U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject: AUDIT OF INFORMATION SYSTEMS GENERAL AND APPLICATION CONTROLS AT THE GOVERNMENT EMPLOYEES HEALTH ASSOCIATION

Report No. 1B-31-00-11-066
Date: August 9, 2012

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

Audit Report

FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACT 1063
THE GOVERNMENT EMPLOYEES HEALTH ASSOCIATION
PLAN CODE 31
LEE'S SUMMIT & INDEPENDENCE, MISSOURI

Report No. 1B-31-00-11-066
Date: August 9, 2012

________________________
Michael R. Esser
Assistant Inspector General for Audits

--CAUTION--
This audit report has been distributed to Federal and Non-Federal officials who are responsible for the administration of the audited contract. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

Executive Summary

FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACT 1063
THE GOVERNMENT EMPLOYEES HEALTH ASSOCIATION
PLAN CODE 31
LEE'S SUMMIT & INDEPENDENCE, MISSOURI

Report No. 1B-31-00-11-066
Date: August 9, 2012

This final report discusses the results of our audit of general and application controls over the information systems at the Government Employees Health Association (GEHA). Our audit focused on the claims processing applications used to adjudicate Federal Employees Health Benefits Program (FEHBP) claims for GEHA, as well as the various processes and information technology (IT) systems used to support these applications. We also conducted a significant follow-up review of prior audit recommendations from our 2006 IT audit.

In 2006 a substantial number of recommendations were made that collectively identified a significant weakness in GEHA's management of IT security. GEHA lacked the critical policies and procedures necessary for an entity-wide security program. Furthermore, they did not have the appropriate resources, both tangible and personnel, to ensure the protection of member data and successful processing of FEHBP claims. During our follow-up review, we determined that these long-standing weaknesses have not been addressed and prior audit recommendations had been prematurely closed by OPM. While the audit work conducted during this review showed very recent steps taken by GEHA management to develop an improved IT security program, currently there are significant weaknesses that still threaten the privacy and security of FEHBP data and member PII.

We documented controls in place and opportunities for improvement in each of the areas below.

Security Management
GEHA has established a series of IT policies and procedures to create an awareness of IT security at the Plan. However, GEHA has not developed a Rules of Behavior agreement that all employees are required to sign.

Access Controls
We found that GEHA has implemented numerous controls related to the process of granting physical access to its data center, as well as logical controls to encrypt sensitive information.
However, we did note multiple opportunities for improvement related to GEHA's physical and logical access controls.

Configuration Management
GEHA has developed formal policies and procedures providing guidance to ensure that system software is appropriately configured and updated, as well as for controlling system software configuration changes. However, we noted numerous weaknesses in GEHA's configuration management program. The weaknesses were severe enough to consider the program a significant deficiency in GEHA's ability to securely process sensitive FEHBP data.

Contingency Planning
We reviewed GEHA's business continuity plans and concluded that they contained most of the key elements suggested by relevant guidance and publications. We also determined that these documents are reviewed and updated on a periodic basis. However, GEHA does not perform routine disaster recovery testing on its distributed server environment.

Application Controls
GEHA has implemented many controls in its claims adjudication process to ensure that FEHBP claims are processed accurately. However, we recommended that GEHA implement several system modifications to ensure that its claims processing systems adjudicate FEHBP claims in a manner consistent with the OPM contract and other regulations.

Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that GEHA is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.

Contents

Executive Summary ..... i
I. Introduction ..... 1
   Background ..... 1
   Objectives ..... 1
   Scope ..... 2
   Methodology ..... 2
   Compliance with Laws and Regulations ..... 3
II. Audit Findings and Recommendations ..... 4
   A. Security Management ..... 4
   B. Access Controls ..... 5
   C. Configuration Management ..... 13
   D. Contingency Planning ..... 18
   E. Application Controls ..... 20
   F. Health Insurance Portability and Accountability Act ..... 25
III. Major Contributors to This Report ..... 26
Appendix: Government Employees Health Association's May 10, 2012 response to the draft audit report issued March 14, 2012.

I. Introduction

This final report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over the information systems responsible for processing Federal Employees Health Benefits Program (FEHBP) claims at the Government Employees Health Association (GEHA). The audit was conducted pursuant to FEHBP contract 1063; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of Personnel Management's (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.

Background

The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on September 28, 1959. The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents. The provisions of the Act are implemented by OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services.

The last OIG audit of general and application controls at GEHA occurred in 2006. While the audit was closed in 2006 by the audit resolution group in OPM's Healthcare and Insurance Office, we did a full review of all recommendations from the 2006 audit. We determined that several recommendations were inappropriately closed and that numerous weaknesses were not remediated until after 2009. Several recommendations should still be open and have been rolled forward within this report.

The business processes related to the scope of this audit are primarily located at GEHA's Lee's Summit and Independence, Missouri facilities. GEHA has two data centers supporting FEHBP processes in the greater Kansas City, Missouri area. Employees responsible for processing FEHBP claims are predominantly located in Independence, Missouri.
The majority of claim output is printed and mailed at a contractor facility in St. Louis, Missouri. Several PPO contractor networks are also utilized to perform functions related to both claims input and output.

All GEHA personnel that worked with the auditors were particularly helpful and open to ideas and suggestions. They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary. Their positive attitude and helpfulness throughout the audit was greatly appreciated.

Objectives

The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in GEHA's information technology (IT) environment. These objectives were accomplished by reviewing the following areas:
• Security management;
• Access controls;
• Segregation of duties;
• Configuration management;
• Contingency planning;
• Application controls specific to GEHA's claims processing systems; and,
• HIPAA compliance.

Scope

This performance audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Accordingly, the OIG obtained an understanding of GEHA's internal controls through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of GEHA's internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective.

The OIG evaluated the confidentiality, integrity, and availability of GEHA's computer-based information systems used to process FEHBP claims, and found that there are opportunities for improvement in the information systems' internal controls. These areas are detailed in the "Audit Findings and Recommendations" section of this report.

The scope of this audit centered on the claims processing system (and the IT environment that supports it) used by GEHA to process FEHBP claims. In conducting our audit, we relied to varying degrees on computer-generated data provided by GEHA. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps, but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed the audit steps necessary to obtain evidence that the data was valid and reliable.

The audit was performed at GEHA offices in Lee's Summit, Missouri, and Independence, Missouri. These on-site activities were performed in September and October 2011. The OIG completed additional audit work before and after the on-site visits at OPM's office in Washington, D.C. The findings, recommendations, and conclusions outlined in this report are based on the status of information system general and application controls in place at GEHA as of December 15, 2011.

Methodology

In conducting this review, the OIG:
• Gathered documentation and conducted interviews;
• Reviewed GEHA's business structure and environment;
• Performed a risk assessment of GEHA's information systems environment and applications, and prepared an audit program based on the assessment and the Government Accountability Office's (GAO) Federal Information System Controls Audit Manual (FISCAM); and
• Conducted various compliance tests to determine the extent to which established controls and procedures are functioning as intended. As appropriate, the auditors used judgmental sampling in completing their compliance testing.

Various laws, regulations, and industry standards were used as a guide in evaluating GEHA's control structure. These criteria include, but are not limited to, the following publications:
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
• Information Technology Governance Institute's CobiT: Control Objectives for Information and Related Technology;
• GAO's Federal Information System Controls Audit Manual;
• National Institute of Standards and Technology's Special Publication (NIST SP) 800-12, Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule; and
• HIPAA Act of 1996.

Compliance with Laws and Regulations

In conducting the audit, the OIG performed tests to determine whether GEHA's practices were consistent with applicable standards. While generally compliant with respect to the items tested, GEHA was not in complete compliance with all standards, as described in the "Audit Findings and Recommendations" section of this report.

II. Audit Findings and Recommendations

A. Security Management

The security management component of this audit involved the examination of the policies and procedures that are the foundation of GEHA's overall IT security controls. We evaluated GEHA's ability to develop security policies, manage risk, assign security-related responsibility, and monitor the effectiveness of various system-related controls.
GEHA has implemented a series of formal policies and procedures that comprise a comprehensive security management program. GEHA's security management program is led by the company's IT professionals, whose responsibilities include creating policies to protect against threats or improper use of sensitive data and HIPAA compliance. All policies and procedures are approved by an executive committee before they are published and posted on the company intranet. GEHA has also developed a thorough risk management methodology, and has procedures to document, track, and alleviate or accept identified risks. We also reviewed GEHA's human resources policies and procedures related to hiring, training, transferring, and terminating employees.

However, we found that GEHA has not developed a rules of behavior agreement for information and information system usage. NIST Special Publication 800-53 Revision 3, Recommended Security Controls for Federal Information Systems (NIST SP 800-53) states that "The organization: Establishes and makes readily available to all information system users, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; and receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system."

Without clearly defining their rules of behavior, the organization increases the risk of employees sharing account access information, downloading malicious software, sharing personally identifiable information, and general improper use of information systems.

Recommendation 1
We recommend GEHA develop a rules of behavior agreement and require all employees to sign the document.

GEHA Response: "GEHA has an extensive orientation process where new hires are trained on various policies and procedures and are required to sign Acknowledgement of Responsibility forms. These acknowledgements encompass what one rules of behavior document would address."

OIG Reply: We have received evidence that this recommendation has been implemented; no further action is required.

B. Access Controls

Access controls are the policies, procedures, and techniques used to prevent or detect unauthorized physical or logical access to sensitive resources. We examined the physical access controls of GEHA's data centers, the Independence claims processing facility, and two Lee's Summit office buildings. We also examined the logical controls protecting sensitive data on GEHA's network environment and claims processing related applications. In addition, we conducted a network topology scan to verify that all known assets were included within GEHA's system inventory list.

The access controls observed during this audit include, but are not limited to:
• Procedures for appropriately granting physical access to facilities and data centers;
• Procedures for revoking access to data centers for terminated employees;
• Procedures for removing [redacted] network access for terminated employees; and,
• Controls to monitor and filter email and Internet activity.

The following sections document several opportunities for improvement related to GEHA's physical and logical access controls.

1. Facility Physical Access Controls

The physical access controls at GEHA's facilities could be improved. All of the facilities we visited utilize some form of [redacted] the building during off-peak working hours. [Redacted] working hours. GEHA has a receptionist at each facility, but does not [redacted]. Employees are required to [redacted], but there are no physical controls in place to ensure that every individual follows this procedure. We expect all FEHBP contractors to, at a minimum, have card reader controlled turnstile gates at facility entrances and multi-factor authentication at data center entrances (e.g., cipher lock or biometric device in addition to an access card).
In addition to implementing [redacted], GEHA should analyze the benefit of implementing the common physical access controls listed below that we typically see at other FEHBP carrier facilities.

Common Data Center Controls
• [redacted]
• [redacted]
• [redacted]
• [redacted]
• [redacted]
• [redacted]

Common Office Building Controls
• [redacted], and
• [redacted]

FISCAM states that "Controls should accommodate employees who work at the entity's facilities on an everyday basis; occasional visitors, such as employees of another entity facility or maintenance people; and infrequent or unexpected visitors. Physical security controls vary, but include: manual door or cipher key locks, magnetic door locks that require the use of electronic keycards, biometrics authentication, security guards, photo IDs, entry logs, and electronic and visual surveillance systems." In addition, NIST SP 800-53 provides guidance for adequately controlling physical access to information systems containing sensitive data (see control PE-3, Physical Access Control).

Failure to implement adequate physical access controls increases the risk that unauthorized individuals can gain access to GEHA facilities and the sensitive IT resources and confidential data they contain.

Recommendation 2
We recommend that GEHA reassess its facilities' physical access management and implement controls that will ensure proper physical security. At a minimum, GEHA should implement multi-factor authentication (e.g., cipher lock or biometric device in addition to an access card) at data center entrances.

GEHA Response: "GEHA is currently reassessing facilities access at all of our locations and adding the following controls to increase physical security.
1. [redacted]
2. Data Center - Multi-Factor Authentication at Entrance (COMPLETED)
3. [redacted]
4. [redacted]
5. [redacted]"

OIG Reply: As part of the audit resolution process, we recommend that GEHA provide OPM's Healthcare and Insurance Office (HIO) with evidence that it has fully implemented each of the changes to the physical security discussed in its response.

2. Claim Storage Access Controls

[Redacted] claims containing sensitive information are stored [redacted]. However, GEHA does not separate access to [redacted]. The claims storage area is locked during non-business hours, but during the day there are no physical controls to separate the two areas. FISCAM states that "Many of the control techniques for interior security are similar to those for perimeter and entry security (for example, locks, surveillance systems, as well as using and controlling badges, ID cards, smartcards, passkey, and other entry devices)." Failure to restrict access to the claims storage area increases the risk that unauthorized employees can gain access to sensitive data contained within the room.

In addition, GEHA does not currently have a process in place to monitor claims file access. There is no employee stationed within this area and claim files can be removed for referencing. GEHA was unable to produce a claims file access log. NIST SP 800-53 states that "The organization ... Controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk." Failure to monitor and track access to claim files increases the risk that employees may manipulate, damage, or lose the claims.

Recommendation 3
We recommend that GEHA im[redacted] require access to the [redacted].

GEHA Response: "GEHA continues to keep this area locked during non-business hours and corrected this concern in October 2011 by installing a latching system on the inside of the storage area that prevents unsupervised access."

OIG Reply: The intent of this recommendation is to ensure that claims are stored securely at all times, not just during non-business hours. As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with evidence that the claims are securely stored, preventing unauthorized access to claim files at all times.
Recommendation 4
We recommend that GEHA implement a process to monitor and track access to claim files.

GEHA Response: "The area where the claims are kept is separated from the [redacted] by a locked door. Access to this area is restricted to a limited number of claims clerical staff. There are no sign out procedures because claims leave this area only to be copied and immediately returned to the locked room."

OIG Reply: As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with the policy detailing the requirement to photocopy and immediately return claims to storage. Please also provide HIO with the policy which instructs GEHA employees to properly dispose of the claim form copies that contain PII.

3. Logical Access Controls

When employees are terminated, GEHA's policy is to remove their accounts from the [redacted] claims adjudication application. We compared a list of recently terminated employees to the active [redacted] user list. We discovered that 20 terminated employees still had active accounts [redacted] and that several of those employees had multiple active accounts. Most of these individuals were terminated prior to 2010. Although GEHA's current process appears to adequately remove [redacted] access for recently terminated users, it appears that there has never been an audit of old accounts to identify terminated users. FISCAM states that "Inactive accounts and accounts for terminated individuals should be disabled or removed in a timely manner."

Recommendation 5
We recommend GEHA conduct a detailed access review audit of [redacted] user accounts to identify accounts with inappropriate access.

GEHA Response: "GEHA Security Operations has taken multiple steps to better control [redacted] access. We have reviewed access for users with administrative access and have removed access that was inappropriate or no longer needed. To better establish and control access, we have developed a series of user templates that determine access by position. In doing so we have consulted with managers to verify access and remove any unneeded access. We have developed reporting from our payroll department that will allow us to better track users as they move within the organization or terminate. We have reviewed all previously terminated users to assure that all access has been removed. For auditing purposes it is necessary to leave IDs for terminated employees in place; however, all access to the ID is removed, the account is locked, and the associated [redacted] user id is removed. This activity has been completed."

OIG Reply: As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with:
• Samples of the user templates that determine access by position;
• Samples of the reports generated from the payroll department to track transferred and terminated employees;
• Evidence of the access review that took place to ensure terminated user access was appropriately removed; and,
• Evidence of the ongoing logical access auditing for a period of six months.

4. Incident Response and Intrusion Detection

GEHA has documented incident response procedures and has installed an intrusion detection system. However, the intrusion detection system has not been configured to optimize its security features. GEHA has recently installed next generation firewalls and monitoring software that has the ability to prevent and detect intrusions; however, it is not configured for the GEHA environment. According to GEHA, a contractor will be going on-site in the near future to assist in configuring the tools and training employees.

FISCAM states that control techniques for an effective incident response program include "a means of prompt centralized reporting; active monitoring of alerts and advisories; [and] response team members with the necessary knowledge, skills, and abilities ...."
Failure to properly configure incident response and intrusion detection tools could allow incidents and intrusions to go unmonitored and unresolved. This could lead to a loss of sensitive resources.

Recommendation 6
We recommend that GEHA configure its intrusion detection tools to optimize their capabilities.

GEHA Response: "GEHA uses a [redacted] firewall that includes intrusion detection capabilities. The intrusion detection capabilities were recently activated and are being monitored to determine effectiveness in detecting known attacks. [Redacted] are updated regularly to assure that detection capabilities are current. The Security Operations team will assist the Enterprise Architecture team in fine-tuning the detection capabilities [redacted] reveals changes that can be made to improve the system's response. [redacted]"

5. Remote Access Authentication

GEHA does not require [redacted] to access its network from a remote location. Employees are required to use their [redacted] to remotely authenticate to GEHA's network. [Redacted] consist of a [redacted]. [Redacted] is to implement [redacted] in the future by requiring the [redacted].

NIST SP 800-53 Revision 3 states that information systems should use multifactor authentication for local and network access to privileged and non-privileged accounts. Failure to implement adequate authentication controls increases the risk that unauthorized individuals can gain access to sensitive resources and confidential data.

Recommendation 7
We recommend that GEHA implement [redacted] to [redacted]'s [redacted].

GEHA Response: "GEHA has taken steps to purchase and implement [redacted] remote access users. Remote web access to GEHA resources [redacted] forces [redacted] GEHA environment using [redacted] and [redacted]. This project has been completed for all users with remote access."

OIG Reply: As part of the audit resolution process, we recommend that GEHA [redacted] evidence when the [redacted] implementation is complete and [redacted] is required for all remote access users.

6. Segregation of Duties

GEHA does not enforce proper segregation of duties on its major applications. Currently, only one major application is monitored for proper segregation of duties. Furthermore, the process for monitoring segregation of duties is not documented.

FISCAM states that "Work responsibilities should be segregated so that one individual does not control critical stages of a process." FISCAM also states that "Management should have analyzed operations and identified incompatible duties that are then segregated through policies and organizational divisions."

Failure to implement adequate segregation of duties increases the risk that erroneous or fraudulent transactions could be processed, that improper program changes could be implemented, or that computer resources could be damaged or destroyed.

Recommendation 8
We recommend that GEHA document a process for ensuring application access is granted with proper segregation of duties and implement the process for all major applications.

GEHA Response: "GEHA has taken steps to identify duties within the claims processing area and has defined those activities that present a potential violation of the segregation of duties. [Redacted] access has been reviewed and conflicting access removed. Other applications have initially been configured to reduce conflicts, but currently need to be reviewed and any conflicts removed. Expected completion of this activity is by the end of the fourth quarter of 2012. GEHA's Internal Audit Department performs an annual audit of access rights on major applications for employees who have terminated or transferred positions."

7. Logical Access Privileges Approval and Review

GEHA does not routinely recertify that employee application access is appropriate for all major applications. Currently, only one application is subject to a full access recertification review by the system owners. GEHA's Internal Audit Group does perform periodic application access reviews, but the review includes only a small sample of employees.
FISCAM states that “The computer resource owner should identify the specific user or class of users that are authorized to obtain direct access to each resource for which they are responsible . . . . The owner should identify the nature and extent of access to each resource that is available to each user. [This includes the following types of access: read, update, delete, merge, and execute] Access may be permitted at the file, record, or field level. . . . Owners should periodically review access authorization listings and determine whether they remain appropriate. Access authorizations should be documented on standard forms and maintained on file.” Failure to routinely recertify the appropriateness of application access could allow employees to perform functions or access sensitive information that they should not have approval to access. Recommendation 9 We recommend that GEHA expand the access recertification process to all major applications. GEHA Response: “The GEHA Security Operations team is in the process of working with managers to develop role based access templates for and major applications. During the process we are aligning current access of individuals to templates created for the role or job title they hold. Managers are reviewing access changes to align with templates created. Going forward the Security Operations team will use this application reports and templates to verify with management the access of all employees at least annually.” 11 8. Application Access Monitoring GEHA does not adequately monitor user acce ss to its applications. Weekly access violation report s are emailed to management, but the reports are not reviewed. GEHA is in the process of creating an Information Security Group that will take over security monit oring responsibilities for the entire compan y, including the review of access violation reports. Furthermore, GEHA does not monitor user activity within the claims pro cessing application. 
FISCAM states that "Audit and monitoring involves the regular collection, review, and analysis of indications of inappropriate or unauthorized access to the application." Management should monitor access within the application (i.e., unauthorized access attempts, unusual activity, etc.). Failure to monitor activity logs and violation reports could allow attempts to gain unauthorized access to sensitive computer resources to continue unnoticed.

Recommendation 10
We recommend that GEHA implement a process to log and review user access to and activity within its applications.

GEHA Response: "The Security Operations team has developed _ reports. _ for _ and other applications are not available at this time. _ reports are reviewed, users are contacted to respond to violations, and notations are made electronically on the report pdf file. The file is stored along with related correspondence. This process is currently implemented."

OIG Reply: The intent of this recommendation was not to simply monitor log-on violations at the _, but also to audit user transactions within the claims processing system. As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with evidence of a solution to monitor the claims processing system's user activity.

9. Claims Processing System Password Modification
GEHA uses a _ when creating all new _ user accounts or resetting the password of existing accounts. While GEHA requires that the temporary password be changed after the first login attempt, this is not a sufficient compensating control. The process for establishing and changing passwords for the claims processing system is less secure than for other major applications at GEHA. For other applications, an email is automatically sent to the user with a randomly generated temporary password that they use to establish new accounts or unlock existing ones.
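The following Python is an added illustration of the control described above; it is not GEHA's or the OIG's code. It draws a temporary password from the operating system's cryptographic random source, enforces a character-class policy, and rejects the kind of patterned default (a word or acronym followed by date-like digits) that NIST SP 800-118 warns against. The length of 14, the symbol set, the common-prefix list and the pattern heuristic are assumptions for the example.

```python
"""Random temporary passwords for account creation and reset, as NIST
SP 800-118 (draft) and Recommendation 11 call for.

Added example illustrating the control; it is not GEHA's or OPM OIG's
code. Password length, character classes, symbol set, prefix list and the
patterned-password heuristic are assumptions for this illustration."""
import math
import re
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*-_=+?"          # assumed set; survives e-mail and copy/paste
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)

# Shape of a patterned default such as "NIST0722": a short word or acronym
# followed by a date-like run of digits (assumed heuristic).
PATTERNED = re.compile(r"^[A-Za-z]{2,8}[0-9]{4,8}$")
COMMON_PREFIXES = ("WELCOME", "PASSWORD", "TEMP", "CHANGEME")  # assumed list


def generate_temp_password(length=14):
    """Draw from the OS CSPRNG (secrets) until the candidate contains at
    least one character from every class. Rejection sampling keeps the
    distribution uniform over all passwords that satisfy the policy."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def is_patterned(password, prefixes=COMMON_PREFIXES):
    """True for default/patterned values that a user who never changes the
    temporary password would leave easily guessable."""
    if PATTERNED.match(password):
        return True
    upper = password.upper()
    return any(upper.startswith(p) for p in prefixes)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def patterned_search_space_bits():
    """Guess space of the NIST example shape (4 letters + 4 digits):
    26**4 * 10**4 candidates, roughly 32 bits, versus about 87 bits for
    14 random characters from the 75-symbol alphabet above."""
    return math.log2(26 ** 4 * 10 ** 4)


def issue_temp_password(length=14):
    """Generate a temporary password and re-check it against the pattern
    heuristic before it is e-mailed to the requester (defence in depth;
    with a symbol always present the check practically never fires)."""
    pw = generate_temp_password(length)
    if is_patterned(pw):
        raise RuntimeError("generated password looks patterned")
    return pw
```

The temporary value should also be single-use and expire quickly; the generator above only addresses the guessability weakness the finding describes.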
NIST SP 800-118 (draft) states that "Randomly generated or arbitrarily chosen [one time passwords], not default or patterned passwords (e.g., "NIST0722"), should be used during account creation and password reset processes. This ensures that if the user does not promptly change the assigned password, that the password will not be easily guessable." Failure to use randomly generated temporary passwords increases the risk that a person could gain unauthorized access to the claims processing system by exploiting the default password.

Recommendation 11
We recommend that GEHA program the new claims processing system to use randomly generated temporary passwords for users who need to establish new accounts and users who lock themselves out of the system. The passwords should be automatically emailed to the user requesting access.

GEHA Response: "The Security Operations team will review current practices for creating _ IDs where users will automatically authenticate as they activate the application client _ and modify that process as necessary, adding steps to require interaction with the Help Desk before a user id is activated or first use. The new claims system uses authentication based on _ password management will be reviewed and changes made as necessary to randomize initial passwords. A password self-service tool will be investigated to see if they provide a more secure method for changing initial or forgotten passwords. Changes to processes will be completed by the fourth quarter of 2012."

C. Configuration Management
_ is housed in a _ control managed by _. _ supporting the claims adjudication process are housed in a _ with the _. We evaluated GEHA's management of this system software and have serious concerns regarding its overall configuration management program. The sections below document areas for improvement related to GEHA's configuration management controls.
We believe that the severity of the weaknesses related to configuration management represents a significant deficiency in GEHA's ability to securely process FEHBP data in its IT environment.

1. Baseline Configurations
GEHA has not documented a secure baseline configuration for its servers or mainframe. New system software is currently configured using employees' collective knowledge of best practices. However, no standard configuration documentation has been created for any system software used by the organization. In December 2011, GEHA created a Baseline Server Configuration and Maintenance Plan that details the new process for creating configuration baselines for three server operating systems. The actual baseline documents are scheduled for completion in 2012.

FISCAM states that "The entity should maintain current configuration information in a formal configuration baseline that contains the configuration information formally designated at a specific time during a product's or product component's life. Configuration baselines, plus approved changes from those baselines, constitute the current configuration information. There should be a current and comprehensive baseline inventory of hardware, software, and firmware, and it should be routinely validated for accuracy." Failure to create baseline configurations increases the likelihood that newly implemented or modified hardware, software, and firmware will not be securely configured.

Recommendation 12
We recommend that GEHA formally document baseline configurations for its hardware, software, and firmware.

GEHA Response: "GEHA is addressing secure baseline configuration in a three-phase approach. Each phase will document the system function, inventory, configurations and security hardening requirements. For the initial phase, GEHA is focusing on _"

2. Monitoring System Administrator Activity
GEHA's management does not monitor system administrator activity.
GEHA currently employs _ administrators that have the authority to control security for the entire system. _ has a reporting capability that documents any changes that the administrators make to the system. However, these reports are not currently reviewed.

NIST SP 800-53 Revision 3 requires that "The organization ... Tracks and monitors privileged role assignments. Privileged roles include, for example, key management, network and system administration, database administration, [and] web administration." Failure to document and track system administrator activity could allow unintended or malicious events to go undetected and increase system vulnerability.

Recommendation 13
We recommend that GEHA implement a process to routinely monitor system administrator activity.

GEHA Response: "The Security Operations team has developed a daily process to review administrator activity reports. The reports are reviewed, users are contacted to respond to questionable activities, and notations are made electronically on the report pdf file. The file is stored along with related correspondence. The new claims processing system will require different tools to track administrative access because access will primarily be controlled through _. It may be possible to track administrative access within the new application but that is unknown at this time. A tool is being investigated that will track user data view and that tool may provide additional visibility within the new claims application. _ administrator activity monitoring is currently implemented."

OIG Reply: As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with samples of the reports generated to monitor administrator activity as well as evidence of the review to routinely monitor system administrator activity.

3. Configuration Auditing
GEHA performs configuration audits of its servers. However, they do not adequately use the results of the audits to enhance system security.
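The review processes called for in Recommendations 10 and 13 above can be made concrete. The following Python is an added example, not GEHA's or the OIG's code: it parses constructed application security events (the event format, the privileged-account list, the failed-logon threshold and the approved change window are all assumptions), summarizes failed logons per account, and flags administrator changes that a reviewer must clear, so that the review leaves a record rather than an unread weekly e-mail.

```python
"""Review of access-violation and administrator-activity reports
(Recommendations 10 and 13): parse application security events,
summarize failed logons per account, and flag privileged changes that
need a reviewer's follow-up.

Added example, not GEHA's or OPM OIG's code. The event format, the
privileged-account list, the failed-logon threshold, the change window
and every log line below are constructed assumptions."""
import re
from collections import Counter
from datetime import datetime, time

EVENT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<event>LOGON_FAIL|LOGON_OK|ADMIN_CHANGE) user=(?P<user>\S+)'
    r'(?: target=(?P<target>\S+))?(?: detail="(?P<detail>[^"]*)")?$')

PRIVILEGED = {"secadm1", "secadm2"}          # accounts allowed to make admin changes
FAIL_THRESHOLD = 5                           # failed logons per account per report
CHANGE_WINDOW = (time(18, 0), time(23, 0))   # approved hours for configuration changes
SENSITIVE_TARGETS = ("group:", "audit:", "acl:")  # objects whose change always needs review

# Constructed sample report period (one malformed line on purpose).
SAMPLE_LOG = """\
2012-03-05 09:12:01 claimsapp LOGON_FAIL user=jdoe
2012-03-05 09:12:09 claimsapp LOGON_FAIL user=jdoe
2012-03-05 09:12:15 claimsapp LOGON_FAIL user=jdoe
2012-03-05 09:12:22 claimsapp LOGON_FAIL user=jdoe
2012-03-05 09:12:30 claimsapp LOGON_FAIL user=jdoe
2012-03-05 09:12:41 claimsapp LOGON_FAIL user=jdoe
2012-03-05 09:13:02 claimsapp LOGON_OK user=jdoe
2012-03-05 09:40:11 claimsapp LOGON_FAIL user=asmith
2012-03-05 09:40:20 claimsapp LOGON_OK user=asmith
2012-03-05 10:00:00 claimsapp ADMIN_CHANGE user=secadm1 target=user:jdoe detail="password reset"
2012-03-05 10:05:12 claimsapp ADMIN_CHANGE user=secadm2 target=group:claims_admins detail="added jdoe"
2012-03-05 14:30:45 claimsapp ADMIN_CHANGE user=secadm1 target=user:secadm1 detail="role=ALL"
2012-03-05 15:00:03 claimsapp ADMIN_CHANGE user=bwong target=config:audit_retention detail="set 1 day"
2012-03-05 19:30:00 claimsapp ADMIN_CHANGE user=secadm2 target=config:tls_min detail="set 1.2"
this line is not in the expected format
"""


def parse_events(text):
    """Return (events, rejected): parsed records plus the count of lines that
    did not match the format. Unparseable lines are counted, never dropped
    silently, because a tampered or truncated log looks exactly like that."""
    events, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = EVENT_RE.match(line)
        if not m:
            rejected += 1
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events, rejected


def failed_logon_report(events, threshold=FAIL_THRESHOLD):
    """Accounts whose failed logons reach the threshold in the period; the
    reviewer contacts each user and records the outcome against the report."""
    counts = Counter(e["user"] for e in events if e["event"] == "LOGON_FAIL")
    return {user: n for user, n in counts.items() if n >= threshold}


def admin_change_report(events, privileged=PRIVILEGED, window=CHANGE_WINDOW):
    """Privileged-activity review: every ADMIN_CHANGE is listed, and those
    meeting a review rule carry the reasons the reviewer must clear."""
    report = []
    for e in events:
        if e["event"] != "ADMIN_CHANGE":
            continue
        target = e["target"] or ""
        reasons = []
        if e["user"] not in privileged:
            reasons.append("change made by a non-privileged account")
        if target.startswith(SENSITIVE_TARGETS):
            reasons.append("security-relevant object changed")
        if target == "user:" + e["user"]:
            reasons.append("administrator modified own account")
        if target.startswith("config:") and not (window[0] <= e["ts"].time() <= window[1]):
            reasons.append("configuration change outside approved window")
        report.append({"ts": e["ts"], "user": e["user"], "target": target,
                       "detail": e["detail"] or "", "reasons": reasons})
    return report


def items_needing_review(report):
    """The subset a reviewer must annotate before the report is filed."""
    return [r for r in report if r["reasons"]]
```

On the constructed sample, `jdoe` exceeds the failed-logon threshold, and three of the five administrator changes need review: a group membership change, an administrator altering his own account, and a configuration change made by a non-privileged account outside the change window. The routine password reset and the in-window TLS change are listed but carry no reasons.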
The results of the audits revealed numerous configuration settings that were below industry standards. To confirm these results, we used an automated tool to conduct a compliance audit on over 150 production servers to determine if configuration settings were in compliance with HIPAA and industry standards. The results of the scan revealed major compliance issues in each server (the results of the scan were provided to GEHA but will not be detailed in this report due to the sensitive nature of the information).

FISCAM states "Current configuration information should be routinely monitored for accuracy. Monitoring should address the current baseline and operational configuration of the hardware, software, and firmware that comprise the information system. . . . Monitoring, sometimes called configuration audits, should be periodically conducted to determine the extent to which the actual configuration item reflects the required physical and functional characteristics originally specified by requirements." Failure to analyze the results of configuration audits and appropriately adjust software settings increases the risk of improper and less secure system software configuration.

Recommendation 14
We recommend that GEHA address the issues detected by the compliance audit and routinely monitor system software configuration to ensure compliance with established baselines.

GEHA Response: "The recent purchase of a security vulnerability scanning tool by the Security Operations team gives us the ability to scan configuration settings of individual servers once authenticated to the server. Security Operations will work with the Enterprise Architecture to assure that appropriate settings are routinely scanned and addressed. This recommendation should be completed by the end of the fourth quarter of 2012."

4. Vulnerability Scanning and _
GEHA does not perform routine vulnerability scanning of its computer servers.
We used an automated tool to conduct a vulnerability scan of GEHA's server environment to determine if its servers were properly secured. We discovered numerous weaknesses related to _ (the results of the scan were provided to GEHA but will not be detailed in this report due to the sensitive nature of the information). GEHA has documented _ procedures, but they are not being enforced.

We used another automated tool to conduct _ scans on GEHA's production _ any negative results. The _ was terminated prematurely because it caused a disruption to GEHA's production environment. However, the limited results that were returned from this scan indicated that the _ may be vulnerable to _ (the results of the scan were provided to GEHA but will not be detailed in this report due to the sensitive nature of the information). We believe that the extent of the security weaknesses could be better evaluated by a third party company that specializes in _.

FISCAM states that "Software should be scanned and updated frequently to guard against known vulnerabilities." NIST SP 800-53 Revision 3 states "The organization (including any contractor to the organization) promptly installs security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expeditiously."

Failure to promptly install _ increases the risk that vulnerabilities will not be remediated and unauthorized users could gain access to the system. Furthermore, the weakness within the _ could be compromised, allowing unauthorized users access to PII.

Recommendation 15
We recommend that GEHA implement a process to conduct routine vulnerability scans and track any identified weaknesses until they are remediated.
GEHA Response: "A product to scan systems for vulnerabilities has recently been purchased and a project has been created to develop processes for scanning, notification of findings, risk assessment, remediation, and review. The project will focus on reducing the risk to the organization by implementing a routine vulnerability monitoring and remediation program. This recommendation should be completed by the end of the fourth quarter of 2012."

Recommendation 16
We recommend that GEHA install the _ that were identified in the scan results and, in the future, improve the patch management process to ensure that _ are installed promptly.

GEHA Response: "_ to identify _ importance _ developing and implementing _, determine applicability to GEHA systems, and distribute and implement on GEHA systems to prevent and minimize the risk of security breaches and losses. GEHA is initiating a formal program to mitigate the risk presented by _. The program will be a combination of technology in the form of _ and deployment software and processes to identify, test and deploy software updates following a risk-based management approach. . . ."

Recommendation 17
We recommend that GEHA contract with a third party vendor that specializes in _ vulnerability assessments to conduct a thorough _ vulnerability assessment of its _.

GEHA Response: "_ in two _/2012, to conduct a comprehensive _. The scope of the assessment included our _. Our IT and Security _ issues noted in that assessment. In addition, GEHA is currently redesigning our _ and Security teams are involved in those discussions to ensure that any open vulnerabilities or concerns are addressed in the new design. _ we are addressing this issue is the purchase and implementation of _. Our Information Security Analysts have installed this solution and are currently conducting configuration and testing.
This tool will be used on a continuous basis to assist security in identifying vulnerabilities affecting our infrastructure and will assist in the risk ranking of those vulnerabilities to drive remediation priorities. The solution will have the ability to not only alert security staff to vulnerabilities facing _, but also vulnerabilities on our _. We expect to have _ in our production environment and identifying vulnerabilities by Q3 of 2012. We feel that it is important and we plan to continue engaging a third party to conduct an independent assessment, however due to the addition of our _ tool and vulnerability management processes, we will be reducing the frequency of those from annually to perhaps every other year."

OIG Reply: As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with the following evidence: the _ vulnerability assessment and penetration test results, evidence of the tracking and remediation of weaknesses, evidence of the implementation of _ and the functionality of the tool.

5. Updating System Software
GEHA is currently running a version of _ that is not supported by the vendor. GEHA has begun the process of upgrading to a supported operating system, but the upgrade is not complete.

FISCAM states that "Software should be scanned and updated frequently to guard against known vulnerabilities. In addition to periodically looking for software vulnerabilities and fixing them, security software should be kept current by establishing effective programs for patch management, virus protection, and other emerging threats. Also, software releases should be adequately controlled to prevent the use of noncurrent software. . . . Procedures should ensure that only current software releases are installed in information systems. Noncurrent software may be vulnerable to malicious code such as viruses and worms."
Failure to use an operating system that is supported by the vendor increases the risk that the operating system contains vulnerabilities that cannot be fixed or patched.

Recommendation 18
We recommend that GEHA continue its efforts to upgrade the _ operating system to a vendor-supported version.

GEHA Response: "GEHA is continuing the efforts to update the _ operating systems to vendor supported versions. We are working through the _ and custom-developed application dependencies which require update before the _ operating systems can be updated. GEHA has also had to procure and implement a new storage subsystem to allow for the increased capacity needs for the testing environments for process and inter-operability testing."

D. Contingency Planning
We reviewed GEHA's service continuity program to determine whether controls were in place to prevent or minimize damage and interruptions to business operations when disastrous events occur. We evaluated GEHA's contingency planning documentation to determine whether it outlined procedures for maintaining critical services for its members should business operations be disrupted. The following elements of GEHA's contingency planning program were reviewed:
• Business continuity plans for several major business units including claims, telecommunications/customer service, and check printing;
• Disaster recovery plan for the _ claims processing system;
• Disaster recovery tests conducted in conjunction with an _ recovery site; and,
• Emergency response procedures and training.

We determined that critical elements suggested by NIST SP 800-34, "Contingency Planning Guide for IT Systems," were addressed in the service continuity documentation reviewed. GEHA has identified which systems and resources are critical to business operations and how to recover those systems and resources. GEHA does not perform a complete disaster recovery test for all systems.
We were provided evidence that GEHA routinely performs a disaster recovery test of the _ at the _ recovery site. However, we learned that there is no routine _ the _ environment. While the claims processing system resides on the _, the _ environment supports other critical GEHA applications.

FISCAM states that "Testing contingency plans is essential to determining whether they will function as intended in an emergency situation. The most useful scenarios involve simulating a disaster situation to test overall service continuity." Failure to perform annual disaster recovery tests on the _ decreases the likelihood that GEHA will be able to completely restore _ of a disaster.

Recommendation 19
We recommend that GEHA conduct and document an annual disaster recovery test for the _.

GEHA Response: "GEHA has designed and implemented _ site co-location facility that will function as the disaster recovery site for _. GEHA is currently replicating all data to the site through the use of the _ data protection platform. GEHA is scheduled to perform disaster recovery testing in Q3 of 2012. We have hired a Manager of Enterprise Risk that will be responsible for working with IT to maintain/update our BCP/DR plans to reflect the above changes and to assist in coordinating testing exercises. This person is currently assisting on our claims system conversion and will be joining the Enterprise Security and Risk Management team in Q3 of 2012. His focus will be BCP/DR and other Enterprise Risk Management initiatives."

E. Application Controls

Application Configuration Management
We evaluated the policies and procedures governing software development and change control of GEHA's _ claims processing application. GEHA has a series of policies and procedures related to application configuration management. GEHA has adopted a traditional system development life cycle methodology that IT personnel follow during routine software modifications.
The following controls related to testing and approvals of software modifications were observed:
• GEHA has implemented change tracking software and correlating business practices that allow modifications to be tracked throughout the change process; and,
• Code, unit, system, and quality testing are all conducted in accordance with industry standards.

Claims Processing System
We evaluated the input, processing, and output controls associated with _. In terms of input controls, we documented the policies and procedures adopted by GEHA to help ensure that: 1) there are controls over the inception of claims data into the system; 2) the data received comes from the appropriate sources; and, 3) the data is entered into the claims database correctly. We also reviewed GEHA's quality assurance methods for reconciling processing totals against input totals and for evaluating the accuracy of its processes. Finally, we examined the security of physical input and output (paper claims, checks, explanation of benefits, etc.). GEHA informed us that they are in the initial development phase of implementing a new claims processing system, _. This is scheduled for completion by the end of 2012.

Provider Networks Involvement in Claims Processing
GEHA utilizes PPO Contractor Networks to perform functions related to claims input and clinical editing. One Network, _, has responsibilities for input, clinical edits, and output processes. During the course of our audit, we toured the facilities responsible for both the input and output of GEHA's UHC claims. We determined that there are sufficient processes in place to ensure the effective input of claims data. GEHA sends _ then prints provider checks from a GEHA bank account. However, GEHA and _ do not reconcile the quantity and dollar amount of checks printed to the original submission by GEHA. Without a reconciliation of the actual checks printed by _
to those submitted by GEHA, there is an increased likelihood that improper claim payments will go undetected.

Recommendation 20
We recommend that GEHA, in collaboration with _, develop a process to reconcile printed checks.

GEHA Response: "We have initiated a project with our Project Management Department and have assembled a team to address this recommendation. We plan to coordinate with _ and have a reconciliation process implemented once we have identified and created the necessary internal reporting."

Enrollment
We evaluated GEHA's procedures for managing its database of member enrollment data. GEHA receives its enrollment data via fax, mail, and electronic update files. The majority of enrollment information is received electronically (about 70%) and is input into the database automatically. Enrollment information is otherwise input manually into the database. Information that is manually entered into the system is audited by enrollment specialists. Daily error reports are generated for managers to view as a part of the employee performance evaluation as well as used during the audit process by the enrollment specialists. GEHA receives an e-mail attachment containing the quantity and type of enrollment file transmissions; however, at the time of the audit GEHA did not have a process to reconcile what is sent against what is actually received. As a result of our audit GEHA stated that it will begin a reconciliation process using the e-mail attachment and the files received. There were no further concerns regarding GEHA's enrollment policies, processes and procedures.

Debarment
GEHA has adequate procedures for updating its claim system with debarred provider information, but it does not routinely audit its debarment database for accuracy. GEHA downloads the OPM OIG debarment list every month and compares it to its provider maintenance file.
Any debarred providers that appear in GEHA's provider master database are flagged to prevent claims submitted by that provider from being processed by the claims processing system. However, this process is done manually, and GEHA does not do a full reconciliation of the debarment list with its provider master database. Failure to audit the accuracy of the debarment file increases the risk that claims are being paid to providers that are debarred.

Recommendation 21
We recommend that GEHA implement an audit process for the full debarment file.

GEHA Response: "GEHA does currently perform a monthly 3% audit on our full debarment file. However, based on the recommendation of OPM, we have increased the audit to 100% of the full debarment file effective April 15, 2012."

OIG Reply: As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with evidence of the monthly audit of the debarment file for a period of three months.

Application Controls Testing
To validate claims processing controls, a testing exercise was conducted on the GEHA _ system. This test was conducted at GEHA's Independence, Missouri facility with the assistance of GEHA personnel. The exercise involved processing claims designed with inherent flaws in the test environment of the claims adjudication application. Upon conclusion of the testing exercise, the expected results were compared with the actual results obtained during the exercise. The sections below document the opportunities for improvement that were noted related to application controls. GEHA intends to replace _ with a new claims processing system called _. The recommendations contained within this section are directed toward this new system.

1. Clinical Edits
We submitted a hospital claim for a male with a diagnosis of postmenopausal bleeding and a procedure code for a total abdominal hysterectomy.
This claim was processed and paid without encountering any system edits, despite the fact that this procedure could not be performed on a male. We were informed by GEHA that _ does not have any clinical edits in place for hospital claims. This was a prior recommendation in 2005. This system weakness increases the risk that benefits are being paid for procedures associated with a diagnosis that may not warrant such treatment.

Recommendation 22
We recommend that GEHA ensure that comprehensive medical edits are incorporated into the development of the new claims processing system.

GEHA Response: "Our review of the _ System and the new clinical editor has shown that _ does not currently have edits for inpatient hospital claims. This specific claim example would not be captured in any of the edits. We will investigate the system capabilities of creating the configuration to assist in up front identification of these claims. There are edits for outpatient hospital claims. For the professional claim example, we have test cases developed to review diagnosis to procedure code edits. The system can then be coded to pend, deny, or use a warning message. We have not received the latest version of _ to test at this time. We will add these examples to our requirements and set up specific test cases to test capabilities to ensure accurate processing . . . ."

OIG Reply: The lack of clinical edits in GEHA's claims processing system extends back to a prior OPM OIG audit from 2005. Clinical edits are a necessary element of implementing a new claims processing system. We continue to recommend that GEHA make the appropriate system modifications to ensure clinical edits are implemented for both professional and facility claims. As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with appropriate supporting documentation indicating its progress in successfully implementing these modifications.

2. Therapy Visit Counter
Procedure codes for therapy visits indicate a specific length of time of the services provided. The benefit structure only allows 2 hours per visit in addition to limiting the number of visits per year to 60. GEHA is not appropriately calculating the length of time per visit. The OIG submitted a series of claims to test _ ability to limit physical and occupational therapy visits to 60 per calendar year. While the system is configured to stop paying claims after 60 visits, we submitted a visit for 2.25 hours, and it was counted as 1 visit rather than two. This system weakness increases the risk that providers are paid for rendering non-covered services.

Recommendation 23
We recommend that GEHA ensure that the appropriate system modifications be incorporated into the claims processing system to ensure that therapy benefits are limited in accordance with the plan brochure.

GEHA Response: "GEHA agrees with the recommendation to ensure this is addressed in the conversion to _. However, between now and the time of conversion to _ we have implemented interim procedures in the Claims Department to adjudicate claims correcting the calculation of time per visit."

OIG Reply: As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with supporting documentation for the interim process showing that therapy claims are automatically detected for manual review/calculation. Furthermore, we recommend GEHA provide evidence of the implementation of these edits in place in the claims processing system.

3. Overlapping Hospital Stays
The _ system paid duplicate room and board charges on test claims for a member with two overlapping hospital stays. The system does not have edits in place to prevent both room and board and intensive care charges for the same time period. We submitted a claim for an intensive care room and a subsequent claim for a semi-private room at the same facility on the same day.
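Automated edits for the three weaknesses described above (the sex/diagnosis/procedure clinical edit, time-based therapy visit counting, and overlapping stays detected on dates of service rather than revenue code), together with the debarred-provider check and full-file reconciliation from Recommendation 21, as an added example in Python. It is not GEHA's claims system code or the OIG's test harness: ICD-9 627.1, CPT 58150 and 97110 and the UB-04 revenue code ranges are realistic values used for illustration, and the benefit limits and every claim in it are constructed assumptions.

```python
"""Automated claim edits for the application controls findings: the sex/
diagnosis/procedure clinical edit (1), time-based therapy visit counting (2),
overlapping hospital stays regardless of revenue code (3), and the
debarred-provider check with full-file reconciliation (Recommendation 21).
Added example, not GEHA's or OPM OIG's code. ICD-9 627.1, CPT 58150/97110
and UB-04 revenue code ranges are realistic values used for illustration;
the limits and all claims below are constructed assumptions, not GEHA data."""
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import combinations
from math import ceil

FEMALE_ONLY_PROCEDURES = {"58150"}       # total abdominal hysterectomy
FEMALE_ONLY_DIAGNOSES = {"627.1"}        # postmenopausal bleeding
THERAPY_PROCEDURES = {"97110", "97530"}  # timed PT/OT services
HOURS_PER_VISIT = 2.0                    # brochure limit per visit (assumed)
VISITS_PER_YEAR = 60                     # brochure limit per year (assumed)
# Room-and-board (011x-016x) and intensive/coronary care (020x-021x) revenue codes.
STAY_REVENUE_PREFIXES = ("011", "012", "013", "014", "015", "016", "020", "021")


@dataclass(frozen=True)
class Claim:
    claim_id: str
    member_id: str
    sex: str                  # "M" or "F"
    provider_id: str
    procedure: str = ""       # CPT/HCPCS code (professional claims)
    diagnosis: str = ""       # ICD-9 code
    revenue_code: str = ""    # UB-04 revenue code (facility claims)
    from_date: date = date(2012, 1, 1)
    to_date: date = date(2012, 1, 1)
    hours: float = 0.0        # time billed on timed therapy codes


def therapy_units(hours, hours_per_visit=HOURS_PER_VISIT):
    """Visits consumed by one encounter: 2.25 hours is 2 visits, not 1."""
    return ceil(hours / hours_per_visit)


def edit_clinical(claim):
    """Sex/diagnosis and sex/procedure consistency edits, hospital claims included."""
    msgs = []
    if claim.sex == "M" and claim.diagnosis in FEMALE_ONLY_DIAGNOSES:
        msgs.append("diagnosis %s is inconsistent with a male member" % claim.diagnosis)
    if claim.sex == "M" and claim.procedure in FEMALE_ONLY_PROCEDURES:
        msgs.append("procedure %s is inconsistent with a male member" % claim.procedure)
    return msgs


def edit_therapy_limit(claims, limit=VISITS_PER_YEAR):
    """Accumulate time-based visits per member and calendar year in date order;
    flag every claim that carries the running total past the limit."""
    used, flagged = {}, {}
    for c in sorted(claims, key=lambda c: c.from_date):
        if c.procedure in THERAPY_PROCEDURES:
            key = (c.member_id, c.from_date.year)
            used[key] = used.get(key, 0) + therapy_units(c.hours)
            if used[key] > limit:
                flagged[c.claim_id] = "therapy visits exceed %d for %d" % (limit, key[1])
    return flagged


def edit_overlapping_stays(claims):
    """Flag a stay whose dates of service overlap an earlier stay for the same
    member, whatever revenue codes the two claims carry (inclusive dates)."""
    stays = [c for c in claims if c.revenue_code.startswith(STAY_REVENUE_PREFIXES)]
    flagged = {}
    for a, b in combinations(stays, 2):
        if a.member_id == b.member_id and a.from_date <= b.to_date and b.from_date <= a.to_date:
            flagged[b.claim_id] = "dates of service overlap claim %s" % a.claim_id
    return flagged


def reconcile_debarment(debarment_list, provider_master):
    """Full-file reconciliation (not a sample): debarred IDs in the provider master."""
    return sorted(set(debarment_list) & set(provider_master))


def adjudicate(claims, debarred):
    """Run every edit; returns {claim_id: [messages]} for claims that must pend
    or deny. A claim absent from the result passed all edits."""
    results = {}
    for c in claims:
        msgs = edit_clinical(c)
        if c.provider_id in debarred:
            msgs.append("provider %s is debarred" % c.provider_id)
        if msgs:
            results[c.claim_id] = msgs
    for flagged in (edit_therapy_limit(claims), edit_overlapping_stays(claims)):
        for cid, msg in flagged.items():
            results.setdefault(cid, []).append(msg)
    return results


# Constructed claims mirroring the OIG test cases (31 therapy visits of 2.25 h).
TEST_CLAIMS = [
    Claim("C1", "M001", "M", "PROV-A", procedure="58150", diagnosis="627.1"),
    Claim("H1", "M002", "F", "HOSP-1", revenue_code="0200", from_date=date(2012, 1, 10), to_date=date(2012, 1, 14)),
    Claim("H2", "M002", "F", "HOSP-1", revenue_code="0110", from_date=date(2012, 1, 12), to_date=date(2012, 1, 15)),
    Claim("D1", "M003", "F", "PROV-DEBARRED", procedure="99213", diagnosis="401.9"),
] + [
    Claim("T%02d" % i, "M004", "F", "PT-1", procedure="97110", hours=2.25,
          from_date=date(2012, 1, 2) + timedelta(days=7 * i), to_date=date(2012, 1, 2) + timedelta(days=7 * i))
    for i in range(31)
]
DEBARMENT_LIST = ["PROV-DEBARRED", "PROV-X"]
PROVIDER_MASTER = ["PROV-A", "HOSP-1", "PT-1", "PROV-DEBARRED"]
```

On the constructed claims, `adjudicate(TEST_CLAIMS, set(DEBARMENT_LIST))` pends C1 (two clinical inconsistencies), H2 (it overlaps H1 although the two carry different revenue codes), D1 (debarred provider) and T30, the 31st 2.25-hour visit: at two visits each, the year's total reaches 62, whereas counting one visit per claim would have paid all 31. `reconcile_debarment` compares the whole debarment list against the whole provider master, which is the 100% audit GEHA's response commits to.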
We were informed by GEHA representatives that _ only looks at the revenue code for duplicate billing. As long as different revenue codes are used, the system will never detect multiple claims containing overlapping dates of service for hospital stays. This system weakness increases the risk that hospitals are being paid for duplicate room and board expenses.

Recommendation 24
We recommend that GEHA ensure that the appropriate system configurations are made to _ to prevent duplicate payments for claims with overlapping dates of service.

GEHA Response: "GEHA agrees with the recommendation and will explore the system configuration available to ensure accurate claim processing."

4. OBRA 90 PRICER
GEHA is pricing OBRA90 claims with outdated versions of the _ program. We entered several test claims subject to OBRA90 pricing into the _ system. The system suspended all of the claims for OBRA90 pricing (also referred to as diagnosis-related group or DRG pricing), and the GEHA claims adjudicator priced each claim using the _. We also independently priced each claim using the most recent versions of the _ programs, and compared the Medicare DRG amount produced to that calculated by the GEHA adjudicator. All of the test claims processed by GEHA were priced accurately; however, we received screenprints of the _ from GEHA which indicated GEHA was not using the most current version of the _. Failure to promptly provide claims adjudicators with updated versions of the _ program increases the risk that GEHA is pricing OBRA90 claims _.

Recommendation 25
We recommend that GEHA implement procedures to ensure that OBRA90 claims are priced with the correct version of the _.

GEHA Response: "GEHA agrees with the recommendation and is taking steps to ensure that the adjusters have access to the most current version of the OBRA 90 Pricer before claims processing.
This will include working more closely with the IT area to ensure timely loading of the current version, while considering whether claims may need to be held in the interim to prevent claim payment issues."

5. Manual Processing of Claims
A significant portion of claims processed by GEHA are processed manually, including all hospital, anesthesiology, and renal failure claims. The amount of manual effort required by adjudicators to process claims greatly increases the risk that these claims are processed incorrectly.

Recommendation 26
We recommend that GEHA ensure that the appropriate system configurations are made to _ to ensure that a reduced manual effort is required by claims adjudicators to process claims.

GEHA Response: "GEHA is exploring every opportunity to reduce manual processes. Conversion to the _ system will facilitate our goals in this area. While our conversion to _ is still in the 'build' phase, we have already identified several areas of opportunity where reduced manual effort will be realized . . . ."

F. Health Insurance Portability and Accountability Act
The OIG reviewed GEHA's efforts to maintain compliance with the security and privacy standards of HIPAA. GEHA has implemented a series of IT security policies and procedures to adequately address the requirements of the HIPAA security rule. GEHA has also developed a series of privacy policies and procedures that directly address all requirements of the HIPAA privacy rule. The plan has a designated Privacy Official who has the responsibility of ensuring compliance with HIPAA Privacy and GEHA's HIPAA Privacy policies. GEHA employees receive HIPAA-related training during new hire orientation, as well as annual refresher training. Nothing came to our attention that caused us to believe that GEHA is not in compliance with the various requirements of HIPAA regulations.

III. Major Contributors to This Report
This audit report was prepared by the U.S.
Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:

• , Group Chief
• , Senior Team Leader
• , Auditor In Charge
• , IT Auditor
• , IT Auditor

Appendix I

The Benefits of Better Health
Government Employees Health Association, Inc. • P.O. Box 4665 • Independence, MO 64051-4665 • Telephone (800) 821-6136 • www.geha.com

May 10, 2012

, Auditor in Charge
Information Systems Audits Group
Office of the Inspector General
1900 E Street, NW, Room 6400
Washington, DC 20415-1100

We have completed our review of the report for the Audit of Information Systems General and Application Controls at Government Employees Health Association (GEHA) dated March 14, 2012. The following are our responses for each recommendation that was presented in the report.

Recommendation 1

We recommend GEHA develop a rules of behavior agreement and require all employees to sign the document.

GEHA Response

GEHA has an extensive orientation process where new hires are trained on various policies and procedures and are required to sign Acknowledgement of Responsibility forms. These acknowledgements encompass what one rules of behavior document would address.

1. Acknowledgement of GEHA Code of Ethics.
 a. Confidentiality Agreement which is required upon hire and annually thereafter. The Confidentiality agreement ensures that the employee keeps GEHA proprietary and health information confidential and reports any accidental or intentional disclosure.
 b. HR Policy 5-05 - Code of Ethics which includes a section on 'compromising computer security'.
2. Acknowledgement of Responsibility for HIPAA confidentiality of patient information. This is required upon hire and thereafter when additional training is given.
 a. HIPAA Policy 210 - Confidentiality and Security of Patient Information Employee Breach and Disciplinary Action.
 b. HIPAA Policy 215 - Breach Reporting, Investigation and Notification Requirements.
3. Acknowledgement of GEHA Information Protection Policy.
 a. HR Policy 5-35 – Information Protection. This policy covers all information in any form and from any system.
 b. HIPAA Policy 840 – Internet and Software Acceptable Use Policy.

Recommendation 2

We recommend that GEHA reassess its facilities’ physical access management and implement controls that will ensure proper physical security. At a minimum, GEHA should implement at data center entrances.

GEHA Response

GEHA is currently reassessing facilities access at all of our locations and adding the following controls to increase physical security.

2) Data Center – Multi-Factor Authentication at Entrance (COMPLETED) - Access to GEHA’s data center at our 310 building requires both an access badge as well as the code to a cipher lock built into the door. The addition of the cipher lock was completed in September of 2011.
3)
4)
5)

Recommendation 3

We recommend that GEHA implement physical controls to prevent employees that only require access to the

GEHA Response

GEHA continues to keep this area locked during non-business hours and corrected this concern in October 2011 by installing a latching system on the inside of the storage area that prevents unsupervised access.

Recommendation 4

We recommend that GEHA implement a process to monitor and track access to claim files (in the mail sort room).

GEHA Response

The area where the claims are kept is separated from the by a locked door. Access to this area is restricted to a limited number of claims clerical staff. There are no sign out procedures because claims leave this area only to be copied and immediately returned to the locked room.

Recommendation 5

We recommend GEHA conduct a detailed access review audit of user accounts to identify accounts with inappropriate access.
GEHA Response

GEHA Security Operations has taken multiple steps to better control access. We have reviewed access for users with administrative access and have removed access that was inappropriate or no longer needed. To better establish and control access, we have developed a series of user templates that determine access by position. In doing so we have consulted with managers to verify access and remove any unneeded access. We have developed reporting from our payroll department that will allow us to better track users as they move within the organization or terminate. We have reviewed all previously terminated users to assure that all access has been removed. For auditing purposes it is necessary to leave IDs for terminated employees in place; however, all access to the ID is removed, the account is locked, and the associated user id is removed. This activity has been completed.

Recommendation 6

We recommend that GEHA configure its intrusion detection tools to optimize their capabilities.

GEHA Response

GEHA uses a firewall that includes intrusion detection capabilities. The intrusion detection capabilities were recently activated and are being monitored to determine effectiveness in detecting known attacks. are updated regularly to assure that detection capabilities are current. The Security Operations team will assist the Enterprise Architecture team in fine-tuning the detection capabilities as monitoring reveals changes that can be made to improve the system's response.

Recommendation 7

We recommend that GEHA implement for remote access.

GEHA Response

GEHA has taken steps to purchase and implement for remote access users. Remote web access to GEHA resources forces to GEHA's environment using . This project has been completed for all users with remote access.

Recommendation 8

We recommend that GEHA document a process for ensuring application access is granted with proper segregation of duties and implement the process for all major applications.

Response

GEHA has taken steps to identify duties within the claims processing area and has defined those activities that present a potential violation of the segregation of duties. access has been reviewed and conflicting access removed. Other applications have initially been configured to reduce conflicts, but currently need to be reviewed and any conflicts removed. Expected completion of this activity is by the end of the fourth quarter of 2012. GEHA’s Internal Audit Department performs an annual audit of access rights on major applications for employees who have terminated or transferred positions.

Recommendation 9

We recommend that GEHA expand the access recertification process to all major applications.

Response

The GEHA Security Operations team is in the process of working with managers to develop and major applications. During the process we are aligning current access of individuals to templates created for the role or job title they hold. Managers are reviewing access changes to align with templates created. Going forward the Security Operations team will use these application reports and templates to verify with management the access of all employees at least annually.

Recommendation 10

We recommend that GEHA implement a process to log and review user activity within its applications.

Response

The Security Operations team has developed a daily process to review violation reports. Violation reports for and other applications are not available at this time. reports are reviewed, users are contacted to respond to violations, and notations are made electronically on the report pdf file. The file is stored along with related correspondence. This process is currently implemented.

Recommendation 11

We recommend that GEHA program the new claims processing system to use randomly generated temporary passwords for users who need to establish new accounts and users who lock themselves out of the system. The passwords should be automatically emailed to the user requesting access.

Response

The Security Operations team will review current practices for creating IDs and modify the process as necessary, adding steps to require interaction with the Help Desk before a user id is activated for first use. The new claims system uses authentication based on where users will automatically authenticate to as they activate the application client. password management will be reviewed and changes made as necessary to randomize initial passwords. A password self-service tool will be investigated to see if it provides a more secure method for changing initial or forgotten passwords. Changes to processes will be completed by the fourth quarter of 2012.

Recommendation 12

We recommend that GEHA formally document baseline configurations for its hardware, software, and firmware.

Response

GEHA is addressing secure baseline configuration in a three-phase approach. Each phase will document the system function, inventory, configurations and security hardening requirements. For the initial phase, GEHA is focusing on . The second phase will extend into higher levels of the architecture including but not limited to . The final phase will be a granular view of the business applications that utilize the architecture detailed in the first two phases such as

Recommendation 13

We recommend that GEHA implement a process to routinely monitor system administrator activity.

Response

The Security Operations team has developed a daily process to review administrator activity reports. The reports are reviewed, users are contacted to respond to questionable activities, and notations are made electronically on the report pdf file. The file is stored along with related correspondence.
The new claims processing system will require different tools to track administrative access because access will primarily be controlled through . It may be possible to track administrative access within the new application but that is unknown at this time. A tool is being investigated that will track user data view and that tool may provide additional visibility within the new claims application. administrator activity monitoring is currently implemented.

Recommendation 14

We recommend that GEHA address the issues detected by the compliance audit and routinely monitor system software configuration to ensure compliance with established baselines.

Response

The recent purchase of a security vulnerability scanning tool by the Security Operations team gives us the ability to scan configuration settings of individual servers once authenticated to the server. Security Operations will work with the Enterprise Architecture to assure that appropriate settings are routinely scanned and addressed. This recommendation should be completed by the end of the fourth quarter of 2012.

Recommendation 15

We recommend that GEHA implement a process to conduct routine vulnerability scans and track any identified weakness until they are remediated.

Response

A product to scan systems for vulnerabilities has recently been purchased and a project has been created to develop processes for scanning, notification of findings, risk assessment, remediation, and review. The project will focus on reducing the risk to the organization by implementing a routine vulnerability monitoring and remediation program. This recommendation should be completed by the end of the fourth quarter of 2012.

Recommendation 16

We recommend that GEHA install the that were identified in the scan results and, in the future, improve the management process to ensure that _ _ are installed promptly.

Response

GEHA recognizes the need and importance of developing and implementing a to identify , determine applicability to GEHA systems, and distribute and implement on GEHA systems to prevent and minimize the risk of security breaches and losses. GEHA is initiating a formal to mitigate the risk presented by the . The program will be a combination of technology in the form of and deployment software and processes to identify, test and deploy software updates following a risk-based management approach.

Recommendation 17

We recommend that GEHA contract with a third party vendor that specializes in vulnerability assessments to conduct a thorough vulnerability assessment of its .

Response

GEHA is addressing vulnerabilities in two different ways. In late 2012, we engaged a third-party, to conduct a comprehensive vulnerability assessment and penetration test. The scope of the assessment included our . Our IT and Security teams are actively remediating issues noted in that assessment. In addition, GEHA is currently redesigning our and Security teams are involved in those discussions to ensure that any open vulnerabilities or concerns are addressed in the new design.

The second way we are addressing this issue is the purchase and implementation of . Our Information Security Analysts have installed this solution and are currently conducting configuring and testing. This tool will be used on a continuous basis to assist security in identifying vulnerabilities affecting our infrastructure and will assist in the risk ranking of those vulnerabilities to drive remediation priorities. The solution will have the ability to not only alert security staff to vulnerabilities facing our , but also vulnerabilities on our . We expect to have fully deployed in our production environment and identifying vulnerabilities by Q3 of 2012.
We feel that it is important and we plan to continue engaging a third party to conduct an independent assessment; however, due to the addition of our tool and vulnerability management processes, we will be reducing the frequency of those from annually to perhaps every other year.

Recommendation 18

We recommend that GEHA continue their efforts to upgrade the operating system to a vendor-supported version.

Response

GEHA is continuing the efforts to update the operating systems to vendor-supported versions. We are working through the and custom-developed application dependencies which require update before the operating systems can be updated. GEHA has also had to procure and implement a new storage subsystem to allow for the increased capacity needs for the testing environments for process and inter-operability testing.

Recommendation 19

We recommend that GEHA conduct and document an annual disaster recovery test for the .

Response

GEHA has designed and implemented a secured off-site co-location facility that will function as the disaster recovery site for all . GEHA is currently replicating all data to the site through the use of the data protection platform. GEHA is scheduled to perform disaster recovery testing in Q3 of 2012. We have hired a Manager of Enterprise Risk that will be responsible for working with IT to maintain/update our BCP/DR plans to reflect the above changes and to assist in coordinating testing exercises. This person is currently assisting on our claims system conversion and will be joining the Enterprise Security and Risk Management team in Q3 of 2012. His focus will be BCP/DR and other Enterprise Risk Management initiatives.

Recommendation 20

We recommend that GEHA, in collaboration with , develop a process to reconcile printed checks.

Response

We have initiated a project with our Project Management Department and have assembled a team to address this recommendation. We plan to coordinate with and have a reconciliation process implemented once we have identified and created the necessary internal reporting.

Recommendation 21

We recommend that GEHA implement an audit process for the full debarment file.

Response

GEHA does currently perform a monthly 3% audit on our full debarment file. However, based on the recommendation of OPM, we have increased the audit to 100% of the full debarment file effective April 15, 2012.

Recommendation 22

We recommend that GEHA ensure that comprehensive medical edits are incorporated into the development of the new claims processing system.

Response

Our review of the System and the new clinical editor has shown that does not currently have edits for inpatient hospital claims. This specific claim example would not be captured in any of the edits. We will investigate the system capabilities of creating the configuration to assist in up front identification of these claims. There are edits for outpatient hospital claims. For the professional claim example, we have test cases developed to review diagnosis to procedure code edits. The system can then be coded to pend, deny, or use a warning message. We have not received the latest version of to test at this time. We will add these examples to our requirements and set up specific test cases to test capabilities to ensure accurate processing.

The OIG finding included the following information – “GEHA informed us that for professional claims, clinical edits produce warning messages rather than having hard edits in place to prevent the claim from processing. If these claims are submitted electronically, they could be batched and subsequently processed and paid without a processor ever seeing that warning message.”

GEHA response - GEHA does not allow claims with these Clinicalogic warning messages to pass through batch; rather, they are pended to the adjustor for additional review.
Recommendation 23

We recommend that GEHA ensure that the appropriate system modifications be incorporated into the claims processing system to ensure that therapy benefits are limited in accordance with the plan brochure.

Response

GEHA agrees with the recommendation to ensure this is addressed in the conversion to . However, between now and the time of conversion to , we have implemented interim procedures in the Claims Department to adjudicate claims correcting the calculation of time per visit.

Recommendation 24

We recommend that GEHA ensure that the appropriate system configurations are made to to prevent duplicate payments for claims with overlapping dates of service.

Response

GEHA agrees with the recommendation and will explore the system configuration available in to ensure accurate claim processing.

Recommendation 25

We recommend that GEHA implement procedures to ensure that OBRA90 claims are priced with the correct version of the

Response

GEHA agrees with the recommendation and is taking steps to ensure that the adjusters have access to the most current version of the OBRA 90 Pricer before claims processing. This will include working more closely with the IT area to ensure timely loading of the current version, while considering whether claims may need to be held in the interim to prevent claim payment issues.

Recommendation 26

We recommend that GEHA ensure that the appropriate system configurations are made to to ensure that a reduced manual effort is required by claims adjudicators to process claims.

Response

GEHA is exploring every opportunity to reduce manual processes. Conversion to the system will facilitate our goals in this area. While our conversion to is still in the ‘build’ phase, we have already identified several areas of opportunity where reduced manual effort will be realized:

• With the addition of we expect improvements in automated hospital and anesthesia processing.
• We will be using revenue coding which is required by some PPO networks. This will be loaded from the electronic claim and added to the processes in our data entry area. With this information, pricing can be applied through allowing more claims to auto-adjudicate.
• For PPO USA hospitals and facilities that use a complex rate, they will be priced with and auto-adjudicated.
• Authorizations for hospital stays will be loaded into _ and then matched to the specific claim they represent. This will reduce manual review of the authorization and allow auto-adjudication of hospital stays and outpatient services.
• ASA codes and the associated units are also being loaded into the pricing software, as well as configuration of the time units, so that auto-calculation can be performed.
• National Contracts pricing is also loaded in _ reducing the manual pricing that is required today.

Conclusion

We are disappointed in the results of the audit; however, we were making progress to update and improve our information systems infrastructure. We have filled several key positions within the last year to expand our expertise and have added staff to address weaknesses that were noted in the OIG's report. Prior to the start of the audit we formed an Enterprise Security and Risk Management Department that is independent of the IT Department and reports directly to me. The Enterprise Security and Risk Management Department is responsible for establishing security policies, assessing vulnerabilities and working with Information Systems management to remediate weaknesses in internal controls. We thank you and your staff for your assistance in identifying the areas needing improvement and we are working diligently to resolve these issues.

Sincerely,

Richard G. Miles
President

Attachments: Audit Report Draft

CC:
, Chief of Health Insurance II, Insurance Operations
, Chief of Program Planning and Evaluation
Eileen Hutchinson, GEHA VP - CFO
GEHA VP – Claims
GEHA VP – Enterprise Security and Risk Management
GEHA Manager of Internal Audit
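The duplicate billing weakness in section 3 of the report (Recommendation 24) is that the duplicate check keys on the revenue code, so two claims for the same hospital stay billed under different revenue codes are never compared. The following is an added illustration, not GEHA's or the OIG's code: it places the revenue-code-only check beside a check that flags any two facility claims for the same member and provider whose dates of service overlap. The claim records, identifiers and revenue codes are constructed for the example.

```python
"""Overlapping-stay detection for inpatient facility claims.

Added example for the duplicate billing weakness the report describes
(Recommendation 24); it is not GEHA's or the OIG's code. The claim records,
revenue codes and identifiers below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass(frozen=True)
class FacilityClaim:
    claim_id: str
    member_id: str
    provider_id: str
    revenue_code: str   # room-and-board revenue code as billed (illustrative values)
    from_date: date     # first covered day of the stay
    thru_date: date     # last covered day of the stay (inclusive)


def _pair(a, b):
    """Canonical (sorted) pair of claim ids so results compare reliably."""
    return tuple(sorted((a.claim_id, b.claim_id)))


def revenue_code_duplicate_check(claims):
    """The weak check: a pair counts as a duplicate only when member, provider,
    revenue code and both dates are identical. Re-billing the same stay under
    a different revenue code passes this check untouched."""
    seen = set()
    for a, b in combinations(claims, 2):
        key_a = (a.member_id, a.provider_id, a.revenue_code, a.from_date, a.thru_date)
        key_b = (b.member_id, b.provider_id, b.revenue_code, b.from_date, b.thru_date)
        if key_a == key_b:
            seen.add(_pair(a, b))
    return seen


def dates_overlap(a, b):
    """True when the two stays share at least one covered day. Dates are treated
    as inclusive here; whether the discharge day counts as a covered day is a
    plan billing rule, so align this comparison with the plan's convention."""
    return a.from_date <= b.thru_date and b.from_date <= a.thru_date


def overlapping_stay_check(claims):
    """The hardened check: any two claims for the same member at the same
    facility whose dates of service overlap are flagged for adjudicator
    review, regardless of the revenue code used on each claim."""
    flagged = set()
    for a, b in combinations(claims, 2):
        same_context = (a.member_id, a.provider_id) == (b.member_id, b.provider_id)
        if same_context and dates_overlap(a, b):
            flagged.add(_pair(a, b))
    return flagged


# Constructed sample: one stay (A) re-billed under a different revenue code (B),
# an exact duplicate (C), another member's stay (D) and a later, separate stay (E).
SAMPLE_CLAIMS = [
    FacilityClaim("A", "M001", "HOSP1", "0110", date(2012, 1, 3), date(2012, 1, 7)),
    FacilityClaim("B", "M001", "HOSP1", "0120", date(2012, 1, 5), date(2012, 1, 9)),
    FacilityClaim("C", "M001", "HOSP1", "0110", date(2012, 1, 3), date(2012, 1, 7)),
    FacilityClaim("D", "M002", "HOSP1", "0110", date(2012, 1, 3), date(2012, 1, 7)),
    FacilityClaim("E", "M001", "HOSP1", "0110", date(2012, 1, 10), date(2012, 1, 12)),
]

if __name__ == "__main__":
    print("revenue-code-only check flags:", sorted(revenue_code_duplicate_check(SAMPLE_CLAIMS)))
    print("overlapping-stay check flags:  ", sorted(overlapping_stay_check(SAMPLE_CLAIMS)))
```

On the sample, the revenue-code-only check catches just the exact duplicate (A and C), while the overlap check also pairs B with A and C, which is the room-and-board scenario the finding warns about. Flagged pairs are meant to pend for adjudicator review rather than auto-deny, since a legitimate transfer or readmission can also produce adjacent or overlapping dates.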
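GEHA's responses to Recommendations 5, 8 and 9 describe one review process: access templates defined per position, payroll reporting to catch movers and leavers, removal of conflicting (segregation-of-duties) access, and an at-least-annual recertification against the templates. The block below is an added example of that kind of review, not GEHA's code; the role templates, entitlement names, payroll feed and account listing are constructed, and the conflict pairs are illustrative rather than any plan's actual rules.

```python
"""Role-template access review with segregation-of-duties and leaver checks.

Added example for the review process described in GEHA's responses to
Recommendations 5, 8 and 9. Not GEHA's code; all data below is constructed.
"""

# Entitlements each position is expected to hold (constructed templates).
ROLE_TEMPLATES = {
    "claims_clerk": {"claims.view", "claims.intake"},
    "claims_adjudicator": {"claims.view", "claims.adjudicate"},
    "payment_release": {"claims.view", "payments.release"},
    "sysadmin": {"claims.view", "system.admin"},
}

# Entitlement pairs that must never sit on one account (constructed SoD rules).
SOD_CONFLICTS = [
    ("claims.adjudicate", "payments.release"),
    ("claims.intake", "claims.adjudicate"),
]

# Payroll feed: user id -> (position, employment status). Constructed.
PAYROLL = {
    "u100": ("claims_clerk", "active"),
    "u101": ("claims_adjudicator", "active"),
    "u102": ("payment_release", "active"),
    "u103": ("claims_adjudicator", "terminated"),
    "u104": ("sysadmin", "active"),
}

# Entitlements actually provisioned in the application. Constructed.
ACCOUNTS = {
    "u100": {"claims.view", "claims.intake", "claims.adjudicate"},    # excess and SoD conflict
    "u101": {"claims.view", "claims.adjudicate", "payments.release"},  # SoD conflict
    "u102": {"claims.view", "payments.release"},                       # matches template
    "u103": {"claims.view", "claims.adjudicate"},                      # leaver still entitled
    "u104": {"claims.view"},                                           # under-provisioned
    "u999": {"claims.view"},                                           # no payroll record
}


def review_access(accounts, payroll, templates, conflicts):
    """Compare provisioned access with the position template and payroll
    status. Returns excess and missing entitlements, SoD hits, accounts of
    terminated staff that still hold access, and accounts with no payroll
    record (orphans), each keyed or listed by user id."""
    findings = {"excess": {}, "missing": {}, "sod": {}, "leavers": [], "orphans": []}
    for user, held in sorted(accounts.items()):
        if user not in payroll:
            findings["orphans"].append(user)
            continue
        position, status = payroll[user]
        if status != "active":
            if held:
                findings["leavers"].append(user)
            continue
        expected = templates.get(position, set())
        if held - expected:
            findings["excess"][user] = sorted(held - expected)
        if expected - held:
            findings["missing"][user] = sorted(expected - held)
        hits = [(x, y) for x, y in conflicts if x in held and y in held]
        if hits:
            findings["sod"][user] = hits
    return findings


def plan_remediation(findings):
    """Turn findings into the actions a reviewer would hand to the owners.
    Leaver IDs are locked and stripped rather than deleted, matching the
    audit-trail practice GEHA's response describes."""
    actions = []
    for user, extra in findings["excess"].items():
        actions.append(f"{user}: revoke {', '.join(extra)} (not in position template)")
    for user, hits in findings["sod"].items():
        for x, y in hits:
            actions.append(f"{user}: resolve segregation-of-duties conflict {x} vs {y}")
    for user in findings["leavers"]:
        actions.append(f"{user}: lock account and remove all entitlements (terminated)")
    for user in findings["orphans"]:
        actions.append(f"{user}: no payroll record; confirm owner or disable")
    return sorted(actions)


if __name__ == "__main__":
    for line in plan_remediation(review_access(ACCOUNTS, PAYROLL, ROLE_TEMPLATES, SOD_CONFLICTS)):
        print(line)
```

Missing entitlements are reported separately because they are a template-alignment question for the manager, not a security finding; the items that matter for the recertification sign-off are the excess access, the conflict pairs, the leavers and the orphan account.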
Audit of the Information Systems General and Application Controls at the Government Employees Health Association
Published by the Office of Personnel Management, Office of Inspector General on 2012-08-09.