
Audit of Information Systems General and Application Controls at Wellmark Inc. BlueCross and BlueShield

Published by the Office of Personnel Management, Office of Inspector General on 2016-06-17.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

              U.S. OFFICE OF PERSONNEL
                    MANAGEMENT
          OFFICE OF THE INSPECTOR GENERAL
                   OFFICE OF AUDITS




               Final Audit Report

           AUDIT OF INFORMATION SYSTEMS GENERAL AND
                    APPLICATION CONTROLS AT
                         WELLMARK INC.
                  BLUE CROSS AND BLUE SHIELD

                                            Report Number 1A-10-31-15-058
                                                    June 17, 2016


                                                            -- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audit program. This audit report may
contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of
Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised
before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
EXECUTIVE SUMMARY

Audit of Information Systems General and Application Controls at
Wellmark Inc. Blue Cross and Blue Shield

Report No. 1A-10-31-15-058                                          June 17, 2016

Why Did We Conduct the Audit?

The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of Federal Employees Health Benefits Plan (FEHBP) data processed and maintained in
the Wellmark Inc. Blue Cross and Blue Shield (Wellmark) information technology (IT) environment.

What Did We Audit?

The scope of this audit centered on the information systems used by Wellmark to process medical
insurance claims for FEHBP members, with a primary focus on the claims adjudication applications.

What Did We Find?

Our audit identified several minor control weaknesses where Wellmark could implement additional
IT security controls or improve upon existing controls. However, we do not believe that these
issues are indicative of systemic control problems, and we conclude that Wellmark generally has
a comprehensive and mature IT security program in place. Specifically, we determined that:

- Wellmark has established an adequate security management program.
- Wellmark has implemented controls to prevent unauthorized physical access to its facilities,
  as well as logical controls to protect sensitive information.
- Wellmark has implemented an incident response and network security program. However,
  Wellmark does not have an adequate methodology in place to ensure that unsupported or
  out-of-date software is not utilized.
- Wellmark has implemented a configuration management program with documented program and
  change management policies including baseline standards for operating platforms.
- Wellmark has established a risk based contingency planning program including multiple plans
  and regular testing of its plans.
- The systems used to process FEHBP claims for Wellmark had edits in place to catch many of our
  test claims, but could potentially benefit from additional controls related to medical edits
  and patient history.

 _______________________
 Michael R. Esser
 Assistant Inspector General
 for Audits
                          ABBREVIATIONS

the Act           The Federal Employees Health Benefits Act
the Association   Blue Cross Blue Shield Association
BCBS              Blue Cross Blue Shield
BCBSA             Blue Cross Blue Shield Association
CFR               Code of Federal Regulations
DO                Director’s Office
FEHBP             Federal Employees Health Benefits Plan
FEP               Federal Employee Program
FISCAM            Federal Information Systems Control Audit Manual
GAO               U.S. Government Accountability Office
IT                Information Technology
NIST SP           National Institute of Standards and Technology’s Special Publication
OIG               Office of the Inspector General
OMB               U.S. Office of Management and Budget
OPM               U.S. Office of Personnel Management
The Plan          Wellmark Inc. Blue Cross and Blue Shield
Wellmark          Wellmark Inc. Blue Cross and Blue Shield




          TABLE OF CONTENTS

         EXECUTIVE SUMMARY

         ABBREVIATIONS

  I.     BACKGROUND

  II.    OBJECTIVES, SCOPE, AND METHODOLOGY

  III.   AUDIT FINDINGS AND RECOMMENDATIONS

         A. Security Management
         B. Access Controls
         C. Network Security
         D. Configuration Management
         E. Contingency Planning
         F. Claims Adjudication

  IV.    MAJOR CONTRIBUTORS TO THIS REPORT

         APPENDIX: Wellmark Inc. Blue Cross and Blue Shield’s March 2, 2016 response to
                   the Draft Audit Report, issued January 8, 2016.

         REPORT FRAUD, WASTE, AND MISMANAGEMENT

I. BACKGROUND

This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims by Wellmark, Inc. Blue Cross and
Blue Shield (Wellmark).

The audit was conducted pursuant to FEHBP contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code
of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office
of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.

The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.

The Blue Cross Blue Shield Association (the Association), on behalf of participating Blue Cross
and Blue Shield (BCBS) plans, has entered into a Government-wide Service Benefit Plan
contract (CS 1039) with OPM to provide a health benefit plan authorized by the FEHB Act. The
Association delegates authority to participating local BCBS plans throughout the United States,
such as Wellmark, to process the health benefit claims of its federal subscribers.

The Association has established a Federal Employee Program (FEP) [1] Director’s Office (DO) in
Washington, D.C. to provide centralized management for the Service Benefit Plan. The FEP DO
coordinates the administration of the contract with the Association, member BCBS plans, and
OPM.

All Wellmark personnel that worked with the auditors were helpful and open to ideas and
suggestions. They viewed the audit as an opportunity to examine practices and to make changes
or improvements as necessary. Their positive attitude and helpfulness throughout the audit was
greatly appreciated.



[1] Throughout this report, when we refer to “FEP”, we are referring to the Service Benefit Plan
lines of business at Wellmark. When we refer to the “FEHBP”, we are referring to the program that
provides health benefits to federal employees.
II. OBJECTIVES, SCOPE, AND METHODOLOGY

 Objectives

 The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
 availability of FEHBP data processed and maintained in Wellmark’s information technology (IT)
 environment. We accomplished these objectives by reviewing the following areas:

 - Security management;
 - Access controls;
 - Network security;
 - Configuration management;
 - Contingency planning; and
 - Application controls specific to Wellmark’s claims processing systems.


 Scope and Methodology

 This performance audit was conducted in accordance with generally accepted government
 auditing standards issued by the Comptroller General of the United States. Accordingly, we
 obtained an understanding of Wellmark’s internal controls through interviews and observations,
 as well as inspection of various documents, including IT and other related organizational policies
 and procedures. This understanding of Wellmark’s internal controls was used in planning the
 audit by determining the extent of compliance testing and other auditing procedures necessary to
 verify that the internal controls were properly designed, placed in operation, and effective.

 The scope of this audit centered on the information systems used by Wellmark to process
 medical insurance claims for FEHBP members, with a primary focus on the claims adjudication
 process. Wellmark processes FEP claims through both a local claims system maintained by
 Wellmark and through FEP Direct, the Association’s nation-wide claims adjudication system.
 The business processes reviewed are primarily located in Wellmark’s Des Moines, Iowa facility.

 The on-site portion of this audit was performed in July and August of 2015. We completed
 additional audit work before and after the on-site visit at our office in Washington, D.C. The
 findings, recommendations, and conclusions outlined in this report are based on the status of
 information system general and application controls in place at Wellmark as of November 2015.

 In conducting our audit, we relied to varying degrees on computer-generated data provided by
 Wellmark. Due to time constraints, we did not verify the reliability of the data used to complete
 some of our audit steps but we determined that it was adequate to achieve our audit objectives.
 However, when our objective was to assess computer-generated data, we completed audit steps
 necessary to obtain evidence that the data was valid and reliable.


In conducting this review we:

- Gathered documentation and conducted interviews;
- Reviewed Wellmark’s business structure and environment;
- Performed a risk assessment of Wellmark’s information systems environment and applications,
  and prepared an audit program based on the assessment and the U.S. Government Accountability
  Office’s (GAO) Federal Information System Controls Audit Manual (FISCAM); and
- Conducted various compliance tests to determine the extent to which established controls and
  procedures are functioning as intended. As appropriate, we used judgmental sampling in
  completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating Wellmark’s
control structure. These criteria include, but are not limited to, the following publications:

- Title 48 of the Code of Federal Regulations;
- U.S. Office of Management and Budget (OMB) Circular A-130, Appendix III;
- OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally
  Identifiable Information;
- COBIT 5: A Business Framework for the Governance and Management of Enterprise IT;
- GAO’s FISCAM;
- National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
  Introduction to Computer Security: The NIST Handbook;
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
  Technology Systems;
- NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments;
- NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems;
- NIST SP 800-41, Revision 1, Guidelines on Firewalls and Firewall Policy;
- NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems
  and Organizations; and
- NIST SP 800-61, Revision 2, Computer Security Incident Handling Guide.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether Wellmark’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
Wellmark was not in complete compliance with all standards as described in the “Audit Findings
and Recommendations” section of this report.



III. AUDIT FINDINGS AND RECOMMENDATIONS

A. Security Management

   The security management component of this audit involved an examination of the policies and
   procedures that are the foundation of Wellmark’s overall IT security controls. We evaluated
   Wellmark’s ability to develop security policies, manage risk, assign security-related
   responsibility, and monitor the effectiveness of various system-related controls.

   Wellmark maintains a series of thorough IT security policies and procedures.

   Wellmark has implemented a series of formal policies and procedures that comprise its security
   management program. Wellmark has also developed an adequate risk management methodology
   that allows it to document, track, and mitigate or accept identified risks in a timely manner. We
   also reviewed Wellmark’s human resources policies and procedures related to hiring, training,
   transferring, and terminating employees.

   Nothing came to our attention to indicate that Wellmark has not implemented adequate controls
   regarding security management.

B. Access Controls

   Access controls are the policies, procedures, and techniques used to prevent or detect
   unauthorized physical or logical access to sensitive resources.

   We examined the physical access controls of Wellmark’s facilities and data centers located in
   Des Moines and [redacted], as well as a contractor data center located in [redacted]. We
   also examined the logical controls protecting sensitive data in Wellmark’s network environment
   and applications.

   The access controls observed during this audit include, but are not limited to:

   - Procedures for appropriately granting physical access to facilities and data centers;
   - Strong environmental controls over the data centers; and
   - Controls to monitor and filter email and Internet activity.

   The following sections document opportunities for improvement related to Wellmark’s physical
   and logical access controls.
1) Facility Access Controls

   Wellmark facilities contain turnstile access controls with electronic access card readers to
   control physical access. However, there is one auxiliary entrance at the main facility that
   only requires badge access without any piggybacking detection or prevention controls. The
   doorway leads to the claims scanning area that is used for the temporary storage of unsecured
   claims.

   We expect all FEHBP contractors to have some form of technical or physical control to
   detect or prevent piggybacking (e.g., turnstiles, piggybacking alarms, etc.) at all access
   points.

   Failure to implement adequate physical access controls increases the risk that unauthorized
   individuals can gain access to confidential data. NIST SP 800-53, Revision 4, provides
   guidance for adequately controlling physical access to information systems containing
   sensitive data.

   Recommendation 1

   We recommend that Wellmark implement some form of piggybacking controls at all facility
   entry points.

   Wellmark Response:

   “[Wellmark Inc. Blue Cross and Blue Shield (The Plan)] agrees with the recommendation.
   Implementation of piggybacking controls at the door in question will be completed by
   March 18, 2016.”

   OIG Comment:

   Evidence was provided in response to the draft audit report that indicates that Wellmark has
   implemented the recommended piggybacking controls; no further action is required.

2) Physical Access Recertification

   Wellmark’s process for removing physical access to its facilities for terminated employees
   requires managers to notify the physical security department with the individual’s expected
   termination date. On a monthly basis, lists of all employees with active access to secure
   areas are sent to the manager responsible for those areas for validation. The managers are
   required to respond regardless of whether there is a discrepancy in the list or not.



   However, our test work determined that Wellmark’s existing procedures to remove
   terminated individuals from access lists could be improved. We compared a list of
   employees listed as having access to facilities to a list of employees that were terminated in
   the last year, and discovered that multiple employees remained on the access lists well after
   their termination dates. Our test work did not identify the cause of this problem, but did
   reveal that Wellmark’s procedures for initial access removal and also the subsequent
   validation process are not fully successful. Wellmark should analyze this process further in
   an effort to determine the root cause of the issues we identified.

   NIST SP 800-53, Revision 4, states that an organization must review and analyze system
   audit records for indications of inappropriate or unusual activity. Failure to remove
   terminated users’ physical access, and to audit access lists for such users, increases the
   risk that a terminated employee could enter a facility and steal, modify, or delete
   sensitive and proprietary information.
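   The comparison behind this finding (an active badge list checked against HR termination
   records) is simple to automate, and running it on the same monthly cycle as the manager
   validation would surface stale entries before an auditor does. The following is an added
   example written for this page, not code from the OIG report or from Wellmark; the one-day
   removal SLA, the record layouts, and every employee, area and manager name are constructed for
   illustration.

```python
"""Reconcile an active physical-access list against HR termination records.

Added example for this page, not code from the OIG report or Wellmark.
The removal SLA, record layouts and every record below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed policy: badge access must be gone within this many days of the
# termination date. Older entries are control failures, not a backlog.
REMOVAL_SLA_DAYS = 1


@dataclass(frozen=True)
class AccessRecord:
    employee_id: str
    area: str          # secure area the badge opens
    area_manager: str  # manager who validates this area's monthly list


@dataclass(frozen=True)
class Termination:
    employee_id: str
    terminated_on: date


@dataclass(frozen=True)
class StaleAccess:
    employee_id: str
    area: str
    area_manager: str
    days_past_termination: int


def _norm(employee_id: str) -> str:
    # Badge-system exports and HR feeds rarely agree on case or padding;
    # reconciling on the raw strings silently misses real matches.
    return employee_id.strip().upper()


def find_stale_access(access_list, terminations, as_of):
    """Return active access entries for employees terminated more than
    REMOVAL_SLA_DAYS before as_of, most overdue first."""
    term_dates = {_norm(t.employee_id): t.terminated_on for t in terminations}
    stale = []
    for rec in access_list:
        emp = _norm(rec.employee_id)
        terminated_on = term_dates.get(emp)
        if terminated_on is None:
            continue  # not in the termination feed: still employed
        overdue = (as_of - terminated_on).days
        if overdue > REMOVAL_SLA_DAYS:
            stale.append(StaleAccess(emp, rec.area, rec.area_manager, overdue))
    return sorted(stale, key=lambda s: -s.days_past_termination)


def recertification_packets(access_list, terminations, as_of):
    """Group stale entries by the manager who owns each area, matching the
    monthly validation lists described in the finding."""
    packets = defaultdict(list)
    for entry in find_stale_access(access_list, terminations, as_of):
        packets[entry.area_manager].append(entry)
    return dict(packets)


# Constructed sample data (not Wellmark's): a badge-system export and the
# HR termination feed for the same period.
ACCESS_LIST = [
    AccessRecord("E100", "Claims scanning", "mgr.ops"),
    AccessRecord("E200", "Data center raised floor", "mgr.dc"),
    AccessRecord("e200 ", "Claims scanning", "mgr.ops"),  # same person, sloppy export
    AccessRecord("E300", "Data center raised floor", "mgr.dc"),
    AccessRecord("E400", "Claims scanning", "mgr.ops"),
]
TERMINATIONS = [
    Termination("E200", date(2015, 8, 14)),   # left months ago, badge still active
    Termination("E300", date(2015, 11, 30)),  # left today: within the removal SLA
    Termination("E500", date(2015, 6, 1)),    # no active badge: removal worked
]
AS_OF = date(2015, 11, 30)

if __name__ == "__main__":
    for manager, entries in recertification_packets(ACCESS_LIST, TERMINATIONS, AS_OF).items():
        print(f"{manager}: review {len(entries)} stale entr{'y' if len(entries) == 1 else 'ies'}")
        for e in entries:
            print(f"  {e.employee_id} still has {e.area!r} access "
                  f"{e.days_past_termination} days after termination")
```

   Two design points matter more than the loop itself: the identifier normalisation, because a
   badge system and an HR system seldom format employee numbers identically and an unnormalised
   join is the usual reason such reviews miss people; and the SLA threshold, which separates a
   removal that is simply in progress from one that has failed and needs a root-cause review of
   the kind Recommendation 2 asks for.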

   Recommendation 2

   We recommend Wellmark analyze its process for routinely auditing all active access lists to
   determine why individuals are remaining on access lists well after their termination dates.
   Subsequent action should be taken to address any problems identified in this analysis.

   Wellmark Response:

   “The Plan agrees with the recommendation. The Standard Operating Procedures related
   to terminations have been enhanced.”

   OIG Comment:

   Evidence was provided in response to the draft audit report that indicates that Wellmark has
   enhanced their procedures for auditing physical access lists; no further action is required.

   Wellmark has enhanced its physical access controls to adequately secure its facilities and
   resources.

3) Data Center Access Controls

   The main entrance to the raised floor area of Wellmark’s primary data center is protected by
   a door that requires three-factor authentication to open. However, an auxiliary door to the
   raised floor area requires only single-factor authentication via electronic access card. The
   space accessible by this auxiliary door is segregated from the rest of the data center by a
   chain link fence, but the area does contain servers that process sensitive data, and it also has
   logical and physical network connections to the main data center area.




      We expect all FEHBP contractors to require multifactor authentication (e.g., cipher lock or
      biometric device in addition to an access card) at all data center entrances, and some form of
      technical or physical control to detect or prevent piggybacking (e.g., turnstiles, piggybacking
      alarms, two door “man traps”, etc.).

      NIST SP 800-53, Revision 4, provides guidance for adequately controlling physical access to
      information systems containing sensitive data.

      Failure to implement adequate physical access controls increases the risk that unauthorized
      individuals can gain access to sensitive IT resources and confidential data they contain.

      Recommendation 3

      We recommend Wellmark reassess the physical access controls at its primary data center and
      implement multi-factor authentication and piggybacking prevention controls at all entrances.

      Wellmark Response:

      “The Plan agrees with the recommendation. Multi-factor authentication has been
      implemented at the primary data center and piggybacking prevention will be implemented
      by March 18, 2016.”

      OIG Comment:

      Evidence was provided in response to the draft audit report that indicates that Wellmark has
      implemented the recommended physical access controls; no further action is required.

C. Network Security

   Network security includes the policies and controls used to prevent or monitor unauthorized
   access, misuse, modification, or denial of a computer network and network-accessible resources.

   We evaluated Wellmark’s incident response and network security program and reviewed the
   results of historical automated vulnerability scans performed by Wellmark. Additionally, we
   worked with Wellmark employees to independently perform automated vulnerability scans on a
   sample of servers, databases, and user workstations.




1) Vulnerabilities Identified in Automated Scans

   The specific vulnerabilities that we identified in our scans will not be detailed in this report,
   but the issues we identified are summarized at a high level below.

   System Patching

   Wellmark has documented patch management policies and procedures. However, our scans
   detected several instances where computer servers were missing at least one critical patch or
   service pack older than the grace period allowed by Wellmark’s policy. Wellmark did
   provide evidence indicating that it was previously aware of these missing patches. However,
   Wellmark does not have a process to formally document its acceptance of risk for non-
   compliant systems. Such a process would allow Wellmark to better track and periodically
   reassess systems with missing patches, decreasing the risk of unpatched vulnerabilities being
   exploited.

   NIST SP 800-53, Revision 4, states that the organization must identify, report, and correct
   information system flaws and install security-relevant software and firmware updates
   promptly.

   Recommendation 4

   We recommend Wellmark update its patch management policy to require the formal
   acceptance of risk for any systems that are not compliant with the policy. This
   documentation should be regularly reviewed to determine whether there is an ongoing need
   to keep these patches uninstalled.

   Wellmark Response:

   “The Plan agrees with the recommendation. The patch management policy has been enhanced to
   include a formal patch management exception analysis, documentation, approval, tracking, and
   periodic review.”

   Wellmark has enhanced its patch management policy to include exception tracking and approval.




OIG Comment:

Evidence was provided in response to the draft audit report that indicates that Wellmark has
sufficiently updated its patch management policy; no further action is required.

Noncurrent Software

The results of the vulnerability scans indicated that several servers contained noncurrent
software applications that were no longer supported by the vendors, and have known security
vulnerabilities. Wellmark did provide evidence indicating that it was previously aware of the
unsupported software. However, no evidence has been provided that Wellmark has
documented a formal risk acceptance or that it had immediate plans to phase out this
software.

FISCAM states that “Procedures should ensure that only current software releases are
installed in information systems. Noncurrent software may be vulnerable to malicious code
such as viruses and worms.”

Failure to promptly remove outdated software increases the risk of a successful malicious
attack on the information system.

Recommendation 5

We recommend that Wellmark implement a formal software lifecycle management
methodology to ensure that only current and supported versions of system software are
installed on the production servers.

Wellmark Response:

“The Plan agrees with the recommendation. By May 15, 2016, the existing formal
technology standard will be enhanced to define that only supported versions of system
software are installed on production servers and a formal variance process will be
developed that includes the exception documentation, approval, and periodic review. The
identified noncurrent software applications will be removed, upgraded, or have a
documented variance by April 1, 2016.”




      OIG Comment:

      As part of the audit resolution process, we recommend that Wellmark provide OPM’s
      Healthcare and Insurance Office with evidence that it has adequately implemented this
      recommendation. This statement also applies to all subsequent recommendations in this
      report that Wellmark agrees to implement.
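   Recommendations 4 and 5 turn on the same control: a scan finding that is out of policy,
   whether a patch older than the grace period or software past vendor support, must either be
   remediated or carry a documented, approved and periodically re-reviewed risk acceptance, so
   that "we knew about it" is backed by a record with an owner and an expiry date. The following
   added example, written for this page and not code from the OIG report or from Wellmark,
   evaluates constructed scan findings against such an acceptance register; the 30-day grace
   period, the record layouts, the host names, patch identifiers and product names are all
   assumptions.

```python
"""Evaluate scan findings against a patch grace period and an end-of-support
rule, honouring documented, unexpired risk acceptances.

Added example for this page, not code from the OIG report or Wellmark. The
30-day grace period, the record layouts, host names, patch identifiers and
product names are all assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

PATCH_GRACE_DAYS = 30  # assumed policy value; the report does not state Wellmark's

MISSING_PATCH = "missing_patch"
UNSUPPORTED = "unsupported_software"


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # MISSING_PATCH or UNSUPPORTED
    item: str    # patch identifier or product name
    since: date  # patch release date, or vendor end-of-support date


@dataclass(frozen=True)
class RiskAcceptance:
    host: str
    item: str
    approved_by: str
    expires: date  # forces the periodic re-review the recommendations ask for


@dataclass(frozen=True)
class Verdict:
    host: str
    item: str
    status: str  # compliant | accepted | needs_action | exception_expired
    detail: str


def evaluate(findings, acceptances, as_of):
    """Classify each finding as of a given date.

    A missing patch is compliant while younger than the grace period; after
    that it needs a documented, unexpired acceptance. Unsupported software
    gets no grace period once the end-of-support date has passed; a future
    end-of-support date is reported as compliant so the owner can plan.
    """
    register = {(a.host, a.item): a for a in acceptances}
    verdicts = []
    for f in findings:
        if f.kind not in (MISSING_PATCH, UNSUPPORTED):
            raise ValueError(f"unknown finding kind {f.kind!r} on {f.host}")
        age = (as_of - f.since).days
        if f.kind == MISSING_PATCH and age <= PATCH_GRACE_DAYS:
            verdicts.append(Verdict(f.host, f.item, "compliant",
                f"patch is {age} days old, within the {PATCH_GRACE_DAYS}-day grace period"))
            continue
        if f.kind == UNSUPPORTED and age < 0:
            verdicts.append(Verdict(f.host, f.item, "compliant",
                f"vendor support ends {f.since.isoformat()}; schedule the upgrade now"))
            continue
        acceptance = register.get((f.host, f.item))
        if acceptance is None:
            verdicts.append(Verdict(f.host, f.item, "needs_action",
                "out of policy with no documented risk acceptance"))
        elif acceptance.expires < as_of:
            verdicts.append(Verdict(f.host, f.item, "exception_expired",
                f"acceptance by {acceptance.approved_by} expired "
                f"{acceptance.expires.isoformat()}; re-review required"))
        else:
            verdicts.append(Verdict(f.host, f.item, "accepted",
                f"accepted by {acceptance.approved_by} until {acceptance.expires.isoformat()}"))
    return verdicts


def needs_attention(verdicts):
    """The subset a patch manager has to act on this cycle."""
    return [v for v in verdicts if v.status in ("needs_action", "exception_expired")]


# Constructed sample data (not from Wellmark's scans).
AS_OF = date(2015, 11, 15)
FINDINGS = [
    Finding("claims-app-01", MISSING_PATCH, "KB-0001", date(2015, 11, 1)),
    Finding("claims-db-01", MISSING_PATCH, "KB-0002", date(2015, 7, 1)),
    Finding("fep-gw-02", MISSING_PATCH, "KB-0003", date(2015, 6, 1)),
    Finding("legacy-edi-01", UNSUPPORTED, "EDI translator 4.2", date(2014, 12, 31)),
    Finding("legacy-edi-02", UNSUPPORTED, "EDI translator 5.0", date(2016, 3, 1)),
]
ACCEPTANCES = [
    RiskAcceptance("fep-gw-02", "KB-0003", "ciso", date(2016, 1, 31)),
    RiskAcceptance("legacy-edi-01", "EDI translator 4.2", "ciso", date(2015, 9, 30)),
]

if __name__ == "__main__":
    for v in evaluate(FINDINGS, ACCEPTANCES, AS_OF):
        print(f"{v.host:14} {v.item:20} {v.status:17} {v.detail}")
```

   The expiry date is the part that makes the register an exception process rather than a
   permanent allow-list: an acceptance that has lapsed is reported separately from a finding
   that was never reviewed, because the first needs a re-decision by the approver while the
   second needs an owner. Keying the register on host and item, rather than on the item alone,
   keeps one approved exception from silently covering every server that later turns up with
   the same gap.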

D. Configuration Management

   Configuration management consists of the policies and procedures used to ensure systems are
   configured according to approved risk-based configuration controls.

   We evaluated Wellmark’s configuration management program as it relates to the operating
   systems that support the processing of FEP claims, and determined that the following controls
   were in place:

   - Documented corporate configuration policy;
   - Documented baseline configurations for all operating systems; and
   - Thorough change management procedures for system software and hardware.

   Nothing came to our attention to indicate that Wellmark has not implemented adequate controls
   regarding operating system configuration management.


E. Contingency Planning

   We reviewed the following elements of Wellmark’s contingency planning program to
   determine whether controls were in place to prevent or minimize interruptions to business
   operations when disastrous events occur:
   - Disaster recovery plan;
   - Disaster recovery plan tests;
   - Business continuity plan; and
   - Emergency response procedures.

   Wellmark has documented contingency plans that are tested regularly.

   We determined that the service continuity documentation contained the critical elements
   suggested by NIST SP 800-34, Revision 1. Wellmark has identified and prioritized the systems
   and resources that are critical to business operations, and has developed detailed procedures to
   recover those systems and resources.

   Wellmark routinely tests both the disaster recovery and business continuity plans. The testing
   includes various functional and table top tests that result in recommendations for improving the
   plans.


   Nothing came to our attention to indicate that Wellmark has not implemented adequate controls
   regarding the contingency planning process.

F. Claims Adjudication

   The following sections detail our review of the applications and business processes supporting
   Wellmark’s claims adjudication process. Wellmark processes all FEP claims through its local
   claims processing system and then through the Association’s FEP Direct nationwide claims
   adjudication system.

   1) Application Configuration Management

      We evaluated the policies and procedures governing application development and change
      control of Wellmark’s claims processing systems.

      Wellmark has documented system development life cycle procedures that IT personnel
      follow during routine software modifications. All changes require approval and undergo
      testing prior to migration to the production environment.

      Nothing came to our attention to indicate that Wellmark has not implemented adequate
      controls regarding the application configuration management process.

   2) Claims Processing System

      We evaluated the policies and procedures governing input, processing, and output controls
      associated with Wellmark’s claims processing system.

      Wellmark has documented procedures for its claims adjudication process to control the
      proper input, processing, and output of FEHBP claims. Additionally, there is an extensive
      quality assurance process in place to ensure accuracy at each step of claims processing.

      Nothing came to our attention to indicate that Wellmark has not implemented adequate
      controls regarding the claims processing system.

   3) Debarment

      Wellmark has adequate procedures for updating its claims system with debarred provider
      information. Wellmark receives the OPM OIG debarment list every month, makes the
      appropriate updates to the FEP Direct claims processing system, and conducts quality
      assurance reviews. Any claim submitted for a debarred provider is flagged by Wellmark to

   adjudicate through the OPM OIG debarment process to include initial notification, a 15 day
   grace period, and then denial.

   Nothing came to our attention to indicate that Wellmark has not implemented adequate
   controls regarding the debarment process.

4) Application Controls Testing

   We conducted a test of Wellmark’s claims adjudication application to validate the system’s
   processing controls. The exercise involved processing test claims designed with inherent
   flaws and evaluating the manner in which Wellmark’s system adjudicated the claims. This
   included processing the claims through FEP Direct.

   Our test results indicated that Wellmark’s system has controls and system edits in place to
   identify many of our test scenarios.

   The sections below document opportunities for improvement related to Wellmark’s claims
   application controls.

   Wellmark’s claims processing system had edits to detect many of our flawed test claims,
   but not all.

   Medical Editing

   Our claims testing exercise identified several scenarios where Wellmark’s claims processing
   system and FEP Direct failed to detect medical inconsistencies. For each of the following
   scenarios, a test claim was processed and paid without encountering any edits detecting the
   inconsistency:
    •  Invalid Place of Service (Professional) – a test claim was submitted with a procedure
       code for a lung biopsy with a place of service code for a residential substance abuse
       facility;
    •  Provider / Procedure Inconsistency (Professional) – (1) a test claim was submitted with a
       procedure code for a pericardiectomy performed by a nurse practitioner; and (2) a test
       claim was submitted with a procedure code for a partial nephrectomy performed by a
       nurse practitioner;
    •  Gender / Procedure Inconsistency (Institutional) – (1) a test claim was submitted with a
       procedure code for a vasectomy performed on a female; (2) a test claim was submitted
       with a procedure code for a biopsy of the scrotum performed on a female; and (3) a test
       claim was submitted with a procedure code for a transurethral prostatectomy performed
       on a female; and
    •  Diagnosis / Procedure Inconsistency (Professional) – (1) a test claim was submitted with
       a procedure code for a spinal manipulation with a diagnosis of a heart attack; (2) a test
       claim was submitted with a procedure code for a spinal manipulation with a diagnosis of
       a malignant neoplasm; (3) a test claim was submitted with a procedure code for a toe
       amputation with a diagnosis of a headache; and (4) a test claim was submitted with a
       procedure code for a brain lesion removal with a diagnosis of abdominal pain.

Failure to detect these medical inconsistencies increases the risk that benefits are being paid
for procedures that were not actually incurred.

The Association has an ongoing project in place related to improving the medical edits within
FEP Direct. The specific scenarios identified in this audit should be analyzed as part of that
project.

Recommendation 6

We recommend that the Association review the scenarios documented above and ensure that
they are analyzed as part of the FEP Direct medical edits project.

Wellmark Response:

“[Blue Cross Blue Shield Association (BCBSA)] reviewed FEP claims history and the
Plan reviewed Plan claims history and did not identify any of the scenarios identified
during the audit. However, BCBSA submitted a request to the FEP Policy Work Group to
review the recommended enhancements on February 25, 2016 for implementation.
BCBSA will update the Contracting Office once a decision is made on implementing the
edits.”

Patient History

Our claims testing exercise identified several scenarios where Wellmark’s claims processing
system and FEP Direct failed to consider a patient’s medical history. For each of the
following scenarios, a test claim was processed and paid without encountering any edits
detecting the inconsistency:
 •  Once Per Lifetime Procedures (Institutional) – a test claim was submitted with a
    procedure code for a hysterectomy performed on a female member and the claim
    processed and paid appropriately. A subsequent test claim with a procedure code for a
    hysterectomy was submitted for the same member and that claim also processed and
    paid; and
 •  Medical Review Claims (Institutional) – a test claim was submitted with a procedure code
    for a manually assisted delivery for a female member and the claim processed and paid
    appropriately. A subsequent test claim with a procedure code for a manually assisted
    delivery was submitted for the same member with a date of service one month after the
    initial claim and the claim processed and paid.

Failure to detect these patient history issues increases the risk that benefits are being paid for
procedures that were not actually performed.

We previously identified issues with the way in which FEP Direct analyzes a patient’s
history as part of an audit of another BCBS plan (Report No. 1A-10-49-14-021). The
specific scenarios identified in this audit should be analyzed as part of the efforts to address
that existing recommendation.
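As an added illustration (not part of the OIG report and not Wellmark’s or FEP Direct’s code), the following Python sketch implements both families of edits discussed above, the medical edits from the Medical Editing section and the patient-history edits from this section, and runs constructed test claims through them. All procedure, diagnosis, place-of-service and provider codes are placeholders, not real CPT, ICD or FEP Direct values.

```python
from dataclasses import dataclass
from datetime import date
# Constructed tables (placeholder codes, not real CPT/POS values): procedure -> allowed values of one attribute.
TABLE_EDITS = [  # (table, claim attribute checked, edit code raised)
    ({"LUNG_BIOPSY": {"HOSPITAL"}}, "place", "POS_PROCEDURE"),
    ({"PERICARDIECTOMY": {"SURGEON"}}, "provider_type", "PROVIDER_PROCEDURE"),
    ({"VASECTOMY": {"M"}, "HYSTERECTOMY": {"F"}}, "sex", "SEX_PROCEDURE"),
    ({"SPINAL_MANIPULATION": {"BACK_PAIN"}}, "diagnosis", "DIAGNOSIS_PROCEDURE"),
]
ONCE_PER_LIFETIME = {"HYSTERECTOMY"}
REPEAT_REVIEW_DAYS = {"ASSISTED_DELIVERY": 270}  # a repeat inside this window goes to medical review
@dataclass(frozen=True)
class Claim:
    member: str
    sex: str
    procedure: str
    diagnosis: str
    place: str
    provider_type: str
    service_date: date

def edit_claim(claim, paid_history):
    """Edit codes that fire for one claim ([] means it would pay); paid_history = member's paid claims."""
    hits = []
    for table, attr, code in TABLE_EDITS:  # medical edits: claim attribute vs procedure
        allowed = table.get(claim.procedure)
        if allowed and getattr(claim, attr) not in allowed:
            hits.append(code)
    # Patient-history edits: compare against what has already paid for this member.
    prior = [p for p in paid_history if p.procedure == claim.procedure]
    if claim.procedure in ONCE_PER_LIFETIME and prior:
        hits.append("ONCE_PER_LIFETIME")
    window = REPEAT_REVIEW_DAYS.get(claim.procedure)
    if window and any(abs((claim.service_date - p.service_date).days) < window for p in prior):
        hits.append("MEDICAL_REVIEW")
    return hits

def adjudicate(claims):
    """Run claims in order; a claim with no hits pays and joins the member's history. Returns one hit list per claim."""
    history, results = {}, []
    for c in claims:
        hits = edit_claim(c, history.get(c.member, []))
        if not hits:
            history.setdefault(c.member, []).append(c)
        results.append(hits)
    return results

# Constructed test claims mirroring the audit's flawed scenarios (placeholder codes).
SAMPLE_CLAIMS = [
    Claim("M1", "F", "VASECTOMY", "DX1", "HOSPITAL", "SURGEON", date(2016, 1, 5)),
    Claim("M2", "F", "HYSTERECTOMY", "DX2", "HOSPITAL", "SURGEON", date(2016, 1, 5)),
    Claim("M2", "F", "HYSTERECTOMY", "DX2", "HOSPITAL", "SURGEON", date(2016, 3, 1)),
    Claim("M3", "F", "ASSISTED_DELIVERY", "DX3", "HOSPITAL", "OB", date(2016, 1, 5)),
    Claim("M3", "F", "ASSISTED_DELIVERY", "DX3", "HOSPITAL", "OB", date(2016, 2, 5)),
]
```

Running `adjudicate(SAMPLE_CLAIMS)` flags the vasectomy on a female member, the second hysterectomy, and the delivery repeated one month later, while the first hysterectomy and first delivery pay; the ordering matters because history edits only see claims that have already paid.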

Recommendation 7

We recommend that the Association review scenarios documented above related to patient
history and ensure that they are analyzed as part of the ongoing efforts to address patient
history edits in FEP Direct.

Wellmark Response:

“BCBSA reviewed FEP claims history and the Plan reviewed Plan claims history and did
not identify any of the scenarios identified during the audit. However, BCBSA submitted a
request to the FEP Policy Work Group to review the recommended enhancements on
February 25, 2016 for implementation in the FEPExpress claims system. BCBSA will
update the Contracting Office once a decision is made on implementing the edits.”


IV. MAJOR CONTRIBUTORS TO THIS REPORT

Information Systems Audits Group

              , Lead IT Auditor
            , IT Auditor
                   , IT Auditor
               , Senior Team Leader
                , Group Chief


                                  APPENDIX 



                                                                 BlueCross BlueShield
                                                                 Association
                                                                 An Association of Independent
                                                                 Blue Cross and Blue Shield Plans
March 2, 2016
                                                                 Federal Employee Program
                                                                 1310 G Street, N.W.
                  , Group Chief                                  Washington, D.C. 20005
Information Systems Audits Group                                 202.942.1000
                                                                 Fax 202.942.1125
U.S. Office of Personnel Management
1900 E Street, Room 6400
Washington, D.C. 20415-1100

Reference: OPM DRAFT AUDIT REPORT
           Wellmark, Inc. IT Audit
           Plan Codes 140/640
           Audit Report Number 1A-10-31-15-058
           (Dated January 8, 2016)

The following represents the Plan's response to the recommendations included in the
draft report.

B. Access Controls

1. Facility Access Controls

   Recommendation 1

   We recommend that Wellmark implement some form of piggybacking controls at
   all facility entry points.

   Plan Response

   The Plan agrees with the recommendation. Implementation of piggybacking
   controls at the door in question will be completed by March 18, 2016.

2. Physical Recertification

   Recommendation 2

   We recommend Wellmark analyze its process for routinely auditing all active
   access lists to determine why individuals are remaining on access lists well after
   their termination dates. Subsequent action should be taken to address any
   problems identified in this analysis.

   Plan Response

   The Plan agrees with the recommendation. The Standard Operating Procedures related
   to terminations have been enhanced.

3. Data Center Access Controls

   Recommendation 3

   We recommend Wellmark reassess the physical access controls at its primary data
   center and implement multi-factor authentication and piggybacking prevention controls
   at all entrances.

   Plan Response

   The Plan agrees with the recommendation. Multi-factor authentication has been
   implemented at the primary data center and piggybacking prevention will be
   implemented by March 18, 2016.


C. Network Security

1. Vulnerabilities Identified in Automated Scans

   Recommendation 4

   We recommend Wellmark update its patch management policy to require the formal
   acceptance of risk for any systems that are not compliant with the policy. This
   documentation should be regularly reviewed to determine whether there is an ongoing
   need to keep these patches uninstalled.

   Plan Response

   The Plan agrees with the recommendation. The patch management policy has been
   enhanced to include a formal patch management exception analysis, documentation,
   approval, tracking, and periodic review.

   Recommendation 5

   We recommend that Wellmark implement a formal software lifecycle management
   methodology to ensure that only current and supported versions of system software are
   installed on the production servers.

   Plan Response

   The Plan agrees with the recommendation. By May 15, 2016, the existing formal
   technology standard will be enhanced to define that only supported versions of system
   software are installed on production servers and a formal variance process will be
   developed that includes the exception documentation, approval, and periodic review.

   The identified noncurrent software applications will be removed, upgraded, or have a
   documented variance by April 1, 2016.

F. Claims Adjudication

4. Application Control Testing

   Recommendation 6

   We recommend that the Association review scenarios documented above and ensure
   they are analyzed as part of the FEP Direct medical edits project.

   BCBSA Response

   BCBSA reviewed FEP claims history and the Plan reviewed Plan claims history and did
   not identify any of the scenarios identified during the audit. However, BCBSA submitted
   a request to the FEP Policy Work Group to review the recommended enhancements on
   February 25, 2016 for implementation. BCBSA will update the Contracting Office once
   a decision is made on implementing the edits.

   Recommendation 7

   We recommend that the Association review scenarios documented above related to
   patient history and ensure that they are analyzed as part of the ongoing efforts to
   address patient history edits in FEP Direct.

   BCBSA Response

   BCBSA reviewed FEP claims history and the Plan reviewed Plan claims history and did
   not identify any of the scenarios identified during the audit. However, BCBSA submitted
   a request to the FEP Policy Work Group to review the recommended enhancements on
   February 25, 2016 for implementation in the FEPExpress claims system. BCBSA will
   update the Contracting Office once a decision is made on implementing the edits.

We appreciate the opportunity to provide our response to each of the findings in this report
and request that our comments be included in their entirety and are made a part of the Final
Audit Report. If you have any questions, please contact me at                or
         at               .

Sincerely,




Managing Director, Program Assurance
cc:               , Wellmark, Inc.
           , OPM
              , FEP
             , FEP

                     Report Fraud, Waste, and Mismanagement

Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector
General staff, agency employees, and the general public. We actively solicit allegations of
any inefficient and wasteful practices, fraud, and mismanagement related to OPM programs
and operations. You can report allegations to us in several ways:

   By Internet:   http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-or-abuse

   By Phone:      Toll Free Number:        (877) 499-7295
                  Washington Metro Area:   (202) 606-2423

   By Mail:       Office of the Inspector General
                  U.S. Office of Personnel Management
                  1900 E Street, NW
                  Room 6400
                  Washington, DC 20415-1100