U.S. OFFICE OF PERSONNEL
MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS
Final Audit Report
AUDIT OF INFORMATION SYSTEMS GENERAL AND
APPLICATION CONTROLS AT
WELLMARK INC.
BLUE CROSS AND BLUE SHIELD
Report Number 1A-10-31-15-058
June 17, 2016
-- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audit program. This audit report may
contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of
Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised
before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
EXECUTIVE SUMMARY
Audit of Information Systems General and Application Controls at
Wellmark Inc. Blue Cross and Blue Shield
Report No. 1A-10-31-15-058 June 17, 2016
Why Did We Conduct the Audit? What Did We Find?
The objectives of this audit were Our audit identified several minor control weaknesses where
to evaluate controls over the Wellmark could implement additional IT security controls or improve
confidentiality, integrity, and upon existing controls. However, we do not believe that these issues
availability of Federal Employees are indicative of systemic control problems, and we conclude that
Health Benefits Plan (FEHBP) Wellmark generally has a comprehensive and mature IT security
data processed and maintained in program in place. Specifically, we determined that:
the Wellmark Inc. Blue Cross and
Blue Shield (Wellmark) Wellmark has established an adequate security management
information technology (IT) program.
environment. Wellmark has implemented controls to prevent unauthorized
physical access to its facilities, as well as logical controls to protect
What Did We Audit? sensitive information.
Wellmark has implemented an incident response and network
The scope of this audit centered on security program. However, Wellmark does not have an adequate
the information systems used by methodology in place to ensure that unsupported or out-of-date
Wellmark to process medical software is not utilized.
insurance claims for FEHBP Wellmark has implemented a configuration management program
members, with a primary focus on with documented program and change management policies
the claims adjudication applications.. including baseline standards for operating platforms.
Wellmark has established a risk based contingency planning
program including multiple plans and regular testing of its plans.
The systems used to process FEHBP claims for Wellmark had edits
in place to catch many of our test claims, but could potentially
benefit from additional controls related to medical edits and patient
history.
_______________________
Michael R. Esser
Assistant Inspector General
for Audits
i
ABBREVIATIONS
the Act The Federal Employees Health Benefits Act
the Association Blue Cross Blue Shield Association
BCBS Blue Cross Blue Shield
BCBSA Blue Cross Blue Shield Association
CFR Code of Federal Regulations
DO Director’s Office
FEHBP Federal Employees Health Benefits Plan
FEP Federal Employee Program
FISCAM Federal Information Systems Control Audit Manual
GAO U.S. Government Accountability Office
IT Information Technology
NIST SP National Institute of Standards and Technology’s Special Publication
OIG Office of the Inspector General
OMB U.S. Office of Management and Budget
OPM U.S. Office of Personnel Management
The Plan Wellmark Inc. Blue Cross and Blue Shield
Wellmark Wellmark Inc. Blue Cross and Blue Shield
ii
IV. MAJOR CONTRIBUTORS TO THIS REPORT
TABLE OF CONTENTS
Page
EXECUTIVE SUMMARY ........................................................................................ i
ABBREVIATIONS ..................................................................................................... ii
I. BACKGROUND ..........................................................................................................1
II. OBJECTIVES, SCOPE, AND METHODOLOGY ..................................................2
III. AUDIT FINDINGS AND RECOMMENDATIONS.................................................5
A. Security Management ..............................................................................................5
B. Access Controls .......................................................................................................5
C. Network Security .....................................................................................................8
D. Configuration Management ...................................................................................11
E. Contingency Planning............................................................................................11
F. Claims Adjudication ..............................................................................................12
IV. MAJOR CONTRIBUTORS TO THIS REPORT ..................................................16
APPENDIX: Wellmark Inc. Blue Cross and Blue Shield’s March 2, 2016 response to
the Draft Audit Report, issued January 8, 2016.
REPORT FRAUD, WASTE, AND MISMANAGEMENT
I. BACKGROUND
IV. MAJOR CONTRIBUTORS TO THIS REPORT
This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims by Wellmark, Inc. Blue Cross and
Blue Shield (Wellmark).
The audit was conducted pursuant to FEHBP contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code
of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office
of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.
The Blue Cross Blue Shield Association (the Association), on behalf of participating Blue Cross
and Blue Shield (BCBS) plans, has entered into a Government-wide Service Benefit Plan
contract (CS 1039) with OPM to provide a health benefit plan authorized by the FEHB Act. The
Association delegates authority to participating local BCBS plans throughout the United States,
such as Wellmark, to process the health benefit claims of its federal subscribers.
The Association has established a Federal Employee Program (FEP1) Director’s Office (DO) in
Washington, D.C. to provide centralized management for the Service Benefit Plan. The FEP DO
coordinates the administration of the contract with the Association, member BCBS plans, and
OPM.
All Wellmark personnel that worked with the auditors were helpful and open to ideas and
suggestions. They viewed the audit as an opportunity to examine practices and to make changes
or improvements as necessary. Their positive attitude and helpfulness throughout the audit was
greatly appreciated.
1
Throughout this report, when we refer to “FEP”, we are referring to the Service Benefit Plan lines of business at
Wellmark. When we refer to the “FEHBP”, we are referring to the program that provides health benefits to federal
employees.
1 Report No. 1A-10-31-15-058
II.
IV. OBJECTIVES, SCOPE, ANDTO
MAJOR CONTRIBUTORS METHODOLOGY
THIS REPORT
Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in Wellmark’s information technology (IT)
environment. We accomplished these objectives by reviewing the following areas:
Security management;
Access controls;
Network security;
Configuration management;
Contingency planning; and
Application controls specific to Wellmark’s claims processing systems.
Scope and Methodology
This performance audit was conducted in accordance with generally accepted government
auditing standards issued by the Comptroller General of the United States. Accordingly, we
obtained an understanding of Wellmark’s internal controls through interviews and observations,
as well as inspection of various documents, including IT and other related organizational policies
and procedures. This understanding of Wellmark’s internal controls was used in planning the
audit by determining the extent of compliance testing and other auditing procedures necessary to
verify that the internal controls were properly designed, placed in operation, and effective.
The scope of this audit centered on the information systems used by Wellmark to process
medical insurance claims for FEHBP members, with a primary focus on the claims adjudication
process. Wellmark processes FEP claims through both a local claims system maintained by
Wellmark and through FEP Direct, the Association’s nation-wide claims adjudication system.
The business processes reviewed are primarily located in Wellmark’s Des Moines, Iowa facility.
The on-site portion of this audit was performed in July and August of 2015. We completed
additional audit work before and after the on-site visit at our office in Washington, D.C. The
findings, recommendations, and conclusions outlined in this report are based on the status of
information system general and application controls in place at Wellmark as of November 2015.
In conducting our audit, we relied to varying degrees on computer-generated data provided by
Wellmark. Due to time constraints, we did not verify the reliability of the data used to complete
some of our audit steps but we determined that it was adequate to achieve our audit objectives.
2 Report No. 1A-10-31-15-058
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.
In conducting this review we:
Gathered documentation and conducted interviews;
Reviewed Wellmark’s business structure and environment;
Performed a risk assessment of Wellmark’s information systems environment and
applications, and prepared an audit program based on the assessment and the U.S.
Government Accountability Office’s (GAO) Federal Information System Controls Audit
Manual (FISCAM); and
Conducted various compliance tests to determine the extent to which established controls and
procedures are functioning as intended. As appropriate, we used judgmental sampling in
completing our compliance testing.
Various laws, regulations, and industry standards were used as a guide to evaluating Wellmark’s
control structure. These criteria include, but are not limited to, the following publications:
Title 48 of the Code of Federal Regulations;
U.S. Office of Management and Budget (OMB) Circular A-130, Appendix III;
OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information;
COBIT 5: A Business Framework for the Governance and Management of Enterprise IT
GAO’s FISCAM;
National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
Introduction to Computer Security: The NIST Handbook;
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
Technology Systems;
NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments;
NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems;
NIST SP 800-41, Revision 1, Guidelines on Firewalls and Firewall Policy;
NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems
and Organizations; and
NIST SP 800-61, Revision 2, Computer Security Incident Handling Guide.
Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether Wellmark’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
Wellmark was not in complete compliance with all standards as described in the “Audit Findings
and Recommendations” section of this report.
3 Report No. 1A-10-31-15-058
IV. AUDIT
III. MAJORFINDINGS
CONTRIBUTORS TO THIS REPORT
AND RECOMMENDATIONS
A. Security Management
The security management component of this audit involved an Wellmark
examination of the policies and procedures that are the foundation of maintains a series
Wellmark’s overall IT security controls. We evaluated Wellmark’s of thorough IT
ability to develop security policies, manage risk, assign security-related security policies
responsibility, and monitor the effectiveness of various system-related and procedures.
controls.
Wellmark has implemented a series of formal policies and procedures that comprise its security
management program. Wellmark has also developed an adequate risk management methodology
that allows it to document, track, and mitigate or accept identified risks in a timely manner. We
also reviewed Wellmark’s human resources policies and procedures related to hiring, training,
transferring, and terminating employees.
Nothing came to our attention to indicate that Wellmark has not implemented adequate controls
regarding security management.
B. Access Controls
Access controls are the policies, procedures, and techniques used to prevent or detect
unauthorized physical or logical access to sensitive resources.
We examined the physical access controls of Wellmark’s facilities and data centers located in
Des Moines and , as well as a contractor data center located in . We
also examined the logical controls protecting sensitive data in Wellmark’s network environment
and applications.
The access controls observed during this audit include, but are not limited to:
Procedures for appropriately granting physical access to facilities and data centers;
Strong environmental controls over the data centers; and
Controls to monitor and filter email and Internet activity.
The following sections document opportunities for improvement related to Wellmark’s physical
and logical access controls.
4 Report No. 1A-10-31-15-058
1) Facility Access Controls
Wellmark facilities contain turnstile access controls with electronic access card readers to
control physical access. However, there is one auxiliary entrance at the main facility that
only requires badge access without any piggybacking detection or prevention controls. The
doorway leads to the claims scanning area that is used for the temporary storage of unsecured
claims.
We expect all FEHBP contractors to have some form of technical or physical control to
detect or prevent piggybacking (e.g., turnstiles, piggybacking alarms, etc.) at all access
points.
Failure to implement adequate physical access controls increases the risk that unauthorized
individuals can gain access to confidential data. NIST SP 800-53, Revision 4, provides
guidance for adequately controlling physical access to information systems containing
sensitive data.
Recommendation 1
We recommend that Wellmark implement some form of piggybacking controls at all facility
entry points.
Wellmark Response:
“[Wellmark Inc. Blue Cross and Blue Shield (The Plan)] agrees with the recommendation.
Implementation of piggybacking controls at the door in question will be completed by
March 18, 2016.”
OIG Comment:
Evidence was provided in response to the draft audit report that indicates that Wellmark has
implemented the recommended piggybacking controls; no further action is required.
2) Physical Access Recertification
Wellmark’s process for removing physical access to its facilities for terminated employees
requires managers to notify the physical security department with the individual’s expected
termination date. On a monthly basis, lists of all employees with active access to secure
areas are sent to the manager responsible for those areas for validation. The managers are
required to respond regardless of whether there is a discrepancy in the list or not.
5 Report No. 1A-10-31-15-058
However, our test work determined that Wellmark’s existing procedures to remove
terminated individuals from access lists could be improved. We compared a list of
employees listed as having access to facilities to a list of employees that were terminated in
the last year, and discovered that multiple employees remained on the access lists well after
their termination dates. Our test work did not identify the cause of this problem, but did
reveal that Wellmark’s procedures for initial access removal and also the subsequent
validation process are not fully successful. Wellmark should analyze this process further in
an effort to determine the root cause of the issues we identified.
NIST SP 800-53, Revision 4, states that an organization must review and analyze system
audit records for indications of inappropriate or unusual activity. Failure to remove and audit
physical access to terminated users increases the risk that a terminated employee could enter
a facility and steal, modify, or delete sensitive and proprietary information.
Recommendation 2
We recommend Wellmark analyze its process for routinely auditing all active access lists to
determine why individuals are remaining on access lists well after their termination dates.
Subsequent action should be taken to address any problems identified in this analysis.
Wellmark Response:
“The Plan agrees with the recommendation. The Standard Operating Procedures related
to terminations have been enhanced.”
OIG Comment:
Wellmark has enhanced
its physical access
Evidence was provided in response to the draft audit report that
controls to adequately
indicates that Wellmark has enhanced their procedures for
secure its facilities and
auditing physical access lists; no further action is required.
resources.
3) Data Center Access Controls
The main entrance to the raised floor area of Wellmark’s primary data center is protected by
a door that requires three-factor authentication to open. However, an auxiliary door to the
raised floor area requires only single-factor authentication via electronic access card. The
space accessible by this auxiliary door is segregated from the rest of the data center by a
chain link fence, but the area does contain servers that process sensitive data, and it also has
logical and physical network connections to the main data center area.
6 Report No. 1A-10-31-15-058
We expect all FEHBP contractors to require multifactor authentication (e.g., cipher lock or
biometric device in addition to an access card) at all data center entrances, and some form of
technical or physical control to detect or prevent piggybacking (e.g., turnstiles, piggybacking
alarms, two door “man traps”, etc.).
NIST SP 800-53, Revision 4, provides guidance for adequately controlling physical access to
information systems containing sensitive data.
Failure to implement adequate physical access controls increases the risk that unauthorized
individuals can gain access to sensitive IT resources and confidential data they contain.
Recommendation 3
We recommend Wellmark reassess the physical access controls at its primary data center and
implement multi-factor authentication and piggybacking prevention controls at all entrances.
Wellmark Response:
“The Plan agrees with the recommendation. Multi-factor authentication has been
implemented at the primary data center and piggybacking prevention will be implemented
by March 18, 2016.”
OIG Comment:
Evidence was provided in response to the draft audit report that indicates that Wellmark has
implemented the recommended physical access controls; no further action is required.
C. Network Security
Network security includes the policies and controls used to prevent or monitor unauthorized
access, misuse, modification, or denial of a computer network and network-accessible resources.
We evaluated Wellmark’s incident response and network security program and reviewed the
results of historical automated vulnerability scans performed by Wellmark. Additionally, we
worked with Wellmark employees to independently perform automated vulnerability scans on a
sample of servers, databases, and user workstations.
7 Report No. 1A-10-31-15-058
1) Vulnerabilities Identified in Automated Scans
The specific vulnerabilities that we identified in our scans will not be detailed in this report,
but the issues we identified are summarized at a high level below.
System Patching
Wellmark has documented patch management policies and procedures. However, our scans
detected several instances where computer servers were missing at least one critical patch or
service pack older than the grace period allowed by Wellmark’s policy. Wellmark did
provide evidence indicating that it was previously aware of these missing patches. However,
Wellmark does not have a process to formally document its acceptance of risk for non-
compliant systems. Such a process would allow Wellmark to better track and periodically
reassess systems with missing patches, decreasing the risk of unpatched vulnerabilities being
exploited.
NIST SP 800-53, Revision 4, states that the organization must identify, report, and correct
information system flaws and install security-relevant software and firmware updates
promptly.
Recommendation 4
We recommend Wellmark update its patch management policy to require the formal
acceptance of risk for any systems that are not compliant with the policy. This
documentation should be regularly reviewed to determine whether there is an ongoing need
to keep these patches uninstalled.
Wellmark Response:
“The Plan agrees with the recommendation. The patch Wellmark has enhanced
management policy has been enhanced to include a formal its patch management
patch management exception analysis, documentation, policy to include exception
approval, tracking, and periodic review.” tracking and approval.
8 Report No. 1A-10-31-15-058
OIG Comment:
Evidence was provided in response to the draft audit report that indicates that Wellmark has
sufficiently updated its patch management policy; no further action is required.
Noncurrent Software
The results of the vulnerability scans indicated that several servers contained noncurrent
software applications that were no longer supported by the vendors, and have known security
vulnerabilities. Wellmark did provide evidence indicating that it was previously aware of the
unsupported software. However, no evidence has been provided that Wellmark has
documented a formal risk acceptance or that it had immediate plans to phase out this
software.
FISCAM states that “Procedures should ensure that only current software releases are
installed in information systems. Noncurrent software may be vulnerable to malicious code
such as viruses and worms.”
Failure to promptly remove outdated software increases the risk of a successful malicious
attack on the information system.
Recommendation 5
We recommend that Wellmark implement a formal software lifecycle management
methodology to ensure that only current and supported versions of system software are
installed on the production servers.
Wellmark Response:
“The Plan agrees with the recommendation. By May 15, 2016, the existing formal
technology standard will be enhanced to define that only supported versions of system
software are installed on production servers and a formal variance process will be
developed that includes the exception documentation, approval, and periodic review. The
identified noncurrent software applications will be removed, upgraded, or have a
documented variance by April 1, 2016.”
9 Report No. 1A-10-31-15-058
OIG Comment:
As part of the audit resolution process, we recommend that Wellmark provide OPM’s
Healthcare and Insurance Office with evidence that it has adequately implemented this
recommendation. This statement also applies to all subsequent recommendations in this
report to which Wellmark agrees to implement.
D. Configuration Management
Configuration management consists of the policies and procedures used to ensure systems are
configured according to approved risk-based configuration controls.
We evaluated Wellmark’s configuration management program as it relates to the operating
systems that support the processing of FEP claims, and determined that the following controls
were in place:
Documented corporate configuration policy;
Documented baseline configurations for all operating systems; and
Thorough change management procedures for system software and hardware.
Nothing came to our attention to indicate that Wellmark has not implemented adequate controls
regarding operating system configuration management.
E. Contingency Planning
We reviewed the following elements of Wellmark’s contingency planning program to
determine whether controls were in place to prevent or minimize interruptions to business
operations when disastrous events occur:
Wellmark has
Disaster recovery plan;
documented
Disaster recovery plan tests;
contingency plans
Business continuity plan; and
that are tested
Emergency response procedures.
regularly.
We determined that the service continuity documentation contained the critical elements
suggested by NIST SP 800-34, Revision 1. Wellmark has identified and prioritized the systems
and resources that are critical to business operations, and has developed detailed procedures to
recover those systems and resources.
Wellmark routinely tests both the disaster recovery and business continuity plans. The testing
includes various functional and table top tests that result in recommendations for improving the
plans.
10 Report No. 1A-10-31-15-058
Nothing came to our attention to indicate that Wellmark has not implemented adequate controls
regarding the contingency planning process.
F. Claims Adjudication
The following sections detail our review of the applications and business processes supporting
Wellmark’s claims adjudication process. Wellmark processes all FEP claims through its local
claims processing system and then through the Association’s FEP Direct nationwide claims
adjudication system.
1) Application Configuration Management
We evaluated the policies and procedures governing application development and change
control of Wellmark’s claims processing systems.
Wellmark has documented system development life cycle procedures that IT personnel
follow during routine software modifications. All changes require approval and undergo
testing prior to migration to the production environment.
Nothing came to our attention to indicate that Wellmark has not implemented adequate
controls regarding the application configuration management process.
2) Claims Processing System
We evaluated the policies and procedures governing input, processing, and output controls
associated with Wellmark’s claims processing system.
Wellmark has documented procedures for its claims adjudication process to control the
proper input, processing, and output of FEHBP claims. Additionally, there is an extensive
quality assurance process in place to ensure accuracy at each step of claims processing.
Nothing came to our attention to indicate that Wellmark has not implemented adequate
controls regarding the claims processing system.
3) Debarment
Wellmark has adequate procedures for updating its claims system with debarred provider
information. Wellmark receives the OPM OIG debarment list every month, makes the
appropriate updates to the FEP Direct claims processing system, and conducts quality
assurance reviews. Any claim submitted for a debarred provider is flagged by Wellmark to
11 Report No. 1A-10-31-15-058
adjudicate through the OPM OIG debarment process to include initial notification, a 15 day
grace period, and then denial.
Nothing came to our attention to indicate that Wellmark has not implemented adequate
controls regarding the debarment process.
4) Application Controls Testing
We conducted a test of Wellmark’s claims adjudication application to validate the system’s
processing controls. The exercise involved processing test claims designed with inherent
flaws and evaluating the manner in which Wellmark’s system adjudicated the claims. This
included processing the claims through FEP Direct.
Our test results indicated that Wellmark’s system has controls and Wellmark’s claims
system edits in place to identify many of our test scenarios. processing system
had edits to detect
The sections below document opportunities for improvement related many of our flawed
to Wellmark’s claims application controls. test claims, but not
all.
Medical Editing
Our claims testing exercise identified several scenarios where Wellmark’s claims processing
system and FEP Direct failed to detect medical inconsistencies. For each of the following
scenarios, a test claim was processed and paid without encountering any edits detecting the
inconsistency:
Invalid Place of Service (Professional) – a test claim was submitted with a procedure
code for a lung biopsy with a place of service code for a residential substance abuse
facility;
Provider / Procedure Inconsistency (Professional) – (1) a test claim was submitted with a
procedure code for a pericardiectomy performed by a nurse practitioner; and (2) a test
claim was submitted with a procedure code for a partial nephrectomy performed by a
nurse practitioner;
Gender / Procedure Inconsistency (Institutional) – (1) a test claim was submitted with a
procedure code for a vasectomy performed on a female; (2) a test claim was submitted
with a procedure code for a biopsy of the scrotum performed on a female; and (3) a test
claim was submitted with a procedure code for a transuretheral prostatectomy performed
on a female; and
Diagnosis / Procedure Inconsistency (Professional) – (1) a test claim was submitted with
a procedure code for a spinal manipulation with a diagnosis of a heart attack; (2) a test
claim was submitted with a procedure code for a spinal manipulation with a diagnosis of
12 Report No. 1A-10-31-15-058
a malignant neoplasm; (3) a test claim was submitted with a procedure code for a toe
amputation with a diagnosis of a headache; and (4) a test claim was submitted with a
procedure code for a brain lesion removal with a diagnosis of abdominal pain.
Failure to detect these medical inconsistencies increases the risk that benefits are being paid
for procedures that were not actually incurred.
The Association has an ongoing project in place related to improving the medical edits within
FEP Direct. The specific scenarios identified in this audit should be analyzed as part of that
project.
Recommendation 6
We recommend that the Association review the scenarios documented above and ensure that
they are analyzed as part of the FEP Direct medical edits project.
Wellmark Response:
“[Blue Cross Blue Shield Association (BCBSA)] reviewed FEP claims history and the
Plan reviewed Plan claims history and did not identify any of the scenarios identified
during the audit. However, BCBSA submitted a request to the FEP Policy Work Group to
review the recommended enhancements on February 25, 2016 for implementation.
BCBSA will update the Contracting Office once a decision is made on implementing the
edits.”
Patient History
Our claims testing exercise identified several scenarios where Wellmark’s claims processing
system and FEP Direct failed to consider a patient’s medical history. For each of the
following scenarios, a test claim was processed and paid without encountering any edits
detecting the inconsistency:
Once Per Lifetime Procedures (Institutional) – a test claim was submitted with a
procedure code for a hysterectomy performed on a female member and the claim
processed and paid appropriately. A subsequent test claim with a procedure code for a
hysterectomy was submitted for the same member and that claim also processed and
paid; and
Medical Review Claims (Institutional) – a test claim was submitted with a procedure code
for a manually assisted delivery for a female member and the claim processed and paid
appropriately. A subsequent test claim with a procedure code for a manually assisted
13 Report No. 1A-10-31-15-058
delivery was submitted for the same member with a date of service one month after the
initial claim and the claim processed and paid.
Failure to detect these patient history issues increases the risk that benefits are being paid for
procedures that were not actually performed.
We previously identified issues with the way in which FEP Direct analyzes a patient’s
history as part of an audit of another BCBS plan (Report No. 1A-10-49-14-021). The
specific scenarios identified in this audit should be analyzed as part of the efforts to address
that existing recommendation.
Recommendation 7
We recommend that the Association review scenarios documented above related to patient
history and ensure that they are analyzed as part of the ongoing efforts to address patient
history edits in FEP Direct.
Wellmark Response:
“BCBSA reviewed FEP claims history and the Plan reviewed Plan claims history and did
not identify any of the scenarios identified during the audit. However, BCBSA submitted a
request to the FEP Policy Work Group to review the recommended enhancements on
February 25, 2016 for implementation in the FEPExpress claims system. BCBSA will
update the Contracting Office once a decision is made on implementing the edits.”
14 Report No. 1A-10-31-15-058
IV. MAJOR CONTRIBUTORS TO THIS REPORT
Information Systems Audits Group
, Lead IT Auditor
, IT Auditor
, IT Auditor
, Senior Team Leader
, Group Chief
15 Report No. 1A-10-31-15-058
APPENDIX
BlueCross BlucShield
ociation
An Associiltloo or lndepeadc.at
Rine 1il'Oi",.'I 1md lll11 Shiriltl P111wi
March 2, 201-6
Feder:l!l Eoqlloyee Prog!"".am.
1310 GSttea:, N.W.
, Group Chief Wa.shmgto.n. D.C. 20005
lnfom1ation Systems Aud its Group ~02.942.1000
Fax 101.942 .1 U5
U.S. Office of Personnel Management
1900 E Str,eet, Room 6400
Washington, D.C. 20415~1100
Reference: OPM DRAFT AUOH REPORT
Wellmmrk, Inc. ff Audit
Plan Codes 140/640
Aud it Reip ort Number 1A-10-31-15-058
(Dated January 8, 2016)
The following represents th e Plan 's res.ponse to the recommendations included in th e
draft reporl
B. Access Controts
1. Facility Acc,e ss Control:s
Recommendation 1
W e recommend that Wellmark implement some fo rm of piggybacking con1rols at
all fa ci raty entry points .
Plan Response
The Plan agrees with the recommendation. Implementation of piggybacking
controls at the door in question will be completed by March 18, 2016.
2. Physlc.al Recenificati·o n
Recommendation 2
W e recommend Wellmark analyze its process for routinely au diting all active
access lists to detem1ine why individuals are remaining on access lists well after
th eir tem1ination dates. Subsequent action should be taken to address any
problems identift:ed in this analysis.
Report No. 1A-10-31-15-058
Plan Response
The Plan agrees with the recommendation. The Standard Operating Procedures related
to terminations have been enhanced.
3. Data Center Access Controls
Recommendation 3
We recommend Wellmark reassess the physical access controls at its primary data
center and implement multi-factor authentication and piggybacking prevention controls
at all entrances.
Plan Response
The Plan agrees with the recommendation. Multi-factor authentication has been
implemented at the primary data center and piggybacking prevention will be
implemented by March 18, 2016.
C. Network Security
1. Vulnerabilities Identified in Automated Scans
Recommendation 4
We recommend Wellmark update its patch management policy to require the formal
acceptance of risk for any systems that are not compliant with the policy. This
documentation should be regularly reviewed to determine whether there is an ongoing
need to keep these patches uninstalled.
Plan Response
The Plan agrees with the recommendation. The patch management policy has been
enhanced to include a formal patch management exception analysis, documentation,
approval, tracking, and periodic review.
Recommendation 5
We recommend that Wellmark implement a formal software lifecycle management
methodology to ensure that only current and supported versions of system software are
installed on the production servers.
Plan Response
The Plan agrees with the recommendation. By May 15, 2016, the existing formal
technology standard will be enhanced to define that only supported versions of system
software are installed on production servers and a formal variance process will be
developed that includes the exception documentation, approval, and periodic review.
Report No. 1A-10-31-15-058
The identified noncurrent software applications will be removed, upgraded, or have a
documented variance by April 1, 2016.
F. Claims Adjudication
4. Application Control Testing
Recommendation 6
We recommend that the Association review scenarios documented above and ensure
they are analyzed as part of the FEP Direct medical edits project.
BCBSA Response
BCBSA reviewed FEP claims history and the Plan reviewed Plan claims history and did
not identify any of the scenarios identified during the audit. However, BCBSA submitted
a request to the FEP Policy Work Group to review the recommended enhancements on
February 25, 2016 for implementation. BCBSA will update the Contracting Office once
a decision is made on implementing the edits.
Recommendation 7
We recommend that the Association review scenarios documented above related to
patient history and ensure that they are analyzed as part of the ongoing efforts to
address patient history edits in FEP Direct.
BCBSA Response
BCBSA reviewed FEP claims history and the Plan reviewed Plan claims history and did
not identify any of the scenarios identified during the audit. However, BCBSA submitted
a request to the FEP Policy Work Group to review the recommended enhancements on
February 25, 2016 for implementation in the FEPExpress claims system. BCBSA will
update the Contracting Office once a decision is made on implementing the edits.
We appreciate the opportunity to provide our response to each of the findings in this report
and request that our comments be included in their entirety and are made a part of the Final
Audit Report. If you have any questions, please contact me at or
at .
Sincerely,
Managing Director, Program Assurance
cc: , Wellmark, Inc.
, OPM
, FEP
, FEP
Report No. 1A-10-31-15-058
Report Fraud, Waste, and
Mismanagement
Fraud, waste, and mismanagement in
Government concerns everyone: Office of
the Inspector General staff, agency
employees, and the general public. We
actively solicit allegations of any inefficient
and wasteful practices, fraud, and
mismanagement related to OPM programs
and operations. You can report allegations
to us in several ways:
By Internet: http://www.opm.gov/our-inspector-general/hotline-to-
report-fraud-waste-or-abuse
By Phone: Toll Free Number: (877) 499-7295
Washington Metro Area: (202) 606-2423
By Mail: Office of the Inspector General
U.S. Office of Personnel Management
1900 E Street, NW
Room 6400
Washington, DC 20415-1100
-- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may
contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of
Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised
before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
Audit of Information Systems General and Application Controls at Wellmark Inc. BlueCross and BlueShield
Published by the Office of Personnel Management, Office of Inspector General on 2016-06-17.
Below is a raw (and likely hideous) rendition of the original report. (PDF)