
Audit of the Information Systems General and Application Controls at Regence Blue Cross Blue Shield of Oregon

Published by the Office of Personnel Management, Office of Inspector General on 2017-03-27.


U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

AUDIT OF THE INFORMATION SYSTEMS GENERAL AND APPLICATION CONTROLS AT
REGENCE BLUE CROSS BLUE SHIELD OF OREGON

Report Number 1A-10-58-16-047
March 27, 2017




-- CAUTION --

This report has been distributed to Federal officials who are responsible for the administration of the
subject program. This non-public version may contain confidential and/or proprietary information, including
information protected by the Trade Secrets Act, 18 U.S.C. § 1905, and the Privacy Act, 5 U.S.C. § 552a.
Therefore, while a redacted version of this report is available under the Freedom of Information Act and
made publicly available on the OIG webpage (http://www.opm.gov/our-inspector-general), this non-public
version should not be further released unless authorized by the OIG.
EXECUTIVE SUMMARY

Audit of the Information Systems General and Application Controls at
Regence Blue Cross Blue Shield of Oregon

Report No. 1A-10-58-16-047                                                      March 27, 2017

Why Did We Conduct the Audit?

Regence Blue Cross Blue Shield of Oregon (Regence) contracts with the U.S. Office of Personnel
Management as part of the Federal Employees Health Benefits Program (FEHBP).

The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in Regence’s information technology (IT)
environment.

What Did We Audit?

The scope of this audit centered on the information systems used by Regence to process and
store data related to medical encounters and insurance claims for FEHBP members.

What Did We Find?

Our audit of the IT security controls of Regence determined that:

• Regence has established an adequate security management program.

• Regence has implemented controls to prevent unauthorized physical access to its facilities.
  However, logical access controls could be improved by implementing multi-factor
  authentication for privileged users.

• Regence has implemented an incident response and network security program. Regence has
  also implemented preventative controls at the network perimeter and performs security event
  monitoring throughout its network. However, Regence has not implemented network access
  controls throughout the entire facility. Regence has also not documented an approved
  firewall security configuration standard.

• Regence has developed and documented formal configuration management policies and
  configuration standards for its operating platforms.

• Regence’s business continuity and disaster recovery plans contain the elements suggested by
  relevant guidance and publications. Regence also tests these plans on a routine basis.

• Regence has implemented many controls in its claims adjudication process to ensure that
  FEHBP claims are processed accurately.

______________________
Michael R. Esser
Assistant Inspector General for Audits
This report is non-public and should not be further released unless authorized by the OIG, because it may
contain confidential and/or proprietary information that may be protected by the Trade Secrets Act,
18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
ABBREVIATIONS

    BCBSA                       Blue Cross Blue Shield Association
    Cambia                      Cambia Health Solutions
    CFR                         Code of Federal Regulations
    FEHBP                       Federal Employees Health Benefits Program
    FEP                         Federal Employee Program
    FISCAM                      Federal Information Security Controls Audit Manual
    GAO                         U.S. Government Accountability Office
    IT                          Information Technology
    NIST SP                     National Institute of Standards and Technology’s Special Publication
    OIG                         Office of the Inspector General
    OMB                         U.S. Office of Management and Budget
    OPM                         U.S. Office of Personnel Management
    Regence                     Regence Blue Cross Blue Shield




TABLE OF CONTENTS

                                                                        Page

EXECUTIVE SUMMARY ........................................................ i

ABBREVIATIONS ............................................................ ii

I.   BACKGROUND .......................................................... 1

II.  OBJECTIVES, SCOPE, AND METHODOLOGY .................................. 2

III. AUDIT FINDINGS AND RECOMMENDATIONS .................................. 5

     A. Security Management .............................................. 5

     B. Access Controls .................................................. 5

     C. Network Security ................................................. 7

     D. Configuration Management ......................................... 9

     E. Contingency Planning ............................................. 9

     F. Claims Adjudication .............................................. 10

APPENDIX: Regence’s December 2, 2016, response to the draft audit report, issued
          September 30, 2016.

REPORT FRAUD, WASTE, AND MISMANAGEMENT




I. BACKGROUND

This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) data by Regence Blue Cross Blue Shield
of Oregon (Regence).

The audit was conducted pursuant to FEHBP contracts CS 1039; 5 U.S.C. Chapter 89; and 5
Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S.
Office of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established
by the Inspector General Act of 1978, as amended.

The FEHBP was established by the Federal Employees Health Benefits Act, enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.

This was our first audit of Regence’s information technology (IT) general and application
controls. All Regence personnel that worked with the auditors were helpful and open to ideas
and suggestions. They viewed the audit as an opportunity to examine practices and to make
changes or improvements as necessary. Their positive attitude and helpfulness throughout the
audit was greatly appreciated.




II. OBJECTIVES, SCOPE, AND METHODOLOGY

 OBJECTIVES

 The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
 availability of FEHBP data processed and maintained in Regence’s IT environments. We
 accomplished these objectives by reviewing the following areas:

 • Security management;

 • Access controls;

 • Network security;

 • Configuration management;

 • Segregation management;

 • Contingency planning; and

 • Application controls specific to Regence’s claims processing system.

 SCOPE AND METHODOLOGY

 This performance audit was conducted in accordance with generally accepted government
 auditing standards issued by the Comptroller General of the United States. Accordingly, we
 obtained an understanding of Regence’s internal controls through interviews and observations, as
 well as inspection of various documents, including information technology and other related
 organizational policies and procedures. This understanding of Regence’s internal controls was
 used in planning the audit by determining the extent of compliance testing and other auditing
 procedures necessary to verify that the internal controls were properly designed, placed in
 operation, and effective.

 The scope of this audit centered on the information systems used by Regence to process medical
 insurance claims and/or store the data of FEHBP members. The business processes reviewed are
 primarily located in Portland, Oregon.




Regence is a subsidiary of Cambia Health Solutions (Cambia), which offers a wide range of
insurance products and services. All of the information technology (IT) functions at Regence
are managed by Cambia. The operations of Cambia were considered within the scope of this
audit.

The on-site portion of this audit was performed in June and July of 2016. We completed
additional audit work before and after the on-site visit at our office in Washington, D.C. The
findings, recommendations, and conclusions outlined in this report are based on the status of
information system general and application controls in place at Regence as of July 2016.

In conducting our audit, we relied to varying degrees on computer-generated data provided by
Regence. Due to time constraints, we did not verify the reliability of the data used to complete
some of our audit steps, but we determined that it was adequate to achieve our audit objectives.
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.

In conducting this review we:

• Gathered documentation and conducted interviews;

• Reviewed Regence’s business structure and environment;

• Performed a risk assessment of Regence’s information systems environment and
  applications, and prepared an audit program based on the assessment and the U.S.
  Government Accountability Office’s (GAO) Federal Information System Controls Audit
  Manual (FISCAM); and

• Conducted various compliance tests to determine the extent to which established controls and
  procedures are functioning as intended. As appropriate, we used judgmental sampling in
  completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide for evaluating Regence’s
control structure. These criteria include, but are not limited to, the following publications:

• Title 48 of the Code of Federal Regulations;

• U.S. Office of Management and Budget (OMB) Circular A-130, Appendix III;

• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
  Personally Identifiable Information;

• COBIT 5: A Business Framework for the Governance and Management of Enterprise IT;

• GAO’s FISCAM;

• National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12, An
  Introduction to Computer Security: The NIST Handbook;

• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
  Technology Systems;

• NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments;

• NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems;

• NIST SP 800-41, Revision 1, Guidelines on Firewalls and Firewall Policy;

• NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems
  and Organizations; and

• NIST SP 800-61, Revision 2, Computer Security Incident Handling Guide.

COMPLIANCE WITH LAWS AND REGULATIONS

In conducting the audit, we performed tests to determine whether Regence’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
Regence was not in complete compliance with all standards, as described in section III of this
report.




III. AUDIT FINDINGS AND RECOMMENDATIONS

A. SECURITY MANAGEMENT

  As mentioned above, Regence is a subsidiary of Cambia. Therefore, all Cambia policies and
  procedures related to information security management apply to Regence. The security
  management component of this audit involved the examination of the policies and procedures
  that are the foundation of Cambia’s overall IT security program. We evaluated Cambia’s
  ability to develop security policies, manage risk, assign security-related responsibility, and
  monitor the effectiveness of various system-related controls.

  Cambia has implemented a series of formal policies and procedures that comprise its security
  management program. Cambia has developed an adequate risk management methodology and
  creates remediation plans to address weaknesses identified in risk assessments. We also
  reviewed Cambia’s human resources policies and procedures related to hiring, training,
  transferring, and terminating employees.

  Nothing came to our attention to indicate that Cambia does not have an adequate security
  management program.

B. ACCESS CONTROLS

  Access controls are the policies, procedures, and techniques used to prevent or detect
  unauthorized physical or logical access to sensitive resources.


  We examined the physical access controls of Regence’s and Cambia’s facilities and data center.
  We also examined the logical controls protecting sensitive data on Cambia’s network
  environment and claims processing related applications.

  The access controls observed during this audit include, but are not limited to:

  • Procedures for appropriately granting and removing physical access to facilities and the data
    center;

  • Procedures for appropriately granting, adjusting, and removing logical access;

  • Routinely reviewing user access; and

  • Adequate environmental controls over the data center.

  The following section documents one opportunity for improvement related to Cambia’s logical
  access controls.

1. Privileged User Authentication

    Access to privileged user (system administrator) accounts at Cambia requires multi-factor
    authentication when                                                       . We expect all FEHBP
    contractors to require multi-factor authentication for administrator-level access to
    information systems regardless of where the user is physically located. Cambia currently has
    a project in progress to fully enforce multi-factor authentication for system administrators.
    However, the control had not been implemented at the time of our audit fieldwork.

    The Federal government requires multi-factor authentication for all information system users.
    Although Cambia is not a government entity, it does process sensitive healthcare data of
    Federal employees. Therefore, we recommend that Cambia implement this control for
    privileged users at a minimum. NIST SP 800-53, Revision 4, states that information systems
    should implement multi-factor authentication for network access to privileged accounts.
    Failure to implement multi-factor authentication increases the risk that privileged user
    credentials could be compromised and that unauthorized users could access sensitive and
    proprietary data.

    Recommendation 1

    We recommend that Regence/Cambia require multi-factor authentication for privileged user
    access to all information systems.

    Regence/Cambia Response:

    “Cambia agrees with this recommendation. As noted in the report, a project is underway
    to implement multifactor authentication for privileged user access to information systems
    that store or process Personal Health Information (PHI). Cambia anticipates completion
    of this effort by                  .”
    OIG Comment:

    As a part of the audit resolution process, we recommend that Regence/Cambia provide
    OPM’s Healthcare and Insurance Audit Resolution Group with evidence when it has fully
    implemented this recommendation. This statement applies to subsequent recommendations
    in this audit report that Regence/Cambia agrees to implement.

C. NETWORK SECURITY

  Network security includes the policies and controls used to prevent and monitor unauthorized
  access, misuse, modification, or denial of a computer network and network-accessible
  resources.

  We evaluated Cambia’s network security program and reviewed the results of several
  automated vulnerability scans that we independently performed during this audit. We observed
  the following controls in place:

  • Preventive controls at the network perimeter;

  • Security event monitoring throughout the network;

  • An adequate vulnerability management program; and

  • A documented incident response program.

  However, we noted the following opportunities for improvement related to Cambia’s network
  security controls.

  1. Documented Firewall Standard

      Cambia’s network has firewall devices installed at key locations on the network perimeter
      and between internal logical security zones. However, Cambia has not formally documented
      a policy or standard that identifies the types of traffic allowed by the organization and the
      approved settings that are needed to harden firewalls within the network.

      NIST SP 800-41, Revision 1, states that “A firewall policy dictates how firewalls should
      handle network traffic for specific IP addresses and address ranges, protocols, applications,
      and content types (e.g., active content) based on the organization’s information security
      policies.”

    Cambia conducts routine reviews of its firewalls’ rule bases, and also performs vulnerability
    scans capable of detecting firewall configuration insecurities. However, this process could
    be further improved by creating an approved firewall security configuration standard. This
    will enable Cambia to routinely audit the current/actual settings of its firewalls against the
    approved settings. Failure to routinely review actual firewall configuration settings and
    compare them to approved settings could potentially increase the organization’s exposure to
    insecure traffic and vulnerabilities.

    Recommendation 2

    We recommend that Regence/Cambia develop a formal firewall configuration standard, and
    that this standard be used to perform routine firewall configuration audits.

    Regence/Cambia Response:

    “Cambia agrees with this recommendation. A variety of configuration standards are
    currently used in the building and maintenance of our firewalls. The development of a
    formal security standard for firewalls is underway. Cambia anticipates completion of this
    effort by                    .”
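    The routine audit that Recommendation 2 calls for can be automated once an approved standard
    exists. The following Python is an added illustration, not Cambia’s standard or tooling: it
    parses a constructed firewall export in a made-up line format, compares it against a
    constructed approved standard (permitted zone-to-zone flows plus required hardening settings),
    and reports every deviation.

```python
"""Compare an actual firewall rule base against an approved configuration standard.

Constructed example: the zones, approved flows, required settings and the
rule-export format are all assumptions made for this illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Approved standard (constructed): traffic allowed between zones, as
# (source zone, destination zone, protocol, destination port).
APPROVED_FLOWS = {
    ("internet", "dmz", "tcp", 443),
    ("dmz", "internal", "tcp", 1433),
    ("internal", "internet", "tcp", 443),
}
# Hardening settings every firewall must carry (constructed).
REQUIRED_SETTINGS = {"default-policy": "deny", "logging": "on", "admin-access": "mfa"}

# Zone definitions (constructed). "internet" is the catch-all.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.10.0.0/16"),
}

# Constructed firewall export: "set <key> <value>" lines for global settings,
# "<action> <src> <dst> <proto> <port>" lines for rules, "any" as a wildcard.
SAMPLE_CONFIG = """
# constructed firewall export, not a real device configuration
set default-policy deny
set logging off
permit 0.0.0.0/0 192.0.2.10/32 tcp 443
permit 192.0.2.10/32 10.10.5.20/32 tcp 1433
permit 10.10.0.0/16 any tcp 443
permit 10.10.0.0/16 192.0.2.0/24 tcp 22
permit any any ip any
"""


@dataclass
class Rule:
    line: int
    action: str
    src: str
    dst: str
    proto: str
    port: str


def zone_of(cidr: str) -> str:
    """Return the most specific zone containing the address block."""
    net = ip_network(cidr)
    best = None
    for name, zone in ZONES.items():
        if net.subnet_of(zone) and (best is None or zone.prefixlen > ZONES[best].prefixlen):
            best = name
    return best or "unknown"


def parse_config(text: str):
    """Split the export into rules and global settings, keeping line numbers."""
    rules, settings = [], {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("set "):
            _, key, value = line.split()
            settings[key] = value
            continue
        action, src, dst, proto, port = line.split()
        src = "0.0.0.0/0" if src == "any" else src
        dst = "0.0.0.0/0" if dst == "any" else dst
        rules.append(Rule(number, action, src, dst, proto, port))
    return rules, settings


def audit(text: str) -> list:
    """Return one finding string per deviation from the approved standard."""
    findings = []
    rules, settings = parse_config(text)
    # Hardening settings: missing or wrong values are findings.
    for key, wanted in REQUIRED_SETTINGS.items():
        actual = settings.get(key)
        if actual != wanted:
            findings.append(f"setting {key}={actual!r}, standard requires {wanted!r}")
    # Permit rules: each must map to an approved zone-to-zone flow.
    for rule in rules:
        if rule.action != "permit":
            continue
        if rule.src == "0.0.0.0/0" and rule.dst == "0.0.0.0/0":
            findings.append(f"line {rule.line}: any-to-any permit")
            continue
        if rule.port == "any":
            findings.append(f"line {rule.line}: permit with port any")
            continue
        port = int(rule.port) if rule.port.isdigit() else rule.port
        flow = (zone_of(rule.src), zone_of(rule.dst), rule.proto, port)
        if flow not in APPROVED_FLOWS:
            findings.append(f"line {rule.line}: unapproved flow {flow}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

    Run against the constructed export, the audit reports the logging setting, the missing
    admin-access setting, the unapproved internal-to-DMZ port 22 rule, and the any-to-any permit.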

2. Network Access Control

    Cambia has implemented network access controls in its shared conference rooms that prevent
    non-authorized computing devices from connecting to the company’s internal network.

                            This security approach relies on physical access controls to prevent
    unauthorized personnel from accessing the facilities and connecting unauthorized devices to
    the network. While Regence and Cambia’s physical access controls are robust, they cannot
    be considered impenetrable, and therefore we believe that additional logical controls would
    add value. Furthermore, Cambia’s current control structure does not prevent employees with
    valid physical access to its facilities from connecting their own unauthorized devices (e.g., a
    personal device) to the network.

    NIST SP 800-53, Revision 4, states that information systems should uniquely identify and
    authenticate devices before establishing a network connection.

    Failure to control access to network ports could allow unauthorized users or devices to
    connect to sensitive network resources.



      Recommendation 3

      We recommend that Regence/Cambia implement network access controls


      Regence/Cambia Response:

      “Cambia agrees with this recommendation. Cambia will develop a project plan for this
      effort by                , with a targeted pilot implementation (as defined in the project
      plan) to complete by                     . A final full implementation completion date will
      be provided at the conclusion of the pilot implementation phase.”

D. CONFIGURATION MANAGEMENT

  A configuration management program is the policies and procedures used to ensure that systems
  are configured according to a consistent and approved risk-based standard. We evaluated
  Cambia’s configuration management program and observed the following controls in place:

  • A thorough change management process;

  • Documented technical configuration standards; and

  • Routine configuration compliance reviews.

  Nothing came to our attention to indicate that Cambia does not have an adequate configuration
  management program.


E. CONTINGENCY PLANNING

  We reviewed the following elements of Cambia’s contingency planning program to determine
  whether controls are in place to prevent or minimize interruptions to business operations when
  disastrous events occur:

  • Disaster recovery plan;

  • Business continuity plan;

  • Contingency plan tests; and

  • Emergency response procedures.

  We determined that the contingency planning documentation contained the critical elements
  suggested by NIST SP 800-34, Revision 1, “Contingency Planning Guide for Federal
  Information Systems.” Cambia has identified and prioritized the systems and resources that are
  critical to business operations, and has developed detailed procedures to recover those systems
  and resources.

  Nothing came to our attention to indicate that Cambia has not implemented adequate controls
  related to contingency planning.

F. CLAIMS ADJUDICATION

  The following sections detail our review of the applications and business processes supporting
  the Regence claims adjudication process. Regence processes all FEHBP claims through the Blue
  Cross Blue Shield Association’s (BCBSA) FEP (Federal Employee Program) Direct nationwide
  claims adjudication system. Regence uses a local claims processing system for its other lines of
  business, but relies on the controls and edits within FEP Direct for FEHBP claims.

  1. Application Configuration Management

      We evaluated the policies and procedures governing application development and change
      control of Regence’s claims processing systems.

      Cambia has documented system development life cycle procedures that IT personnel follow
      during routine software modifications. All changes require approval and undergo testing
      prior to migration to the production environment.

      Nothing came to our attention to indicate that Cambia has not implemented adequate controls
      over application configuration management.


  2. Claims Processing System

    We evaluated the input, processing, and output controls associated with Regence’s claims
    processing system. We determined that Regence has implemented policies and procedures to
    help ensure that:

    • Paper claims that are received in the mail processing facilities are tracked to ensure timely
      processing;

    • Claims are monitored as they are processed through the system with real time tracking of the
      system’s performance; and

    • Claims scheduled for payment are actually paid.

    Nothing came to our attention to indicate that Regence has not implemented adequate
    controls over its claims processing systems.

3. Debarment

    Regence has adequate procedures for updating its claims system with debarred provider
    information. Regence is notified by BCBSA that an update to the OPM OIG debarment list
    is available. Plan personnel review the list to determine if any debarred providers have active
    contracts with Regence. If an active provider is determined to be debarred, the provider is
    flagged in FEP Direct, which will cause any incoming claims to defer for further review.
    Regence adheres to the OPM OIG debarment guidelines to include initial member
    notification, a 15-day grace period, and then denial of subsequent claims.

    Nothing came to our attention to indicate that Regence has not implemented adequate
    controls over the debarment process.

4. Application Controls Testing

    Regence processes all FEHBP claims directly through the BCBSA’s FEP Direct nationwide
    claims adjudication system. We conducted a test on FEP Direct to evaluate the system’s
    processing controls. The exercise involved processing test claims designed with inherent
    flaws and evaluating the manner in which the claims processing system adjudicated the
    claims.
    Our test work did not identify any new issues with FEP Direct. All issues encountered
    during this audit have been previously reported to the BCBSA through recommendations on
    other audit reports.
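    Sections 3 and 4 above describe a control (debarred providers are flagged, their incoming
    claims defer for review, the member is notified, a 15-day grace period runs, and later claims
    are denied) and the way the auditors exercised the system (test claims built with deliberate
    flaws, with the disposition of each claim checked). The block below is an added worked example
    that models both; it is not code from the OIG report, Regence, Cambia, or FEP Direct. Every
    provider id, member id, date and disposition label in it is constructed for illustration, and
    the treatment of a claim received inside the grace period (still deferred rather than paid or
    denied) is an assumption of this model, since the report does not state it.

```python
"""Added worked example (not code from the OIG report, Regence, or FEP Direct).
Models the debarment control as a small rule engine and exercises it the way
section 4 of the report describes: constructed claims with known flaws, each
checked against the disposition the control should produce. All identifiers
and data are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# From the report: initial member notification, a 15-day grace period, then denial.
GRACE_PERIOD_DAYS = 15


@dataclass(frozen=True)
class Claim:
    claim_id: str
    provider_id: str
    member_id: str
    service_date: date


@dataclass
class DebarmentControl:
    """Tracks flagged providers and member notifications. A production system
    keeps this state in its database; it is held in memory here."""
    flagged: dict = field(default_factory=dict)   # provider_id -> date flagged
    notified: dict = field(default_factory=dict)  # (member_id, provider_id) -> date notified

    def apply_list_update(self, debarred_ids, active_contracts, as_of):
        """Cross-check a debarment list update against the plan's active provider
        contracts and flag the matches. Returns the newly flagged ids, sorted."""
        newly = sorted((set(debarred_ids) & set(active_contracts)) - set(self.flagged))
        for pid in newly:
            self.flagged[pid] = as_of
        return newly

    def adjudicate(self, claim, received_on):
        """Disposition for one incoming claim.
        Unflagged providers proceed to normal adjudication. A flagged provider's
        first claim for a member is deferred and triggers member notification;
        later claims are deferred during the grace period (model assumption) and
        denied once the service date falls after it."""
        if claim.provider_id not in self.flagged:
            return "PROCESS"
        key = (claim.member_id, claim.provider_id)
        if key not in self.notified:
            self.notified[key] = received_on
            return "DEFER_AND_NOTIFY_MEMBER"
        grace_end = self.notified[key] + timedelta(days=GRACE_PERIOD_DAYS)
        if claim.service_date <= grace_end:
            return "DEFER_FOR_REVIEW"
        return "DENY_DEBARRED_PROVIDER"


def run_control_tests():
    """Negative test in the spirit of section 4: constructed claims with known
    flaws, each paired with the disposition the control should produce.
    Returns (all_passed, results) with results mapping claim_id -> (expected, actual)."""
    ctl = DebarmentControl()
    # Constructed debarment list update and contract roster (not real providers).
    newly_flagged = ctl.apply_list_update(
        debarred_ids={"PRV-DEBARRED-1", "PRV-DEBARRED-2", "PRV-NO-CONTRACT"},
        active_contracts={"PRV-DEBARRED-1", "PRV-DEBARRED-2", "PRV-CLEAN"},
        as_of=date(2016, 6, 1),
    )
    assert newly_flagged == ["PRV-DEBARRED-1", "PRV-DEBARRED-2"]

    notify_day = date(2016, 6, 10)
    cases = [
        # (claim, date received, expected disposition)
        (Claim("C1", "PRV-CLEAN", "M1", date(2016, 6, 5)), notify_day, "PROCESS"),
        (Claim("C2", "PRV-DEBARRED-1", "M1", date(2016, 6, 8)), notify_day, "DEFER_AND_NOTIFY_MEMBER"),
        # Same member and provider, service on the last day of grace: deferred, not denied.
        (Claim("C3", "PRV-DEBARRED-1", "M1", notify_day + timedelta(days=15)),
         date(2016, 7, 1), "DEFER_FOR_REVIEW"),
        # Service one day past the grace period: denied.
        (Claim("C4", "PRV-DEBARRED-1", "M1", notify_day + timedelta(days=16)),
         date(2016, 7, 1), "DENY_DEBARRED_PROVIDER"),
        # A different member has not yet been notified: defer and notify.
        (Claim("C5", "PRV-DEBARRED-1", "M2", date(2016, 8, 1)), date(2016, 8, 2), "DEFER_AND_NOTIFY_MEMBER"),
        # Debarred but holding no active contract: never flagged, processes normally.
        (Claim("C6", "PRV-NO-CONTRACT", "M1", date(2016, 8, 1)), date(2016, 8, 2), "PROCESS"),
    ]
    results = {}
    for claim, received_on, expected in cases:
        results[claim.claim_id] = (expected, ctl.adjudicate(claim, received_on))
    all_passed = all(exp == act for exp, act in results.values())
    return all_passed, results


if __name__ == "__main__":
    ok, res = run_control_tests()
    for cid, (exp, act) in res.items():
        print(f"{cid}: expected {exp:24} got {act}")
    print("all controls behaved as expected" if ok else "control deviations found")
```

    The harness treats each flawed claim as a probe of one control boundary (unflagged provider,
    first claim after flagging, last day of grace, first day after grace, a second member, a
    debarred provider with no contract), which is the pattern the audit's test work follows: the
    value is in the boundary cases, not in the happy path.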
                                                       APPENDIX

Federal Employee Program
1310 G Street, N.W.
Washington, D.C. 20005
202.942.1000
Fax 202.942.1125

December 2, 2016

Chief, Information Systems Audit Group
U.S. Office of Personnel Management (OPM)
1900 E Street, Room 6400
Washington, D.C. 20415-1100


Reference:  OPM DRAFT IT AUDIT REPORT
            Regence Blue Cross Blue Shield of Oregon
            Audit Report Number 1A-10-58-16-047
            (Dated September 30, 2016)

The following represents the Plan’s response as it relates to the recommendations
included in the draft report.

A. Network Security

    No recommendation noted.

B. Access Controls

1. Privileged User Authentication

    Recommendation 1

    We recommend that Regence/Cambia require multi-factor authentication for
    privileged user access to all information systems.

    Plan Response

    Cambia agrees with this recommendation. As noted in the report, a project is
    underway to implement multifactor authentication for privileged user access to
    information systems that store or process Personal Health Information (PHI).
    Cambia anticipates completion of this effort by                    .

C. Network Security

2. Documented Firewall Standard

    Recommendation 2

    We recommend that Regence/Cambia develop a formal firewall configuration
    standard, and that this standard be used to perform routine firewall configuration
    audits.

    Plan Response

    Cambia agrees with this recommendation. A variety of configuration standards are
    currently used in the building and maintenance of our firewalls. The development of
    a formal security standard for firewalls is underway. Cambia anticipates completion
    of this effort by                    .

3. Network Access Control

    Recommendation 3

    We recommend that Regence/Cambia implement network access controls on all
    ports throughout its facilities.

    Plan Response

    Cambia agrees with this recommendation. Cambia will develop a project plan for
    this effort by               , with a targeted pilot implementation (as defined in the
    project plan) to complete by                      . A final full implementation
    completion date will be provided at the conclusion of the pilot implementation phase.

D. Configuration Management

    No recommendations noted.

E. Contingency Planning

    No recommendations noted.

F. Claims Adjudication

    No recommendations noted.

We appreciate the opportunity to provide our response to each of the recommendations
in this report and request that our comments be included in their entirety and are made
a part of the Final Audit Report. If you have any questions, please contact me at
           or            at                .

Sincerely,



Managing Director, FEP Program Assurance

cc:                  , FEP
                , FEP

Report Fraud, Waste, and Mismanagement

Fraud, waste, and mismanagement in Government concerns everyone: Office of the
Inspector General staff, agency employees, and the general public. We actively
solicit allegations of any inefficient and wasteful practices, fraud, and
mismanagement related to OPM programs and operations. You can report allegations
to us in several ways:

By Internet:   http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-or-abuse

By Phone:      Toll Free Number:          (877) 499-7295
               Washington Metro Area:     (202) 606-2423

By Mail:       Office of the Inspector General
               U.S. Office of Personnel Management
               1900 E Street, NW
               Room 6400
               Washington, DC 20415-1100