U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report AUDIT OF THE INFORMATION SYSTEMS GENERAL AND APPLICATION CONTROLS AT REGENCE BLUE CROSS BLUE SHIELD OF OREGON Report Number 1A-10-58-16-047 March 27, 2017 -- CAUTION -- This report has been distributed to Federal officials who are responsible for the administration of the subject program. This non-public version may contain confidential and/or proprietary information, including information protected by the Trade Secrets Act, 18 U.S.C. § 1905, and the Privacy Act, 5 U.S.C. § 552a. Therefore, while a redacted version of this report is available under the Freedom of Information Act and made publicly available on the OIG webpage (http://www.opm.gov/our-inspector-general), this non-public version should not be further released unless authorized by the OIG. EXECUTIVE SUMMARY Audit of the Information Systems General and Application Controls at Regence Blue Cross Blue Shield of Oregon Report No. 1A-10-58-16-047 March 27, 2017 Why Did We Conduct the Audit? What Did We Find? Regence Blue Cross Blue Shield of Our audit of the IT security controls of Regence determined that: Oregon (Regence) contracts with the U.S. Office of Personnel Regence has established an adequate security management program. Management as part of the Federal Regence has implemented controls to prevent unauthorized physical Employees Health Benefits Program access to its facilities. However, logical access controls could be (FEHBP). improved by implementing multi-factor authentication for privileged users. The objectives of this audit were to evaluate controls over the Regence has implemented an incident response and network security confidentiality, integrity, and program. Regence has also implemented preventative controls at the availability of FEHBP data network perimeter and performs security event monitoring processed and maintained in throughout its network. However, Regence has not implemented Regence’s information technology network access controls throughout the entire facility. Regence has (IT) environment. also not documented an approved firewall security configuration standard. What Did We Audit? Regence has developed and documented formal configuration management policies and configuration standards for its operating The scope of this audit centered on platforms. the information systems used by Regence to process and store data Regence’s business continuity and disaster recovery plans contain related to medical encounters and the elements suggested by relevant guidance and publications. insurance claims for FEHBP Regence also tests these plans on a routine basis. members. Regence has implemented many controls in its claims adjudication process to ensure that FEHBP claims are processed accurately. ______________________ Michael R. Esser Assistant Inspector General for Audits i This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 522a. ABBREVIATIONS BCBSA Blue Cross Blue Shield Association Cambia Cambia Health Solutions CFR Code of Federal Regulations FEHBP Federal Employees Health Benefits Program FEP Federal Employee Program FISCAM Federal Information Security Controls Audit Manual GAO U.S. Government Accountability Office IT Information Technology NIST SP National Institute of Standards and Technology’s Special Publication OIG Office of the Inspector General OMB U.S. Office of Management and Budget OPM U.S. Office of Personnel Management Regence Regence Blue Cross Blue Shield ii This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. TABLE OF CONTENTS Page EXECUTIVE SUMMARY ........................................................................................ i ABBREVIATIONS ..................................................................................................... ii I. BACKGROUND ..........................................................................................................1 II. OBJECTIVES, SCOPE, AND METHODOLOGY ..................................................2 III. AUDIT FINDINGS AND RECOMMENDATIONS.................................................5 A. Security Management .............................................................................................5 B. Access Controls .......................................................................................................5 C. Network Security .....................................................................................................7 D. Configuration Management .....................................................................................9 E. Contingency Planning..............................................................................................9 F. Claims Adjudication ..............................................................................................10 APPENDIX: Regence’s December 2, 2016, response to the draft audit report, issued September 30, 2016. REPORT FRAUD, WASTE, AND MISMANAGEMENT This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. I. BACKGROUND IV. MAJOR CONTRIBUTORS TO THIS REPORT This final report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over the information systems responsible for processing Federal Employees Health Benefits Program (FEHBP) data by Regence Blue Cross Blue Shield of Oregon (Regence). The audit was conducted pursuant to FEHBP contracts CS 1039; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended. The FEHBP was established by the Federal Employees Health Benefits Act, enacted on September 28, 1959. The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents. The provisions of the Act are implemented by OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services. This was our first audit of Regence’s information technology (IT) general and application controls. All Regence personnel that worked with the auditors were helpful and open to ideas and suggestions. They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary. Their positive attitude and helpfulness throughout the audit was greatly appreciated. 1 Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. II. IV. OBJECTIVES, SCOPE, ANDTO MAJOR CONTRIBUTORS METHODOLOGY THIS REPORT OBJECTIVES The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in Regence’s IT environments. We accomplished these objectives by reviewing the following areas: Security management; Access controls; Network Security; Configuration management; Segregation management; Contingency planning; and Application controls specific to Regence’s claims processing system. SCOPE AND METHODOLOGY This performance audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Accordingly, we obtained an understanding of Regence’s internal controls through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of Regence’s internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective. The scope of this audit centered on the information systems used by Regence to process medical insurance claims and/or store the data of FEHBP members. The business processes reviewed are primarily located in Portland, Oregon. 2 Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. Regence is a subsidiary of Cambia Health Solutions (Cambia), which Regence is a subsidiary of offers a wide range of insurance products and services. All of the Cambia Health Solutions. information technology (IT) functions at Regence are managed by The operations of Cambia. The operations of Cambia were considered within the scope Cambia are within the of this audit. scope of this audit. The on-site portion of this audit was performed in June and July of 2016. We completed additional audit work before and after the on-site visit at our office in Washington, D.C. The findings, recommendations, and conclusions outlined in this report are based on the status of information system general and application controls in place at Regence as of July, 2016. In conducting our audit, we relied to varying degrees on computer-generated data provided by Regence. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps, but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed audit steps necessary to obtain evidence that the data was valid and reliable. In conducting this review we: Gathered documentation and conducted interviews; Reviewed Regence’s business structure and environment; Performed a risk assessment of Regence’s information systems environment and applications, and prepared an audit program based on the assessment and the U.S. Government Accountability Office’s (GAO) Federal Information System Controls Audit Manual (FISCAM); and Conducted various compliance tests to determine the extent to which established controls and procedures are functioning as intended. As appropriate, we used judgmental sampling in completing our compliance testing. Various laws, regulations, and industry standards were used as a guide for evaluating Regence’s control structure. These criteria include, but are not limited to, the following publications: Title 48 of the Code of Federal Regulations; U.S. Office of Management and Budget (OMB) Circular A-130, Appendix III; 3 Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information; COBIT 5: A Business Framework for the Governance and Management of Enterprise IT; GAO’s FISCAM; National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12, An Introduction to Computer Security: The NIST Handbook; NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems; NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments; NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems; NIST SP 800-41, Revision 1, Guidelines on Firewalls and Firewall Policy; NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations; and NIST SP 800-61, Revision 2, Computer Security Incident Handling Guide. COMPLIANCE WITH LAWS AND REGULATIONS In conducting the audit, we performed tests to determine whether Regence’s practices were consistent with applicable standards. While generally compliant, with respect to the items tested, Regence was not in complete compliance with all standards, as described in section III of this report. 4 Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. III. AUDIT FINDINGS AND RECOMMENDATIONS A. SECURITY MANAGEMENT As mentioned above, Regence is a subsidiary of Cambia. Therefore, Cambia maintains a all Cambia policies and procedures related to information security series of thorough IT management apply to Regence. The security management security policies and component of this audit involved the examination of the policies and procedures applicable procedures that are the foundation of Cambia’s overall IT security to Regence. program. We evaluated Cambia’s ability to develop security policies, manage risk, assign security-related responsibility, and monitor the effectiveness of various system-related controls. Cambia has implemented a series of formal policies and procedures that comprise its security management program. Cambia has developed an adequate risk management methodology and creates remediation plans to address weaknesses identified in risk assessments. We also reviewed Cambia’s human resources policies and procedures related to hiring, training, transferring, and terminating employees. Nothing came to our attention to indicate that Cambia does not have an adequate security management program. B. ACCESS CONTROLS Access controls are the policies, procedures, and techniques used to prevent or detect unauthorized physical or logical access to sensitive resources. We examined the physical access controls of Regence’s and Cambia’s facilities and data center. We also examined the logical controls protecting sensitive data on Cambia’s network environment and claims processing related applications. The access controls observed during this audit include, but are not limited to: Procedures for appropriately granting and removing physical access to facilities and the data center; Procedures for appropriately granting, adjusting, and removing logical access; 5 Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. Routinely reviewing user access; and Adequate environmental controls over the data center. The following section documents one opportunity for improvement related to Cambia’s logical access controls. 1. Privileged User Authentication Access to privileged user (system administrator) accounts at Cambia requires multi-factor authentication when We expect all FEHBP contractors to require multi-factor authentication for administrator-level access to information systems regardless of where the user is physically located. Cambia currently has a project in progress to fully enforce multi-factor authentication for system administrators. However, the control had not been implemented at the time of our audit fieldwork. The Federal government requires multi-factor authentication for all information system users. Although Cambia is not a government entity, it does process sensitive healthcare data of Federal employees. Therefore, we recommend that Cambia implement this control for privileged users at a minimum. NIST SP 800-53, Revision 4, states that information systems should implement multi-factor authentication for network access to privileged accounts. Failure to implement multi-factor authentication increases the risk that privileged user credentials could be compromised and that unauthorized users could access sensitive and proprietary data. Recommendation 1 We recommend that Regence/Cambia require multi-factor authentication for privileged user access to all information systems. Regence/Cambia Response: “Cambia agrees with this recommendation. As noted in the report, a project is underway to implement multifactor authentication for privileged user access to information systems that store or process Personal Health Information (PHI). Cambia anticipates completion of this effort by .” OIG Comment: 6 Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. As a part of the audit resolution process, we recommend that Regence/Cambia provide OPM’s Healthcare and Insurance Audit Resolution Group with evidence when it has fully implemented this recommendation. This statement applies to subsequent recommendations in this audit report that Regence/Cambia agrees to implement. C. NETWORK SECURITY Network security includes the policies and controls used to prevent and monitor unauthorized access, misuse, modification, or denial of a Regence/Cambia does computer network and network-accessible resources. not have a formal firewall configuration We evaluated Cambia’s network security program and reviewed the standard. results of several automated vulnerability scans that we independently performed during this audit. We observed the following controls in place: Preventive controls at the network perimeter; Security event monitoring throughout the network; An adequate vulnerability management program; and A documented incident response program. However, we noted the following opportunities for improvement related to Cambia’s network security controls. 1. Documented Firewall Standard Cambia’s network has firewall devices installed at key locations on the network perimeter and between internal logical security zones. However, Cambia has not formally documented a policy or standard that identifies the types of traffic allowed by the organization and the approved settings that are needed to harden firewalls within the network. NIST SP 800-41, Revision 1, states that “A firewall policy dictates how firewalls should handle network traffic for specific IP addresses and address ranges, protocols, applications, and content types (e.g., active content) based on the organization’s information security policies.” 7 Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. Cambia conducts routine reviews of its firewalls’ rule bases, and also performs vulnerability scans capable of detecting firewall configuration insecurities. However, this process could be further improved by creating an approved firewall security configuration standard. This will enable Cambia to routinely audit the current/actual settings of its firewalls against the approved settings. Failure to routinely review actual firewall configuration settings and compare them to approved settings could potentially increase the organization’s exposure to insecure traffic and vulnerabilities. Recommendation 2 We recommend that Regence/Cambia develop a formal firewall configuration standard, and that this standard be used to perform routine firewall configuration audits. Regence/Cambia Response: “Cambia agrees with this recommendation. A variety of configuration standards are currently used in the building and maintenance of our firewalls. The development of a formal security standard for firewalls is underway. Cambia anticipates completion of this effort by .” 2. Network Access Control Cambia has implemented network access controls in its shared conference rooms that prevent non-authorized computing devices from connecting to the company’s internal network. This security approach relies on physical access controls to prevent unauthorized personnel from accessing the facilities and connecting unauthorized devices to the network. While Regence and Cambia’s physical access controls are robust, they cannot be considered impenetrable, and therefore we believe that additional logical controls would add value. Furthermore, Cambia’s current control structure does not prevent employees with valid physical access to its facilities from connecting their own unauthorized devices (e.g., a personal device) to the network. NIST SP 800-53, Revision 4, states that information systems should uniquely identify and authenticate devices before establishing a network connection. Failure to control access to network ports could allow unauthorized users or devices to connect to sensitive network resources. 8 Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. Recommendation 3 We recommend that Regence/Cambia implement network access controls Regence/Cambia Response: “Cambia agrees with this recommendation. Cambia will develop a project plan for this effort by , with a targeted pilot implementation (as defined in the project plan) to complete by . A final full implementation completion date will be provided at the conclusion of the pilot implementation phase.” D. CONFIGURATION MANAGEMENT A configuration management program is the policies and procedures used to ensure that systems are configured according to a consistent and approved risk-based standard. We evaluated Cambia’s configuration management program and observed the following controls in place: A thorough change management process; Documented technical configuration standards; and Routine configuration compliance reviews. Nothing came to our attention to indicate that Cambia does not have an adequate configuration management program. E. CONTINGENCY PLANNING We reviewed the following elements of Cambia’s contingency Regence/Cambia planning program to determine whether controls are in place to maintains and routinely prevent or minimize interruptions to business operations when tests its disaster recovery disastrous events occur: and business continuity plans. Disaster recovery plan; 9 Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. Business continuity plan; Contingency plan tests; and Emergency response procedures. We determined that the contingency planning documentation contained the critical elements suggested by NIST SP 800-34, Revision 1, “Contingency Planning Guide for Federal Information Systems.” Cambia has identified and prioritized the systems and resources that are critical to business operations, and has developed detailed procedures to recover those systems and resources. Nothing came to our attention to indicate that Cambia has not implemented adequate controls related to contingency planning. F. CLAIMS ADJUDICATION The following sections detail our review of the applications and business processes supporting the Regence claims adjudication process. Regence processes all FEHBP claims through the Blue Cross Blue Shield Association’s (BCBSA) FEP (Federal Employee Program) Direct nationwide claims adjudication system. Regence uses a local claims processing system for its other lines of business, but relies on the controls and edits within FEP Direct for FEHBP claims. 1. Application Configuration Management We evaluated the policies and procedures governing application development and change control of Regence’s claims processing systems. Cambia has documented system development life cycle procedures that IT personnel follow during routine software modifications. All changes require approval and undergo testing prior to migration to the production environment. Nothing came to our attention to indicate that Cambia has not implemented adequate controls over application configuration management. 2. Claims Processing System 10 Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. We evaluated the input, processing, and output controls associated with Regence’s claims processing system. We determined that Regence has implemented policies and procedures to help ensure that: Paper claims that are received in the mail processing facilities are tracked to ensure timely processing; Claims are monitored as they are processed through the system with real time tracking of the system’s performance; and Claims scheduled for payment are actually paid. Nothing came to our attention to indicate that Regence has not implemented adequate controls over its claims processing systems. 3. Debarment Regence has adequate procedures for updating its claims system with debarred provider information. Regence is notified by BCBSA that an update to the OPM OIG debarment list is available. Plan personnel review the list to determine if any debarred providers have active contracts with Regence. If an active provider is determined to be debarred, the provider is flagged in FEP Direct, which will cause any incoming claims to defer for further review. Regence adheres to the OPM OIG debarment guidelines to include initial member notification, a 15-day grace period, and then denial of subsequent claims. Nothing came to our attention to indicate that Regence has not implemented adequate controls over the debarment process. 4. Application Controls Testing Regence processes all FEHBP claims directly through the BCBSA’s FEP Direct nationwide claims adjudication system. We conducted a test on FEP Direct to evaluate the system’s processing controls. The exercise involved processing test claims designed with inherent flaws and evaluating the manner in which the claims processing system adjudicated the claims. 11 Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. Our test work did not identify any new issues with FEP Direct. All issues encountered during this audit have been previously reported to the BCBSA through recommendations on other audit reports. 12 Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. APPENDIX December 2, 2016 Chief, Information Systems Audit Group U.S. Office of Personnel Management (OPM) 1900 E Street, Room 6400 Washington, D.C. 20415-1100 Federal Employee Program 1310 G Street, N.W. Washington, D.C. 20005 202.942.1000 Fax 202.942.1125 Reference OPM DRAFT IT AUDIT REPORT Regence Blue Cross Blue Shield of Oregon Audit Report Number 1A-10-58-16-047 (Dated September 30, 2016) The following represents the Plan’s response as it relates to the recommendations included in the draft report. A. Network Security No recommendation noted. B. Access Controls 1. Privileged User Authentication Recommendation 1 We recommend that Regence/Cambia require multi-factor authentication for privileged user access to all information systems. Plan Response Cambia agrees with this recommendation. As noted in the report, a project is underway to implement multifactor authentication for privileged user access to information systems that store or process Personal Health Information (PHI). Cambia anticipates completion of this effort by . Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. C. Network Security 2. Documented Firewall Standard Recommendation 2 We recommend that Regence/Cambia develop a formal firewall configuration standard, and that this standard be used to perform routine firewall configuration audits. Plan Response Cambia agrees with this recommendation. A variety of configuration standards are currently used in the building and maintenance of our firewalls. The development of a formal security standard for firewalls is underway. Cambia anticipates completion of this effort by . 3. Network Access Control Recommendation 3 We recommend that Regence/Cambia implement network access controls on all ports throughout its facilities. Plan Response Cambia agrees with this recommendation. Cambia will develop a project plan for this effort by , with a targeted pilot implementation (as defined in the project plan) to complete by . A final full implementation completion date will be provided at the conclusion of the pilot implementation phase. D. Configuration Management No recommendations noted. E. Contingency Planning No recommendations noted. F. Claims Adjudication No recommendations noted. Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. We appreciate the opportunity to provide our response to each of the recommendations in this report and request that our comments be included in their entirety and are made a part of the Final Audit Report. If you have any questions, please contact me at or at . Sincerely, Managing Director, FEP Program Assurance cc: , FEP , FEP Report No. 1A-10-58-16-047 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a. Report Fraud, Waste, and Mismanagement Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector General staff, agency employees, and the general public. We actively solicit allegations of any inefficient and wasteful practices, fraud, and mismanagement related to OPM programs and operations. You can report allegations to us in several ways: By Internet: http://www.opm.gov/our-inspector-general/hotline-to- report-fraud-waste-or-abuse By Phone: Toll Free Number: (877) 499-7295 Washington Metro Area: (202) 606-2423 By Mail: Office of the Inspector General U.S. Office of Personnel Management 1900 E Street, NW Room 6400 Washington, DC 20415-1100 -- CAUTION -- This report has been distributed to Federal officials who are responsible for the administration of the subject program. This non-public version may contain confidential and/or proprietary information, including information protected by the Trade Secrets Act, 18 U.S.C. § 1905, and the Privacy Act, 5 U.S.C. § 552a. Therefore, while a redacted version of this report is available under the Freedom of Information Act and made publicly available on the OIG webpage (http://www.opm.gov/our-inspector-general), this non-public version should not be further released unless authorized by the OIG.
Audit of the Information Systems General and Application Controls at Regence Blue Cross Blue Shield of Oregon
Published by the Office of Personnel Management, Office of Inspector General on 2017-03-27.
Below is a raw (and likely hideous) rendition of the original report. (PDF)