes and physical
safeguards, were considered strengths in mitigating these risks. Change management was also
identified as a significant area of concern because it ensures that changes to the system are
properly authorized, tested, and documented. The existing controls, including change request
procedures and approvals, were seen as strengths in managing these risks. Other areas of general
controls were not mentioned as presenting significant risks in the given document. Therefore, it
can be inferred that the audit team did not identify any significant risks or weaknesses in those
areas.

Q6. (Optional) Assess the overall risk of the billing and collection process, taking into
consideration your answers to the previous questions. In your report’s concluding section,
you must include a statement explicitly stating your overall risk assessment. Please attach
your completed version of case Exhibit 7.

Overall Risk Assessment of the Billing and Collection Process

Based on the information provided in the document, the overall risk assessment of the billing and
collection process can be considered as significant. The document highlights the potential risks
related to incorrect billing, fraud, and other factors that can lead to loss of revenues. It also
mentions the need for better security processes to mitigate these risks and ensure compliance
with various regulations such as HIPAA, the Gramm-Leach-Bliley Act, and the Sarbanes-Oxley
Act of 2002.

To mitigate these risks, the document suggests implementing controls such as automatic charging
of patient accounts for dispensed medications, reconciliation of patient charts with charges,
timely updating of edit routines for claims processing, and periodic testing of the write-off
process.

However, it is important to note that the document does not provide specific details on the
frequency or magnitude of these risks, making it difficult to provide a precise quantitative
assessment of the overall risk. Nevertheless, considering the potential impact on revenues,
patient satisfaction, and compliance with regulations like HIPAA, it is advisable for the
organization to prioritize the implementation of effective controls to mitigate these risks.

In conclusion, while the document does not explicitly state the overall risk assessment, the
information provided suggests that the billing and collection process carries significant risks that
need to be addressed through the implementation of appropriate controls.

Q7. What course(s) of action do you recommend Nelson take, based on your analysis of
identified risks and suggested controls?

Based on the analysis of identified risks and suggested controls, I recommend that Nelson take
the following courses of action:

1. Implement the identified controls as soon as possible: Nelson should prioritize the
implementation of the controls identified by the team to mitigate the risks associated with
the billing and collection process. This will help ensure the accuracy of financial
information and reduce the potential for incorrect billing, fraud, and other factors.
2. Conduct regular audits: Nelson should plan and complete audits to identify inadequate,
inefficient, or ineffective internal controls. These audits will help ensure the accuracy of
financial information, especially revenues and receivables, and identify any areas where
controls need to be strengthened.
3. Monitor and evaluate information security and privacy: Nelson should evaluate
information security, privacy, and associated exposures related to HIPAA compliance.
This will help ensure that Midwest is in compliance with HIPAA regulations and protect
the confidentiality and integrity of patient information.
4. Test the operating effectiveness of controls: Nelson should ensure that controls are
operating as designed by conducting tests to assess their effectiveness. This will help
verify that the controls are functioning properly and achieving their intended objectives.
5. Collaborate with IS compliance and other personnel: Nelson should work in cooperation
with IS compliance and other personnel to conduct a HIPAA Security Rule
Administrative Safeguards audit. This collaborative effort will help ensure that Midwest
is meeting the necessary security requirements to protect patient information.

By taking these actions, Nelson can strengthen the controls in place, mitigate risks, and ensure
compliance with relevant regulations, ultimately improving patient satisfaction and reducing the
loss of revenues due to incorrect billing, fraud, and other factors.
