U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS
Final Audit Report
Subject:
AUDIT OF INFORMATION SYSTEMS
GENERAL AND APPLICATION CONTROLS AT THE
GOVERNMENT EMPLOYEES HEALTH ASSOCIATION
Report No. 1B-31-00-11-066
Date: August 9, 2012
--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit
report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available
under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before
releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
Audit Report
FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACT 1063
THE GOVERNMENT EMPLOYEES HEALTH ASSOCIATION
PLAN CODE 31
LEE’S SUMMIT & INDEPENDENCE, MISSOURI
Report No. 1B-31-00-11-066
Date: August 9, 2012
________________________
Michael R. Esser
Assistant Inspector General
for Audits
--CAUTION--
This audit report has been distributed to Federal and Non-Federal officials who are responsible for the administration of the audited
contract. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit
report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be
exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly
distributed copy.
Executive Summary
FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACT 1063
THE GOVERNMENT EMPLOYEES HEALTH ASSOCIATION
PLAN CODE 31
LEE’S SUMMIT& INDEPENDENCE, MISSOURI
Report No. 1B-31-00-11-066
Date: August 9, 2012
This final report discusses the results of our audit of general and application controls over the
information systems at the Government Employees Health Association (GEHA).
Our audit focused on the claims processing applications used to adjudicate Federal Employees
Health Benefits Program (FEHBP) claims for GEHA, as well as the various processes and
information technology (IT) systems used to support these applications. We also conducted a
significant follow-up review of prior audit recommendations from our 2006 IT audit.
In 2006 a substantial number of recommendations were made that collectively identified a
significant weakness in GEHA’s management of IT security. GEHA lacked the critical policies
and procedures necessary for an entity-wide security program. Furthermore, they did not have
the appropriate resources, both tangible and personnel, to ensure the protection of member data
and successful processing of FEHBP claims. During our follow-up review, we determined that
these long standing weaknesses have not been addressed and prior audit recommendations had
been prematurely closed by OPM. While the audit work conducted during this review showed
very recent steps taken by GEHA management to develop an improved IT security program,
currently there are significant weaknesses that still threaten the privacy and security of FEHBP
i
data and member PII. We documented controls in place and opportunities for improvement in
each of the areas below.
Security Management
GEHA has established a series of IT policies and procedures to create an awareness of IT
security at the Plan. However, GEHA has not developed a Rules of Behavior agreement that all
employees are required to sign.
Access Controls
We found that GEHA has implemented numerous controls related to the process of granting
physical access to its data center, as well as logical controls to encrypt sensitive information.
However, we did note multiple opportunities for improvement related to GEHA’s physical and
logical access controls.
Configuration Management
GEHA has developed formal policies and procedures providing guidance to ensure that system
software is appropriately configured and updated, as well as for controlling system software
configuration changes. However, we noted numerous weaknesses in GEHA’s configuration
management program. The weaknesses were severe enough to consider the program a
significant deficiency in GEHA’s ability to securely process sensitive FEHBP data.
Contingency Planning
We reviewed GEHA’s business continuity plans and concluded that they contained most of the
key elements suggested by relevant guidance and publications. We also determined that these
documents are reviewed and updated on a periodic basis. However, GEHA does not perform
routine disaster recovery testing on its distributed server environment.
Application Controls
GEHA has implemented many controls in its claims adjudication process to ensure that FEHBP
claims are processed accurately. However, we recommended that GEHA implement several
system modifications to ensure that its claims processing systems adjudicate FEHBP claims in a
manner consistent with the OPM contract and other regulations.
Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that GEHA is not in compliance with the
HIPAA security, privacy, and national provider identifier regulations.
ii
Contents
page
Executive Summary .......................................................................................................................... i
I. Introduction................................................................................................................................1
Background ............................................................................................................................... 1
Objectives ................................................................................................................................. 1
Scope ......................................................................................................................................... 2
Methodology ............................................................................................................................. 2
Compliance with Laws and Regulations................................................................................... 3
II. Audit Findings and Recommendations .....................................................................................4
A. Security Management .......................................................................................................... 4
B. Access Controls .................................................................................................................... 5
C. Configuration Management................................................................................................ 13
D. Contingency Planning ........................................................................................................ 18
E. Application Controls .......................................................................................................... 20
F. Health Insurance Portability and Accountability Act ......................................................... 25
III. Major Contributors to This Report ...........................................................................................26
Appendix: Government Employees Health Association’s May 10, 2012 response to the draft
audit report issued March 14, 2012.
I. Introduction
This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims at the Government Employees
Health Association (GEHA).
The audit was conducted pursuant to FEHBP contract 1063; 5 U.S.C. Chapter 89; and 5 Code of
Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of
Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.
Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.
The last OIG audit of general and application controls at GEHA occurred in 2006. While the
audit was closed in 2006 by the audit resolution group in OPM’s Healthcare and Insurance
Office, we did a full review of all recommendations from the 2006 audit. We determined that
several recommendations were inappropriately closed and that numerous weaknesses were not
remediated until after 2009. Several recommendations should still be open and have been rolled
forward within this report.
The business processes related to the scope of this audit are primarily located at GEHA’s Lee’s
Summit and Independence, Missouri facilities. GEHA has two data centers supporting FEHBP
processes in the greater Kansas City, Missouri area. Employees responsible for processing
FEHBP claims are predominantly located in Independence, Missouri. The majority of claim
output is printed and mailed at a contractor facility in St. Louis, Missouri. Several PPO
contractor networks are also utilized to perform functions related to both claims input and output.
All GEHA personnel that worked with the auditors were particularly helpful and open to ideas
and suggestions. They viewed the audit as an opportunity to examine practices and to make
changes or improvements as necessary. Their positive attitude and helpfulness throughout the
audit was greatly appreciated.
Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in GEHA’s information technology (IT)
environment.
1
These objectives were accomplished by reviewing the following areas:
• Security management;
• Access controls;
• Segregation of duties;
• Configuration management;
• Contingency planning;
• Application controls specific to GEHA’s claims processing systems; and,
• HIPAA compliance.
Scope
This performance audit was conducted in accordance with generally accepted government
auditing standards issued by the Comptroller General of the United States. Accordingly, the OIG
obtained an understanding of GEHA’s internal controls through interviews and observations, as
well as inspection of various documents, including information technology and other related
organizational policies and procedures. This understanding of GEHA’s internal controls was
used in planning the audit by determining the extent of compliance testing and other auditing
procedures necessary to verify that the internal controls were properly designed, placed in
operation, and effective.
The OIG evaluated the confidentiality, integrity, and availability of GEHA’s computer-based
information systems used to process FEHBP claims, and found that there are opportunities for
improvement in the information systems’ internal controls. These areas are detailed in the
“Audit Findings and Recommendations” section of this report.
The scope of this audit centered on the claims processing system (and the IT
environment that supports it) used by GEHA to process FEHBP claims.
In conducting our audit, we relied to varying degrees on computer-generated data provided by
GEHA. Due to time constraints, we did not verify the reliability of the data used to complete
some of our audit steps but we determined that it was adequate to achieve our audit objectives.
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.
The audit was performed at GEHA offices in Lee’s Summit, Missouri, and Independence,
Missouri. These on-site activities were performed in September and October 2011. The OIG
completed additional audit work before and after the on-site visits at OPM’s office in
Washington, D.C. The findings, recommendations, and conclusions outlined in this report are
based on the status of information system general and application controls in place at GEHA as
of December 15, 2011.
Methodology
In conducting this review the OIG:
• Gathered documentation and conducted interviews;
• Reviewed GEHA’s business structure and environment;
2
• Performed a risk assessment of GEHA’s information systems environment and applications,
and prepared an audit program based on the assessment and the Government Accountability
Office’s (GAO) Federal Information System Controls Audit Manual (FISCAM); and
• Conducted various compliance tests to determine the extent to which established controls and
procedures are functioning as intended. As appropriate, the auditors used judgmental
sampling in completing their compliance testing.
Various laws, regulations, and industry standards were used as a guide in evaluating GEHA’s
control structure. This criteria includes, but is not limited to, the following publications:
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information;
• Information Technology Governance Institute’s CobiT: Control Objectives for Information
and Related Technology;
• GAO’s Federal Information System Controls Audit Manual;
• National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information
Systems;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA
Security Rule; and
• HIPAA Act of 1996.
Compliance with Laws and Regulations
In conducting the audit, the OIG performed tests to determine whether GEHA’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
GEHA was not in complete compliance with all standards as described in the “Audit Findings
and Recommendations” section of this report.
3
II. Audit Findings and Recommendations
A. Security Management
The security management component of this audit involved the examination of the policies and
procedures that are the foundation of GEHA’s overall IT security controls. We evaluated
GEHA’s ability to develop security policies, manage risk, assign security-related responsibility,
and monitor the effectiveness of various system-related controls.
GEHA has implemented a series of formal policies and procedures that comprise a
comprehensive security management program. GEHA’s security management program is led by
the company’s IT professionals whose responsibilities include creating policies to protect against
threats or improper use of sensitive data and HIPAA compliance. All policies and procedures are
approved by an executive committee before they are published and posted on the company
intranet. GEHA has also developed a thorough risk management methodology, and has
procedures to document, track, and alleviate or accept identified risks.
We also reviewed GEHA’s human resources policies and procedures related to hiring, training,
transferring, and terminating employees. However, we found that GEHA has not developed a
rules of behavior agreement for information and information system usage.
NIST Special Publication 800-53 Revision 3, Recommended Security Controls for Federal
Information Systems (NIST SP 800-53) states that “The organization: Establishes and makes
readily available to all information system users, the rules that describe their responsibilities and
expected behavior with regard to information and information system usage; and receives signed
acknowledgment from users indicating that they have read, understand, and agree to abide by the
rules of behavior, before authorizing access to information and the information system.”
Without clearly defining their rules of behavior the organization increases the risk of employees
sharing account access information, downloading malicious software, sharing personally
identifiable information, and general improper use of information systems.
Recommendation 1
We recommend GEHA develop a rules of behavior agreement and require all employees to sign
the document.
GEHA Response:
“GEHA has an extensive orientation process where new hires are trained on various policies
and procedures and are required to sign Acknowledgement of Responsibility forms. These
acknowledgements encompass what one rules of behavior document would address.”
OIG Reply:
We have received evidence that this recommendation has been implemented; no further action is
required.
4
B. Access Controls
Access controls are the policies, procedur es, and techniques used to prevent or detect
unauthorized physical or logical acce ss to sensitive resources.
We examin ed the physical access controls ofGEHA' s data centers, the Independence cla ims
processin g facility, and two Lee' s Summit office buildings . We also examined the logical
controls protecting sensitive data on GEHA ' s network environment and claims processin g
related applications.
In addition, we conducted a network topology scan to verify that all known assets were included
within GEHA ' s system inventory list.
The acce ss controls observed during this audit include , but are not limited to:
• Procedures for appropriately granting physical acce ss to facilitie s and data centers;
• Procedures for revokin g access to data centers for terminated empl oyees;
• Procedures for removing _ network access for terminated employees; and,
• Controls to monitor an d filter email and Intern et activity.
The following sections document several opportunities for improvement related to GEHA ' s
physical and logical acce ss controls.
1. Facility Physical Access Controls
The physical acce ss controls at GEHA ' s facilities could be improved.
All of the facilities we visited utilize some form 0
the building during off-peak working hours.
working hours. GEHA has a receptionist at each facility, but does not
Empl oyees are required to
but there are no physical controls in place to ensure that every individual
o ows t us procedure.
We expect all FEHEP contractors to, at a minimum, have card reader controlled turnstile
gates at facility entrances and multi-factor authentication at data center entrances (e.!, ci
!her
lock or biometric device in addition to an access card). In addition to implementin g
, GEHA should ana lyze the benefit of implementing the commo n p rysical
access controls listed below that we typically see at other FEHBP carrier facilitie s.
Common Data Center Controls
•
5
•
•
•
•
•
Comlllon Office Building Controls
• , and ,
•
FISCAM states that "Controls should acc ommodate employees who work at the enti ty ' s
facilities all an everyday basis; occasional visitors, such as emp loyees of another entity
facility or maintenance pe ople; and infrequent or unexp ected visitors. Physical secur ity
controls vary, but include: manual door or cipher key locks, magnetic door locks that require
the use of electro nic keycards, bi ometrics authenticat ion, secur ity guards, photo IDs, entry
logs, and electronic and visual surveillance systems."
In addition, NIS T SP 800-53 provide s guidance for adequately controlling ph ysical acce ss to
information systems containing sensitive data (see control PE-3, Physical Access Co ntrol).
Failure to implem ent adequate physical access controls increases the risk that unauthorized
individuals can gain acce ss to GEHA facilities and the sensitive IT re sources and confident ial
data they contain .
Recommendation 2
We recommend that GEHA rea ssess its faciliti es ' phy sical access ma nagement and
implement controls that will ensure ro er h sical securit . At a minimum , GE HA should
implement multi-factor
authent ication e.g., crp ter men to an acce ss card) at data
cente r entra nce s.
GEHA Respous e:
"GEHA is cu rrently reassessing facilities access at all ofonr locations and adding th e
following controls to increase physical security.
1.
2. Data Center - Multi-Factor A uthentication at Entrance (COi.lfPLETED) ...
3.
4.
5.
6
DIG ReplY:
As part of the audit resolution process, we reco mmend that GEHA provide OPM 's
Health care and Insurance Office (HIO) with evidence that it has fully implemented eac h of
the chang es to the ph ysical security discussed in its response.
2. Claim Storage Access Contr ols
er claim s containing sensitive information are stored
However, GE HA does not separate access to
The claim s storage area is locke unng non- usme ss
hours, but during the day there are no ph ysical controls to separate the two areas.
FISCAM states that "Many of the control techniques for interior security are similar to those
for perime ter and entry security (for example, locks, surv eillance systems , as well as usin g
and controlling badges, ID cards, smartcards, passkey, and other entry dev ices) ."
Failure to restri ct acce ss to the claim s storage area increases the risk that un auth orized
employees can gain acce ss to sensitive data contained w ithin the room.
In addition, GE HA does not currently have a process in pl ace to monitor claim s file access.
There is no employee stationed within this area and claim files can be remo ved for
referencing. GEHA wa s unable to produce a cla ims file access log.
NIST SP 800-53 states that "The organization ... Controls access to area s officially
designated as pu blicly accessible in accordance with the organization 's asse ssment of
risk. "
Failure to monitor and track acce ss to claim files increases the risk that employees may
manipulate, damage, or lose the claim s.
Recommendation 3
We recommend that GEHA im
require access to the
GEHA Respouse:
"GEHA continues to keep this area locked during non-business hours and corrected this
concern in October 2011 by installing a latching system on the inside ofthe storage area
that prevents unsupervised access. "
DIG Reply:
The intent of this recommendation is to ensure that claim s are stored securely at all times, not
just during non-busine ss hours. As part of the audit resolution process, we recommend that
GE HA provide OPM ' s HIO with evidence that the claims are securely stored, preventing
un auth orized access to claim files at all times.
7
Recommendation 4
We recommend that GEHA implement a process to m onitor and track access to cla im files.
GEHA Respouse:
"The area where the claims are kept is sep arated from the by a
locked door. A ccess to this area is restricted to a limited number ofclaims clerical staff.
There are no sign out pro cedures because claims leave this area only to be copied and
immediately returned to the locked room. "
DIG Reply:
As part of the audit resolution process, we reco mmend that GEHA provide OPM 's HI D with
the policy detailing the requirement to ph otocopy and immediately retum claim s to storage.
Please also provide HID with the policy which instru cts GEHA employee s to properly
dispose of the claim form copies that contain PII.
3. Logical Access Controls
~ loye es are terminated , GEHA 's poli cy is to remove their accounts from the
_ claim s adjudication application.
We compared a list of recently terminated employe es to the active ~er list. We
discovered that 20 terminated employees still had active accounts ~ and that
several of those employee s had multiple active accounts.
Most of these individuals were term inated pri or to 20 10. Although GEHA ' s current process
appears to adequately remove _ acce ss for recentl y terminated users , it appears th at
there has never been an audit of old accounts to identify terminated users.
FISCAM states that "Inactive accounts and accounts for terminated indi viduals should be
disabled or removed in a timely mann er."
Recommendation 5
\Ve recommend GEHA conduct a detailed access review audit of _ user accounts
to identify account s with inapp ropri ate access.
GEHA Respouse:
"GEHA Security Operation s has taken multiple step s to better cOlllrol _ access.
JVe have reviewed access for nsers with administrative access and have removed access
that was inappropriate or no longer needed. To better establish and control access, we
have developed a series of user templates that determine access by position. In doing so we
have consulted with managers to verify access and remove any 1II111eeded access. JVe have
developed reporting from our payroll department that will allow us to better track nsers as
they move within the organization or terminate. We have reviewed all previously
terminated users to assure that all access has been removed. For auditing purposes it is
necessary to leave ID s for terminated employees in place, however, all access to the ID is
8
removed, the account is locked, and the associated_user id is removed. This activity
has been completed."
DIG Reply:
As part of the audit resolution process, we rec ommend that GEHA provide OPM 's HIO with :
• Samples of the user templates tha t determine acce ss by position ;
• Samples of the reports generated from the payroll department to track transferred and
terminated employees;
• Evidence of the access review that took place to ensure tenninated user ac ce ss was
appropr iately removed ; and,
• Evidence of the ongoing logical acce ss auditing for a period of six months .
4. Incident Response and Intrusion Detection
GEHA has docum ente d incident response procedures and has installed an intrusion detection
system. However, the intru sion detection system has not been configured to optimize its
security feat ures . GEHA has recentl y installed next generation firewalls and moni toring
softw are that has the ab ility to prevent an d de tect intrusions, however it is not configu red for
the GEHA envir onment. Ac cording to GE HA , a contractor will be going on-s ite in the near
future to assist in configur ing the tools an d trai ning employees.
FISCAM states that contro l technique s for an effect ive incident re sponse pro gram include "a
means of prompt centra lized reporting; active monitoring of alerts and advisories; [and]
resp onse team mem bers with the necessary knowl edge, skills, and ab ilities ...."
Failur e to prop erl y configure incident re sponse and intru sion dete ction tools could allow
incidents and intru sions to go urun oni tored and unresolved. Thi s co uld lead to a loss of
sens itive resources.
Recommendation 6
We recommend that GEHA configure its intru sion detection tools to optitnize their
capa bilities.
GEH4 Respous e:
"GEHA uses a_firewall that includes intrusion detection capabilities. Th e
intrusion detection capabilities were recently activated and are being monitored to
determine effectiveness ill detecting kllOWII attacks. _ a re updated regularly to
assure that detection capabilities are current. The Se curity Operations team will assist the
Enterprise A rchitecture team ill flne-tuuing the detection capabilitie~
reveals chou es that call be made to im rove th e s 'stem's res onse. _
5. Remote Access Authentication
GE HA does not require to acce ss its netw ork from a remote
location . Employees are required to use their to remotely
9
authenticate to GEHA ' s network. consist of a
_ _ _ _IS to implement in the future by requiring the
NIST SP 800-53 Revision 3 states that information systems should use multifactor
authentication for local and netw ork access to privileged and non-privileged accoun ts.
Failure to implement adequate authentication controls increases the risk that unauthorized
individuals can gain acce ss to sensitive resources and confidential data.
Recommendation 7
We recommend that GEHA implement
GEHA Respouse:
_to 's .
"GEHA ha s taken steps to purchase and implement
remote access users. Remote web access to GEHA resources orces
GEHA euviroumeut using and
~ is project has been completedlor all users with remote access."
DIG Reply:
As part of the audi~roces s , we reco mmend that GEHA
evidence when the _ i m p lementation is complete and IS
required for all remote acce ss users.
6. Segregation of Duties
GEHA does not enforce proper segregation of duti es on its major applications. Currently,
only one major application is monitored for proper segregation of duties. Furthermore , the
process for monitoring segregation of duties is not documented .
FISCAM states that "Work responsibilities should be segregated so that one individual does
not control critical stages of a process." FISCAM also states that "Management should have
analyzed operations and identified incompatible duties that are then segregated through
policies and organizational divisions."
Failure to implement adequate proper segregation of dut ies increases the risk that erroneo us
or fraudulent transactions could be processed, that imp roper program changes could be
impl emented , or that computer resources could be damaged or destroyed .
Recommendation 8
We recommend that GEHA document a process for ensuring application access is granted
with proper segregation of dutie s and implement the process for all major applications.
10
GEHA Response:
“GEHA has taken steps to identify duties within the claims processing area and has
defined those activities that present a potential violation of the segregation of duties.
access has been reviewed and conflicting access removed. Other applications
have initially been configured to reduce conflicts, but currently need to be reviewed and
any conflicts removed. Expected completion of this activity is by the end of the fourth
quarter of 2012.
GEHA’s Internal Audit Department performs an annual audit of access rights on major
applications for employees who have terminated or transferred positions.”
7. Logical Access Privileges Approval and Review
GEHA does not routinely recertify that employee application access is appropriate for all
major applications. Currently, only one application is subject to a full access recertification
review by the system owners. GEHA’s Internal Audit Group does perform periodic
application access reviews, but the review includes only a small sample of employees.
FISCAM states that “The computer resource owner should identify the specific user or class
of users that are authorized to obtain direct access to each resource for which they are
responsible . . . . The owner should identify the nature and extent of access to each resource
that is available to each user. [This includes the following types of access: read, update,
delete, merge, and execute] Access may be permitted at the file, record, or field level. . . .
Owners should periodically review access authorization listings and determine whether they
remain appropriate. Access authorizations should be documented on standard forms and
maintained on file.”
Failure to routinely recertify the appropriateness of application access could allow employees
to perform functions or access sensitive information that they should not have approval to
access.
Recommendation 9
We recommend that GEHA expand the access recertification process to all major
applications.
GEHA Response:
“The GEHA Security Operations team is in the process of working with managers to
develop role based access templates for and major applications. During
the process we are aligning current access of individuals to templates created for the role
or job title they hold. Managers are reviewing access changes to align with templates
created. Going forward the Security Operations team will use this application reports and
templates to verify with management the access of all employees at least annually.”
11
8. Application Access Monitoring
GEHA does not adequately monitor user acce ss to its applications. Weekly access violation
report s are emailed to management, but the reports are not reviewed. GEHA is in the process
of creating an Information Security Group that will take over security monit oring
responsibilities for the entire compan y, including the review of access violation reports.
Furthermore, GEHA does not monitor user activity within the claims pro cessing application.
FISCAM states that "Audit and monitoring involves the regu lar collect ion, review, and
analysis of indications of inappropriate or unauthorized access to the application."
Management should monitor acce ss within the application (i.e., unauthorized access
attempts, unusual activity, etc.).
Failure to monitor act ivity logs an d violation reports could allow attempts to gain
unauthorized access to sensitive computer resource s to continue unn oticed.
Recommendation 10
\Ve recommend that GEHA implement a pro cess to log and review user access to and
activity within its applications.
GENA Respouse:
"The Securitv 0 erations team has develo
reports.
for s and other applications are not available at this time. reports are
reviewed, nsers are contacted to respond to violations, and notations are made
electronically on the report pdffile. The file is stored along with related correspondence.
This process is currently implemented. "
DIG ReplY:
The intent of this recommendation was not to simply monitor log-on violations at the .
_ b u t also to audit user transactions within the claims processing system. As part ofthe
audit resolution process, we recommend that GEHA provide OPM ' s HID w ith evidence of a
solution to monitor the claims processing system's user activity.
9. Claims Processing System Password l\Iodification
GEHA uses a when creating all new _ user
accounts or resetting the password of existing acco unts. While GEHA requires that the
temporary password be changed after the first login attempt, this is not a sufficient
compensating control. The process for establishing and changing password s for the claims
processing system is less secure than other major applications at GEHA. For other
applications, an email is automatically sent to the user with a randomly generated temporary
password that they use to establish new acco unts or unlock existing ones.
NIST SP 800-118 (draft) states that "Randomly generated or arbitrarily chosen [one time
passwords], not default or patterned passwords (e.g., "NIST0722"), should be used during
12
account creation and pa ssword reset processes. Thi s ensure s that if the user does not
promptly chang e the assigned password , that the password will not be easily gue ssable."
Failure to use randoml y generated temporary passwords increa ses the risk that a person could
gain un authorized access to the claims processing system by exploiting the default password .
Recommendation 11
We recommend that GEHA program the new claim s processing system to use randomly
genera ted temp orary passwords for users who need to establish new accounts and users who
lock themselves out of the system. The passwords should be automa tically ema iled to the
user requesting access.
GENA Respouse:
"The S ecurity Operation s team will review current practices for creating_ IDs
where users will automatically authenticate
as they activate the application client.
to.
and modify that process as necessary adding step s to require interaction with the Help
Desk before a user id is activated or first use. The new claims system uses authentication
based on
pas sword management
will be reviewed and changes made as necessary to randomize initial pas swords. A
password self-s ervice tool will be investigated to see i/they provide a more secure method
for changing initial or forgotten pa sswords. Changes to processes will be completed by the
fourth quarter of2012."
C. Configuration ~'1anagement
_ is housed in a
control managed by
su 0I1in the cla ims adiudication process are housed in a with the
We evaluated GEHA ' s management 0 t us system software
and have serious concerns regarding its overall configuration management program.
The sections below docum ent areas for improvem ent re lated to GE HA 's configuration
management controls. We believe that the severity of the weakne sses re lated to configuration
management represents a significant deficiency in GEHA ' s ability to securely process FEHBP
data in its IT environment.
1. Baseline Configur ations
GE HA has not docum ent ed a secure baseline configuration for its servers or main frame.
New system software is currently configured using employees ' collec tive knowledge of be st
practices. However, no standard configura tion doc umentation has been crea ted for any
system software used by the organization. In December 20 11, GE HA created a Baseline
Serve r Configuration and Maintenance Plan that detail s the new process for crea ting
configu ration baselin es for three serv er operating systems. TIle actua l baselin e documents
are scheduled for complet ion in 20 12.
13
FISCAM states that "The entity should maintain current configuration information in a
forma l configura tion baseline that contains the configuration information fonnally designated
at a specific time durin g a product' s or produ ct component' s life. Configuration baselines,
plus approved changes from those baselines, constitute the current configura tion information .
There should be a CIUTent and comprehensive baseline inventory of hardware, software, and
firmware, and it should be routinely validated for accurac y."
Failure to create baseline configurations increases the likelihood that newly implemented or
modified hardware, software, and firmware will not be securely configure d.
Recommendation 12
We recomm end that GEHA forma lly document baseline configura tions for its hardware,
software, and firmware.
GEHA Respouse:
"GEHA is addressing secure baseline configuration in a three-phase approa ch. Ea ch
phase will document the system function, inventory, configuration s and securi ' hardening
re uirements. For the initial lmse; GEHA is ocu siu on
2. Monitoring System Administrator Activity
GEHA 's management does not monitor system administrator activity. GE HA currently
emPloysi lO! W administrators that have the authority to control security for the entire
system. has a reporting capability that docum ents any changes that the administrators
make to t e system . However, these reports are not currently reviewed.
NIST SP 800-53 Revision 3 requires that "The organization ... Tracks and monitors
privileged role assignments. Privileged roles include, for example, key management,
network and system administration, database adm inistration, [and] web administration."
Failure to docum ent and track system administrator activity could allow unint ended or
malicious events to go undet ected and increase system vulnerability.
Recommendation 13
We recommend that GEHA implement a process to routinely monitor system administrator
activity.
14
GEHA Response:
“The Security Operations team has developed a daily process to review
administrator activity reports. The reports are reviewed, users are contacted to
respond to questionable activities, and notations are made electronically on the report pdf
file. The file is stored along with related correspondence. The new claims processing
system will require different tools to track administrative access because access will
primarily be controlled through It may be possible to track
administrative access within the new application but that is unknown at this time. A tool is
being investigated that will track user data view and that tool may provide additional
visibility within the new claims application. administrator activity monitoring is
currently implemented.”
OIG Reply:
As part of the audit resolution process, we recommend that GEHA provide OPM’s HIO with
samples of the reports generated to monitor administrator activity as well as evidence
of the review to routinely monitor system administrator activity.
3. Configuration Auditing
GEHA performs configuration audits of its servers. However, they do not
adequately use the results of the audits to enhance system security. The results of the audits
revealed numerous configuration settings that were below industry standards. To confirm
these results, we used an automated tool to conduct a compliance audit on over 150
production servers to determine if configuration settings were in compliance with HIPAA
and industry standards. The results of the scan revealed major compliance issues in each
server (the results of the scan were provided to GEHA but will not be detailed in this report
due to the sensitive nature of the information).
FISCAM states “Current configuration information should be routinely monitored for
accuracy. Monitoring should address the current baseline and operational configuration of the
hardware, software, and firmware that comprise the information system. . . . Monitoring,
sometimes called configuration audits, should be periodically conducted to determine the
extent to which the actual configuration item reflects the required physical and functional
characteristics originally specified by requirements.”
Failure to analyze the results of configuration audits and appropriately adjust software
settings increases the risk of improper and less secure system software configuration.
Recommendation 14
We recommend that GEHA address the issues detected by the compliance audit and routinely
monitor system software configuration to ensure compliance with established baselines.
GEHA Response:
“The recent purchase of a security vulnerability scanning tool by the Security Operations
team gives us the ability to scan configuration settings of individual servers once
15
authenticated to the server. Security Operations will work with the Enterprise Architecture
to assure that appropriate settings are routinely scanned and addressed. This
recommendation should be completed by the end ofthe fourth quarter of2012."
4. Vulnerability Scanning and
GEHA does not perform routine vulnerability scanning of its computer servers. We used an
automated tool to conduct a vulnerability scan of GEHA 's server environment to determ ine if
its servers were ro erl secured . We discovered num erous weaknesses related to _
(the results of the scan were
provided to GEHA but w ill not be deta~ue to the sensitive nature of the
information). GEHA has doclilllente d _ procedur es, but they are not being
enforced.
\Ve used another automate d tool to conduct
scans on GEHA 's
product any negative results. The was term inated prematurel y
because it caused a disruption to GEHA' s production environment. However, the limited
results that were return ed from this scan indicated that the may be vulnerable
to s t e resu ts 0 t ie scan were
provided to GEHA but w ill not be detailed in this report due to the sensitive nature of the
information). We believe that the extent of the securit wea knesses could be better eva luated
by a third party company that specializes in
FISCAM states that "Software should be scanned and updated frequ ently to gua rd against
kn own vulnerabilities." NIST SP 800-53 Revision 3 states "TIle organization (including any
contractor to the organization) promptly installs security-relevant software updates (e.g.,
patches, service packs, and hot fixes). Flaws discovered during security assessments,
continuous monitorin g, incident response activities, or information system error handling, are
also addressed expeditiously."
Failure to promptly insta l l _ increases the risk that vulnerabilities will not be
remediated and llllau~a in access to the system. Furthermore, the
weakness within the _ could be compromised, allow ing unauthorized
users acce ss to PII.
Recommendation 15
We recommend that GEHA implement a process to conduct routine vulnerability scans and
track any identified weaknesses until they are remediated.
GENA Respome:
"A product to scan system s for vulnerabilities has recently been purchased and a project
has been created to develop pro cesses for scanning, uotiflcation offindings, risk
assessment, remediation, and review. The project will focus Oil redu cing the risk to the
organization by implementing a routine vulnerability monitoring and remediation
16
program. This recommendation should be completed by the end ofthe fourth quarter of
2012. "
Recommendation 16
We recommend that GEHA install the that were identified in the
scan result s and. in the future , improve the patch management process to ensure that _
_ are installed promptly.
GEHA Respouse:
to identify
ortance develo in and implementing
0 a.
s, determine applicability to
GEHA systems, and distribute and implement on GEHA system s to prevent and minimize
the risk ofsecurity breaches and losses. GEHA is iuitiatin a ormal
program to mitigate the risk presented by the
program will be a combination oftechnology in the form 0 and
deployment software and processes to identify, test and deploy software updates following a
risk-based management approach. . . . "
Recommendation 17
We recommend that GEHA contract with a third party vendor that specializes in II
vu jnerabili assessments to conduct a thoroug h _ vu lnerability assessment
of its
GEHA Respouse:
ill two dijJe::f.:::l:..!:.!:1!/2012,
to conduct a comprehensil' e _
. The sco eo the assessment included our
. Our IT and S ecurity
issues noted in that assessment. In addition, GEHA is
currently redesigning our and Security team s are involved ill tho se
discussions to ensure that an)' open vulnerabilities or concerns are addressed in the new
design.
~ we are addressing this issue is the purchase and implementation of
_ . Our Information Security Analysts have installed this solution and are
currently conducting configuring and testing. This tool will be used on a continuous basis
to assist security in identifying vulnerabilities affecting our infrastructure and will assist ill
the risk ranking ofthose vulnerabilities to drive remediation priorities. The solution will
have the ability to not only alert securit . sta to vulnerabilities fac~.
but also vulnerabilities on our . We expect to hal'e~d
in our production environment and identifying vulnerabilities by Q3 of 2012.
We feel that it is important and we plan to continue engag;,r~arty to conduct an
independent assessment, however due to the addition ofo u r _ tool and
17
vuln erability managem ent pro cesses, we will be reducing the frequency of tttose from
annually to perhap s every' other year,"
DIG Reply:
As part of the audit re s oluti~ , we recommend that GEHA provide OPM 's HIO with
the followin g evidence: the _vulnerability assessment and penetration test results,
evidence of the trackin g and remediation of weaknesses, evidence of the imple mentation of
and the functionality of the tool.
5. Up dating System Softwar e
GEHA is currently running a version of , that is
not supported by the vendor. GEHA has begu n the process of upgrading to a supported
operating system, but the upgrade is not complete.
FISCAM states that "Software should be scanned and updated frequently to guard against
known vulnerabilities. In addition to periodically looking for software vulnerabilities and
fixing them, security software should be kept current by establishing effec tive programs for
patch mana gement, viru s protection, and other emer ging threats. A lso, software releases
should be adequately contr olled to prevent the use of noncurrent software.... Procedures
should ensure that only current software releases are installed in information systems.
Noncurrent software may be vulnerable to malicious code such as viruses and worm s."
Fail ure to use all operating system that is supported by the vendor increases the risk that the
operating system contains vulnerabilities that cann ot be fixed or patched.
Re commendation 18
We recomm end that GEHA continue its efforts to upgrade the _ opera ting system
to a vendor-supported version.
GEHA R espous e:
"GEHA is continuing the efforts to update the .lie operating systems to vendor
supported versions. We are working through the and custom-developed application
dependencies which require update before th e e operatin systems can be
updated. GEHA has also had to pro cure and implement a new storage
subsystem to allow for the increased cap acity needs for the testing environments for
process and inter-operability testing. "
D. Contingency Planning
We reviewed GEHA ' s serv ice continuity program to detennine whether controls were in place to
prevent or minimize damage and interruptions to business operations when disastrous events
occur.
18
We evaluated GEHA ' s contingency plann ing documentation to determine whether it outlined
procedure s for maintaining critical services for its members should business operations be
disrupted. TIle followin g elements of GEHA ' s contingency planning pro gram were reviewed :
• Business continuity plans for several major business units including claims,
telecommunications/customer service. and check printing;
• Disaster recovery plan for the _ claims processing system;
• Disaster recovery tests conducted in conjunction with an _ recovery site; and,
• Emergency response procedure s and training.
We determined that critical elements suggested by NIST SP 800-34, "Contingency Planning
Guide for IT Systems," were addressed in the service continuity documentation reviewed .
GEHA has identified which systems and resources are critical to business operations and how to
recover those systems and resources.
GEHA does not perform a complete disaster recovery test for all systems. We were provided
evidence that GEHA routinely performs a disaster recovery test of the at the recovery
site. However, we learned that there is no routine ~he environm ent .
Wh ile the claims processing system resides on the _, the ronment
supports other critical GEHA applications.
FISCAM states that "Testing contingency plans is essential to determining whether they will
function as intended in an emergency situ ation. TIle most useful scenarios involve
simulating a disaster situation to test overall service continuity."
Failure to perform annual disaster recovery tests on the _ decreases the
likelihood that GEHA will be able to completely restore= of a disaster.
Recommendation 19
\Ve recommend that GEHA conduct and doc ument an annual disaster recovery test for the
all_
GEHA Respouse:
"GEHA ha s designed and implenltf~ site co-locatiou facility that will function
as the disaster recovery site for GEHA is currently replicating all
data to the site through the use o / t h e _ d a t a protection platform.
GEHA is scheduled to perform disaster recover)' testing in Q3 0/2012. We have hired a
Manager 0/ Enterprise Risk that will be responsible/or working with IT to maintain/update
our BCPIDR plans to reflect the above changes and to assist in coordinating testing exercises.
This person is currently assisting on our claims system conversion and will be joining the
Enterprise Security and Risk Management team in Q3 0/2012. His locus will be Bep/DR and
other Enterprise Risk . Management initiatives. "
19
E. Application Controls
Application Configuration Management
We evah~lici e s and procedures goveming software development and change control of
GEHA 's _ claim s processin g application.
GEHA has a series of poli cies and procedures related to application configu ration management.
GEHA has adopted a traditional system dev elopment life cycle methodology that IT personnel
follow during routine software modifications. The following controls related to testing and
approva ls of software modifications were observed:
• GEHA has implemented change trackin g software and correlating business practices that
allow modifications to be tracked throughout the change process; and,
• Code, uuit, system , and quality testing are all conducted in accordance with industry
standards.
Claims Processing System
We evaluated the input, processing, and output controls assoc iated with _ In terms of
input controls, we documented the policies and procedures adopted by GEHA to help ensure
that: 1) there are controls over the inception of claim s data into the system; 2) the data received
comes from the appropriate sources; and , 3) the data is entere d into the claims database correctly.
We also reviewed GEHA 's quality assura nce methods for reconciling processing totals aga inst
input totals and for evaluating the accurac y of its processes. Finally, we examine d the security of
ph ysical input and output (paper claim s, checks, explanation of benefits, etc.).
GE HA informed us that they are in the initi al devel opment phase of implementing a new claim s
processin g system, _ Thi s is scheduled for completion by the end of 20 12.
Provider Networks Involvement ill Claims Processing
GEHA utili zes PPO Contrac tor Networks erfonn functions related to claims
input and clinical editing. One Network, , has responsibilities for
input, clini cal edits, and output processes. During the course of our aud it, we toured the facilities
responsible for both the input and output of GE HA 's UH C claims. We determined that there are
sufficient processes in pl ace to ensure the effective input of claims data.
GE HA sends then prints provider checks from a GE HA bank
account. However, GEHA and do not reconcile the quanti ty and do llar amoun t of checks
printed to the origina l submiss ion by GE HA.
Without a reconcili ation of the actua l checks print ed by . to those submitted by GE HA , there
is an increased likelihood that improper claim payments will go un detected.
Recommendation 20
We recommend that GEHA , in collaboration with . develop a process to reconcile printed
checks.
20
GEHA Response:
“We have initiated a project with our Project Management Department and have assembled a
team to address this recommendation. We plan to coordinate with and have a
reconciliation process implemented once we have identified and created the necessary internal
reporting.”
Enrollment
We evaluated GEHA’s procedures for managing its database of member enrollment data. GEHA
receives its enrollment data via fax, mail, and electronic update files. The majority of enrollment
information is received electronically (about 70%) and is inputted into the database
automatically. Enrollment information is otherwise inputted manually into the database.
Information that is manually entered into the system is audited by enrollment specialists. Daily
error reports are generated for managers to view as a part of the employee performance
evaluation as well as used during the audit process by the enrollment specialists.
GEHA receives an e-mail attachment containing the quantity and type of enrollment file
transmissions; however, at the time of the audit GEHA did not have a process to reconcile what
is sent and what is actually received. As a result of our audit GEHA stated that it will begin a
reconciliation process using the e-mail attachment and the files received.
There were no further concerns regarding GEHA’s enrollment policies, process and procedures.
Debarment
GEHA has adequate procedures for updating its claim system with debarred provider
information, but it does not routinely audit its debarment database for accuracy.
GEHA downloads the OPM OIG debarment list every month and compares it to its provider
maintenance file. Any debarred providers that appear in GEHA’s provider master database are
flagged to prevent claims submitted by that provider from being processed by the claims
processing system.
However, this process is done manually, and GEHA does not do a full reconciliation of the
debarment list with its provider master database.
Failure to audit the accuracy of the debarment file increases the risk that claims are being paid to
providers that are debarred.
Recommendation 21
We recommend that GEHA implement an audit process for the full debarment file.
GEHA Response:
“GEHA does currently perform a monthly 3% audit on our full debarment file. However,
based on the recommendation of OPM, we have increased the audit to 100% of the full
debarment file effective April 15, 2012.”
21
OIG Reply:
As part of the audit resolution process, we recommend that GEHA provide OPM’s HIO with
evidence of the monthly audit of the debarment file for a period of three months.
Application Controls Testing
To validate claims processing controls, a testing exercise was conducted on the GEHA
system. This test was conducted at GEHA’s Independence, Missouri facility with
the assistance of GEHA personnel. The exercise involved processing claims designed with
inherent flaws in the test environment of the claims adjudication application. Upon conclusion
of the testing exercise, the expected results were compared with the actual results obtained
during the exercise.
The sections below document the opportunities for improvement that were noted related to
application controls. GEHA intends to replace with a new claims processing system
called The recommendations contained within this section are directed toward this new
system.
1. Clinical Edits
We submitted a hospital claim for a male with a diagnosis of postmenopausal bleeding and a
procedure code for a total abdominal hysterectomy. This claim was processed and paid
without encountering any system edits, despite the fact that this procedure could not be
performed on a male. We were informed by GEHA that does not have any
clinical edits in place for hospital claims. This was a prior recommendation in 2005.
This system weakness increases the risk that benefits are being paid for procedures
associated with a diagnosis that may not warrant such treatment.
Recommendation 22
We recommend that GEHA ensure that comprehensive medical edits are incorporated into
the development of the new claims processing system.
GEHA Response:
“Our review of the System and the new clinical editor has shown that
does not currently have edits for inpatient hospital claims. This specific claim example
would not be captured in any of the edits. We will investigate the system capabilities of
creating the configuration to assist in up front identification of these claims. There are
edits for outpatient hospital claims.
For the professional claim example, we have test cases developed to review diagnosis to
procedure code edits. The system can then be coded to pend, deny, or use a warning
message.
22
We have not received the latest version of to test at this time. We will add these
examples to our requirements and set up specific test cases to test capabilities to ensure
accurate processing . . . .”
OIG Reply:
The lack of clinical edits in GEHA’s claims processing system extends back to a prior OPM
OIG audit from 2005. Clinical edits are a necessary element of implementing a new claims
processing system. We continue to recommend that GEHA make the appropriate system
modifications to ensure clinical edits are implemented for both professional and facility
claims. As part of the audit resolution process, we recommend that GEHA provide OPM’s
HIO with appropriate supporting documentation indicating its progress in successfully
implementing these modifications.
2. Therapy Visit Counter
Procedure codes for therapy visits indicate a specific length of time of the services provided.
The benefit structure only allows 2 hours per visit in addition to limiting the number of visits
per year to 60. GEHA is not appropriately calculating the length of time per visit.
The OIG submitted a series of claims to test ability to limit physical and
occupational therapy visits to 60 per calendar year. While the system is configured to stop
paying claims after 60 visits, we submitted a visit for 2.25 hours, and it was counted as 1 visit
rather than two.
This system weakness increases the risk that providers are paid for rendering non-covered
services.
Recommendation 23
We recommend that GEHA ensure that the appropriate system modifications be incorporated
into the claims processing system to ensure that therapy benefits are limited in
accordance with the plan brochure.
GEHA Response:
“GEHA agrees with the recommendation to ensure this is addressed in the conversion to
However, between now and the time of conversion to we have implemented
interim procedures in the Claims Department to adjudicate claims correcting the
calculation of time per visit.”
OIG Reply:
As part of the audit resolution process, we recommend that GEHA provide OPM’s HIO with
supporting documentation for the interim process showing that therapy claims are
automatically detected for manual review/calculation. Furthermore, we recommend GEHA
provide evidence of the implementation of these edits in place in the claims
processing system.
23
3. Overlapping Hospital St ays
The _ system paid duplicate room and board charges on test claims for a member
with two overlapping hospital stays.
The system does not have edits in place to prevent both room and board and intensive care
charges for the same time period . We submitted a claim for an intensive care room and a
subsequent claim for a semi-private room at the same facility on the same day. We were
informed by GEHA representatives tha t _ only looks at the revenue code for
duplicate billing. As long as different re~s are used, the system will never detect
multiple claims containing overlapping dates of service for hospital stays.
This system weakness increases the risk that hospitals are being paid for duplicate room and
board expenses.
Recommendation 24
We recomm end that GEHA ensure that the appropriate system configur ations are made to
_ to prevent duplicate payments for claims with overlapp ing dates of service.
in.
GEH4 Respome:
"GEHA agrees with th e recommendation and will explore the system configuration
available to ensure accurate claim pro cessing. "
4. OBRA 90 PRICER
GEHA is pricing OBRA90 claims with outdated versions of the
program.
We entered several test claims subject to OBRA90 pricing into the _ system . The
system suspended all of the claims for OBRA90 pricing (also referred to as diagnosis-related
ou or DRG ricin . and the GEHA claims adjudicator priced each claim using the .
We also independently priced each claim using the most recent versions of the _
progra ms, and compared the Medicare DRG amount produced to that calculated by the
GEHA adjudicator. All of the test claims rocessed by GEHA were priced accurately,
however we received screenprints of the from GEHA which indicated GEHA was
not using the most current version of the
~omp tly provide claims adjudicators with updated versions of the _
_ program increases the risk that GEHA is pricing OBRA90 cla im~
Recommendation 25
We recomm end that GEHA im lement rocedures to ensure that OBRA90 claims are priced
with the correct version of the
24
GEHA Response:
“GEHA agrees with the recommendation and is taking steps to ensure that the adjusters
have access to the most current version of the OBRA 90 Pricer before claims processing.
This will include working more closely with the IT area to ensure timely loading of the
current version, while considering whether claims may need to be held in the interim to
prevent claim payment issues.”
5. Manual Processing of Claims
A significant portion of claims processed by GEHA are processed manually, including all
hospital, anesthesiology, and renal failure claims.
The amount of manual effort required by adjudicators to process claims greatly increases the
risk that these claims are processed incorrectly.
Recommendation 26
We recommend that GEHA ensure that the appropriate system configurations are made to
to ensure that a reduced manual effort is required by claims adjudicators to process
claims.
GEHA Response:
“GEHA is exploring every opportunity to reduce manual processes. Conversion to the
system will facilitate our goals in this area. While our conversion to is still in
the ‘build’ phase, we have already identified several areas of opportunity where reduced
manual effort will be realized . . . . ”
F. Health Insurance Portability and Accountability Act
The OIG reviewed GEHA’s efforts to maintain compliance with the security and privacy
standards of HIPAA.
GEHA has implemented a series of IT security policies and procedures to adequately address the
requirements of the HIPAA security rule. GEHA has also developed a series of privacy policies
and procedures that directly addresses all requirements of the HIPAA privacy rule. The plan has
a designated Privacy Official who has the responsibility of ensuring compliance with HIPAA
Privacy and GEHA’s HIPAA Privacy policies. GEHA employees receive HIPAA-related
training during new hire orientation, as well as annual refresher training.
Nothing came to our attention that caused us to believe that GEHA is not in compliance with the
various requirements of HIPAA regulations.
25
III. Major Contributors to This Report
This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. The following individuals participated in the audit
and the preparation of this report:
• , Group Chief
• , Senior Team Leader
• , Auditor In Charge
• , IT Auditor
• , IT Auditor
26
Appendix
I
The Benefit s of Better Health
I
Ma y 10, 2012
-
Auditor in Charge
I nformat ion Systems Audite; Group Office of the Inspector General
1900 E St reet, NW Room 6400
Wa shington, DC 20415-1100
We have completed our review o f th e report for th e Aud it of info rmatio n Systems
Gen eral and Application Cont rols at Govern ment Employees Health Associat ion (GEHA)
dated Ma rch 14, 2012. The foll owing are our responses for each recommendation th at
was presented in the report.
Recommendati on 1
We recommend GEHA develop a rule s of behavior agreement and requ ire all employees
to sign the document.
GEHA Response
GEHA h as an extensive or ient ation process where new hires are t rained o n various
policies and procedures and are requi red to sign Acknowledgemen t of Responsibility
forms. These acknowledgements encompa ss what one rules of behavior document
would address.
1. Acknowledgement of GEHA Code of Ethics.
a. Confidentiality Agreement which is requ ir ed upon hire and ann uall y
t hereaft er. The Confident iality agreement ensures the employee t o keep
GEHA proprietary and healt h informat ion confidential and to repo rt any
accidental or inte nt iona l disclosure .
b. HR pol icy 5-05 -Code o f Eth ics w hich Includes a section on
'compromising com puter security'
2. Acknowledgement o f Responsibility for HIPAA confi dent iality of patient
inform at ion. This is required upon hire and t he reafter when additional training
is given .
a. HIPAA Polley 210 - Confident iality and Security of Patient Information
Employee Breach and Disciplinary Action .
b. HIPM PolicY 215 - Breach Reporting, lnvestigat ion and Notification
Requ ireme nt s.
3. Acknowledgem ent of GEHA Information Protectio n Policy.
Government Empl oyees Health Aaao c!atlon, Inc.
P.O. Box 4665 • Independence. MO 64051-4665 . Telephone (800) 821-6136
www .gcha.com
a. HR Policy 5-35 – Information Protection. This policy covers all information in any
form and from any system.
b. HIPAA Policy 840 – Internet and Software Acceptable Use Policy
Recommendation 2
We recommend that GEHA reassess its facilities’ physical access management and implement
controls that will ensure proper physical security. At a minimum, GEHA should implement
t data center entrances.
GEHA Response
GEHA is currently reassessing facilities access at all of our locations and adding the following
controls to increase physical security.
2) Data Center – Multi-Factor Authentication at Entrance (COMPLETED) - Access to
GEHA’s data center at our 310 building requires both an access badge as well as the
code to a cipher lock built into the door. The addition of the cipher lock was completed
in September of 2011.
3)
4)
2
5)
Recommendation 3
We recommend that GEHA implement physical controls to prevent employees that only require
access to the
GEHA Response
GEHA continues to keep this area locked during non-business hours and corrected this concern
in October 2011 by installing a latching system on the inside of the storage area that prevents
unsupervised access.
Recommendation 4
We recommend that GEHA implement a process to monitor and track access to claim files (in
the mail sort room).
GEHA Response
The area where the claims are kept is separated from the by a locked
door. Access to this area is restricted to a limited number of claims clerical staff. There are no
sign out procedures because claims leave this area only to be copied and immediately returned
to the locked room.
Recommendation 5
We recommend GEHA conduct a detailed access review audit of user accounts to
identify accounts with inappropriate access.
GEHA Response
GEHA Security Operations has taken multiple steps to better control access. We
have reviewed access for users with administrative access and have removed access that was
inappropriate or no longer needed. To better establish and control access, we have developed a
series of user templates that determine access by position. In doing so we have consulted with
managers to verify access and remove any unneeded access. We have developed reporting
3
from our payroll department that will allow us to better track users as they move within the
organization or terminate. We have reviewed all previously terminated users to assure that all
access has been removed. For auditing purposes it is necessary to leave IDs for terminated
employees in place, however, all access to the ID is removed, the account is locked, and the
associated user id is removed. This activity has been completed.
Recommendation 6
We recommend that GEHA configure its intrusion detection tools to optimize their capabilities.
GEHA Response
GEHA uses a firewall that includes intrusion detection capabilities. The intrusion
detection capabilities were recently activated and are being monitored to determine
effectiveness in detecting known attacks. are updated regularly to assure that
detection capabilities are current. The Security Operations team will assist the Enterprise
Architecture team in fine-tuning the detection capabilities as monitoring reveals changes that
can be made to improve the system's response.
Recommendation 7
We recommend that GEHA implement for remote access.
GEHA Response
GEHA has taken steps to purchase and implement for remote
access users. Remote web access to GEHA resources forces to
GEHA's environment using . This project
has been completed for all users with remote access.
Recommendation 8
We recommend that GEHA document a process for ensuring application access is granted with
proper segregation of duties and implement the process for all major applications.
Response
GEHA has taken steps to identify duties within the claims processing area and has defined those
activities that present a potential violation of the segregation of duties. access has
been reviewed and conflicting access removed. Other applications have initially been
configured to reduce conflicts, but currently need to be reviewed and any conflicts removed.
Expected completion of this activity is by the end of the fourth quarter of 2012.
GEHA’s Internal Audit Department performs an annual audit of access rights on major
applications for employees who have terminated or transferred positions.
4
Recommendation 9
We recommend that GEHA expand the access recertification process to all major applications.
Response
The GEHA Security Operations team is in the process of working with managers to develop
and major applications. During the process we are
aligning current access of individuals to templates created for the role or job title they hold.
Managers are reviewing access changes to align with templates created. Going forward the
Security Operations team will use this application reports and templates to verify with
management the access of all employees at least annually.
Recommendation 10
We recommend that GEHA implement a process to log and review user activity within its
applications.
Response
The Security Operations team has developed a daily process to review violation reports.
. Violation reports for
and other applications are not available at this time. reports are reviewed, users are
contacted to respond to violations, and notations are made electronically on the report pdf file.
The file is stored along with related correspondence. This process is currently implemented.
Recommendation 11
We recommend that GEHA program the new claims processing system to use randomly
generated temporary passwords for users who need to establish new accounts and users who
lock themselves out of the system. The passwords should be automatically emailed to the user
requesting access.
Response
The Security Operations team will review current practices for creating IDs and
modify the process as necessary adding steps to require interaction with the Help Desk before a
user id is activated for first use. The new claims system uses authentication based on
where users will automatically authenticate to as they activate
the application client. password management will be reviewed and changes
made as necessary to randomize initial passwords. A password self-service tool will be
investigated to see if they provide a more secure method for changing initial or forgotten
passwords. Changes to processes will be completed by the fourth quarter of 2012.
Recommendation 12
We recommend that GEHA formally document baseline configurations for its hardware,
software, and firmware.
5
Response
GEHA is addressing secure baseline configuration in a three-phase approach. Each phase will
document the system function, inventory, configurations and security hardening requirements.
For the initial phase, GEHA is focusing on
.
The second phase will extend into higher levels of the architecture including but not limited to
. The final phase will be a granular view
of the business applications that utilize the architecture detailed in the first two phases such as
Recommendation 13
We recommend that GEHA implement a process to routinely monitor system administrator
activity.
Response
The Security Operations team has developed a daily process to review administrator
activity reports. The reports are reviewed, users are contacted to respond to questionable
activities, and notations are made electronically on the report pdf file. The file is stored along
with related correspondence. The new claims processing system will require different tools to
track administrative access because access will primarily be controlled through
It may be possible to track administrative access within the new application but that is
unknown at this time. A tool is being investigated that will track user data view and that tool
may provide additional visibility within the new claims application. administrator activity
monitoring is currently implemented.
Recommendation 14
We recommend that GEHA address the issues detected by the compliance audit and routinely
monitor system software configuration to ensure compliance with established baselines.
Response - The recent purchase of a security vulnerability scanning tool by the Security
Operations team gives us the ability to scan configuration settings of individual
servers once authenticated to the server. Security Operations will work with the Enterprise
Architecture to assure that appropriate settings are routinely scanned and addressed. This
recommendation should be completed by the end of the fourth quarter of 2012.
Recommendation 15
We recommend that GEHA implement a process to conduct routine vulnerability scans and
track any identified weakness until they are remediated.
6
Response
A produ ct t o scan syst e ms for vu lne ra bilit ies ha s recent ly been purcha sed and a pro ject ha s
been creat ed t o deve lop processe s for sca nning, notification of findings, risk asse ssment,
remed iat ion , and re view. The project will focu s on reducing the risk to the or ganizat ion by
imple men t ing a rout ine vu lne ra bility mon itoring and remed iation program . This
rec ommendation sho uld be comp leted by the end of the fourth qua rter of 201 2.
Recommendation 16
We rec omme nd that GEHA instal l t he t hat we re ide nt ified in the
sca n re sult s and , in the future, improve the management process to en sure t h a t _
_ a r e inst alled promptly.
Response
GEHA re cogn izes the need a nd importance of deve lop ing and impleme nt ing a .
to iden tify , dete rm ine app licability to
GEHA syst e ms, and distribute and implement on GEHA syst e ms t o prevent and m inimize the
risk of security brea ches and losse s. GEHA is init iat ing a forma l to
m itigate the risk prese nted by t he . The program w ill be a
combinat ion of techn o logy in the form of t and deployment softw a re and
processe s to identify, test and deploy softw a re updates followin g a risk-based ma nagement
-
approach.
7
Recommendation 17
We recommend that GEHA contract with a third party vendor that specializes in
vulnerability assessments to conduct a thorough vulnerability assessment
of its .
Response
GEHA is addressing vulnerabilities in two different ways. In late 2012, we
engaged a third-party, to conduct a comprehensive vulnerability
assessment and penetration test. The scope of the assessment included our
. Our IT and Security teams are actively
remediating issues noted in that assessment. In addition, GEHA is currently redesigning our
and Security teams are involved in those discussions to ensure that any open
vulnerabilities or concerns are addressed in the new design.
The second way we are addressing this issue is the purchase and implementation of
Our Information Security Analysts have installed this solution and are currently
conducting configuring and testing. This tool will be used on a continuous basis to assist
security in identifying vulnerabilities affecting our infrastructure and will assist in the risk
ranking of those vulnerabilities to drive remediation priorities. The solution will have the ability
to not only alert security staff to vulnerabilities facing our e, but also
vulnerabilities on our . We expect to have fully deployed in our
production environment and identifying vulnerabilities by Q3 of 2012.
We feel that it is important and we plan to continue engaging a third party to conduct an
independent assessment, however due to the addition of our tool and vulnerability
management processes, we will be reducing the frequency of those from annually to perhaps
every other year.
Recommendation 18
We recommend that GEHA continue their efforts to upgrade the operating system
to a vendor-supported version.
Response
GEHA is continuing the efforts to update the operating systems to vendor-
supported versions. We are working through the and custom-developed application
dependencies which require update before the operating systems can be updated.
GEHA has also had to procure and implement a new storage subsystem to allow for
the increased capacity needs for the testing environments for process and inter-operability
testing.
Recommendation 19
We recommend that GEHA conduct and document an annual disaster recovery test for the
.
Response
GEHA has designed and implemented an secured off-site co-location facility that will function as
the disaster recovery site for all GEHA is currently replicating all
data to the site through the use of the data protection platform.
GEHA is scheduled to perform disaster recovery testing in Q3 of 2012. We have hired a
Manager of Enterprise Risk that will be responsible for working with IT to maintain/update our
BCP/DR plans to reflect the above changes and to assist in coordinating testing exercises. This
person is currently assisting on our claims system conversion and will be joining the Enterprise
Security and Risk Management team in Q3 of 2012. His focus will be BCP/DR and other
Enterprise Risk Management initiatives.
9
Recommendation 20
We recommend that GEHA, in collaboration with , develop a process to reconcile printed
checks.
Response
We have initiated a project with our Project Management Department and have assembled a
team to address this recommendation. We plan to coordinate with and have a
reconciliation process implemented once we have identified and created the necessary internal
reporting.
Recommendation 21
We recommend that GEHA implement an audit process for the full debarment file.
Response
GEHA does currently perform a monthly 3% audit on our full debarment file. However, based
on the recommendation of OPM, we have increased the audit to 100% of the full debarment
file effective April 15, 2012.
Recommendation 22
We recommend that GEHA ensure that comprehensive medical edits are incorporated into the
development of the new claims processing system.
Response
Our review of the System and the new clinical editor has shown that does not
currently have edits for inpatient hospital claims. This specific claim example would not be
captured in any of the edits. We will investigate the system capabilities of creating the
configuration to assist in up front identification of these claims. There are edits for
outpatient hospital claims.
For the professional claim example, we have test cases developed to review diagnosis to
procedure code edits. The system can then be coded to pend, deny, or use a warning message.
We have not received the latest version of to test at this time. We will add these
examples to our requirements and set up specific test cases to test capabilities to ensure
accurate processing.
The OIG finding included the following information – “GEHA informed us that for professional
claims, clinical edits produce warning messages rather than having hard edits in place to
prevent the claim from processing. If these claims are submitted electronically, they could be
batched and subsequently processed and paid without a processor ever seeing that warning
message.”
10
GEHA response - GEHA does not allow claims with these Clinicalogic warning messages to pass
through batch, rather they are pended to the adjustor for additional review.
Recommendation 23
We recommend that GEHA ensure that the appropriate system modifications be incorporated
into the claims processing system to ensure that therapy benefits are limited in
accordance with the plan brochure.
Response
GEHA agrees with the recommendation to ensure this is addressed in the conversion to
However, between now and the time of conversion to we have implemented interim
procedures in the Claims Department to adjudicate claims correcting the calculation of time
per visit.
Recommendation 24
We recommend that GEHA ensure that the appropriate system configurations are made to
to prevent duplicate payments for claims with overlapping dates of service.
Response
GEHA agrees with the recommendation and will explore the system configuration available in
to ensure accurate claim processing.
Recommendation 25
We recommend that GEHA implement procedures to ensure that OBRA90 claims are priced
with the correct version of the
Response
GEHA agrees with the recommendation and is taking steps to ensure that the adjusters have
access to the most current version of the OBRA 90 Pricer before claims processing. This will
include working more closely with the IT area to ensure timely loading of the current version,
while considering whether claims may need to be held in the interim to prevent claim payment
issues.
Recommendation 26
We recommend that GEHA ensure that the appropriate system configurations are made to
to ensure that a reduced manual effort is required by claims adjudicators to process
claims.
11
Response
GEHA is exploring every o pport unity to reduce manual processes. Conve rSion to th ~
syste m will fa cilitate our goa ls in t his area . While our conversion to s st ill in the «build'
phase. we have alread y ident ified seve ral area s of opportunity where redu ced manu al effort
will be realized
• With t he addition 0 e expect improvements in automated
hospital and anesthesia processing.
• We will be using reve nue coding which is required by some PPO netw orks. This will be
loaded from t he elect ronic claim and added t o t he processes In our data e ntry area .
With thi s information, pricing can be applied through ~ lIo w i n g more claims to
autc-adjudlcate .
• For PPO USA hospitals and facilities that use a complex rate, they will be priced with
~nd avto-adludicate d.
• Authorizat ions for hospital st ays wiD be loaded into _ and then matched to the
II
specific cla im they represent. This will red uce man ual review of the autho rization and
allow auto -adjudtcanon of hospital n ays and outpane nt services.
i
• ASAcodes and th e associated units are also being loaded into the pricing software, as
we llas confi guratio n of t he time units, so that auto-calcutatlon can be performed.
i
• National Co nt racts pricing is also loaded in _
req uired toda y.
reducing th e manual pricing that is
I
Conclusion I
We are disappointed in th e resu lts ofthe audit, howe ve r we were making progre ss to update
and improve our informat ion syste ms infrastru ctu re. We have filled several key positions
wit hin the last yea r to expand ou r expertise and have add ed staff t o address weaknesses that
we re note d in the OIG's re port. Prior to th e sta rt of the audit we forme d an Enterprise Security
and Risk Man ageme nt Department tha t is inde pende nt of the IT Depart ment and reports
direct lyto me. The Enterp rise Security and Risk Manageme nt Departm ent is res ponsible for
esta blishing security policies, assessing vulnerabilities a nd working with Information Systems
manageme nt to remediete weaknesses in internal controls.
We thank you an d yo ur st aff for your assistance in identifying the are as needing improvement
and we are working diligentlyto resolve t hese issues.
Since re ly,
Richa rd G. Miles
Preside nt
"
Attachments: Audit Report Draft
CC: , Chief of Health Insurance II Insurance Operations
, Chief of Program Planning and Evaluation
Eileen Hutchinson, GEHA VP - CFO
GEHA VP – Claims
GEHA VP – Enterprise Security and Risk Management
GEHA Manager of Internal Audit
13
Audit of the Information Systems General and Application Controls at the Government Employees Health Association
Published by the Office of Personnel Management, Office of Inspector General on 2012-08-09.
Below is a raw (and likely hideous) rendition of the original report. (PDF)