
Audit of Information Systems General and Application Controls at Horizon Blue Cross Blue Shield

Published by the Office of Personnel Management, Office of Inspector General on 2015-02-11.


U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Audit of Information Systems General and Application Controls
at Horizon Blue Cross Blue Shield

Report Number 1A-10-49-14-021
February 11, 2015




-- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may
contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of
Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised
before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
EXECUTIVE SUMMARY
Audit of Information Systems General and Application Controls at
Horizon Blue Cross Blue Shield
Report No 1A-10-19-14-021                                              February 11, 2015


Why Did We Conduct the Audit?
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of Federal Employee Health Benefit Program (FEHBP) data processed and maintained
in Horizon Blue Cross Blue Shield’s (Horizon) information technology (IT) environment.

What Did We Audit?
The scope of this audit centered on the information systems used by Horizon to process medical
insurance claims for FEHBP members, with a primary focus on the claims adjudication applications.

What Did We Find?
Our audit of the IT security controls of Horizon determined that:
- Horizon has established an adequate security management program.
- Horizon has implemented controls to prevent unauthorized physical access to its facilities, as
  well as logical controls to protect sensitive information. However, we noted several areas of
  concern related to Horizon’s access controls:
    o The data center did not contain controls we typically observe at similar facilities, such as
      multi-factor authentication and [redacted] prevention.
    o The process to remove employees’ physical access after termination could be improved.
    o Our review of current [redacted] accounts identified five individuals that maintained
      multiple [redacted] accounts and that 11 terminated employees still had active accounts.
- Horizon has implemented an incident response and network security program. However, we
  noted several areas of concern related to Horizon’s network security controls:
    o A full scope vulnerability management program has not been implemented.
    o A patch management policy is in place, but our test work indicated that patches are not
      being implemented in a timely manner.
    o A methodology is not in place to ensure that unsupported or out-of-date software is not
      utilized.
- Horizon has developed formal policies and procedures that provide guidance to ensure that
  system software is appropriately configured, updated, and changes are controlled. However,
  the [redacted] baselines did not adequately reflect Horizon’s configuration hardening policies
  or industry best practices. Horizon is currently revising these baselines to comply with Center
  for Internet Security (CIS) benchmarks; as such, Horizon does not currently audit its servers
  against formalized [redacted] baseline configurations.
- Horizon’s business continuity and disaster recovery plans contain the key elements suggested
  by relevant guidance and publications. However, Horizon does not perform routine business
  continuity testing.
- Horizon has implemented many controls in its claims adjudication process to ensure that
  FEHBP claims are processed accurately. However, we noted a couple of weaknesses in
  Horizon’s claims application controls.
- Horizon is in compliance with the Health Insurance Portability and Accountability Act
  (HIPAA) security, privacy, and national provider identifier regulations.

 _______________________
 Michael R. Esser
 Assistant Inspector General
 for Audits
                                                        i
          ABBREVIATIONS


BCBSA     BlueCross BlueShield Association

FEP       Federal Employee Plan
FEHBP     Federal Employees Health Benefit Program
FISCAM    Federal Information System Controls Audit Manual
GAO       U.S. Government Accountability Office
HIO       Healthcare and Insurance Office
HIPAA     Health Insurance Portability and Accountability Act
Horizon   Horizon Blue Cross Blue Shield
IT        Information Technology
NIST      National Institute for Standards and Technology
OIG       Office of the Inspector General
OMB       U.S. Office of Management and Budget
OPM       U.S. Office of Personnel Management

SP        Special Publication
The Act   Federal Employees Health Benefits Act




               TABLE OF CONTENTS


................................................................................................................................................... Page
EXECUTIVE SUMMARY ........................................................................................................... i

ABBREVIATIONS ....................................................................................................................... ii

I.      BACKGROUND ...................................................................................................................1

II.     OBJECTIVES, SCOPE, AND METHODOLOGY ...........................................................2

III.    AUDIT FINDINGS AND RECOMMENDATIONS .........................................................5

        A. Security Management ........................................................................................................5
        B. Access Controls ..................................................................................................................5
        C. Network Security ................................................................................................................9
        D. Configuration Management ..............................................................................................12
        E. Contingency Planning ......................................................................................................14
        F. Claims Adjudication .........................................................................................................15
        G. Health Insurance Portability and Accountability Act.......................................................18

IV. MAJOR CONTRIBUTORS TO THIS REPORT ...........................................................19

APPENDIX: Horizon’s response to the draft report ....................................................................20

REPORT FRAUD, WASTE, AND MISMANAGEMENT ......................................................25
I. BACKGROUND

This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims by Horizon Blue Cross Blue
Shield (Horizon).

The audit was conducted pursuant to FEHBP contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code
of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office
of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.

The Federal Employees Health Benefits Program (FEHBP) was established by the Federal
Employees Health Benefits Act (the Act), enacted on September 28, 1959. The FEHBP was
created to provide health insurance benefits for Federal employees, annuitants, and qualified
dependents. The provisions of the Act are implemented by the U.S. Office of Personnel
Management (OPM) through regulations codified in Title 5, Chapter 1, Part 890 of the Code of
Federal Regulations (CFR). Health insurance coverage is made available through contracts with
various carriers, such as Horizon, that provide service benefits, indemnity benefits, or
comprehensive medical services.

This was our first audit of the information system security controls at Horizon. We discussed the
results of our audit with Horizon representatives at an exit conference.

All Horizon personnel that worked with the auditors were helpful and open to ideas and
suggestions. They viewed the audit as an opportunity to examine practices and to make changes
or improvements as necessary. Their positive attitude and helpfulness throughout the audit was
greatly appreciated.




                                             1                              Report No. 1A-10-49-14-021
II. OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in Horizon’s information technology (IT)
environment. We accomplished these objectives by reviewing the following areas:
    - Security management;
    - Access controls;
    - Network security;
    - Configuration management;
    - Segregation of duties;
    - Contingency planning;
    - Application controls specific to Horizon’s claims processing systems; and,
    - Health Insurance Portability and Accountability Act (HIPAA) compliance.

Scope
This performance audit was conducted in accordance with generally accepted government
auditing standards issued by the Comptroller General of the United States. Accordingly, we
obtained an understanding of Horizon’s internal controls through interviews and observations, as
well as inspection of various documents, including IT and other related organizational policies
and procedures. This understanding of Horizon’s internal controls was used in planning the
audit by determining the extent of compliance testing and other auditing procedures necessary to
verify that the internal controls were properly designed, placed in operation, and effective.

The scope of this audit centered on the information systems used by Horizon to process medical
insurance claims for FEHBP members, with a primary focus on the claims adjudication
applications. Horizon processes FEHBP claims through a local claims system and then through
FEP Direct, the BlueCross BlueShield Association’s (BCBSA) nationwide claims adjudication
system. The business processes reviewed are primarily located in Horizon’s Newark, New
Jersey facilities.

The on-site portion of this audit was performed in March through May of 2014. We completed
additional audit work before and after the on-site visit at our office in Washington, D.C. The
findings, recommendations, and conclusions outlined in this report are based on the status of
information system general and application controls in place at Horizon as of May 2014.

In conducting our audit, we relied to varying degrees on computer-generated data provided by
Horizon. Due to time constraints, we did not verify the reliability of the data used to complete
some of our audit steps but we determined that it was adequate to achieve our audit objectives.
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.


Methodology
In conducting this review we:
   - Gathered documentation and conducted interviews;
   - Reviewed Horizon’s business structure and environment;
   - Performed a risk assessment of Horizon’s information systems environment and applications,
     and prepared an audit program based on the assessment and the U.S. Government
     Accountability Office’s (GAO) Federal Information System Controls Audit Manual
     (FISCAM); and,
   - Conducted various compliance tests to determine the extent to which established controls and
     procedures are functioning as intended. As appropriate, we used judgmental sampling in
     completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating Horizon’s
control structure. These criteria include, but are not limited to, the following publications:
   - Title 48 of the 5 CFR Part 890;
   - Office of Management and Budget (OMB) Circular A-130, Appendix III;
   - OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
     Personally Identifiable Information;
   - Information Technology Governance Institute’s COBIT: Control Objectives for Information
     and Related Technology;
   - GAO’s FISCAM;
   - National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
     Introduction to Computer Security;
   - NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
     Technology Systems;
   - NIST SP 800-30, Guide for Conducting Risk Assessments;
   - NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
   - NIST SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy;
   - NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems
     and Organizations;
   - NIST SP 800-61, Computer Security Incident Handling Guide;
   - NIST SP 800-66 Draft, An Introductory Resource Guide for Implementing the HIPAA
     Security Rule; and,
   - HIPAA Act of 1996.


Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether Horizon’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
Horizon was not in complete compliance with all standards as described in the “Audit Findings
and Recommendations” section of this report.




III. AUDIT FINDINGS AND RECOMMENDATIONS
A. Security Management
The security management component of this audit involved an examination of the policies and
procedures that are the foundation of Horizon’s overall IT security controls. We evaluated
Horizon’s ability to develop security policies, manage risk, assign security-related responsibility,
and monitor the effectiveness of various system-related controls.

Horizon has implemented a series of formal policies and procedures that comprise its security
management program. Horizon’s IT security policies and procedures are created, published, and
maintained on its intranet site. Horizon has also developed a thorough risk management
methodology. The risk management team conducts routine enterprise-wide risk assessments, which
has allowed Horizon to document, track, and mitigate or accept identified risks in a timely
manner. We also reviewed Horizon’s human resources policies and procedures related to hiring,
training, transferring, and terminating employees.

Nothing came to our attention to indicate that Horizon does not have an adequate security
management program.

B. Access Controls
Access controls are the policies, procedures, and techniques used to prevent or detect
unauthorized physical or logical access to sensitive resources.

We examined the physical access controls of Horizon’s facilities and data centers located in
[redacted], New Jersey and [redacted], New Jersey. We also verified the controls over a third party
contractor data center in [redacted], Kentucky, that houses Horizon’s claims processing
application. We also examined the logical controls protecting sensitive data in Horizon’s
network environment and claims processing applications.

The access controls observed during this audit include, but are not limited to:
   - Procedures for appropriately granting physical access to facilities and data centers;
   - Strong environmental controls over the data centers; and,
   - Controls to monitor and filter email and Internet activity.

However, the following section documents opportunities for improvement related to Horizon’s
physical and logical access controls.




1. Access to Data Centers
   Horizon’s primary and back-up data centers rely solely on electronic card readers to
   control physical access. However, we expect all FEHBP contractors to also have multi-
   factor authentication (e.g., cipher lock or biometric device in addition to an access card)
   at data center entrances, and some form of technical or physical control to detect or
   prevent [redacted].


   Failure to implement adequate physical access controls increases the risk that unauthorized
   individuals can gain access to Horizon data centers and the sensitive IT resources and
   confidential data they contain. NIST SP 800-53 Revision 4, “Security and Privacy Controls
   for Federal Information Systems and Organizations,” provides guidance for adequately
   controlling physical access to information systems containing sensitive data.

   Recommendation 1
   We recommend that Horizon implement multi-factor authentication and some form of
   [redacted] prevention controls at its data center entrances.

   Horizon Response:
    “the Plan will implement the following:
    - A biometric scanning device will be installed
    - Video cameras will be installed, which monitor every aisle of the data center for a
      complete review of the space
    - A security badge policy, [redacted], will be implemented. Lanyards will be required to
      be worn in all areas of the Plan’s physical locations not just the data centers.
    - A robust training program and refresher training for employees, contractors and our
      security staff regarding their responsibilities, with a special focus on [redacted], will be
      implemented.

   The target date for implementation is [redacted].”

   OIG Reply:
   As part of the audit resolution process, we recommend that Horizon provide OPM’s
   Healthcare and Insurance Office (HIO) with evidence that it has adequately implemented this
   recommendation. This statement also applies to all subsequent recommendations in this
   audit report that Horizon agrees to implement.




2. Physical Access Recertification
   Horizon’s process for removing physical access to its facilities for terminated employees
   begins with human resources notifying building security of the expected termination date. In
   the event of an involuntary termination, the employee’s access is removed immediately.

   However, Horizon’s process to remove employees’ physical access after termination could
   be improved. We compared a list of employees with active access to Horizon facilities to a
   list of employees that were terminated within the last year, and discovered that several
   employees retained access to the facilities after their termination.

   NIST SP 800-53 Revision 4 states that an organization must terminate access upon
   termination of employment. NIST SP 800-53 Revision 4 also states that an organization
   must review and analyze system audit records for indications of inappropriate or unusual
   activity. Failure to remove and audit physical access to terminated users increases the risk
   that a terminated employee could enter a facility and steal, modify, or delete sensitive and
   proprietary information.

   Recommendation 2
   We recommend that Horizon implement a process for routinely auditing all active access
   cards to ensure that they are not assigned to terminated employees.

   Horizon Response:
   “The Plan stated that the Director, Corporate Security will implement a new process to
   routinely audit all active ID cards to ensure terminated employees and terminated
   contractors do not continue to have access to the Plan’s data center locations after their
   separation date. The Plan also stated that the Director, Corporate Security will require
   Human Resources to issue the termination notifications directly to their attention. Access
   terminations will be directly adjusted by the Director, Corporate Security or the Manager,
   Corporate Security. Access changes will be cross-checked by the Director of the Special
   Investigations Unit to ensure accuracy. In addition to the above, quarterly audits of the
   system access data will be reviewed for accuracy.

   The target date for implementation is April 1, 2015.”

3. Logical Access Management
   Horizon has a process in place to automatically grant logical access to newly hired
   employees. In certain circumstances, there is a business need to manually create the user’s
   [redacted] account prior to the automated process. In these instances, the automatic process
   subsequently generates a second [redacted] account for the user. Our review of current active
   [redacted] accounts identified five individuals that maintained multiple [redacted] accounts
   well beyond a period of time appropriate to address the duplication.

Recommendation 3
We recommend that Horizon remove all duplicate [redacted] user accounts.

Horizon Response:
“The Plan stated that the IT Security Operations staff will work with the [redacted]
team to remove all duplicate [redacted] user accounts by the end of October,
2014. A reconciliation of the [redacted] user names will be performed before and after the
duplicate [redacted] accounts are removed.

The target date for implementation is October 31, 2014.”

Recommendation 4
We recommend that Horizon implement a review process to ensure that duplicate accounts
are not maintained within the system.

Horizon Response:
“The Plan stated that the IT Security Operations staff will work with the [redacted]
Team to establish a reconciliation process for [redacted] ids, focusing on duplicate accounts,
which will be conducted every [redacted].

The target date for implementation is December 31, 2014.”

Removing Logical Access
When employees are terminated, Horizon’s policy is to remove their account access at the
system and application level.

We compared a list of recently terminated employees to the active [redacted] user list. We
discovered that 11 terminated employees still maintained active user accounts.

FISCAM states that “Inactive accounts and accounts for terminated individuals should be
disabled or removed in a timely manner.”

Recommendation 5
We recommend that Horizon disable/remove all active accounts assigned to terminated
employees.




   Horizon Response:
   “The Plan stated that the IT Security Operations staff will work with the [redacted]
   team to implement a process to identify and remove all active [redacted] user accounts for
   terminated users by December 31st, 2014.”

   Recommendation 6
   We recommend that Horizon implement a process to routinely audit all active accounts to
   ensure that they are not assigned to terminated employees.

   Horizon Response:
   “The Plan stated that the IT Security Operations staff will work with the [redacted]
   team to establish a reconciliation process for [redacted] IDs, focusing on terminated
   employees, which will be conducted every [redacted].

   The target date for implementation is December 31, 2014.”
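
The two comparisons the audit describes in this section, an active-account export matched against the HR roster to find accounts still enabled for terminated employees, and a search for employees holding more than one account past the window needed to resolve the duplication, are the kind of reconciliation a plan's security operations team can run on a schedule. The following is an added example written for this page; it is not code from the OIG or from Horizon, and the record layout, the employee and account names, the dates and the 14-day grace period are all constructed assumptions.

```python
"""Reconcile an active-account export against an HR roster.

Added example (not from the OIG report or Horizon). It performs the two
checks the audit describes: enabled accounts whose owner HR lists as
terminated, and employees holding several enabled accounts well after the
duplication should have been cleaned up. Field names, sample records and
the grace period are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                          # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: str
    created_on: date
    enabled: bool = True


# Date the reconciliation is run (constructed).
AS_OF = date(2014, 5, 1)

# Constructed HR roster and account export; every id, name and date is invented.
HR_ROSTER = [
    Employee("E100", "active"),
    Employee("E101", "active"),
    Employee("E102", "terminated", date(2014, 1, 15)),
    Employee("E103", "terminated", date(2014, 3, 2)),
    Employee("E104", "active"),
]

ACCOUNT_EXPORT = [
    Account("jdoe", "E100", date(2013, 6, 1)),
    Account("jdoe2", "E100", date(2013, 6, 3)),        # second account from the automated feed
    Account("asmith", "E101", date(2012, 2, 10)),
    Account("bjones", "E102", date(2011, 9, 9)),       # owner terminated, account still enabled
    Account("cwhite", "E103", date(2010, 4, 4), enabled=False),  # correctly disabled
    Account("dgreen", "E104", date(2014, 4, 28)),
    Account("dgreen-tmp", "E104", date(2014, 4, 27)),  # manual pre-creation, still inside grace
]


def orphaned_accounts(accounts, roster):
    """Enabled accounts whose owner HR lists as terminated or does not list at all."""
    status = {e.emp_id: e.status for e in roster}
    return sorted(
        a.username for a in accounts
        if a.enabled and status.get(a.emp_id, "unknown") != "active"
    )


def duplicate_accounts(accounts, as_of, grace=timedelta(days=14)):
    """Employees with more than one enabled account once the newest account is
    older than `grace`, i.e. the duplication was never resolved."""
    by_owner = defaultdict(list)
    for a in accounts:
        if a.enabled:
            by_owner[a.emp_id].append(a)
    stale = {}
    for emp_id, accts in by_owner.items():
        if len(accts) < 2:
            continue
        newest = max(a.created_on for a in accts)
        if as_of - newest > grace:
            stale[emp_id] = sorted(a.username for a in accts)
    return stale


def reconcile(accounts, roster, as_of):
    """Run both checks and return the findings as a dict for follow-up."""
    return {
        "orphaned": orphaned_accounts(accounts, roster),
        "duplicates": duplicate_accounts(accounts, as_of),
    }


if __name__ == "__main__":
    report = reconcile(ACCOUNT_EXPORT, HR_ROSTER, AS_OF)
    for username in report["orphaned"]:
        print(f"ORPHAN     {username}: owner terminated, account still enabled")
    for emp_id, names in report["duplicates"].items():
        print(f"DUPLICATE  {emp_id}: {', '.join(names)}")
```

On the constructed data the run flags `bjones` (owner terminated, account enabled) and the pair `jdoe`/`jdoe2` (two enabled accounts created almost a year before the run), while `dgreen`/`dgreen-tmp` is left alone because the newer account is only days old and may still be awaiting the routine clean-up. Treating employees absent from the roster as non-active is deliberate: an account with no HR owner is as much a finding as one tied to a departed employee.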

C. Network Security
Network security includes the policies and controls used to prevent or monitor unauthorized
access, misuse, modification, or denial of a computer network and network-accessible resources.

Horizon has implemented an incident response and network security program. However, we
noted several opportunities for improvement related to Horizon’s network security controls.

1. Full Scope Vulnerability Scanning
   We conducted a review of Horizon’s computer server vulnerability management program to
   determine if adequate controls were in place to detect, track, and remediate vulnerabilities.

   Horizon contracts with a third party data center that maintains the [redacted]
   that support its claims processing application. Two additional data centers are
   managed directly by Horizon and contain the majority of Horizon’s network infrastructure.

   Horizon conducts [redacted] vulnerability scans of its public facing servers in the
   [redacted], and has recently begun implementing a similar process for its internal network
   servers and databases. Another third party contractor conducts annual penetration and
   vulnerability scans of Horizon’s network. The third party data center conducts its own
   vulnerability scans on a static sample of servers and databases. However, that sample is only
   a small percentage of the total servers within the data center, and the remaining servers are
   never subject to routine vulnerability scans. Therefore, we have determined that Horizon has
   not implemented a full scope vulnerability management program that encompasses its entire
   universe of servers.


   NIST SP 800-53 Revision 4 states that the organization should scan “for vulnerabilities in
   the information system and hosted applications . . . .”

   Failure to perform full scope vulnerability scanning increases the risk that Horizon’s
   systems are compromised and sensitive data could be stolen or destroyed.

   Recommendation 7
   We recommend that Horizon implement a process to routinely conduct vulnerability scans
   on all servers and databases and remediate detected vulnerabilities in a timely manner
   within the third party data center.

   Horizon Response:
   “The Plan stated that the third party ([redacted]) data center staff is finalizing the revised
   Vulnerability Management Program for the Datacenter in [redacted], Kentucky. The
   modifications include a revision of [redacted]’s Vulnerability Management Program
   documentation and procedures. The modifications also include enhancing the
   Vulnerability Management activity, specifically considering FEP requirements in the
   [redacted] data center. Policies, standards, and procedures are being updated and a new
   resource has been hired to manage the program. The documentation is in final draft
   review at this time and the program capabilities are currently being tested. The Plan
   expects the revised policies, standards and procedures to be finalized by
   May 1, 2015.”

2. Vulnerabilities Identified in Scans
   As part of our review of Horizon’s computer server vulnerability management program, we
   worked with Horizon employees to independently perform automated vulnerability scans on
   a sample of servers and databases.

   System Patching
   Horizon has documented patch management policies and procedures. However, the results
   of the vulnerability scans performed during this audit indicate that critical patches and
   service packs are not always implemented in a timely manner.

   FISCAM states that “Software should be scanned and updated frequently to guard against
   known vulnerabilities.” NIST SP 800-53 Revision 4 states that Horizon must identify,
   report, and correct information system flaws and install security-relevant software and
   firmware updates promptly.




Failure to promptly install important updates increases the risk that vulnerabilities will not be
remediated and sensitive information could be stolen.

Recommendation 8
We recommend that Horizon implement procedures and controls to ensure that production
servers are installed with appropriate patches, service packs, and hotfixes on a timely basis.

Horizon Response:
“The Plan currently has policies and procedures in place for maintenance, which includes
patching, service packs, and hotfixes.

The completion of the roll-out of [redacted] will enable the Plan to apply maintenance in a
consistent and timely manner.

The Plan’s current patch process monitors for systems that are missed, but in the future
will have a more robust system that will allow a more granular audit on individual patch
success rate. In the interim, the Plan has a combination of both manual and automated
scans for detection.

The target date for implementation is                        .”

Noncurrent Software
The results of the vulnerability scans indicated that several servers contained noncurrent
software applications that were no longer supported by the vendors, and have known security
vulnerabilities.

FISCAM states that “Procedures should ensure that only current software releases are
installed in information systems. Noncurrent software may be vulnerable to malicious code
such as viruses and worms.”

Failure to promptly remove outdated software increases the risk of a successful malicious
attack on the information system.

Recommendation 9
We recommend that Horizon implement a methodology to ensure that only current and
supported versions of system software are installed on the production servers.

Horizon Response:
“The Plan stated that it will develop a policy which articulates a direction on obsolescence
planning. The Plan’s direction is to remain at least one release behind the latest major release
of system software, and to properly risk-assess systems and obsolescence plans. The Plan has
already implemented periodic vulnerability scanning, and will enhance its remediation
methodology. All enhancements will be implemented by                     .”

    Recommendation 10
    We recommend that Horizon remediate vulnerabilities discovered as a result of the
    vulnerability scanning conducted during this audit.

    Horizon Response:
    “The Plan stated that the vulnerabilities identified during the audit will be addressed by
                   .”
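
Recommendations 8 through 10 rest on two questions a vulnerability management program has to answer from its scan output: which findings are past the patching window for their severity, and which hosts are still running software the vendor no longer supports. The script below is an added example written for this page; it is not code from Horizon, its data center contractor, or the OIG. The severity-to-deadline table, the end-of-support dates, the product names and the scan findings are all constructed values; in practice they come from the organization's patching policy, the vendors' published lifecycle pages, and the scanner's export.

```python
"""Triage of vulnerability-scan results for patch timeliness and unsupported software.

Added example; not Horizon's, its contractor's, or the OIG's code. The SLA
table, end-of-support dates, product names and scan records are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Days allowed between a fix becoming available and its installation (constructed SLA).
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Vendor end-of-support dates keyed by product and major version (constructed values;
# a real program takes these from the vendor's published lifecycle policy).
END_OF_SUPPORT = {
    "exampleos 1.0": date(2013, 6, 30),
    "examplehttpd 2.2": date(2014, 1, 1),
}


@dataclass(frozen=True)
class Finding:
    host: str
    check: str              # scanner check/plugin identifier
    severity: str           # critical, high, medium or low
    patch_available: date   # date the vendor released the fix
    software: str           # product and major version the check fired on


def overdue_patches(findings, today):
    """Return (finding, days_past_sla) for fixes still missing after their SLA window."""
    overdue = []
    for f in findings:
        age = (today - f.patch_available).days
        allowed = PATCH_SLA_DAYS[f.severity.lower()]   # unknown severity is an error, not a pass
        if age > allowed:
            overdue.append((f, age - allowed))
    # Worst offenders first so remediation can be prioritised.
    return sorted(overdue, key=lambda item: item[1], reverse=True)


def unsupported_software(findings, today):
    """Return sorted (host, software) pairs whose vendor support ended before today."""
    hits = set()
    for f in findings:
        end = END_OF_SUPPORT.get(f.software.lower())
        if end is not None and today > end:
            hits.add((f.host, f.software))
    return sorted(hits)


# Constructed scan output: hosts, check names and dates are illustrative only.
SAMPLE_FINDINGS = [
    Finding("db01", "EXAMPLE-OS-001", "critical", date(2014, 3, 11), "ExampleOS 2.0"),
    Finding("db01", "EXAMPLE-OS-002", "low", date(2014, 5, 1), "ExampleOS 2.0"),
    Finding("app02", "EXAMPLE-HTTPD-010", "high", date(2014, 1, 15), "ExampleHTTPD 2.2"),
    Finding("app03", "EXAMPLE-OS-EOL", "medium", date(2014, 6, 1), "ExampleOS 1.0"),
]


def triage(findings=SAMPLE_FINDINGS, today=date(2014, 7, 1)):
    """Summarise both problem classes the scans surfaced, as plain tuples for reporting."""
    return {
        "overdue": [(f.host, f.check, days) for f, days in overdue_patches(findings, today)],
        "unsupported": unsupported_software(findings, today),
    }


if __name__ == "__main__":
    report = triage()
    for host, check, days in report["overdue"]:
        print(f"{host}: {check} is {days} days past its patch SLA")
    for host, software in report["unsupported"]:
        print(f"{host}: {software} is no longer vendor-supported")
```

Two design points matter for an audit response of this kind. Overdue findings are measured from the date the vendor fix became available, not from the scan date, so a host that was simply never scanned does not look freshly vulnerable. Unsupported software is reported per host even when the scanner raises no specific vulnerability against it, because the absence of vendor patches is itself the finding the report describes.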

D. Configuration Management
Horizon’s claims processing application is housed in                              . The platform
includes many supporting applications and system interfaces. The                 and several of the
supporting applications are hosted by a third party contractor. Additional supporting
applications are hosted in data centers owned and operated by Horizon. We evaluated Horizon’s
computer configuration management specific to its              servers’ security settings and
determined that the following controls were in place:
   • Documented corporate configuration policy; and
   • Thorough change management procedures for system software and hardware.

The sections below document areas for improvement related to Horizon’s configuration
management controls.

1. Baseline Configuration Policy
   Horizon has created configuration baselines for all of the operating systems utilized in its
   network environment. However, the               baselines did not adequately reflect Horizon’s
   configuration hardening policies or industry best practices, and are currently being revised to
   comply with Center for Internet Security (CIS) benchmarks.

    NIST SP 800-53 Revision 4 states that an organization must develop, document, and
    maintain a current baseline configuration of the information system. NIST SP 800-53
    Revision 4 also states that an organization must monitor and control changes to the
    configuration settings in accordance with organizational policies and procedures. FISCAM
    requires current configuration information to be routinely monitored for
    accuracy. Monitoring should analyze the baseline and current configuration of the hardware,
    software, and firmware that comprise the information system.

   Failure to establish and routinely monitor approved system configuration settings increases
   the risk the system may not meet performance and security requirements defined by the
   organization.

   Recommendation 11
   We recommend that Horizon finalize the revision of its              server’s baseline
   configurations for all versions utilized in its network environment.

   Horizon Response:
   “The Plan stated the            Server's Baseline Configuration policy will be developed by
   December 31, 2014.

   New            Server's baselines standards will be added to the Server Build procedures,
   and will be implemented systematically on existing                    via standard change
   control procedures. This will be performed on an ongoing basis.

   The target date for implementation of a New                       is                    .”

2. Configuration Compliance Auditing
   Horizon conducts annual configuration compliance auditing on a subset of servers hosted in
   its data centers. However, this audit does not include a review of Horizon’s
   servers. Additionally, although Horizon’s third party contractor conducts annual
   configuration compliance auditing of its mainframe, it does not conduct a compliance audit
   on all servers supporting the claims processing system.

   NIST SP 800-53 Revision 4 states that an organization must monitor and control changes to
   the configuration settings in accordance with organizational policies and
   procedures. FISCAM requires current configuration information to be routinely monitored
   for accuracy. Monitoring should address the baseline and operational configuration of the
   hardware, software, and firmware that comprise the information system.

   Failure to implement a thorough configuration compliance auditing program increases the
   risk that insecurely configured servers remain undetected, creating a potential gateway for
   malicious virus and hacking activity that could lead to data breaches.

   Recommendation 12
   We recommend that Horizon routinely audit the security configuration settings on all servers
   against the associated configuration baselines.

    Horizon Response:
    “The Plan will ensure that once the          Server's configuration baseline is established
    and deployed, then the routine compliance auditing process will be implemented on the
    newly built servers and executed on a semi-annual basis.

    The target date for implementation is                      .”
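
Recommendations 11 and 12 describe one mechanism: collect each server's security settings, compare them with the approved baseline, and make sure every server in the inventory, including those hosted by the third party, is actually covered by that comparison. The script below is an added example written for this page and is not Horizon's tooling, its contractor's, or CIS benchmark content; the rule names, expected values, collected settings and inventory are constructed placeholders standing in for a real hardening baseline and a real configuration collection.

```python
"""Audit of server security settings against a documented configuration baseline.

Added example; not Horizon's tooling or a CIS benchmark. The baseline rules,
collected settings and inventory are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    setting: str
    expected: object
    op: str = "eq"   # "eq": must equal; "max": must not exceed; "min": must be at least


# Constructed baseline in the style of a hardening benchmark (not actual CIS content).
BASELINE = [
    Rule("ssh.PermitRootLogin", "no"),
    Rule("ssh.Protocol", 2),
    Rule("password.MaxAgeDays", 90, "max"),
    Rule("password.MinLength", 12, "min"),
    Rule("audit.enabled", True),
]


def _meets(rule, value):
    if rule.op == "eq":
        return value == rule.expected
    if rule.op == "max":
        return value <= rule.expected
    if rule.op == "min":
        return value >= rule.expected
    raise ValueError(f"unknown comparison {rule.op!r}")


def check_server(settings, baseline=BASELINE):
    """Return (setting, expected, actual) for every rule the server fails.

    A setting absent from the collected configuration is reported as a deviation
    rather than silently passing, so an incomplete collection cannot look compliant.
    """
    deviations = []
    for rule in baseline:
        actual = settings.get(rule.setting)
        if actual is None or not _meets(rule, actual):
            deviations.append((rule.setting, rule.expected, actual))
    return deviations


def coverage_gaps(inventory, audited_hosts):
    """Inventory hosts that no audit run collected settings from."""
    return sorted(set(inventory) - set(audited_hosts))


# Constructed settings as they might be collected from each host.
COLLECTED = {
    "web01": {"ssh.PermitRootLogin": "no", "ssh.Protocol": 2, "password.MaxAgeDays": 60,
              "password.MinLength": 14, "audit.enabled": True},
    "db01": {"ssh.PermitRootLogin": "yes", "ssh.Protocol": 2, "password.MaxAgeDays": 180,
             "password.MinLength": 12, "audit.enabled": True},
    # Collection from this host omitted the audit setting entirely.
    "app01": {"ssh.PermitRootLogin": "no", "ssh.Protocol": 2, "password.MaxAgeDays": 90,
              "password.MinLength": 12},
}
# Constructed asset inventory; app02 appears in it but was never audited.
INVENTORY = ["web01", "db01", "app01", "app02"]


def compliance_report(collected=COLLECTED, inventory=INVENTORY, baseline=BASELINE):
    return {
        "deviations": {host: check_server(s, baseline) for host, s in collected.items()},
        "unaudited": coverage_gaps(inventory, collected),
    }


if __name__ == "__main__":
    report = compliance_report()
    for host, devs in report["deviations"].items():
        print(f"{host}: {'compliant' if not devs else str(len(devs)) + ' deviation(s)'}")
        for setting, expected, actual in devs:
            print(f"  {setting}: expected {expected!r}, found {actual!r}")
    print("never audited:", ", ".join(report["unaudited"]) or "none")
```

The coverage check is the part that answers the finding in this section: a compliance audit that runs only on a subset of servers reports nothing for the rest, so the report has to be driven from the asset inventory rather than from whatever hosts happened to return data.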

E. Contingency Planning
We reviewed the following elements of Horizon’s contingency planning program to determine
whether controls were in place to prevent or minimize interruptions to business operations when
disastrous events occur:
   • Disaster recovery plan;
   • Horizon FEP business continuity management plan;
   • Disaster recovery plan tests; and
   • Emergency response procedures.

We determined that the service continuity documentation contained the critical elements
suggested by NIST SP 800-34, “Contingency Planning Guide for Information Technology
Systems.” Horizon has identified and prioritized the systems and resources that are critical to
business operations, and has developed detailed procedures to recover those systems and
resources.

However, Horizon does not perform adequate and routine business continuity testing. We were
provided limited evidence that Horizon conducts random tests in conjunction with business
impact analysis and business continuity plan maintenance, but the tests are not thoroughly
documented.

Horizon contingency plans are not adequately tested.

FISCAM states that “Testing contingency plans is essential to determining whether they will
function as intended in an emergency situation. . . . The most useful scenarios involve
simulating a disaster situation to test overall service continuity.”

Failure to perform routine business continuity tests decreases the likelihood that Horizon will be
able to restore operations within the required recovery time in the event of a disaster.

Recommendation 13
We recommend that Horizon conduct and document routine business continuity tests.

Horizon Response:
“The Plan stated that a tabletop exercise for FEP Operations will be coordinated with the next
update to the FEP Operations Business Continuity Plan scheduled for December 2014. The
exercise will include the business owner(s) and participants from the FEP department and will
not incur any cost. Tabletop exercises are documented as they occur and FEP Operations’
exercise will be recorded along with any lessons learned to mitigate gaps identified through
the Business Impact Analysis and Business Continuity Plan maintenance process. This
process is part of the routine maintenance of the Business Continuity Management Plans.

The target date for implementation is December 31, 2014.”

F. Claims Adjudication
The following sections detail our review of the applications and business processes supporting
Horizon’s claims adjudication process. Horizon processes all FEHBP claims through its local
system and then through the BCBSA’s FEP Direct claims adjudication system.

1. Application Configuration Management
   We evaluated the policies and procedures governing application development and change
   control of Horizon’s claims processing systems.

   Horizon has implemented policies and procedures related to application configuration
   management, and has also adopted a system development life cycle methodology that IT
   personnel follow during routine software modifications. We observed the following controls
   related to testing and approvals of software modifications:
   • Horizon has adopted practices that allow modifications to be tracked throughout the
     change process;
   • Code, unit, system, and quality testing are all conducted in accordance with industry
     standards; and
   • Horizon uses a business unit independent from the software developers to move the code
     between development and production environments to ensure adequate segregation of
     duties.

  Nothing came to our attention to indicate that Horizon has not implemented adequate controls
  related to the application configuration management process.

2. Claims Processing System
   We evaluated the input, processing, and output controls associated with Horizon’s claims
   processing system. We have determined the following controls are in place over Horizon’s
   claims adjudication system:
   • Routine audits are conducted on Horizon’s front-end scanning vendor for incoming paper
     claims;
   • Claims are monitored as they are processed through the system with real time tracking of
     the system’s performance; and
   • Claims output files are fully reconciled.

   Nothing came to our attention to indicate that Horizon has not implemented adequate
   controls over the claims processing system.

3. Debarment
   Horizon has adequate procedures for updating its claims system with debarred provider
   information. Horizon receives the OPM OIG debarment list every month and makes the
   appropriate updates to the FEP Direct claims processing system. Any claim submitted for a
   debarred provider is flagged by Horizon to adjudicate through the OPM OIG debarment
   process to include initial notification, a 15-day grace period, and then denial.

   Nothing came to our attention to indicate that Horizon has not implemented adequate
   controls over the debarment process.

4. Application Controls Testing
   We conducted a test of Horizon’s claims adjudication application to validate the system’s
   claims processing controls. The exercise involved processing test claims designed with
   inherent flaws and evaluating the manner in which Horizon’s system adjudicated the claims.

   Our test results indicate that the system has controls and edits in place to identify the
   following scenarios:
   • Member Eligibility;
   • Benefit Structure;
   • Overlapping Stays;
   • Timely Filing; and
   • Place of Service.

   The sections below document opportunities for improvement related to Horizon’s claims
   application controls.

   Medical Editing
   Our claims testing exercise identified a scenario where Horizon’s claims system processed
   and paid test claims without encountering any edits detecting a medical inconsistency
   between the diagnosis and procedure. One claim had a diagnosis of                   , and the
   procedure was the                                 . The other claim had a diagnosis of         ,
   and the procedure was a                  .

Failure to detect this system weakness increases the risk that benefits are being paid for
procedures that were not actually performed.

Recommendation 14
We recommend that BCBSA incorporate medical inconsistency scenarios into its ongoing
efforts to add medical edits to FEP Direct.

Horizon Response:
“BCBSA submitted a project intake request on September 19, 2014, to enhance medical
editing to include various medical inconsistency scenarios. BCBSA will provide an update
on the request by 4th quarter 2014.”

Patient History
Our claims testing exercise identified scenarios where Horizon’s claims processing system
did not adequately evaluate a patient’s medical history when adjudicating a claim. For each
of the following scenarios, a test claim was processed and paid without encountering any
system edits:













Failure to detect claims with patient history inconsistencies increases the risk that fraudulent
or erroneous claims are paid.

Recommendation 15
We recommend that Horizon and/or the BCBSA ensure that the appropriate system
modifications are made to prevent claims with patient history inconsistencies from
processing without proper verification.

   Horizon Response:
   “BCBSA submitted a project intake request on September 19, 2014, to enhance medical
   editing to prevent patient history inconsistencies processing without proper
   verification. BCBSA will provide an update on the request by 4th quarter 2014.”
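
The application controls test described in this section works by building claims with one known flaw each and checking which edits the adjudication system raises. The script below is an added example written for this page; it is not FEP Direct, Horizon's local claims system, or the auditors' actual test set. The edit rules, the diagnosis and procedure codes, the filing window, the paid-claims history and the test claims are all constructed, and the medical-inconsistency and patient-history scenarios in the report itself are redacted, so the rules here only illustrate the shape of such edits (a once-per-lifetime procedure and a diagnosis/procedure compatibility table), not the specific cases the auditors used.

```python
"""Application-control test: deliberately flawed test claims run through claim edits.

Added example; not FEP Direct, Horizon's claims system or the auditors' test
set. Edit rules, code values, the filing window, member history and test claims
are constructed; the actual scenarios in the audit are redacted from the report.
"""
from datetime import date

TIMELY_FILING_DAYS = 365           # constructed filing window
ONCE_PER_LIFETIME = {"PROC-ONCE"}  # constructed: procedures payable once per member
# Constructed table: diagnosis -> procedures that are medically consistent with it.
COMPATIBLE = {"DX-A": {"PROC-A", "PROC-ONCE"}, "DX-B": {"PROC-B"}}


def edit_timely_filing(claim, history):
    """Claim received more than the filing window after the service date."""
    return (claim["received"] - claim["service_date"]).days > TIMELY_FILING_DAYS


def edit_overlapping_stay(claim, history):
    """Inpatient claim whose dates overlap a paid inpatient stay for the same member."""
    if not claim["inpatient"]:
        return False
    return any(
        h["member"] == claim["member"] and h["inpatient"]
        and h["service_date"] <= claim["discharge"] and claim["service_date"] <= h["discharge"]
        for h in history
    )


def edit_patient_history(claim, history):
    """Once-per-lifetime procedure already paid for this member."""
    return claim["procedure"] in ONCE_PER_LIFETIME and any(
        h["member"] == claim["member"] and h["procedure"] == claim["procedure"] for h in history
    )


def edit_medical_inconsistency(claim, history):
    """Procedure not consistent with the billed diagnosis."""
    return claim["procedure"] not in COMPATIBLE.get(claim["diagnosis"], set())


EDITS = [
    ("timely_filing", edit_timely_filing),
    ("overlapping_stay", edit_overlapping_stay),
    ("patient_history", edit_patient_history),
    ("medical_inconsistency", edit_medical_inconsistency),
]


def adjudicate(claim, history):
    """Return the names of the edits the claim trips; an empty list means it would pay."""
    return [name for name, fn in EDITS if fn(claim, history)]


def make_claim(member, dx, proc, service, received, discharge=None, inpatient=False):
    return {"member": member, "diagnosis": dx, "procedure": proc, "service_date": service,
            "discharge": discharge or service, "received": received, "inpatient": inpatient}


# Constructed paid-claims history for two members.
HISTORY = [
    make_claim("M1", "DX-A", "PROC-ONCE", date(2013, 3, 1), date(2013, 3, 10)),
    make_claim("M2", "DX-B", "PROC-B", date(2014, 1, 10), date(2014, 1, 20),
               discharge=date(2014, 1, 15), inpatient=True),
]

# Constructed test claims: the first is clean, each of the others carries one inherent flaw.
TEST_CLAIMS = {
    "clean": make_claim("M1", "DX-B", "PROC-B", date(2014, 5, 1), date(2014, 5, 20)),
    "late": make_claim("M1", "DX-B", "PROC-B", date(2013, 1, 1), date(2014, 5, 20)),
    "overlap": make_claim("M2", "DX-B", "PROC-B", date(2014, 1, 12), date(2014, 2, 1),
                          discharge=date(2014, 1, 20), inpatient=True),
    "repeat": make_claim("M1", "DX-A", "PROC-ONCE", date(2014, 4, 1), date(2014, 4, 15)),
    "mismatch": make_claim("M1", "DX-B", "PROC-A", date(2014, 4, 1), date(2014, 4, 15)),
}


def run_tests(claims=TEST_CLAIMS, history=HISTORY):
    """Map each test claim label to the edits it tripped."""
    return {label: adjudicate(c, history) for label, c in claims.items()}


if __name__ == "__main__":
    for label, tripped in run_tests().items():
        print(f"{label}: {'paid' if not tripped else ', '.join(tripped)}")
```

The value of the harness is the expectation attached to each test claim: a flawed claim that adjudicates with an empty edit list is exactly the weakness this section reports, and a clean claim that trips an edit is a false positive the business would notice as denied legitimate claims.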

G. Health Insurance Portability and Accountability Act
We reviewed Horizon’s efforts to maintain compliance with the security and privacy standards
of the Health Insurance Portability and Accountability Act (HIPAA).

Horizon has implemented a series of IT security policies and procedures to adequately address
the requirements of the HIPAA security rule. Horizon has also developed a series of privacy
policies and procedures that directly addresses all requirements of the HIPAA privacy rule.
Horizon reviews its HIPAA privacy and security policies annually and updates when necessary.
Horizon’s privacy group oversees all HIPAA activities, and helps develop, publish, and maintain
corporate policies. Each year, all employees must complete compliance training which
encompasses HIPAA regulations as well as general compliance.

Nothing came to our attention to indicate that Horizon is not in compliance with the various
requirements of HIPAA regulations.

IV. MAJOR CONTRIBUTORS TO THIS REPORT

Information Systems Audit Group

              , Auditor-In-Charge
           , Lead IT Auditor
                  , Lead IT Auditor
                     , IT Auditor
            , IT Auditor
______________________________________________________________________________

                , Group Chief


Appendix




September 24, 2014

Federal Employee Program
1310 G Street, N.W.
Washington, D.C. 20005
202.942.1000
Fax 202.942.1125

                , Group Chief
Claims & IT Audits Group,
U.S. Office of Personnel Management
1900 E Street, Room 6400
Washington, D.C. 20415-1100

Reference:
OPM DRAFT AUDIT REPORT
           Horizon Blue Cross Blue Shield IT Audit
           Plan Codes 280/780
           Audit Report Number 1A-10-49-14-021
           (Dated July 18, 2014)

The following represents the Plan’s response as it relates to the recommendations included in the draft
report.

B. Access Controls

1.   Access to Data Centers

     Recommendation 1

     We recommend that Horizon implement multi-factor authentication and some form of
               prevention controls at its data center entrances.
     Plan Response

     The Plan stated that the data center staff currently maintains approval to access the data centers and
     recertifies this access on a quarterly basis. Those individuals who do not have access but have
     legitimate business in the data center, will be required to follow the existing procedure:

     1. Be escorted by personnel with access privileges while in the data center; and
     2. Sign the visitor’s log when entering and leaving the data center.

     In addition to the above process, the Plan will implement the following:
     • A biometric scanning device will be installed
     • Video cameras will be installed, which monitor every aisle of the data center for a complete
       review of the space
     • A security badge policy,                                                  , will be implemented.
       Lanyards will be required to be worn in all areas of the Plan’s physical locations not just the
       data centers.
     • A robust training program and refresher training for employees, contractors and our security
       staff regarding their responsibilities, with a special focus on              , will be
       implemented.

     The target date for implementation is               .

2. Physical Access Recertification

    Recommendation 2

    We recommend that Horizon implement a process for routinely
    auditing all active access cards to ensure that they are not assigned to terminated
    employees.

    Plan Response

    The Plan stated that the Director, Corporate Security will implement a new process to routinely audit
    all active ID cards to ensure terminated employees and terminated contractors do not continue to
    have access to the Plan’s data center locations after their separation date. The Plan also stated that
    the Director, Corporate Security will require Human Resources to issue the termination notifications
    directly to their attention. Access terminations will be directly adjusted by the Director, Corporate
    Security or the Manager, Corporate Security. Access changes will be cross-checked by the Director
    of the Special Investigations Unit to ensure accuracy. In addition to the above, quarterly audits of the
    system access data will be reviewed for accuracy.

    The target date for implementation is April 1, 2015.

3. Logical Access Management

    Recommendation 3

    We recommend that Horizon remove all duplicate         user accounts.

    Plan Response

    The Plan stated that the IT Security Operations staff will work with the             team to
    remove all duplicate                      user accounts by the end of October, 2014. A
    reconciliation of the   user names will be performed before and after the duplicate    accounts are
    removed.

    The target date for implementation is October 31, 2014.

Recommendation 4

We recommend that Horizon implement a process to ensure that duplicate accounts are not maintained
within the system.

Plan Response

The Plan stated that the IT Security Operations staff will work with the               Team to establish
a reconciliation process for   ids, focusing on duplicate accounts, which will be conducted every
       .

The target date for implementation is December 31, 2014.

Recommendation 5

We recommend that Horizon disable/remove all active accounts for terminated users.

Plan Response

The Plan stated that the IT Security Operations staff will work with the             team to implement
a process to identify and remove all active   user accounts for terminated users by December 31st,
2014.

Recommendation 6

We recommend that Horizon implement a process to routinely audit all active accounts to ensure that
they are not assigned to terminated employees.

Plan Response

The Plan stated that the IT Security Operations staff will work with the              team to establish a
reconciliation process for    IDs, focusing on terminated employees, which will be conducted every 6
months.

The target date for implementation is December 31, 2014.
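
Recommendations 3 through 6 all reduce to one reconciliation: take the system's export of enabled accounts, join it to the HR feed, and report accounts owned by terminated people, accounts with no HR owner at all, and people holding more than one account. The Plan's response to Recommendation 3 also describes a before-and-after comparison of user names around the removal. The script below is an added example written for this page, not Horizon's process or its identity system's API; the account export, the HR feed, the employee identifiers and the review date are constructed.

```python
"""Reconciliation of enabled user accounts against the HR termination feed.

Added example; not Horizon's process or its identity system's API. The account
export, HR feed, employee ids and review date are constructed for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed export of accounts from the target system.
ACCOUNTS = [
    {"account": "jsmith",  "employee_id": "E100", "enabled": True},
    {"account": "jsmith2", "employee_id": "E100", "enabled": True},   # second account, same person
    {"account": "adoe",    "employee_id": "E200", "enabled": True},
    {"account": "bwu",     "employee_id": "E300", "enabled": True},   # owner has left
    {"account": "svc_old", "employee_id": "E999", "enabled": True},   # owner unknown to HR
    {"account": "clee",    "employee_id": "E400", "enabled": False},  # already disabled
]

# Constructed HR feed keyed by employee id.
HR_FEED = {
    "E100": {"status": "active", "terminated_on": None},
    "E200": {"status": "active", "terminated_on": None},
    "E300": {"status": "terminated", "terminated_on": date(2014, 6, 15)},
    "E400": {"status": "terminated", "terminated_on": date(2014, 2, 1)},
}
REVIEW_DATE = date(2014, 7, 1)   # constructed date of the reconciliation run


def reconcile(accounts, hr_feed, as_of):
    """Classify enabled accounts into the conditions Recommendations 3 to 6 cover."""
    enabled = [a for a in accounts if a["enabled"]]

    owners = defaultdict(list)
    for a in enabled:
        owners[a["employee_id"]].append(a["account"])
    # Recommendations 3/4: more than one enabled account for the same person.
    duplicates = {emp: sorted(names) for emp, names in owners.items() if len(names) > 1}

    terminated, orphaned = [], []
    for a in enabled:
        record = hr_feed.get(a["employee_id"])
        if record is None:
            # No HR owner at all: nobody can certify it, so it is reviewed like a leaver's.
            orphaned.append(a["account"])
        elif record["status"] == "terminated":
            # Recommendations 5/6: still enabled after the separation date.
            days_open = (as_of - record["terminated_on"]).days
            terminated.append((a["account"], days_open))
    return {"terminated": sorted(terminated), "duplicates": duplicates, "orphaned": sorted(orphaned)}


def verify_removal(before, after, intended):
    """Before/after check: exactly the intended accounts disappeared and nothing else."""
    return set(before) - set(after) == set(intended)


def run_reconciliation(as_of=REVIEW_DATE):
    return reconcile(ACCOUNTS, HR_FEED, as_of)


if __name__ == "__main__":
    result = run_reconciliation()
    for name, days in result["terminated"]:
        print(f"{name}: still enabled {days} days after owner's termination")
    for emp, names in result["duplicates"].items():
        print(f"{emp}: duplicate accounts {', '.join(names)}")
    for name in result["orphaned"]:
        print(f"{name}: no HR record for owner")
```

Running this on a schedule (the responses above commit to every six months) is the "routine audit" the recommendations ask for; the days-open figure is what turns the list into evidence that the termination-to-disable interval is actually shrinking between runs.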

C. Network Security

1. Full Scope Vulnerability Scanning

Recommendation 7

We recommend that Horizon implement a process to routinely conduct vulnerability scans on all
servers and databases and remediate detected vulnerabilities in a timely manner within the third
party data center.

Plan Response

The Plan stated that the third party (       ) data center staff is finalizing the revised Vulnerability
Management Program for the Datacenter in               , Kentucky. The modifications include a revision of
        ’s Vulnerability Management Program documentation and procedures. The modifications also
include enhancing the Vulnerability Management activity, specifically considering FEP requirements in the
           data center. Policies, standards, and procedures are being updated and a new resource has
been hired to manage the program. The documentation is in final draft review at this time and the
program capabilities are currently being tested. The Plan expects the revised policies, standards and
procedures to be finalized by May 1, 2015.

2. Vulnerabilities Identified in Scans

Recommendation 8

We recommend that Horizon implement procedures and controls to ensure that
production servers are installed with appropriate patches, service packs, and hotfixes
on a timely basis.

Plan Response

The Plan currently has policies and procedures in place for maintenance, which includes patching,
service packs, and hotfixes.

The completion of the roll-out of                                                               will enable the
Plan to apply maintenance in a consistent and timely manner.

The Plan’s current patch process monitors for systems that are missed, but in the future will have a more
robust system that will allow a more granular audit on individual patch success rate. In the interim, the
Plan has a combination of both manual and automated scans for detection.

The target date for implementation is

Recommendation 9

We recommend that Horizon implement a methodology to ensure that only current and
supported versions of system software are installed on the production servers.

Plan Response

The Plan stated that it will develop a policy which articulates a direction on obsolescence
planning. Plan’s direction is to remain at least one release behind the latest major release of system
software, and to properly risk assess systems and obsolescence plans. Plan has already implemented
periodic vulnerability scanning, and will enhance its remediation methodology. All enhancements will be
implemented by October 1st, 2015.

Recommendation 10

We recommend that Horizon remediate vulnerabilities discovered as a result of the
vulnerability scanning conducted during this audit.

Plan Response

The Plan stated that the vulnerabilities identified during the audit will be addressed by                   .

Recommendation 11

We recommend that Horizon finalize the revision of its               server’s baseline configurations for all
versions utilized in its network environment.

Plan Response

The Plan stated the            Server's Baseline Configuration policy will be developed by December 31,
2014.

New            Server's baselines standards will be added to the Server Build procedures, and will be
implemented systematically on existing            Systems via standard change control procedures. This
will be performed on an ongoing basis.

The target date for implementation of a New              System is                        .

Recommendation 12

We recommend that Horizon routinely audit the security configuration settings on all servers against the
associated configuration baselines.

Plan Response

The Plan will ensure that once the            Server's configuration baseline is established and deployed,
then the routine compliance auditing process will be implemented on the newly built servers and executed
on a semi-annual basis.

The target date for implementation is                     .

Recommendation 13

We recommend that Horizon conduct and document routine business continuity tests.

Plan Response

The Plan stated that a tabletop exercise for FEP Operations will be coordinated with the next update to
the FEP Operations Business Continuity Plan scheduled for December 2014. The exercise will include
the business owner(s) and participants from the FEP department and will not incur any cost. Tabletop
exercises are documented as they occur and FEP Operations’ exercise will be recorded along with any
lessons learned to mitigate gaps identified through the Business Impact Analysis and Business Continuity
Plan maintenance process. This process is part of the routine maintenance of the Business Continuity
Management Plans.

The target date for implementation is December 31, 2014.

Recommendation 14

We recommend that BCBSA incorporate medical inconsistency scenarios into its ongoing efforts to add
medical edits to FEP Direct.

BCBSA Response

BCBSA submitted a project intake request on September 19, 2014, to enhance medical editing to include
various medical inconsistency scenarios. BCBSA will provide an update on the request by 4th quarter
2014.

Recommendation 15

We recommend that Horizon and/or the BCBSA ensure that the appropriate system modifications are
made to prevent claims with patient history inconsistencies from processing without proper verification.

BCBSA Response

BCBSA submitted a project intake request on September 19, 2014, to enhance medical editing to prevent
patient history inconsistencies processing without proper verification. BCBSA will provide an update on
the request by 4th quarter 2014.

We appreciate the opportunity to provide our response to each of the findings in this report and request
that our comments be included in their entirety and are made a part of the Final Audit Report. If you have
any questions, please contact me at                 or                  at               .

Sincerely,

            , CISA
Managing Director, Program Assurance

cc:                   , Horizon
                    , FEP
                    , FEP


Report Fraud, Waste, and Mismanagement

Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector
General staff, agency employees, and the general public. We actively solicit allegations of any
inefficient and wasteful practices, fraud, and mismanagement related to OPM programs and
operations. You can report allegations to us in several ways:

By Internet:   http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-or-abuse

By Phone:      Toll Free Number:          (877) 499-7295
               Washington Metro Area:     (202) 606-2423

By Mail:       Office of the Inspector General
               U.S. Office of Personnel Management
               1900 E Street, NW
               Room 6400
               Washington, DC 20415-1100
