
Audit of Information Systems General And Application Controls at BlueCross BlueShield of Florida

Published by the Office of Personnel Management, Office of Inspector General on 2010-05-21.


                                                      U.S. OFFICE OF PERSONNEL MANAGEMENT
                                                                  OFFICE OF THE INSPECTOR GENERAL
                                                                                   OFFICE OF AUDITS




                                    Final Audit Report

 Subject:

                AUDIT OF INFORMATION SYSTEMS

             GENERAL AND APPLICATION CONTROLS AT

               BLUECROSS BLUESHIELD OF FLORIDA



                                             Report No. 1A-10-41-09-063

                                             Date:                 May 21, 2010




                                                         --CAUTION--
  This audit report has been distributed to Federal and Non-Federal officials who are responsible for the administration of the audited
  contract. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit
  report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be
  exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly
  distributed copy.


                        UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
                                        Washington, DC 20415


   Office of the
Inspector General


                                        Audit Report


                    FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM

                                 CONTRACT CS 1039

                          BLUECROSS BLUESHIELD OF FLORIDA

                                 PLAN CODES 090/590

                                JACKSONVILLE, FLORIDA





                                Report No. 1A-10-41-09-063


                                Date:         May 21, 2010





                                                               Michael R. Esser
                                                               Assistant Inspector General
                                                                 for Audits




        www.opm.gov                                                               www.usajobs.gov

                                           Executive Summary


This final report discusses the results of our audit of general and application controls over the
information systems at BlueCross BlueShield of Florida (BCBSFL).

Our audit focused on the claims processing applications used to adjudicate Federal Employees
Health Benefits Program (FEHBP) claims for BCBSFL, as well as the various processes and
information technology (IT) systems used to support these applications. We documented
controls in place and opportunities for improvement in each of the areas below.

Security Management
BCBSFL has established a comprehensive series of IT policies and procedures to create an
awareness of IT security at the Plan. We verified that BCBSFL's policies and procedures are
maintained on the Plan's intranet site in a manner that is easily accessible by employees.

Access Controls
We found that BCBSFL has implemented numerous physical controls to prevent unauthorized
access to its facilities, as well as logical controls to prevent unauthorized access to its
information systems. However, the logical access controls for one application critical to the
claims adjudication process could be improved. In addition, BCBSFL is analyzing the
effectiveness of its current controls related to the secure transmission of electronic data.



Configuration Management
BCBSFL has developed formal policies and procedures providing guidance to ensure that system
software is appropriately configured and updated, as well as for controlling system software
configuration changes.

Contingency Planning
We reviewed BCBSFL's business continuity plans and concluded that they contained most of the
key elements suggested by relevant guidance and publications. We also determined that these
documents are reviewed, updated, and tested on a periodic basis.

Application Controls
BCBSFL has implemented many controls in its claims adjudication process to ensure that
FEHBP claims are processed accurately. However, we recommended that BCBSFL implement
several system modifications to ensure that its claims processing systems adjudicate FEHBP
claims in a manner consistent with the OPM contract and other regulations.

Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that BCBSFL is not in compliance with
the HIPAA security, privacy, and national provider identifier regulations.




                                          Contents

                                                                                             Page
   Executive Summary                                                                            i

I.   Introduction                                                                               1

   Background                                                                                   1

   Objectives                                                                                   1

   Scope                                                                                        2

   Methodology                                                                                  2

   Compliance with Laws and Regulations                                                         3

II.  Audit Findings and Recommendations                                                         4

   A. Security Management                                                                       4

   B. Access Controls                                                                           4

   C. Configuration Management                                                                  7

   D. Contingency Planning                                                                      7

   E. Application Controls                                                                      8

   F. Health Insurance Portability and Accountability Act                                      12

III. Major Contributors to This Report                                                         14


Appendix: BlueCross BlueShield Association's February 3, 2010 response to the draft audit
report issued December 3, 2009.
                                       I. Introduction

This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims at BlueCross BlueShield of
Florida (BCBSFL or Plan).

The audit was conducted pursuant to Contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code of
Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of
Personnel Management's (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.

Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.

BCBSFL headquarters is located in Jacksonville, Florida. Employees responsible for processing
FEHBP (also, Federal Employee Program or FEP) claims are also located in Jacksonville,
Florida.

This was the OIG's second audit of general and application controls at BCBSFL. During this
audit we verified that the audit findings from the first audit, conducted in 2003, have been
closed.

All BCBSFL personnel that worked with the auditors were particularly helpful and open to ideas
and suggestions. They viewed the audit as an opportunity to examine practices and to make
changes or improvements as necessary. Their positive attitude and helpfulness throughout the
audit was greatly appreciated.

Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in BCBSFL's IT environment.
These objectives were accomplished by reviewing the following areas:
 •   Security management;
 •   Access controls;
 •   Configuration management;
 •   Segregation of duties;
 •   Contingency planning;
 •   Application controls specific to BCBSFL's claims processing systems; and
 •   Health Insurance Portability and Accountability Act (HIPAA) compliance.

Scope
This performance audit was conducted in accordance with generally accepted government
auditing standards issued by the Comptroller General of the United States. Accordingly, the OIG
obtained an understanding of BCBSFL's internal controls through interviews and observations,
as well as inspection of various documents, including information technology and other related
organizational policies and procedures. This understanding of BCBSFL's internal controls was
used in planning the audit by determining the extent of compliance testing and other auditing
procedures necessary to verify that the internal controls were properly designed, placed in
operation, and effective.

The OIG evaluated the confidentiality, integrity, and availability of BCBSFL's computer-based
information systems used to process FEHBP claims, and found that there are opportunities for
improvement in the information systems' internal controls. These areas are detailed in the
"Audit Findings and Recommendations" section of this report.

The scope of this audit centered on the claims processing systems that process FEHBP claims for
BCBSFL, as well as the business structure and control environment in which they operate.
These systems include the "Diamond" local claims processing system owned and operated by
BCBSFL, and the FEP Express system owned and operated by the BlueCross BlueShield
Association (BCBSA). BCBSFL is an independent licensee of the BCBSA.

In conducting our audit, we relied to varying degrees on computer-generated data provided by
BCBSFL. Due to time constraints, we did not verify the reliability of the data used to complete
some of our audit steps, but we determined that it was adequate to achieve our audit objectives.
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.

The audit was performed at BCBSFL offices in Jacksonville, Florida. These on-site activities
were performed in September and October 2009. The OIG completed additional audit work
before and after the on-site visits at OPM's office in Washington, D.C. The findings,
recommendations, and conclusions outlined in this report are based on the status of information
system general and application controls in place at BCBSFL as of November 6, 2009.

Methodology
In conducting this review the OIG:
• Gathered documentation and conducted interviews;
• Reviewed BCBSFL's business structure and environment;
• Performed a risk assessment of BCBSFL's information systems environment and
  applications, and prepared an audit program based on the assessment and the Government
  Accountability Office's (GAO) Federal Information System Controls Audit Manual
  (FISCAM); and
• Conducted various compliance tests to determine the extent to which established controls and
  procedures were functioning as intended. As appropriate, the auditors used judgmental
  sampling in completing their compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating BCBSFL's
control structure. These criteria include, but are not limited to, the following publications:
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• Information Technology Governance Institute's CobiT: Control Objectives for Information
  and Related Technology;
• GAO's Federal Information System Controls Audit Manual;
• National Institute of Standards and Technology's Special Publication (NIST SP) 800-12,
  Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
  Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information
  Systems;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA
  Security Rule; and
• The Health Insurance Portability and Accountability Act of 1996.

Compliance with Laws and Regulations
In conducting the audit, the OIG performed tests to determine whether BCBSFL's practices were
consistent with applicable standards. While generally compliant with respect to the items tested,
BCBSFL was not in complete compliance with all standards, as described in the "Audit Findings
and Recommendations" section of this report.





                  II. Audit Findings and Recommendations


A. Security Management
  The security management component of this audit involved the examination of the policies
  and procedures that are the foundation of BCBSFL's overall IT security controls. The OIG
  evaluated the adequacy of BCBSFL's ability to develop security policies, manage risk, assign
  security-related responsibility, and monitor the effectiveness of various system-related
  controls.

  BCBSFL has implemented a series of formal policies and procedures that comprise a
  comprehensive entity-wide security program. The Plan has organized a Policy Committee
  that has the responsibility for creating, maintaining, and routinely reviewing security-related
  policies and procedures.

  The OIG also reviewed BCBSFL's human resources policies and procedures related to the
  security aspects of hiring, training, transferring, and terminating employees. We verified that
  BCBSFL's policies and procedures are maintained on the Plan's intranet site in a manner that
  is easily accessible by employees.

B. Access Controls
   Access controls are the policies, procedures, and techniques used to prevent or detect
   unauthorized physical or logical access to sensitive resources.

   The OIG examined the physical access controls of BCBSFL's primary facilities in
   Jacksonville, Florida, as well as the additional physical and environmental controls
   protecting the Plan's data center, mail room, and check printing facilities.

   Access to all BCBSFL facilities and secure areas within those facilities is controlled by an
   electronic access card system. Card readers are located on interior and exterior doors
   throughout the buildings, and the system is capable of limiting an individual's access to the
   physical areas required by their job function.

   The OIG also examined the logical controls protecting sensitive data on BCBSFL's network
   environment and claims processing related applications. The controls documented during
   this review include, but were not limited to:
   •   Appropriate management of firewalls, remote access, and wireless access;
   •   Monitoring potential security configuration weaknesses through vulnerability testing;
   •   Procedures for controlling sensitive data transferred to portable media;
   •   Procedures for appropriately granting and disabling access to information systems;
   •   Procedures for reviewing existing system access for appropriateness;
   •   Procedures for controlling and monitoring access of privileged system users; and
   •   Procedures for appropriately removing system and physical access for terminated
       employees.





Although BCBSFL has implemented a variety of techniques to protect its IT environment,
we did document two opportunities for improvement related to access controls.

1. Authentication Controls for Scanning and Data Verification Application

   A software application critical to BCBSFL's claims adjudication process does not have
   adequate authentication controls.

   BCBSFL has contracted with [redacted] to perform its front-end claims processing
   operations. [redacted] uses an application called [redacted] to scan paper claims and
   perform optical character recognition and data verification before the claims are loaded
   into the claims adjudication system.

   The authentication controls governing access to [redacted] require [redacted].
   However, there are no additional password com[redacted]. This configuration does not
   meet the requirements of BCBSFL's Authentication Security Standard, which requires all
   passwords to maintain a history of six passwords, and [redacted].

   [redacted] acknowledged the risk associated with non-compliance with password policy at
   the application level and stated that the risk is mitigated by the inability of users to
   launch the [redacted] from an outside network and the fact that access is controlled by the
   [redacted]. However, many of BCBSFL's applications cannot be launched from outside
   the Plan's network and also require [redacted], yet these applications are still subject to
   the requirements of the Plan's Authentication Security Standard.

   [redacted] informed the OIG of its efforts to roll out additional [redacted] to several
   applications over the next year.


   Recommendation 1
   We recommend that ACS and BCBSFL continue their efforts to ensure that the
   authentication controls for all applications that process FEP data meet the requirements of
   BCBSFL's Authentication Security Standard.

   BCBSFL Response:
   "BCBSFL agrees with this recommendation. The ACS CISO Policy and Governance
   team recognizes the risks associated with non-compliance with password policy at the
   application level and is monitoring remediation efforts across the enterprise. One such
   effort involves the WebDE application in use within the BCBSFL operations. ...

   The ACS Security Engineering team is deploying a federated solution from the Novell
   Identity Management product line to provide front-end authentication to several
   internal ACS applications. This product is to be piloted in an ACS business unit using
   the WebDE application and should be rolled out to all WebDE instances over the
   course of next year. The pilot process began in September 2009 and is expected to be
   completed by the end of the calendar year. On December 16, 2009, this policy was
   amended for clarification regarding the ACS pilot group. ACS WebDE team had
   pre-determined groups they would utilize during the pilot phase. This pilot group does not
   include any of the BCBSFL SBU's. ACS anticipates the successful completion of the
   pilot phase by the end of the first quarter of 2010. Barring unforeseen technical issues,
   BCBSFL hopes to implement this solution within the SBU's by the end of Second
   Quarter of 2010."

   OIG Reply:
   As part of the audit resolution process, we recommend that BCBSFL provide OPM's
   RBO with supporting documentation detailing progress made in addressing this
   recommendation.

2. Secure Transmission of Electronic Data

   BCBSFL has implemented content filters designed to encrypt sensitive data sent via
   email or transmitted to a portable media device. However, the email filter was unable to
   detect social security numbers (SSN) that were not formatted in the traditional manner
   (###-##-####).

   BCBSFL has policies and procedures in place to manage the protection of physical and
   electronic data. The Plan has implemented controls to detect sensitive data such as SSNs
   that are transmitted to portable media or sent through email. When a transmission of
   sensitive data to a portable media device is detected, the filtering software will warn the
   user of their responsibility to protect sensitive data, and will send an alert of the
   transmission to BCBSFL's information security team. When sensitive data is sent over
   email, the filter is designed to automatically encrypt the message and send it to the
   recipient through a secure web link.

   Auditors tested these controls by attempting to move files containing valid SSNs to a
   portable media device and by sending them through emails. The filter for portable media
   devices appeared to be functioning as intended. In addition, SSNs sent via email in the
   traditional format (###-##-####) were appropriately detected and secured by the filtering
   controls. However, valid SSNs formatted without dashes (#########) were not detected
   and were transmitted in an unencrypted, insecure manner.

   HIPAA Security Standard § 164.312(e)(1) requires that Plans "implement technical
   security measures to guard against unauthorized access to electronic protected health
   information that is being transmitted over an electronic communications network."

   Recommendation 2
   We recommend that BCBSFL make the appropriate changes to its email filter settings to
   ensure that all social security numbers and other sensitive data are blocked from being
   transmitted in an insecure manner.





   BCBSFL Response:
   "BCBSFL is in the process of performing an analysis of current traffic patterns and
   preliminary results indicate that the recommended change in the email filter would
   result in primarily capturing and encrypting non-privacy related emails that include zip
   codes, addresses and phone numbers. However, the Plan will finalize its analysis of
   the results by April 30, 2010 and make appropriate enhancements as required to
   mitigate risks."

   OIG Reply:
   As part of the audit resolution process, we recommend that BCBSFL provide OPM's
   RBO with documentation detailing the final results of its analysis and any enhancements
   made to its controls related to protecting the electronic transmission of sensitive data.
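   The detection gap described in this finding (a dashed SSN caught, the same digits without
   dashes missed) and the false-positive concern raised in the Plan's response (ZIP codes and
   phone numbers) can both be seen in a small content-filter rule. The Python below is an added
   example written for this page; it is not BCBSFL's filter or any vendor's configuration, and
   the outbound messages and SSN-shaped values in it are constructed. The legacy rule matches
   only the ###-##-#### layout; the hardened rule also accepts undashed and space-separated
   layouts, but requires the separator to be used consistently and applies the Social Security
   Administration's structural rules for a valid number, so a ZIP+4, a ten-digit phone number or
   an all-zero area does not trigger encryption.

```python
import re

# Legacy rule, as the finding describes it: only the traditional ###-##-#### layout.
LEGACY_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Hardened rule: dashed, space-separated or undashed, but the separator must be used
# consistently. A mixed layout such as a ZIP+4 (#####-####) therefore never yields a
# 3-2-4 candidate, and the \b anchors keep a 10-digit phone number or a long claim
# number from being split into a 9-digit run.
CANDIDATE_SSN = re.compile(
    r"\b(?:(\d{3})-(\d{2})-(\d{4})|(\d{3}) (\d{2}) (\d{4})|(\d{3})(\d{2})(\d{4}))\b"
)


def is_structurally_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Social Security Administration structural rules: the area is never 000, 666 or
    900-999, the group is never 00 and the serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list[str]:
    """Return every structurally valid SSN in text, normalised to ###-##-####."""
    found = []
    for m in CANDIDATE_SSN.finditer(text):
        # exactly one alternative matched, so exactly three groups are non-None
        area, group, serial = [g for g in m.groups() if g is not None]
        if is_structurally_valid_ssn(area, group, serial):
            found.append(f"{area}-{group}-{serial}")
    return found


def legacy_find_ssns(text: str) -> list[str]:
    return LEGACY_SSN.findall(text)


# Constructed outbound messages for the comparison; the SSN-shaped values are synthetic.
SAMPLES = {
    "dashed":       "Member SSN 123-45-6789 attached for enrollment.",
    "undashed":     "Member SSN 123456789 attached for enrollment.",
    "spaced":       "Member SSN 123 45 6789 attached for enrollment.",
    "zip_plus4":    "Mail to 1234 Main St, Jacksonville FL 32202-1234.",
    "phone":        "Call 904-555-0123 with questions.",
    "invalid_area": "Reference 000-12-3456 is a placeholder id, not an SSN.",
    "long_digits":  "Claim number 2009123456789012 is attached.",
}


def evaluate(samples=SAMPLES) -> dict[str, tuple[bool, bool]]:
    """For each message: (flagged by the legacy rule, flagged by the hardened rule)."""
    return {name: (bool(legacy_find_ssns(t)), bool(find_ssns(t)))
            for name, t in samples.items()}


if __name__ == "__main__":
    for name, (legacy, hardened) in evaluate().items():
        print(f"{name:13s} legacy={str(legacy):5s} hardened={hardened}")
```

   Run stand-alone, the comparison shows the legacy rule missing the undashed and spaced
   forms while flagging the structurally impossible 000-12-3456, and the hardened rule
   catching all three real layouts while leaving the ZIP+4, the phone number and the long
   claim number alone. A production filter would add context scoring and a quarantine path
   on top of this, but the separator and validity checks are what keep the broader match from
   turning into the flood of encrypted address emails the Plan's analysis anticipated.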

C. Configuration Management
   BCBSFL's local claims processing system is housed in a server environment with the AIX
   operating platform.

   BCBSFL has developed formal policies and procedures providing guidance to ensure that
   system software is appropriately configured and updated, as well as for controlling system
   software configuration changes.

   The following policies and procedures were examined:
   •   Change Management Policy
   •   Vulnerability Testing Procedures
   •   Vulnerability Patch Management Standard
   •   AIX Configuration Security Baseline
   •   Web Server Security Standard
   •   Application Server Security Standard

   Auditors verified that these policies are being appropriately followed and did not detect any
   weaknesses in BCBSFL's configuration management methodology. We also conducted a
   limited review of the security settings of BCBSFL's AIX configuration and did not identify
   any weaknesses in the settings.

D. Contingency Planning
   The OIG reviewed BCBSFL's service continuity program to determine if (1) procedures
   were in place to protect information resources and minimize the risk of unplanned
   interruptions, and (2) a plan existed to recover critical operations should interruptions occur.

   In an effort to assess BCBSFL's contingency planning capabilities, we evaluated
   documentation related to the Plan's procedures that ensure continuity of its FEP business
   unit, including:
   •   BCBSFL's Mission Critical Employees Standard Operating Procedure;
   •   IT Disaster Recovery/Systems Continuity Standard; and
   •   Several business units' continuity plans including the claims department and check
       printing plans.

  The OIG found that each of these documents contains a majority of the key elements of a
  comprehensive service continuity program suggested by NIST SP 800-34, "Contingency
  Planning Guide for IT Systems." BCBSFL's service continuity documentation explicitly
  identifies the systems that are critical to continuing business operations, prioritizes these
  systems, and outlines the specific resources needed to support each system. Each of these
  documents is reviewed, updated, and tested regularly.

E. Application Controls
  Application Configuration Management
  The OIG evaluated the policies and procedures governing software development and change
  control of the Plan's claims processing application.

  BCBSFL has adopted a traditional system development life cycle methodology that IT
  personnel follow during routine software modifications. The Plan has also implemented a
  formal approval process for change requests. The following controls related to testing and
  approvals of software modifications were observed:
  • BCBSFL has adopted practices that allow modifications to be tracked;
  • Parallel testing and unit testing are conducted in accordance with industry standards; and
  • BCBSFL has a team dedicated to testing FEP modifications.

  The OIG also observed the following controls related to the maintenance of software
  libraries:
  • BCBSFL utilizes a "Build and Release Tool" to move the code between the segregated
    libraries.
  • BCBSFL clearly segregates application development and change control activities along
    organizational lines.
  • BCBSFL utilizes versioning of the source code to determine if appropriate changes are
    implemented as expected.

  Claims Processing System
  The OIG evaluated the input, processing, and output controls associated with BCBSFL's
  local claims processing system and the FEP Express system. In terms of input controls, the
  OIG documented the policies and procedures adopted by BCBSFL to help ensure that: 1)
  there are controls over the inception of claims data into the system; 2) the data received
  comes from the appropriate sources; and 3) the data is entered into the claims database
  correctly. BCBSFL's methods for reconciling processing totals against input totals and for
  evaluating the accuracy of its processes were also reviewed. Auditors also examined the
  security of physical input and output (paper claims, checks, explanations of benefits, etc.).





Application Controls Testing
To validate the claims processing controls, a testing exercise was conducted on the BCBSFL
local system and the BCBSA's FEP Express system. This test was conducted at BCBSFL's
Jacksonville, Florida facility with the assistance of BCBSFL personnel. The exercise
involved developing a test plan that included realistic situations to present to BCBSFL
personnel in the form of institutional and professional claims. All test scenarios were
processed through the BCBSFL local claims processing system, and where appropriate, the
FEP Express system. The test plan included expected results for each test case. Upon
conclusion of the testing exercise, the expected results were compared with the actual results
obtained during the exercise.

The sections below document the opportunities for improvement that were noted related to
application controls.

1. Procedure to Diagnosis Inconsistency

   Two test claims were processed where benefits were paid for a procedure associated with
   an inappropriate diagnosis.

   The OIG entered a test claim into the BCBSFL local system with a procedure code for a
   [redacted] and a diagnosis of [redacted]. A second test claim was entered with a procedure
   code for an [redacted] and a diagnosis of [redacted]. Despite the procedure/diagnosis
   inconsistencies, the claims processed through the local system without encountering any
   edits and were sent to FEP Express. FEP Express also processed and paid these claims
   without suspending the claims or triggering any edits.

   This system weakness increases the risk that benefits are being paid for procedures
   associated with a diagnosis that may not warrant such treatment. This issue has been
   documented in past OIG audits of BCBS plans.

   Recommendation 3
   We recommend that the BCBSA make the appropriate system modifications to FEP
   Express to ensure that claims with procedure/diagnosis inconsistencies are flagged for
   review.

   BCBSFL Response:
   "BCBSFL disagrees with this recommendation. BCBSFL has implemented and
   maintains detective system controls to ensure claims with diagnosis inconsistencies are
   reviewed prior to processing. The Plan has a comprehensive medical policy program
   that applies necessary controls to ensure services are medically appropriate before
   approved to pay. However, these controls are not absolute but are intended to identify
   the common types of procedures that are not consistent with the diagnosis.

   However, the FEP Director's Office is in the process of analyzing the feasibility of
   using existing commercial medical editing software to address this issue. The analysis
   will also consider implications across the system and how this process will impact
   Plans. The anticipated completion date for this project is late Second Quarter 2010."

   OIG Reply:
   We believe that comprehensive medical edit software is needed for FEP Express, as
   multiple OIG audits of BCBS Plans have detected many weaknesses in the system's
   medical edit capabilities (including three found during this audit). As part of the audit
   resolution process, we recommend that the BCBSA provide the RBO documentation
   detailing its efforts in implementing commercial medical editing software.

2. Provider Invalid for Procedure

   Two test claims were processed where a provider was paid for services outside the scope
   of their license.

   The OIG entered a test claim for professional services into the BCBSFL local system
   with [redacted] performed by an [redacted]. This procedure would generally be
   performed by an [redacted]. Despite the provider/procedure inconsistency, the claim
   was processed by the BCBSFL local system and FEP Express without encountering any
   edits.

   A second test claim for professional services entered into the BCBSFL local system
   indicated that a [redacted] was performed by a [redacted]. This procedure would
   generally be performed by a [redacted]. Despite the provider/procedure inconsistency,
   the claim was processed by the BCBSFL local system and FEP Express without
   encountering any edits.

   This system weakness increases the risk that providers are being paid for services outside
   the scope of their license.

   Recommendation 4
   We recommend that the BCBSA make the appropriate system modifications to FEP
   Express to ensure that medical providers are not paid for services outside the scope of
   their license.

   BCBSFL Response:
   "BCBSFL disagrees with this recommendation, given that the Plan has implemented
   and maintains appropriate system controls to ensure that medical providers are not
   paid for services outside the scope of their license on a post payment basis. Most
   physicians declare a specialty and often receive board certification, but with additional
   training and or experience in other specialty areas, can through the life of the practice
   change their practice specialty to a subset or other areas of interest. Therefore, it is
   impossible to limit a physician when they study in all areas of medicine.

   The claim form may indicate one specialty however, some providers have multiple
   specialties. Edits exist to keep limited license practitioners such as podiatrists from
   performing medical services outside their scope of practice and controls are in place
   which helps ensure that medical providers are paid only for services within the scope of
   their license. In addition, the Plan does have pre-payment edits in place to identify
   providers rendering services outside of the scope licensure. Also, the Plan does have
   post-payment review processes conducted by its Special Investigation Unit and
   Utilization Review areas to identify abnormal billing practices.

   However, the FEP Director's Office is in the process of analyzing the feasibility of
   using existing commercial medical editing software to address this issue. The analysis
   will also consider implications across the system and how this process will impact
   Plans. The anticipated completion date for this project is late Second Quarter 2010."

   OIG Reply:
   We acknowledge the fact that certain providers may be capable of providing a broad
   range of medical services. However, the inconsistency in this test claim was so extreme
   that we would expect the system to detect it and suspend the claim for further review.
   Although the BCBSA searches for these inconsistencies on a post-payment basis, the
   implementation of preventive controls in the form of medical edit software is more
   effective and less costly. Post-payment reviews should complement rather than replace
   preventive controls.

   We believe that comprehensive medical edit software is needed for FEP Express, as
   multiple OIG audits of BCBS Plans have detected many weaknesses in the system's
   medical edit capabilities (including three found during this audit). As part of the audit
   resolution process, we recommend that BCBSFL provide OPM's RBO with documentation
   detailing its efforts in implementing commercial medical editing software.
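   A preventive (pre-payment) edit of the kind Recommendations 3 and 4 call for, shown as
   an added example; this is not code from the report, from FEP Express, from BCBSFL or
   from any commercial medical-edit product. The procedure, diagnosis and provider-type
   labels and the two rule tables are constructed for illustration only; a real system would
   load maintained edit tables. The sample claims mirror the audit's test claims (a procedure
   the diagnosis does not warrant, a procedure outside the rendering provider's scope), and
   the strict/lax switch shows how a procedure with no rule at all either suspends or pays
   silently, which is the gap an incomplete edit table leaves.

```python
"""Pre-payment claim edits: procedure/diagnosis and provider-type/procedure
consistency checks. Any hit suspends the claim for review rather than paying it.
Illustrative code only; not FEP Express, BCBSFL or vendor logic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    claim_id: str
    procedure: str        # constructed label, not a real CPT/HCPCS code
    diagnoses: tuple      # constructed labels, not real ICD codes
    provider_type: str    # rendering provider's licensed specialty (constructed)


# Constructed edit tables (assumption: a production system loads these from a
# maintained medical-edit product; these entries exist only to exercise the edits).
# A value of None means the procedure carries no restriction for that edit.
PROC_DIAG_RULES = {
    "HYSTERECTOMY": {"UTERINE_FIBROIDS", "ENDOMETRIAL_CANCER"},
    "KNEE_ARTHROPLASTY": {"KNEE_OSTEOARTHRITIS"},
    "OFFICE_VISIT": None,
}
PROC_PROVIDER_RULES = {
    "HYSTERECTOMY": {"OBGYN", "GENERAL_SURGEON"},
    "KNEE_ARTHROPLASTY": {"ORTHOPEDIC_SURGEON"},
    "OFFICE_VISIT": None,
}

_MISSING = object()   # sentinel: the procedure has no rule in the table at all


def procedure_diagnosis_edit(claim):
    """E-PROC-DIAG when no diagnosis on the claim supports the billed procedure."""
    allowed = PROC_DIAG_RULES.get(claim.procedure, _MISSING)
    if allowed is _MISSING:
        return "E-UNKNOWN-PROC"
    if allowed is None or set(claim.diagnoses) & allowed:
        return None
    return "E-PROC-DIAG"


def provider_procedure_edit(claim):
    """E-PROC-PROVIDER when the rendering provider's specialty does not perform
    the billed procedure. A physician with a broad scope is handled by listing
    every plausible specialty in the rule, not by skipping the edit."""
    allowed = PROC_PROVIDER_RULES.get(claim.procedure, _MISSING)
    if allowed is _MISSING:
        return "E-UNKNOWN-PROC"
    if allowed is None or claim.provider_type in allowed:
        return None
    return "E-PROC-PROVIDER"


EDITS = (procedure_diagnosis_edit, provider_procedure_edit)


def adjudicate(claim, strict=True):
    """Run every edit; any hit suspends the claim for manual review.

    strict=False lets a procedure with no edit rule pay untouched. That is the
    silent gap an incomplete edit table creates: nothing fires, the claim pays.
    """
    hits = sorted({code for code in (edit(claim) for edit in EDITS) if code})
    if not strict:
        hits = [h for h in hits if h != "E-UNKNOWN-PROC"]
    return ("SUSPEND" if hits else "PAY", hits)


def run(claims, strict=True):
    """Map claim_id -> (decision, edit codes) for a batch of claims."""
    return {c.claim_id: adjudicate(c, strict) for c in claims}


# Constructed sample claims modelled on the audit's test cases.
SAMPLE_CLAIMS = [
    Claim("C1", "HYSTERECTOMY", ("UTERINE_FIBROIDS",), "OBGYN"),              # consistent
    Claim("C2", "HYSTERECTOMY", ("KNEE_OSTEOARTHRITIS",), "OBGYN"),            # diagnosis does not warrant procedure
    Claim("C3", "KNEE_ARTHROPLASTY", ("KNEE_OSTEOARTHRITIS",), "PODIATRIST"),  # provider outside scope
    Claim("C4", "OFFICE_VISIT", ("KNEE_OSTEOARTHRITIS",), "PODIATRIST"),       # unrestricted procedure
    Claim("C5", "NEW_PROCEDURE", ("UTERINE_FIBROIDS",), "OBGYN"),              # no rule: strict suspends, lax pays
]

if __name__ == "__main__":
    for claim_id, (decision, hits) in run(SAMPLE_CLAIMS).items():
        print(claim_id, decision, hits)
```

   The point of the strict default is the one the OIG reply makes: a suspended claim costs a
   reviewer's time, a silently paid one costs a post-payment recovery, so an edit engine should
   fail toward review when its tables do not cover a procedure.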

3. OBRA90 PRICER Updates

  BCBSFL OBRA90 claims are being processed with an outdated version of the 2009
  CMS PRICER program.

   The OIG entered seven test claims that are subject to OBRA90 pricing into the BCBSFL
   local system. The local system sent the claims to FEP Express where they were
   processed and priced. The auditors priced each claim with the CMS Inpatient PC
   PRICER program and compared the Medicare Diagnosis Related Group (DRG) amount
   produced by the PRICER to the amount produced in the test case.

  In three of the seven test claims, the Medicare DRG amount produced by the October 26,
  2009 version of the PRICER did not match the amount produced in the test case. The
  auditors priced these claims again using an older version of the 2009 CMS PRICER
  program, and in each case the Medicare DRG amount matched that from the test case.
   The OIG believes that this indicates that FEP Express is processing OBRA90 claims with
   an outdated version of the CMS PRICER. As a result, BCBSFL has incorrectly priced
   some of the OBRA90 claims processed after January 1, 2009.

     Recommendation 5 (Draft Audit Report Recommendation 6)
     We recommend that the BCBSA implement the appropriate system modifications to FEP
     Express to ensure that OBRA90 claims are priced with the correct version of the CMS
     PRICER and adjust all OBRA90 claims that were incorrectly priced.

     BCBSFL Response:
      "BCBSA agrees with this recommendation as the FEP Operations Center's OPM
      approved OBRA '90 Mainframe Pricer is the official mechanism used to price all FEP
      claims meeting the OBRA '90 requirements and not the responsibility of BCBSFL.

      In the past, OPM provided FEP with any updates to the OBRA '90 Pricer. Recently,
      FEP began obtaining the updates directly from CMS. When the first updates were
      received, it was discovered that the type of tape used by CMS was no longer supported
      by the FEP Data Center. In order to use the CMS tapes, the Operations Center had to
      find a vendor to convert them into an alternative tape format for usage in the FEP
      claims system Mainframe OBRA '90 Pricer. This process resulted in a delay in
      implementing the CMS updates. All updates received first and second quarters 2009
      were updated by July 17, 2009, and re-pricing of the impacted OBRA '90 claims will
      occur prior to year-end 2010. Attachment A is a schedule of when the updates were
      received from the various sources and the dates that the changes were implemented
      into the FEP Mainframe OBRA '90 Pricer Mainframe software. There was a delay in
      the April 4, 2009 update to the OBRA '90 Pricer.

      This delay could account for the different pricing generated during the claims testing
      process."

      OIG Reply:
      As part of the audit resolution process, we recommend that the BCBSA provide OPM's
      RBO with documentation demonstrating that the impacted claims have been
      appropriately re-priced.
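      One way to scope the re-pricing that Recommendation 5 asks for, shown as an added
      example; this is not code from the report or from the FEP Operations Center's own
      process. It assumes a schedule shaped like Attachment B (for each PRICER release, the
      date CMS made it effective for discharges and the date it was installed in production).
      The three release rows, their effective dates and the sample claims are constructed, and
      the rule that a newer release still prices an older discharge correctly is an assumption
      the code notes explicitly. A claim is flagged when it was processed on a date when the
      release in production was older than the one its discharge date required.

```python
"""Identify OBRA90 claims priced while production was still running a PRICER
release older than the one CMS had made effective for the claim's discharge
date, and report each release's installation lag. Illustrative code only."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PricerRelease:
    version: str
    effective: date   # assumed CMS effective date for discharges
    installed: date   # date the release went into production


# Constructed schedule modelled on the shape of Attachment B, oldest to newest
# (assumption: these rows and effective dates are illustrative, not the full table).
RELEASES = [
    PricerRelease("PPS085", date(2008, 4, 1), date(2008, 5, 9)),
    PricerRelease("PPS093", date(2009, 1, 1), date(2009, 1, 2)),
    PricerRelease("PPS096", date(2009, 4, 1), date(2009, 7, 18)),
]


def _latest_index(key, on):
    """Index of the newest release whose `key` date is on or before `on`, or -1."""
    idx = -1
    for i, rel in enumerate(RELEASES):
        if getattr(rel, key) <= on:
            idx = i
    return idx


def release_required(discharge):
    """Release CMS had made effective for this discharge date."""
    return _latest_index("effective", discharge)


def release_in_production(processed):
    """Release actually installed on the date the claim was priced."""
    return _latest_index("installed", processed)


def needs_repricing(discharge, processed):
    """True when the release in production on the processing date predates the
    release required for the discharge date. A newer release pricing an older
    discharge is accepted on the assumption that each release carries the prior
    fiscal year's calculation module (Attachment B shows PPCAL086 shipped with
    the 009.6 update, which is the basis for that assumption)."""
    required = release_required(discharge)
    installed = release_in_production(processed)
    if required < 0 or installed < 0:
        return True   # outside the known schedule: send for review, do not assume correct
    return installed < required


def exposure_windows():
    """(version, effective, installed, lag_days) for every release installed late."""
    return [
        (r.version, r.effective, r.installed, (r.installed - r.effective).days)
        for r in RELEASES if r.installed > r.effective
    ]


def claims_to_reprice(claims):
    """claims: iterable of (claim_id, discharge_date, processed_date)."""
    return [cid for cid, d, p in claims if needs_repricing(d, p)]


# Constructed sample claims.
SAMPLE_CLAIMS = [
    ("C1", date(2009, 2, 1), date(2009, 2, 15)),   # priced with the release in force
    ("C2", date(2009, 5, 1), date(2009, 5, 10)),   # April release not yet installed
    ("C3", date(2009, 5, 1), date(2009, 8, 1)),    # processed after the July install
    ("C4", date(2008, 12, 15), date(2009, 1, 5)),  # newer release, prior-year module
    ("C5", date(2009, 4, 2), date(2009, 7, 18)),   # install day itself counts as installed
    ("C6", date(2009, 6, 30), date(2009, 7, 17)),  # day before install: still exposed
]

if __name__ == "__main__":
    for window in exposure_windows():
        print("late install:", *window)
    print("re-price:", claims_to_reprice(SAMPLE_CLAIMS))
```

      The lag column is the number a resolution reviewer would ask for alongside the
      re-priced claim count: the window between a release's effective date and its
      installation date bounds which processing dates can have produced a wrong DRG amount.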

F. Health Insurance Portability and Accountability Act
   The OIG reviewed BCBSFL's efforts to maintain compliance with the security, privacy, and
   national provider identifier standards of HIPAA. Nothing came to our attention that caused
   us to believe that BCBSFL is not in compliance with the various requirements of these
   HIPAA regulations.

   BCBSFL has implemented a series of IT security policies and procedures to adequately
   address the requirements of the HIPAA security rule. BCBSFL has also developed a series
   of privacy policies and procedures that directly addresses all requirements of the HIPAA
   privacy rule. The documents related to the HIPAA privacy and security rules are readily
   available to all BCBSFL employees via the company's intranet. BCBSFL employees receive
   privacy and security-related training during new hire orientation, as well as periodic
   subsequent training as needed.

In addition, the OIG documented that BCBSFL has adopted the national provider identifier
as the standard unique health identifier for health care providers, as required by HIPAA.



                    III. Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. The following individuals participated in the audit
and the preparation of this report:

•   [redacted], Group Chief
•   [redacted], Auditor-In-Charge
•   [redacted], IT Auditor
•   [redacted], IT Auditor
•   [redacted], IT Auditor



                                 Appendix

                                                                       BlueCross BlueShield
                                                                       Association
                                                                       An Association of Independent
                                                                       Blue Cross and Blue Shield Plans



                                                                       Federal Employee Program
                                                                       1310 G Street, N.W.
                                                                       Washington, D.C. 20005
                                                                       202.942.1000
                                                                       Fax 202.942.1125

February 3, 2010




               Chief
Information Systems Audits Group
Insurance Service Programs
Office of Personnel Management
1900 E Street, N.W., Room 6400
Washington, D.C. 20415


Reference:  OPM DRAFT EDP AUDIT REPORT
            Florida Blue Cross Blue Shield
            Audit Report Number IA-10-41-09-063


Dear Mr. [redacted]

This report is in response to the above-referenced U.S. Office of Personnel
Management (OPM) Draft Audit Report covering the Federal Employees' Health
Benefits Program (FEHBP) Audit of Information Systems General and Application
Controls for the Florida Blue Cross Blue Shield Plan's interface with the FEP claims
processing system, access and security controls. Our comments regarding the
findings in this report are as follows:

A.   ACCESS CONTROLS

     1. Authentication Controls for Scanning and Data Verification Application

        Recommendation 1

        OIG recommended that Affiliated Computer Services (ACS) and Blue Cross
        Blue Shield of Florida (BCBSFL) continue its efforts to ensure that the
        authentication controls for all applications that process FEP's data meet
        the requirements of BCBSFL's Authentication Security Standard.


        BCBSFL Response to Recommendation 1

        BCBSFL agrees with this recommendation. The ACS CISO Policy and
        Governance team recognizes the risks associated with non-compliance with
        password policy at the application level and is monitoring remediation efforts
        across the enterprise. One such effort involves the WebDE application in use
        within the BCBSFL operations. WebDE based data entry application does
        not adhere to the ACS Information Security Standard's password policy
        requirements for password complexity. WebDE is one of several legacy
        applications in use at ACS which does not adhere to this policy and is part of
        a temporary exception granted by the ACS Security Governance Committee.
        The exception was granted on the basis of existing mitigating controls and a
        commitment by the application developers to research, pilot, and deploy a
        new authentication mechanism for these applications by using a federated
        solution to front end the applications.

        The mitigating controls protecting access to the WebDE application include
        the inability of users to launch the web application from an outside system or
        network. The application can only be initiated from an active directory
        authenticated session on the production or administration domain.
        Additionally, use of the application requires membership within an active
        directory security group of authorized WebDE users. Therefore, access to
        the application is controlled through a fully compliant windows domain
        authentication process and is role based through the security group
        designation. The WebDE application is entirely an internally hosted
        application. Access to the web site is restricted to only hosts on the
        production and administrative networks by perimeter firewalls and the use of
        restricted routing to the application server.

        The ACS Security Engineering team is deploying a federated solution from
        the Novell Identity Management product line to provide front-end
        authentication to several internal ACS applications. This product is to be
        piloted in an ACS business unit using the WebDE application and should be
        rolled out to all WebDE instances over the course of next year. The pilot
        process began in September 2009 and is expected to be completed by the
        end of the calendar year. On December 16, 2009, this policy was amended
        for clarification regarding the ACS pilot group. ACS WebDE team had
        predetermined groups they would utilize during the pilot phase. This pilot group
        does not include any of the BCBSFL SBU's. ACS anticipates the successful
        completion of the pilot phase by the end of the first quarter of 2010. Barring
        unforeseen technical issues, BCBSFL hopes to implement this solution within
        the SBU's by the end of Second Quarter of 2010.


     2. Secure Transmission of Electronic Data

        Recommendation 2

        OIG recommended that BCBSFL make the appropriate changes to its email
        filter settings to ensure that all social security numbers and other sensitive
        data are blocked from being transmitted in an insecure manner.

        BCBSFL Response to Recommendation 2

        BCBSFL is in the process of performing an analysis of current traffic patterns
        and preliminary results indicate that the recommended change in the email
        filter would result in primarily capturing and encrypting non-privacy related
        emails that include zip codes, addresses and phone numbers. However, the
        Plan will finalize its analysis of the results by April 30, 2010 and make
        appropriate enhancements as required to mitigate risks.

B.   APPLICATION CONTROLS

     1. Procedure to Diagnosis Inconsistency

        Recommendation 3

        OIG recommended that BCBSFL make the appropriate system modifications
        to ensure that claims with procedure/diagnosis inconsistencies are flagged for
        review.

        BCBSFL Response to Recommendation 3

        BCBSFL disagrees with this recommendation. BCBSFL has implemented
        and maintains detective system controls to ensure claims with diagnosis
        inconsistencies are reviewed prior to processing. The Plan has a
        comprehensive medical policy program that applies necessary controls to
        ensure services are medically appropriate before approved to pay. However,
        these controls are not absolute but are intended to identify the common types
        of procedures that are not consistent with the diagnosis.

        However, the FEP Director's Office is in the process of analyzing the
        feasibility of using existing commercial medical editing software to address
        this issue. The analysis will also consider implications across the system and
        how this process will impact Plans. The anticipated completion date for this
        project is late Second Quarter 2010.


     2. Provider Invalid for Procedure

          Recommendation 4

          OIG recommended that BCBSFL make the appropriate system modifications
          to ensure that medical providers are not paid for services outside the scope of
          their license.

          BCBSFL Response to Recommendation 4

          BCBSFL disagrees with this recommendation, given that the Plan has
          implemented and maintains appropriate system controls to ensure that
          medical providers are not paid for services outside the scope of their license
          on a post payment basis. Most physicians declare a specialty and often
          receive board certification, but with additional training and or experience in
          other specialty areas, can through the life of the practice change their practice
          specialty to a subset or other areas of interest. Therefore, it is impossible to
          limit a physician when they study in all areas of medicine.

          The claim form may indicate one specialty however, some providers have
          multiple specialties. Edits exist to keep limited license practitioners such as
          podiatrists from performing medical services outside their scope of practice
          and controls are in place which helps ensure that medical providers are paid
          only for services within the scope of their license. In addition, the Plan does
          have pre-payment edits in place to identify providers rendering services
          outside of the scope licensure. Also, the Plan does have post-payment
          review processes conducted by its Special Investigation Unit and Utilization
          Review areas to identify abnormal billing practices.

          However, the FEP Director's Office is in the process of analyzing the
          feasibility of using existing commercial medical editing software to address
          this issue. The analysis will also consider implications across the system and
          how this process will impact Plans. The anticipated completion date for this
          project is late Second Quarter 2010.

     3.

          ***Text redacted: not relevant to final audit report***




        ***Text redacted: not relevant to final audit report***




     4. OBRA '90 Pricer Updates

        Recommendation 6

        OIG recommended that BCBSFL implement the appropriate system
        modifications to ensure that OBRA '90 claims are priced with the correct
        version of the CMS PRICER, and adjust all OBRA '90 claims that were
        incorrectly priced.

        BCBSFL Response to Recommendation 6

        BCBSA agrees with this recommendation as the FEP Operations Center's
        OPM approved OBRA '90 Mainframe Pricer is the official mechanism used to
        price all FEP claims meeting the OBRA '90 requirements and not the
        responsibility of BCBSFL.

        In the past, OPM provided FEP with any updates to the OBRA '90 Pricer.
        Recently, FEP began obtaining the updates directly from CMS. When the
        first updates were received, it was discovered that the type of tape used by
        CMS was no longer supported by the FEP Data Center. In order to use the
        CMS tapes, the Operations Center had to find a vendor to convert them into
        an alternative tape format for usage in the FEP claims system Mainframe
        OBRA '90 Pricer. This process resulted in a delay in implementing the CMS
        updates. All updates received first and second quarters 2009 were updated
        by July 17, 2009, and re-pricing of the impacted OBRA '90 claims will occur
        prior to year-end 2010. Attachment A is a schedule of when the updates
        were received from the various sources and the dates that the changes were
        implemented into the FEP Mainframe OBRA '90 Pricer Mainframe software.
        There was a delay in the April 4, 2009 update to the OBRA '90 Pricer.
        This delay could account for the different pricing generated during the claims
        testing process.



We appreciate the opportunity to provide our response to this Draft Audit Report and
request that our comments be included in their entirety as an amendment to the Final
Audit Report.

Sincerely,




Executive Director, Program Integrity



Attachments

cc:

Attachment A

 ***Text redacted: not relevant to final audit report***

Attachment B


OBRA '90
Updates for OBRA '90 and Implementation Dates

                   HISTORY OF OBRA90 SOFTWARE RECEIVED FROM OPM/CMS

Columns: Date received from OPM/CMS | Software received | New/Updates | Updates found on CMS website | Date installed in production | Problem/Comments | TT#

Nov-04 | Medicare Code Editor Software: Version 21.0 October 1, 2004; CMS Diagnosis Related Groups Software: Version 22.0 October 1, 2004; Provider Specific Files including ... | New: Yearly Software | Provider data submitted thru Sep 30 2004 & also Provider data ... | 1/1/2005 | | 21210

14-Mar-05 | Provider Specific Files including Pricer Software-ver 005.0 (PSF0105), PPS050 | UPDATES: Provider file updates only | Provider data submitted thru Dec 31 2004 | 4/8/2005 | | 29375

14-Apr-05 | Provider Specific Files including Pricer Software-ver 005.1 (PSF0105), PPS051 | UPDATES: Pricer Modules - PPCAL046, PPCAL051, PPDRV041 & PPDRV051; PPSPROV - Provider Data files for 2005; PPSCBSA - Wage ... | | 6/11/2005 | | 34823

17-May-05 | Provider Specific Files including Pricer Software-ver 005.1 (PSF0405), PPS051 | UPDATES: PPSPROV - Provider Data files for 2005 | Provider data submitted thru Mar 31 2005 | 6/11/2005 | | 34823

24-Aug-05 | Provider Specific Files including Pricer Software-ver 005.1 (PSF0705), PPS051 | UPDATES: PPSPROV - Provider Data files for 2005 | Provider data submitted thru Jun 30 2005 | 10/15/2005 | | 51377

13-Oct-05 | Medicare Code Editor Software: Version 22.0 October 1, 2005; CMS Diagnosis Related Groups Software: Version 23.0 October 1, 2005; Provider Specific Files including ... | New: Yearly Software | | 1/1/2006 | | 39456

20-Dec-05 | Provider Specific Files including Pricer Software-ver 006.1 (PSF1005), PPS061 | UPDATES: Pricer Modules - PPCAL061 & PPDRV061; PPSPROV - Provider Data files for ... | | 2/11/2006 | | 58485

28-Feb-06 | Provider Specific Files including Pricer Software-ver 006.2 (PSF0106), PPS062 | UPDATES: Pricer Modules - PPCAL062, PPDRV062 & New CICS interface module PPOPN062; PPSPROV - ... | | 6/17/2006 | | 63698

13-Jun-06 | Provider Specific Files including Pricer Software-ver 006.2 (PSF0406), PPS062 | UPDATES: PPSPROV - Provider Data files for 2006 | | 07/07/2006 (08/12/2006) | Found 15 New Providers were added & 51 Old Providers were deleted | 67022

25-Oct-06 / 21-Nov-06 | Medicare Code Editor Software: Version 23.0 October 1, 2006; CMS Diagnosis Related Groups Software: Version 24.0 October 1, 2006; Provider Specific Files including Pricer Software-ver 007.2 (PSF0706), PPS072 along with Provider Specific Files including Pricer Software-ver 007.1 (PSF0706), PPS071 and Provider Specific Files ... | New: Yearly Software for 2007 & updates for 2007, 2006, 2005 & 2004 | | 1/2/2007 | | 58479

7-Feb-07 | | | | 3/2/2007 | Problems found with some Utah & Arizona Providers that were dropped for the last quarter of 2006 PPS Provider files. Upon receiving an e-mail confirmation from Sarah Shirey @ CMS, the 2006 ... | 78423

30-Mar-07 | Provider Specific Files including Pricer Software-ver 007.2 (PSF0107), PPS072 | UPDATES: PPSPROV - Provider Data files for 2007 | | 5/18/2007 | Found 137 New Providers were added & 16 Old Providers were ... | 81980

24-Jul-07 | Provider Specific Files including Pricer Software-ver 007.2 (PSF0407), PPS072 | UPDATES: PPSPROV - Provider Data files for 2007 & PPSCBSA - CBSA (Wage Index) file for 2007 | | 8/17/2007 | Found 22 New Providers were added when compared to previous version of PPSPROV file. Also found 23 new CBSA (Wage Index) ... | 88731

13-Sep-07 / 19-Nov-07 | Medicare Code Editor Software: Version 24.0 October 1, 2007; Medicare Severity DRG Software (MS-DRG): Version 25.0 October 1, 2007; Provider Specific Files including Pricer Software-ver 008.4 (PSF0710), PPS084 along with updated 2007 Pricer | New: Yearly Software for 2008 & updates for 2007 | | 12/14/2007 | Found 87 New Providers were added and 4 Old Providers were dropped when compared to 2007 version of PPSPROV file. Also found 447 new CBSA (Wage Index) records were added when compared to 2007 version of PPSCBSA file. | 81983

21-Mar-08 / 14-Apr-08 | Medicare Code Editor Software: Version 24.1 April 1, 2008; Medicare Severity DRG Software (MS-DRG): Version 25.1 April 1, 2008; Provider Specific Files including Pricer Software-ver 008.5 (PSF0801), PPS085 | Updates: Updated version of Editor, Grouper & Pricer software effective from 4/1/08 along with updated Provider Data files for 2008 | | 5/9/2008 | Per documentation, a new discharge status 70 was added effective 4/1/08: Discharge/transfer to another type of health care institution not defined elsewhere in the code list. Also, existing discharge status code 05 has a definition change effective 4/1/08: Discharged/transferred ... | 101511

N/A | N/A | Updates | | 8/16/2008 | Defer claims that meet OBRA90 requirements (ie. Attempt all claims to ... | 94186 (07BRD114)

11-Sep-08 / 10-Nov-08 | Medicare Code Editor Software: Version 25.0 October 1, 2008; Medicare Severity DRG Software (MS-DRG): Version 26.0 October 1, 2008; Provider Specific Files including Pricer Software-ver 009.3 (PSF0807), PPS093 | New: Yearly Software for 2009 | | 1/2/2009 | Found 38 New Providers were added and 1,336 Old Providers that were terminated in prior FYs, were dropped when compared to 2008 version of PPSPROV file. Also found 445 new CBSA (Wage Index) ... | 98673 (OBRA90 Real Time Processing); 98087 (OBRA90 Year End software install)

N/A | N/A | Updates | | 4/4/2009 | Modify OBRA90 Patient Discharge status (Set Pricer Review code ... | 100775 (08BRD028)

03/06/2009 / 03/23/2009 / 06/08/2009 | Provider Specific Files including Pricer Software-ver 009.6 (PSF0904), PPS096 | UPDATES: Pricer Modules - PPCAL096, PPDRV096, PPOPN096 & PPCAL086; PPSPROV - Provider Data files for 2009 | | 7/18/2009 | Needed to convert 3490 tapes from CMS to 3590 tapes as CareFirst does not support 3490 tapes anymore effective 02/20/2009. Found 3,214 New Providers were added when compared to ... | 176024