
Audit of the Information Systems General and Application Controls at the Government Employees Health Association

Published by the Office of Personnel Management, Office of Inspector General on 2012-08-09.


U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS


Final Audit Report

Subject:

AUDIT OF INFORMATION SYSTEMS
GENERAL AND APPLICATION CONTROLS AT THE
GOVERNMENT EMPLOYEES HEALTH ASSOCIATION

Report No. 1B-31-00-11-066

Date: August 9, 2012




--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit
report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available
under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before
releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.


Audit Report

FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACT 1063
THE GOVERNMENT EMPLOYEES HEALTH ASSOCIATION
PLAN CODE 31
LEE’S SUMMIT & INDEPENDENCE, MISSOURI

Report No. 1B-31-00-11-066

Date: August 9, 2012


________________________
Michael R. Esser
Assistant Inspector General
for Audits

--CAUTION--
This audit report has been distributed to Federal and Non-Federal officials who are responsible for the administration of the audited
contract. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit
report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be
exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly
distributed copy.


Executive Summary

FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACT 1063
THE GOVERNMENT EMPLOYEES HEALTH ASSOCIATION
PLAN CODE 31
LEE’S SUMMIT & INDEPENDENCE, MISSOURI

Report No. 1B-31-00-11-066

Date: August 9, 2012


This final report discusses the results of our audit of general and application controls over the
information systems at the Government Employees Health Association (GEHA).

Our audit focused on the claims processing applications used to adjudicate Federal Employees
Health Benefits Program (FEHBP) claims for GEHA, as well as the various processes and
information technology (IT) systems used to support these applications. We also conducted a
significant follow-up review of prior audit recommendations from our 2006 IT audit.

In 2006 a substantial number of recommendations were made that collectively identified a
significant weakness in GEHA’s management of IT security. GEHA lacked the critical policies
and procedures necessary for an entity-wide security program. Furthermore, they did not have
the appropriate resources, both tangible and personnel, to ensure the protection of member data
and successful processing of FEHBP claims. During our follow-up review, we determined that
these long-standing weaknesses have not been addressed and prior audit recommendations had
been prematurely closed by OPM. While the audit work conducted during this review showed
very recent steps taken by GEHA management to develop an improved IT security program,
currently there are significant weaknesses that still threaten the privacy and security of FEHBP
data and member PII. We documented controls in place and opportunities for improvement in
each of the areas below.

Security Management
GEHA has established a series of IT policies and procedures to create an awareness of IT
security at the Plan. However, GEHA has not developed a Rules of Behavior agreement that all
employees are required to sign.

Access Controls
We found that GEHA has implemented numerous controls related to the process of granting
physical access to its data center, as well as logical controls to encrypt sensitive information.
However, we did note multiple opportunities for improvement related to GEHA’s physical and
logical access controls.

Configuration Management
GEHA has developed formal policies and procedures providing guidance to ensure that system
software is appropriately configured and updated, as well as for controlling system software
configuration changes. However, we noted numerous weaknesses in GEHA’s configuration
management program. The weaknesses were severe enough to consider the program a
significant deficiency in GEHA’s ability to securely process sensitive FEHBP data.

Contingency Planning
We reviewed GEHA’s business continuity plans and concluded that they contained most of the
key elements suggested by relevant guidance and publications. We also determined that these
documents are reviewed and updated on a periodic basis. However, GEHA does not perform
routine disaster recovery testing on its distributed server environment.

Application Controls
GEHA has implemented many controls in its claims adjudication process to ensure that FEHBP
claims are processed accurately. However, we recommended that GEHA implement several
system modifications to ensure that its claims processing systems adjudicate FEHBP claims in a
manner consistent with the OPM contract and other regulations.

Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that GEHA is not in compliance with the
HIPAA security, privacy, and national provider identifier regulations.




Contents

                                                                          page
Executive Summary ................................................................ i
I. Introduction .................................................................. 1
    Background .................................................................. 1
    Objectives .................................................................. 1
    Scope ....................................................................... 2
    Methodology ................................................................. 2
    Compliance with Laws and Regulations ........................................ 3
II. Audit Findings and Recommendations .......................................... 4
    A. Security Management ...................................................... 4
    B. Access Controls .......................................................... 5
    C. Configuration Management ................................................ 13
    D. Contingency Planning .................................................... 18
    E. Application Controls .................................................... 20
    F. Health Insurance Portability and Accountability Act ..................... 25
III. Major Contributors to This Report ......................................... 26

Appendix: Government Employees Health Association’s May 10, 2012 response to the draft
audit report issued March 14, 2012.


I. Introduction
This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims at the Government Employees
Health Association (GEHA).

The audit was conducted pursuant to FEHBP contract 1063; 5 U.S.C. Chapter 89; and 5 Code of
Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of
Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.

Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.

The last OIG audit of general and application controls at GEHA occurred in 2006. While the
audit was closed in 2006 by the audit resolution group in OPM’s Healthcare and Insurance
Office, we did a full review of all recommendations from the 2006 audit. We determined that
several recommendations were inappropriately closed and that numerous weaknesses were not
remediated until after 2009. Several recommendations should still be open and have been rolled
forward within this report.

The business processes related to the scope of this audit are primarily located at GEHA’s Lee’s
Summit and Independence, Missouri facilities. GEHA has two data centers supporting FEHBP
processes in the greater Kansas City, Missouri area. Employees responsible for processing
FEHBP claims are predominantly located in Independence, Missouri. The majority of claim
output is printed and mailed at a contractor facility in St. Louis, Missouri. Several PPO
contractor networks are also utilized to perform functions related to both claims input and output.

All GEHA personnel that worked with the auditors were particularly helpful and open to ideas
and suggestions. They viewed the audit as an opportunity to examine practices and to make
changes or improvements as necessary. Their positive attitude and helpfulness throughout the
audit was greatly appreciated.

Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in GEHA’s information technology (IT)
environment.



These objectives were accomplished by reviewing the following areas:
•   Security management;
•   Access controls;
•   Segregation of duties;
•   Configuration management;
•   Contingency planning;
•   Application controls specific to GEHA’s claims processing systems; and,
•   HIPAA compliance.

Scope
This performance audit was conducted in accordance with generally accepted government
auditing standards issued by the Comptroller General of the United States. Accordingly, the OIG
obtained an understanding of GEHA’s internal controls through interviews and observations, as
well as inspection of various documents, including information technology and other related
organizational policies and procedures. This understanding of GEHA’s internal controls was
used in planning the audit by determining the extent of compliance testing and other auditing
procedures necessary to verify that the internal controls were properly designed, placed in
operation, and effective.

The OIG evaluated the confidentiality, integrity, and availability of GEHA’s computer-based
information systems used to process FEHBP claims, and found that there are opportunities for
improvement in the information systems’ internal controls. These areas are detailed in the
“Audit Findings and Recommendations” section of this report.

The scope of this audit centered on the          claims processing system (and the IT
environment that supports it) used by GEHA to process FEHBP claims.

In conducting our audit, we relied to varying degrees on computer-generated data provided by
GEHA. Due to time constraints, we did not verify the reliability of the data used to complete
some of our audit steps but we determined that it was adequate to achieve our audit objectives.
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.

The audit was performed at GEHA offices in Lee’s Summit, Missouri, and Independence,
Missouri. These on-site activities were performed in September and October 2011. The OIG
completed additional audit work before and after the on-site visits at OPM’s office in
Washington, D.C. The findings, recommendations, and conclusions outlined in this report are
based on the status of information system general and application controls in place at GEHA as
of December 15, 2011.

Methodology
In conducting this review the OIG:
•   Gathered documentation and conducted interviews;
•   Reviewed GEHA’s business structure and environment;

•   Performed a risk assessment of GEHA’s information systems environment and applications,
    and prepared an audit program based on the assessment and the Government Accountability
    Office’s (GAO) Federal Information System Controls Audit Manual (FISCAM); and
•   Conducted various compliance tests to determine the extent to which established controls and
    procedures are functioning as intended. As appropriate, the auditors used judgmental
    sampling in completing their compliance testing.

Various laws, regulations, and industry standards were used as a guide in evaluating GEHA’s
control structure. These criteria include, but are not limited to, the following publications:
•   Office of Management and Budget (OMB) Circular A-130, Appendix III;
•   OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
    Personally Identifiable Information;
•   Information Technology Governance Institute’s CobiT: Control Objectives for Information
    and Related Technology;
•   GAO’s Federal Information System Controls Audit Manual;
•   National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
    Introduction to Computer Security;
•   NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
    Technology Systems;
•   NIST SP 800-30, Risk Management Guide for Information Technology Systems;
•   NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
•   NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
•   NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information
    Systems;
•   NIST SP 800-61, Computer Security Incident Handling Guide;
•   NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA
    Security Rule; and
•   HIPAA Act of 1996.

Compliance with Laws and Regulations
In conducting the audit, the OIG performed tests to determine whether GEHA’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
GEHA was not in complete compliance with all standards as described in the “Audit Findings
and Recommendations” section of this report.




II. Audit Findings and Recommendations
A. Security Management
  The security management component of this audit involved the examination of the policies and
  procedures that are the foundation of GEHA’s overall IT security controls. We evaluated
  GEHA’s ability to develop security policies, manage risk, assign security-related responsibility,
  and monitor the effectiveness of various system-related controls.

  GEHA has implemented a series of formal policies and procedures that comprise a
  comprehensive security management program. GEHA’s security management program is led by
  the company’s IT professionals whose responsibilities include creating policies to protect against
  threats or improper use of sensitive data and HIPAA compliance. All policies and procedures are
  approved by an executive committee before they are published and posted on the company
  intranet. GEHA has also developed a thorough risk management methodology, and has
  procedures to document, track, and alleviate or accept identified risks.

  We also reviewed GEHA’s human resources policies and procedures related to hiring, training,
  transferring, and terminating employees. However, we found that GEHA has not developed a
  rules of behavior agreement for information and information system usage.

  NIST Special Publication 800-53 Revision 3, Recommended Security Controls for Federal
  Information Systems (NIST SP 800-53) states that “The organization: Establishes and makes
  readily available to all information system users, the rules that describe their responsibilities and
  expected behavior with regard to information and information system usage; and receives signed
  acknowledgment from users indicating that they have read, understand, and agree to abide by the
  rules of behavior, before authorizing access to information and the information system.”

  Without clearly defining their rules of behavior the organization increases the risk of employees
  sharing account access information, downloading malicious software, sharing personally
  identifiable information, and general improper use of information systems.

  Recommendation 1
  We recommend GEHA develop a rules of behavior agreement and require all employees to sign
  the document.

  GEHA Response:
  “GEHA has an extensive orientation process where new hires are trained on various policies
  and procedures and are required to sign Acknowledgement of Responsibility forms. These
  acknowledgements encompass what one rules of behavior document would address.”

  OIG Reply:
  We have received evidence that this recommendation has been implemented; no further action is
  required.



B. Access Controls
  Access controls are the policies, procedures, and techniques used to prevent or detect
  unauthorized physical or logical access to sensitive resources.

  We examined the physical access controls of GEHA’s data centers, the Independence claims
  processing facility, and two Lee’s Summit office buildings. We also examined the logical
  controls protecting sensitive data on GEHA’s network environment and claims processing
  related applications.

  In addition, we conducted a network topology scan to verify that all known assets were included
  within GEHA’s system inventory list.

  The access controls observed during this audit include, but are not limited to:
  •   Procedures for appropriately granting physical access to facilities and data centers;
  •   Procedures for revoking access to data centers for terminated employees;
  •   Procedures for removing _ network access for terminated employees; and,
  •   Controls to monitor and filter email and Internet activity.

  The following sections document several opportunities for improvement related to GEHA’s
  physical and logical access controls.

  1. Facility Physical Access Controls
     The physical access controls at GEHA’s facilities could be improved.

     All of the facilities we visited utilize some form of
     the building during off-peak working hours.
     working hours. GEHA has a receptionist at each facility, but does not

                                          Employees are required to
                          but there are no physical controls in place to ensure that every individual
     follows this procedure.

     We expect all FEHBP contractors to, at a minimum, have card reader controlled turnstile
     gates at facility entrances and multi-factor authentication at data center entrances (e.g., cipher
     lock or biometric device in addition to an access card). In addition to implementing
                          , GEHA should analyze the benefit of implementing the common physical
     access controls listed below that we typically see at other FEHBP carrier facilities.

     Common Data Center Controls
     •
     •
     •
     •
     •
     •

     Common Office Building Controls
     •                                                    , and,
     •
     FISCAM states that "Controls should accommodate employees who work at the entity’s
     facilities on an everyday basis; occasional visitors, such as employees of another entity,
     facility or maintenance people; and infrequent or unexpected visitors. Physical security
     controls vary, but include: manual door or cipher key locks, magnetic door locks that require
     the use of electronic keycards, biometrics authentication, security guards, photo IDs, entry
     logs, and electronic and visual surveillance systems."

     In addition, NIST SP 800-53 provides guidance for adequately controlling physical access to
     information systems containing sensitive data (see control PE-3, Physical Access Control).

     Failure to implement adequate physical access controls increases the risk that unauthorized
     individuals can gain access to GEHA facilities and the sensitive IT resources and confidential
     data they contain.

     Recommendation 2
     We recommend that GEHA reassess its facilities’ physical access management and
     implement controls that will ensure proper physical security. At a minimum, GEHA should
     implement                                                                 multi-factor
     authentication (e.g., cipher                               men to an access card) at data
     center entrances.

     GEHA Response:
     "GEHA is currently reassessing facilities access at all of our locations and adding the
     following controls to increase physical security.
         1.
         2. Data Center - Multi-Factor Authentication at Entrance (COMPLETED) ...
         3.
         4.
         5.



     OIG Reply:
     As part of the audit resolution process, we recommend that GEHA provide OPM’s
     Healthcare and Insurance Office (HIO) with evidence that it has fully implemented each of
     the changes to the physical security discussed in its response.

  2. Claim Storage Access Controls
          er claims containing sensitive information are stored
                            However, GEHA does not separate access to
                                           The claims storage area is locked during non-business
     hours, but during the day there are no physical controls to separate the two areas.

     FISCAM states that "Many of the control techniques for interior security are similar to those
     for perimeter and entry security (for example, locks, surveillance systems, as well as using
     and controlling badges, ID cards, smartcards, passkey, and other entry devices)."

     Failure to restrict access to the claims storage area increases the risk that unauthorized
     employees can gain access to sensitive data contained within the room.

     In addition, GEHA does not currently have a process in place to monitor claims file access.
     There is no employee stationed within this area and claim files can be removed for
     referencing. GEHA was unable to produce a claims file access log.

     NIST SP 800-53 states that "The organization ... Controls access to areas officially
     designated as publicly accessible in accordance with the organization’s assessment of
     risk."

     Failure to monitor and track access to claim files increases the risk that employees may
     manipulate, damage, or lose the claims.

   Recommendation 3
   We recommend that GEHA im

   require access to the


     GEHA Response:
     "GEHA continues to keep this area locked during non-business hours and corrected this
     concern in October 2011 by installing a latching system on the inside of the storage area
     that prevents unsupervised access."

     OIG Reply:
     The intent of this recommendation is to ensure that claims are stored securely at all times, not
     just during non-business hours. As part of the audit resolution process, we recommend that
     GEHA provide OPM’s HIO with evidence that the claims are securely stored, preventing
     unauthorized access to claim files at all times.




     Recommendation 4
     We recommend that GEHA implement a process to monitor and track access to claim files.

     GEHA Response:
     "The area where the claims are kept is separated from the                            by a
     locked door. Access to this area is restricted to a limited number of claims clerical staff.
     There are no sign out procedures because claims leave this area only to be copied and
     immediately returned to the locked room."

     OIG Reply:
     As part of the audit resolution process, we recommend that GEHA provide OPM’s HIO with
     the policy detailing the requirement to photocopy and immediately return claims to storage.
     Please also provide HIO with the policy which instructs GEHA employees to properly
     dispose of the claim form copies that contain PII.

  3. Logical Access Controls
     When employees are terminated, GEHA’s policy is to remove their accounts from the
     _           claims adjudication application.

     We compared a list of recently terminated employees to the active        user list. We
     discovered that 20 terminated employees still had active accounts        and that
     several of those employees had multiple active accounts.

     Most of these individuals were terminated prior to 2010. Although GEHA’s current process
     appears to adequately remove _             access for recently terminated users, it appears that
     there has never been an audit of old accounts to identify terminated users.

     FISCAM states that "Inactive accounts and accounts for terminated individuals should be
     disabled or removed in a timely manner."

     Recommendation 5
     We recommend GEHA conduct a detailed access review audit of _                     user accounts
     to identify accounts with inappropriate access.

     GEHA Response:
     "GEHA Security Operations has taken multiple steps to better control _            access.
     We have reviewed access for users with administrative access and have removed access
     that was inappropriate or no longer needed. To better establish and control access, we
     have developed a series of user templates that determine access by position. In doing so we
     have consulted with managers to verify access and remove any unneeded access. We have
     developed reporting from our payroll department that will allow us to better track users as
     they move within the organization or terminate. We have reviewed all previously
     terminated users to assure that all access has been removed. For auditing purposes it is
     necessary to leave IDs for terminated employees in place, however, all access to the ID is


     removed, the account is locked, and the associated _ user id is removed. This activity
     has been completed."

     OIG Reply:
     As part of the audit resolution process, we recommend that GEHA provide OPM’s HIO with:
     •   Samples of the user templates that determine access by position;
     •   Samples of the reports generated from the payroll department to track transferred and
         terminated employees;
     •   Evidence of the access review that took place to ensure terminated user access was
         appropriately removed; and,
     •   Evidence of the ongoing logical access auditing for a period of six months.
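One way to carry out the access review Recommendation 5 calls for is to reconcile the application’s user list against HR termination records, while treating a disabled account with no remaining roles as acceptably retained for audit history, as GEHA’s response describes. The following is an added example, not code from the report or from GEHA; the record layouts, employee and account identifiers, roles and termination dates are constructed for illustration.

```python
"""Reconcile an application's user list against HR termination records.

Added example (not GEHA's or OPM OIG's code). All data below is constructed;
the field names and identifiers are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Termination:
    employee_id: str
    terminated_on: date


@dataclass(frozen=True)
class Account:
    account_id: str
    employee_id: str
    enabled: bool
    roles: tuple  # application roles still attached to the account


# Constructed HR termination feed (hypothetical employee ids).
TERMINATIONS = [
    Termination("E100", date(2008, 3, 14)),
    Termination("E200", date(2011, 9, 30)),
    Termination("E300", date(2009, 12, 1)),
]

# Constructed application user list (hypothetical account ids).
ACCOUNTS = [
    Account("jdoe",    "E100", True,  ("claims_examiner",)),                     # terminated 2008, still enabled
    Account("jdoe2",   "E100", True,  ("claims_examiner", "claims_approver")),   # second account, same person
    Account("asmith",  "E200", False, ()),                                       # locked, no roles: acceptable
    Account("asmith2", "E200", True,  ()),                                       # enabled even with no roles
    Account("bjones",  "E300", False, ("claims_examiner",)),                     # locked but roles never removed
    Account("cwhite",  "E400", True,  ("claims_examiner",)),                     # current employee
]


def find_orphaned_accounts(terminations, accounts):
    """Return accounts of terminated employees that still carry access.

    After termination an account is acceptable only if it is disabled *and*
    holds no roles (the "keep the ID, lock it, strip access" pattern). Anything
    else is a finding: enabled, or disabled with lingering role assignments.
    Each finding is (account_id, employee_id, terminated_on, reason).
    """
    terminated = {t.employee_id: t.terminated_on for t in terminations}
    findings = []
    for acct in accounts:
        if acct.employee_id not in terminated:
            continue  # employee still active per HR
        if not acct.enabled and not acct.roles:
            continue  # cleanly locked; nothing to report
        reason = "enabled" if acct.enabled else "disabled but roles retained"
        findings.append((acct.account_id, acct.employee_id, terminated[acct.employee_id], reason))
    return findings


def group_by_employee(findings):
    """Map employee_id -> offending account ids, surfacing people with several accounts."""
    grouped = defaultdict(list)
    for account_id, employee_id, _, _ in findings:
        grouped[employee_id].append(account_id)
    return dict(grouped)


def stale_findings(findings, before_year):
    """Findings for employees terminated before `before_year`, i.e. missed by earlier reviews."""
    return [f for f in findings if f[2].year < before_year]


if __name__ == "__main__":
    findings = find_orphaned_accounts(TERMINATIONS, ACCOUNTS)
    for account_id, employee_id, terminated_on, reason in findings:
        print(f"{account_id:8} {employee_id} terminated {terminated_on} -> {reason}")
    for employee_id, ids in group_by_employee(findings).items():
        if len(ids) > 1:
            print(f"{employee_id} holds {len(ids)} accounts: {', '.join(ids)}")
    print(f"{len(stale_findings(findings, 2010))} finding(s) predate 2010")
```

Running the review on a schedule, rather than only at termination time, is what catches the old accounts the report describes; the `stale_findings` cut-off makes that backlog visible separately from recent terminations.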

  4. Incident Response and Intrusion Detection
     GEHA has documented incident response procedures and has installed an intrusion detection
     system. However, the intrusion detection system has not been configured to optimize its
     security features. GEHA has recently installed next generation firewalls and monitoring
     software that has the ability to prevent and detect intrusions; however, it is not configured for
     the GEHA environment. According to GEHA, a contractor will be going on-site in the near
     future to assist in configuring the tools and training employees.

     FISCAM states that control techniques for an effective incident response program include "a
     means of prompt centralized reporting; active monitoring of alerts and advisories; [and]
     response team members with the necessary knowledge, skills, and abilities ...."

     Failure to properly configure incident response and intrusion detection tools could allow
     incidents and intrusions to go unmonitored and unresolved. This could lead to a loss of
     sensitive resources.

     Recommendation 6
     We recommend that GEHA configure its intrusion detection tools to optimize their
     capabilities.

     GEHA Response:
     "GEHA uses a _ firewall that includes intrusion detection capabilities. The
     intrusion detection capabilities were recently activated and are being monitored to
     determine effectiveness in detecting known attacks. _ are updated regularly to
     assure that detection capabilities are current. The Security Operations team will assist the
     Enterprise Architecture team in fine-tuning the detection capabilities
     reveals changes that can be made to improve the system’s response. _

  5. Remote Access Authentication
     GEHA does not require                                 to access its network from a remote
     location. Employees are required to use their                                    to remotely
     authenticate to GEHA’s network.                                consist of a
     _ _ _ _ is to implement                                            in the future by requiring the


     NIST SP 800-53 Revision 3 states that information systems should use multifactor
     authentication for local and network access to privileged and non-privileged accounts.

     Failure to implement adequate authentication controls increases the risk that unauthorized
     individuals can gain access to sensitive resources and confidential data.

   Recommendation 7

   We recommend that GEHA implement


   GEHA Response:
   _to 's .
   "GEHA has taken steps to purchase and implement
   remote access users. Remote web access to GEHA resources orces
                    GEHA          environment using                and
   This project has been completed for all users with remote access."

   OIG Reply:
   As part of the audit resolution process, we recommend that GEHA
   evidence when the _ implementation is complete and                                         is
   required for all remote access users.

6. Segregation of Duties
   GEHA does not enforce proper segregation of duties on its major applications. Currently,
   only one major application is monitored for proper segregation of duties. Furthermore, the
   process for monitoring segregation of duties is not documented.

   FISCAM states that "Work responsibilities should be segregated so that one individual does
   not control critical stages of a process." FISCAM also states that "Management should have
   analyzed operations and identified incompatible duties that are then segregated through
   policies and organizational divisions."

   Failure to implement proper segregation of duties increases the risk that erroneous
   or fraudulent transactions could be processed, that improper program changes could be
   implemented, or that computer resources could be damaged or destroyed.

   Recommendation 8
   We recommend that GEHA document a process for ensuring application access is granted
   with proper segregation of duties and implement the process for all major applications.





   GEHA Response:
   “GEHA has taken steps to identify duties within the claims processing area and has
   defined those activities that present a potential violation of the segregation of duties.
                access has been reviewed and conflicting access removed. Other applications
   have initially been configured to reduce conflicts, but currently need to be reviewed and
   any conflicts removed. Expected completion of this activity is by the end of the fourth
   quarter of 2012.

   GEHA’s Internal Audit Department performs an annual audit of access rights on major
   applications for employees who have terminated or transferred positions.”

7. Logical Access Privileges Approval and Review
   GEHA does not routinely recertify that employee application access is appropriate for all
   major applications. Currently, only one application is subject to a full access recertification
   review by the system owners. GEHA’s Internal Audit Group does perform periodic
   application access reviews, but the review includes only a small sample of employees.

   FISCAM states that “The computer resource owner should identify the specific user or class
   of users that are authorized to obtain direct access to each resource for which they are
   responsible . . . . The owner should identify the nature and extent of access to each resource
   that is available to each user. [This includes the following types of access: read, update,
   delete, merge, and execute] Access may be permitted at the file, record, or field level. . . .
   Owners should periodically review access authorization listings and determine whether they
   remain appropriate. Access authorizations should be documented on standard forms and
   maintained on file.”

   Failure to routinely recertify the appropriateness of application access could allow employees
   to perform functions or access sensitive information that they should not have approval to
   access.

   Recommendation 9
   We recommend that GEHA expand the access recertification process to all major
   applications.
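   Recommendations 8 and 9 rest on the same data: who holds which role in which application, and who owns that resource. The following is an added example, not GEHA's process or anything from this report: it checks a constructed access listing against a constructed matrix of incompatible duties, and groups the same listing into complete per-owner recertification lists rather than a sample. The user names, role names and owners are assumptions.

```python
"""Segregation-of-duties check and access recertification listing.

Added example (not GEHA's process): the access listing, the role names
and the incompatible-duty pairs below are all constructed.
"""
from collections import defaultdict

# Constructed conflict matrix: duty pairs that one person must not hold,
# so that no individual controls critical stages of a process end to end.
INCOMPATIBLE_DUTIES = {
    frozenset({"claims_entry", "claims_approval"}),
    frozenset({"claims_approval", "check_release"}),
    frozenset({"provider_maintenance", "claims_approval"}),
    frozenset({"developer", "production_deploy"}),
}

# Constructed access listing: (application, user, role, resource owner).
ACCESS_LISTING = [
    ("claims", "jdoe", "claims_entry", "claims_manager"),
    ("claims", "jdoe", "claims_approval", "claims_manager"),
    ("claims", "asmith", "claims_approval", "claims_manager"),
    ("finance", "asmith", "check_release", "finance_manager"),
    ("claims", "bjones", "claims_entry", "claims_manager"),
    ("provider", "cwu", "provider_maintenance", "provider_manager"),
]


def sod_conflicts(listing, conflicts=INCOMPATIBLE_DUTIES):
    """Return sorted (user, duty_a, duty_b) tuples for every user whose
    roles, taken across all applications, include an incompatible pair.
    Roles are merged across applications on purpose: a conflict that
    spans two systems is still a conflict."""
    roles_by_user = defaultdict(set)
    for _app, user, role, _owner in listing:
        roles_by_user[user].add(role)
    hits = []
    for user, roles in roles_by_user.items():
        for pair in conflicts:
            if pair <= roles:
                duty_a, duty_b = sorted(pair)
                hits.append((user, duty_a, duty_b))
    return sorted(hits)


def recertification_packets(listing):
    """Group entries by (resource owner, application) so each owner gets
    the complete user/role list to confirm or revoke, rather than a
    sample of employees."""
    packets = defaultdict(list)
    for app, user, role, owner in listing:
        packets[(owner, app)].append((user, role))
    return {key: sorted(entries) for key, entries in packets.items()}


if __name__ == "__main__":
    for user, a, b in sod_conflicts(ACCESS_LISTING):
        print(f"SoD conflict: {user} holds {a} and {b}")
    for (owner, app), entries in sorted(recertification_packets(ACCESS_LISTING).items()):
        print(f"Recertify with {owner} for {app}: {entries}")
```

   The conflict check merges a user's roles across applications before testing pairs, because a conflict split across two systems (claims approval in one, check release in another) is exactly the kind that single-application monitoring misses.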


   GEHA Response:
   “The GEHA Security Operations team is in the process of working with managers to
   develop role based access templates for                  and major applications. During
   the process we are aligning current access of individuals to templates created for the role
   or job title they hold. Managers are reviewing access changes to align with templates
   created. Going forward, the Security Operations team will use these application reports and
   templates to verify with management the access of all employees at least annually.”





8. Application Access Monitoring
   GEHA does not adequately monitor user access to its applications. Weekly access violation
   reports are emailed to management, but the reports are not reviewed. GEHA is in the process
   of creating an Information Security Group that will take over security monitoring
   responsibilities for the entire company, including the review of access violation reports.
   Furthermore, GEHA does not monitor user activity within the claims processing application.

   FISCAM states that "Audit and monitoring involves the regular collection, review, and
   analysis of indications of inappropriate or unauthorized access to the application."
   Management should monitor access within the application (i.e., unauthorized access
   attempts, unusual activity, etc.).

   Failure to monitor activity logs and violation reports could allow attempts to gain
   unauthorized access to sensitive computer resources to continue unnoticed.

   Recommendation 10
   We recommend that GEHA implement a process to log and review user access to and
   activity within its applications.
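   As an added example of the two kinds of review the recommendation asks for (access violations and activity within the claims application), the following Python parses a constructed log and applies two review rules: repeated failed logons by one user, and claim adjudication or override activity outside business hours. This is not GEHA's report format or process; the log layout, the event names, the threshold and the business-hours window are all assumptions.

```python
"""Review of an access-violation report and claims-activity log.

Added example (not GEHA's report format or process): the log format and
every log line below are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed log format: ISO timestamp, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
    r"event=(?P<event>\S+)(?: claim=(?P<claim>\S+))?$"
)

SAMPLE_LOG = """\
2012-04-02T08:01:10 user=bjones app=claims event=LOGON_OK
2012-04-02T08:03:44 user=bjones app=claims event=CLAIM_ADJUDICATED claim=C1000
2012-04-02T09:12:01 user=jdoe app=claims event=LOGON_FAILED
2012-04-02T09:12:30 user=jdoe app=claims event=LOGON_FAILED
2012-04-02T09:13:05 user=jdoe app=claims event=LOGON_FAILED
2012-04-02T09:14:00 user=jdoe app=claims event=LOGON_OK
2012-04-02T23:10:17 user=asmith app=claims event=CLAIM_OVERRIDE claim=C1001
2012-04-02T23:11:02 user=asmith app=enrollment event=LOGON_OK
"""

FAILED_LOGON_THRESHOLD = 3                 # assumption
BUSINESS_HOURS = range(7, 19)              # assumption: 07:00 through 18:59
AUDITED_CLAIM_EVENTS = {"CLAIM_ADJUDICATED", "CLAIM_OVERRIDE"}


def parse_log(text):
    """Parse constructed log lines into dicts; reject malformed lines
    rather than silently skipping them, so gaps in the report are seen."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LOG_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable log line: {line!r}")
        record = match.groupdict()
        record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(record)
    return events


def review(events, threshold=FAILED_LOGON_THRESHOLD):
    """Return findings for management review as (rule, user, detail)."""
    findings = []
    failures = Counter(e["user"] for e in events if e["event"] == "LOGON_FAILED")
    for user, count in sorted(failures.items()):
        if count >= threshold:
            findings.append(("repeated_failed_logon", user, count))
    for e in events:
        if (e["app"] == "claims" and e["event"] in AUDITED_CLAIM_EVENTS
                and e["ts"].hour not in BUSINESS_HOURS):
            findings.append(("after_hours_claim_activity", e["user"], e["claim"]))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule}: user={user} detail={detail}")
```

   The second rule is the part a logon-violation report alone never covers: it reads transactions inside the claims application, which is the monitoring the OIG reply below says was intended.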

   GEHA Response:
   "The Security Operations team has develo
   reports.
   for              s and other applications are not available at this time.       reports are
   reviewed, users are contacted to respond to violations, and notations are made
   electronically on the report pdf file. The file is stored along with related correspondence.
   This process is currently implemented."

   OIG Reply:
   The intent of this recommendation was not to simply monitor log-on violations at the
   _ but also to audit user transactions within the claims processing system. As part of the
   audit resolution process, we recommend that GEHA provide OPM's HIO with evidence of a
   solution to monitor the claims processing system's user activity.

9. Claims Processing System Password Modification
   GEHA uses a                                        when creating all new _            user
   accounts or resetting the password of existing accounts. While GEHA requires that the
   temporary password be changed after the first login attempt, this is not a sufficient
   compensating control. The process for establishing and changing passwords for the claims
   processing system is less secure than other major applications at GEHA. For other
   applications, an email is automatically sent to the user with a randomly generated temporary
   password that they use to establish new accounts or unlock existing ones.

   NIST SP 800-118 (draft) states that "Randomly generated or arbitrarily chosen [one time
   passwords], not default or patterned passwords (e.g., "NIST0722"), should be used during
   account creation and password reset processes. This ensures that if the user does not
   promptly change the assigned password, that the password will not be easily guessable."

   Failure to use randomly generated temporary passwords increases the risk that a person could
   gain unauthorized access to the claims processing system by exploiting the default password.

   Recommendation 11
   We recommend that GEHA program the new claims processing system to use randomly
   generated temporary passwords for users who need to establish new accounts and users who
   lock themselves out of the system. The passwords should be automatically emailed to the
   user requesting access.
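   The following is an added example of what Recommendation 11 asks for, not GEHA's or the claims system's code: a temporary password drawn from a cryptographic random source, stored only as a salted hash with an expiry and a must-change flag, and accepted exactly once. The patterned-password test encodes the shape of the NIST SP 800-118 example quoted above (a fixed word followed by digits). The validity window, iteration count and length are assumptions, and delivery of the clear-text value (by e-mail to the requester) is left to the caller.

```python
"""Randomly generated temporary passwords for account setup and reset.

Added example (not GEHA's process). The 24-hour validity window, the
14-character length and the PBKDF2 iteration count are assumptions.
"""
import hashlib
import re
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits
TEMP_PASSWORD_LENGTH = 14
TEMP_PASSWORD_TTL = timedelta(hours=24)
PBKDF2_ITERATIONS = 200_000

# A fixed word followed by a few digits, like the guidance's "NIST0722".
PATTERNED_RE = re.compile(r"^[A-Za-z]{2,8}\d{2,6}$")


def looks_patterned(password):
    """True for the default or patterned values a temporary password must
    never be: an organisation or product word plus a short number."""
    return PATTERNED_RE.match(password) is not None


def generate_temp_password(length=TEMP_PASSWORD_LENGTH):
    """Draw from a CSPRNG until the value has mixed case, a digit, and
    does not happen to look patterned."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and not looks_patterned(candidate)):
            return candidate


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def issue_temp_credential(user_id, now=None):
    """Create a one-time temporary credential record. The clear-text value
    is returned once for delivery to the requester and is not kept."""
    now = now or datetime.now(timezone.utc)
    password = generate_temp_password()
    salt = secrets.token_bytes(16)
    record = {
        "user": user_id,
        "salt": salt,
        "digest": _hash(password, salt),
        "expires": now + TEMP_PASSWORD_TTL,
        "must_change": True,       # a permanent password is set on first use
        "used": False,
    }
    return record, password


def verify_temp_password(record, candidate, now=None):
    """Accept the temporary password only once, only before expiry, and
    compare digests in constant time."""
    now = now or datetime.now(timezone.utc)
    if record["used"] or now >= record["expires"]:
        return False
    if not secrets.compare_digest(_hash(candidate, record["salt"]), record["digest"]):
        return False
    record["used"] = True
    return True
```

   Storing only the hash matters even for a 24-hour credential: a help-desk queue or mail archive that holds clear-text temporary passwords is the first place an attacker with read access would look.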

   GEHA Response:
   "The Security Operations team will review current practices for creating_ IDs
   and modify that process as necessary adding steps to require interaction with the Help
   Desk before a user id is activated or first use. The new claims system uses authentication
   based on
                                           where users will automatically authenticate
               as they activate the application client.
                                                                                        to.
                                                                         password management
   will be reviewed and changes made as necessary to randomize initial passwords. A
   password self-service tool will be investigated to see if they provide a more secure method
   for changing initial or forgotten passwords. Changes to processes will be completed by the
   fourth quarter of 2012."

C. Configuration Management

  _           is housed in a
  control managed by
  supporting the claims adjudication process are housed in a                          with the
                                     We evaluated GEHA's management of this system software
  and have serious concerns regarding its overall configuration management program.

  The sections below document areas for improvement related to GEHA's configuration
  management controls. We believe that the severity of the weaknesses related to configuration
  management represents a significant deficiency in GEHA's ability to securely process FEHBP
  data in its IT environment.

  1. Baseline Configurations
     GEHA has not documented a secure baseline configuration for its servers or mainframe.
     New system software is currently configured using employees' collective knowledge of best
     practices. However, no standard configuration documentation has been created for any
     system software used by the organization. In December 2011, GEHA created a Baseline
     Server Configuration and Maintenance Plan that details the new process for creating
     configuration baselines for three server operating systems. The actual baseline documents
     are scheduled for completion in 2012.





   FISCAM states that "The entity should maintain current configuration information in a
   formal configuration baseline that contains the configuration information formally designated
   at a specific time during a product's or product component's life. Configuration baselines,
   plus approved changes from those baselines, constitute the current configuration information.
   There should be a current and comprehensive baseline inventory of hardware, software, and
   firmware, and it should be routinely validated for accuracy."

   Failure to create baseline configurations increases the likelihood that newly implemented or
   modified hardware, software, and firmware will not be securely configured.

   Recommendation 12
   We recommend that GEHA formally document baseline configurations for its hardware,
   software, and firmware.

   GEHA Response:
   "GEHA is addressing secure baseline configuration in a three-phase approach. Each
   phase will document the system function, inventory, configurations and security hardening
   requirements. For the initial phase, GEHA is focusing on




2. Monitoring System Administrator Activity
   GEHA's management does not monitor system administrator activity. GEHA currently
   employs          administrators that have the authority to control security for the entire
   system.         has a reporting capability that documents any changes that the administrators
   make to the system. However, these reports are not currently reviewed.

   NIST SP 800-53 Revision 3 requires that "The organization ... Tracks and monitors
   privileged role assignments. Privileged roles include, for example, key management,
   network and system administration, database administration, [and] web administration."

   Failure to document and track system administrator activity could allow unintended or
   malicious events to go undetected and increase system vulnerability.

   Recommendation 13
   We recommend that GEHA implement a process to routinely monitor system administrator
   activity.





   GEHA Response:
   “The Security Operations team has developed a daily process to review
   administrator activity reports. The          reports are reviewed, users are contacted to
   respond to questionable activities, and notations are made electronically on the report pdf
   file. The file is stored along with related correspondence. The new claims processing
   system will require different tools to track administrative access because access will
   primarily be controlled through                      It may be possible to track
   administrative access within the new application but that is unknown at this time. A tool is
   being investigated that will track user data view and that tool may provide additional
   visibility within the new claims application.         administrator activity monitoring is
   currently implemented.”

   OIG Reply:
   As part of the audit resolution process, we recommend that GEHA provide OPM’s HIO with
   samples of the reports generated to monitor        administrator activity as well as evidence
   of the review to routinely monitor system administrator activity.

3. Configuration Auditing
   GEHA performs configuration audits of its              servers. However, they do not
   adequately use the results of the audits to enhance system security. The results of the audits
   revealed numerous configuration settings that were below industry standards. To confirm
   these results, we used an automated tool to conduct a compliance audit on over 150
   production servers to determine if configuration settings were in compliance with HIPAA
   and industry standards. The results of the scan revealed major compliance issues in each
   server (the results of the scan were provided to GEHA but will not be detailed in this report
   due to the sensitive nature of the information).

   FISCAM states “Current configuration information should be routinely monitored for
   accuracy. Monitoring should address the current baseline and operational configuration of the
   hardware, software, and firmware that comprise the information system. . . . Monitoring,
   sometimes called configuration audits, should be periodically conducted to determine the
   extent to which the actual configuration item reflects the required physical and functional
   characteristics originally specified by requirements.”

   Failure to analyze the results of configuration audits and appropriately adjust software
   settings increases the risk of improper and less secure system software configuration.


   Recommendation 14
   We recommend that GEHA address the issues detected by the compliance audit and routinely
   monitor system software configuration to ensure compliance with established baselines.
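   Recommendations 12 and 14 are two halves of one control: a documented baseline, and a routine comparison of each server against it with the deviations tracked to closure. The following added example shows that comparison; it is not GEHA's baseline, tooling or scan output. The settings, servers and severities are constructed, and a setting the scan could not collect is deliberately treated as a deviation rather than ignored.

```python
"""Baseline configuration audit.

Added example (not GEHA's baseline, tooling or scan results). Every
setting name, expected value, server and observed value is constructed.
"""

# Constructed baseline: setting -> (expected value, severity if it deviates).
BASELINE = {
    "ssh.PermitRootLogin": ("no", "high"),
    "ssh.PasswordAuthentication": ("no", "medium"),
    "audit.enabled": ("yes", "high"),
    "ntp.enabled": ("yes", "low"),
    "telnet.service": ("disabled", "high"),
}

# Constructed observed settings, as an authenticated scan would collect them.
SERVERS = {
    "app01": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "audit.enabled": "yes",
        "ntp.enabled": "yes",
        "telnet.service": "disabled",
    },
    "app02": {
        "ssh.PermitRootLogin": "yes",
        "ssh.PasswordAuthentication": "no",
        "audit.enabled": "no",
        "telnet.service": "disabled",
        # ntp.enabled not collected: a missing setting is a deviation too
    },
}

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def audit_server(name, observed, baseline=BASELINE):
    """Return one deviation dict per setting that differs from baseline.
    A setting absent from the observed data counts as a deviation."""
    deviations = []
    for setting, (expected, severity) in sorted(baseline.items()):
        actual = observed.get(setting)
        if actual != expected:
            deviations.append({
                "server": name, "setting": setting,
                "expected": expected, "observed": actual, "severity": severity,
            })
    return deviations


def audit_fleet(servers, baseline=BASELINE):
    """Audit every server and summarize: per-server deviation lists,
    fleet-wide counts by severity, and non-compliant servers ordered by
    their worst deviation so remediation can be prioritized."""
    per_server = {name: audit_server(name, obs, baseline) for name, obs in servers.items()}
    counts = {"high": 0, "medium": 0, "low": 0}
    for devs in per_server.values():
        for d in devs:
            counts[d["severity"]] += 1
    noncompliant = sorted(
        (name for name, devs in per_server.items() if devs),
        key=lambda n: (-max(SEVERITY_RANK[d["severity"]] for d in per_server[n]), n),
    )
    return {"servers": per_server, "counts": counts, "noncompliant": noncompliant}


if __name__ == "__main__":
    report = audit_fleet(SERVERS)
    print("noncompliant:", report["noncompliant"], "counts:", report["counts"])
    for d in report["servers"]["app02"]:
        print(f'{d["server"]} {d["setting"]}: expected {d["expected"]}, '
              f'observed {d["observed"]} [{d["severity"]}]')
```

   Running the same comparison after every change window, and diffing the deviation lists between runs, is what turns a one-off configuration audit into the routine monitoring FISCAM describes.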

   GEHA Response:
   "The recent purchase of a security vulnerability scanning tool by the Security Operations
   team gives us the ability to scan configuration settings of individual         servers once
   authenticated to the server. Security Operations will work with the Enterprise Architecture
   to assure that appropriate settings are routinely scanned and addressed. This
   recommendation should be completed by the end of the fourth quarter of 2012."

4. Vulnerability Scanning and
   GEHA does not perform routine vulnerability scanning of its computer servers. We used an
   automated tool to conduct a vulnerability scan of GEHA's server environment to determine if
   its servers were properly secured. We discovered numerous weaknesses related to _
                                                                  (the results of the scan were
   provided to GEHA but will not be detailed in this report due to the sensitive nature of the
   information). GEHA has documented _ procedures, but they are not being
   enforced.

   We used another automated tool to conduct
   scans on GEHA's
   product any negative results. The                                    was terminated prematurely
   because it caused a disruption to GEHA's production environment. However, the limited
   results that were returned from this scan indicated that the                   may be vulnerable
   to                                                          (the results of the scan were
   provided to GEHA but will not be detailed in this report due to the sensitive nature of the
   information). We believe that the extent of the security weaknesses could be better evaluated
   by a third party company that specializes in

   FISCAM states that "Software should be scanned and updated frequently to guard against
   known vulnerabilities." NIST SP 800-53 Revision 3 states "The organization (including any
   contractor to the organization) promptly installs security-relevant software updates (e.g.,
   patches, service packs, and hot fixes). Flaws discovered during security assessments,
   continuous monitoring, incident response activities, or information system error handling, are
   also addressed expeditiously."

   Failure to promptly install _ increases the risk that vulnerabilities will not be
   remediated and unau          gain access to the system. Furthermore, the
   weakness within the _                   could be compromised, allowing unauthorized
   users access to PII.

   Recommendation 15
   We recommend that GEHA implement a process to conduct routine vulnerability scans and
   track any identified weaknesses until they are remediated.
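   The second half of Recommendation 15, tracking each weakness until it is remediated, is the part that routine scanning alone does not give you. The following added example (not GEHA's tool or process) merges successive full scans into one tracker: a finding that reappears keeps its original detection date, a finding that a later full scan no longer reports is marked remediated, a finding that comes back after that is reopened, and anything open past a severity-based window is listed as overdue. Hosts, dates, the windows and the check identifiers are constructed placeholders, not real advisory numbers.

```python
"""Tracking scan findings until they are remediated.

Added example (not GEHA's tool or process). Remediation windows, hosts,
check ids (placeholders, not real advisory numbers) and dates are
constructed.
"""
from datetime import date, timedelta

# Assumed remediation windows, in days from first detection.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


class FindingTracker:
    def __init__(self):
        self.findings = {}          # (host, check_id) -> finding record

    def ingest_scan(self, scan_date, results):
        """Merge one complete scan. `results` is an iterable of dicts with
        host, check_id, severity and title."""
        scan_date = _as_date(scan_date)
        seen = set()
        for r in results:
            key = (r["host"], r["check_id"])
            seen.add(key)
            rec = self.findings.get(key)
            if rec is None:
                self.findings[key] = {**r, "first_seen": scan_date,
                                      "last_seen": scan_date, "status": "open"}
            else:
                rec["last_seen"] = scan_date
                if rec["status"] == "remediated":
                    rec["status"] = "reopened"      # regression: the fix did not hold
                    rec["first_seen"] = scan_date
        # Anything previously open that this full scan no longer reports is
        # treated as remediated, verified by the scan itself.
        for key, rec in self.findings.items():
            if key not in seen and rec["status"] in ("open", "reopened"):
                rec["status"] = "remediated"
                rec["remediated_on"] = scan_date

    def overdue(self, today):
        """Open findings whose remediation window has elapsed, most severe
        first, as (severity, host, check_id, due date)."""
        today = _as_date(today)
        late = []
        for (host, check_id), rec in self.findings.items():
            if rec["status"] not in ("open", "reopened"):
                continue
            due = rec["first_seen"] + timedelta(days=SLA_DAYS[rec["severity"]])
            if today > due:
                late.append((rec["severity"], host, check_id, due.isoformat()))
        return sorted(late, key=lambda t: (SEVERITY_ORDER.index(t[0]), t[1], t[2]))

    def status_of(self, host, check_id):
        return self.findings[(host, check_id)]["status"]


# Constructed results for two monthly scans; CHK-001 is fixed between them.
SCAN_1 = [
    {"host": "srv1", "check_id": "CHK-001", "severity": "critical", "title": "unsupported service version"},
    {"host": "srv1", "check_id": "CHK-002", "severity": "high", "title": "missing security update"},
    {"host": "srv2", "check_id": "CHK-003", "severity": "medium", "title": "weak cipher enabled"},
]
SCAN_2 = [
    {"host": "srv1", "check_id": "CHK-002", "severity": "high", "title": "missing security update"},
    {"host": "srv2", "check_id": "CHK-003", "severity": "medium", "title": "weak cipher enabled"},
]


def demo_tracker():
    tracker = FindingTracker()
    tracker.ingest_scan("2012-05-01", SCAN_1)
    tracker.ingest_scan("2012-06-01", SCAN_2)
    return tracker


if __name__ == "__main__":
    t = demo_tracker()
    for item in t.overdue("2012-06-15"):
        print("overdue:", item)
```

   Keying on host plus check, not on the scanner's per-run result id, is what lets the tracker recognise the same weakness across scans; that is also why a finding's first-seen date, not its most recent sighting, drives the remediation clock.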

   GEHA Response:
   "A product to scan systems for vulnerabilities has recently been purchased and a project
   has been created to develop processes for scanning, notification of findings, risk
   assessment, remediation, and review. The project will focus on reducing the risk to the
   organization by implementing a routine vulnerability monitoring and remediation
   program. This recommendation should be completed by the end of the fourth quarter of
   2012."

Recommendation 16
We recommend that GEHA install the                                  that were identified in the
scan results and, in the future, improve the patch management process to ensure that _
_       are installed promptly.

GEHA Response:

                        to identify
                                        importance of developing and implementing
                                                  0                                 a.
                                                               s, determine applicability to
GEHA systems, and distribute and implement on GEHA systems to prevent and minimize
the risk of security breaches and losses. GEHA is initiating a formal
program to mitigate the risk presented by the
program will be a combination of technology in the form of                        and
deployment software and processes to identify, test and deploy software updates following a
risk-based management approach. . . . "

Recommendation 17
We recommend that GEHA contract with a third party vendor that specializes in
         vulnerability assessments to conduct a thorough _ vulnerability assessment
of its

GEHA Response:
                                                        in two diffe            /2012,
                                      to conduct a comprehensive _
                                              . The scope of the assessment included our
                                                                    . Our IT and Security
                                issues noted in that assessment. In addition, GEHA is
currently redesigning our                 and Security teams are involved in those
discussions to ensure that any open vulnerabilities or concerns are addressed in the new
design.

         we                 are addressing this issue is the purchase and implementation of
_ . Our Information Security Analysts have installed this solution and are
currently conducting configuring and testing. This tool will be used on a continuous basis
to assist security in identifying vulnerabilities affecting our infrastructure and will assist in
the risk ranking of those vulnerabilities to drive remediation priorities. The solution will
have the ability to not only alert security staff to vulnerabilities fac
but also vulnerabilities on our                   . We expect to have
in our production environment and identifying vulnerabilities by Q3 of 2012.

We feel that it is important and we plan to continue engaging a third party to conduct an
independent assessment, however due to the addition of our _ tool and
vulnerability management processes, we will be reducing the frequency of those from
annually to perhaps every other year."

   OIG Reply:
   As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with
   the following evidence: the _ vulnerability assessment and penetration test results,
   evidence of the tracking and remediation of weaknesses, evidence of the implementation of
                       and the functionality of the tool.

5. Updating System Software
   GEHA is currently running a version of                                          , that is
   not supported by the vendor. GEHA has begun the process of upgrading to a supported
   operating system, but the upgrade is not complete.

   FISCAM states that "Software should be scanned and updated frequently to guard against
   known vulnerabilities. In addition to periodically looking for software vulnerabilities and
   fixing them, security software should be kept current by establishing effective programs for
   patch management, virus protection, and other emerging threats. Also, software releases
   should be adequately controlled to prevent the use of noncurrent software.... Procedures
   should ensure that only current software releases are installed in information systems.
   Noncurrent software may be vulnerable to malicious code such as viruses and worms."

   Failure to use an operating system that is supported by the vendor increases the risk that the
   operating system contains vulnerabilities that cannot be fixed or patched.

   Recommendation 18
   We recommend that GEHA continue its efforts to upgrade the _                operating system
   to a vendor-supported version.

   GEHA Response:
   "GEHA is continuing the efforts to update the      operating systems to vendor
   supported versions. We are working through the         and custom-developed application
   dependencies which require update before the             operating systems can be
   updated. GEHA has also had to procure and implement a new                  storage
   subsystem to allow for the increased capacity needs for the testing environments for
   process and inter-operability testing."

D. Contingency Planning
  We reviewed GEHA's service continuity program to determine whether controls were in place to
  prevent or minimize damage and interruptions to business operations when disastrous events
  occur.





We evaluated GEHA's contingency planning documentation to determine whether it outlined
procedures for maintaining critical services for its members should business operations be
disrupted. The following elements of GEHA's contingency planning program were reviewed:
• Business continuity plans for several major business units including claims,
  telecommunications/customer service, and check printing;
• Disaster recovery plan for the _          claims processing system;
• Disaster recovery tests conducted in conjunction with an _     recovery site; and,
• Emergency response procedures and training.

We determined that critical elements suggested by NIST SP 800-34, "Contingency Planning
Guide for IT Systems," were addressed in the service continuity documentation reviewed.
GEHA has identified which systems and resources are critical to business operations and how to
recover those systems and resources.

GEHA does not perform a complete disaster recovery test for all systems. We were provided
evidence that GEHA routinely performs a disaster recovery test of the         at the recovery
site. However, we learned that there is no routine          the                          environment.
While the claims processing system resides on the _, the                     environment
supports other critical GEHA applications.

FISCAM states that "Testing contingency plans is essential to determining whether they will
function as intended in an emergency situation. The most useful scenarios involve
simulating a disaster situation to test overall service continuity."

Failure to perform annual disaster recovery tests on the _ decreases the
likelihood that GEHA will be able to completely restore            of a disaster.

Recommendation 19
We recommend that GEHA conduct and document an annual disaster recovery test for the
                                 all_
GEHA Response:
"GEHA has designed and implemented                      site co-location facility that will function
as the disaster recovery site for                        GEHA is currently replicating all
                    data to the site through the use of the _ data protection platform.

GEHA is scheduled to perform disaster recovery testing in Q3 of 2012. We have hired a
Manager of Enterprise Risk that will be responsible for working with IT to maintain/update
our BCP/DR plans to reflect the above changes and to assist in coordinating testing exercises.
This person is currently assisting on our claims system conversion and will be joining the
Enterprise Security and Risk Management team in Q3 of 2012. His focus will be BCP/DR and
other Enterprise Risk Management initiatives."





E. Application Controls
  Application Configuration Management
  We evaluated the policies and procedures governing software development and change control of
  GEHA's _ claims processing application.

  GEHA has a series of policies and procedures related to application configuration management.
  GEHA has adopted a traditional system development life cycle methodology that IT personnel
  follow during routine software modifications. The following controls related to testing and
  approvals of software modifications were observed:
  • GEHA has implemented change tracking software and correlating business practices that
    allow modifications to be tracked throughout the change process; and,
  • Code, unit, system, and quality testing are all conducted in accordance with industry
    standards.


  Claims Processing System
  We evaluated the input, processing, and output controls associated with _                In terms of
  input controls, we documented the policies and procedures adopted by GEHA to help ensure
  that: 1) there are controls over the inception of claims data into the system; 2) the data received
  comes from the appropriate sources; and, 3) the data is entered into the claims database correctly.
  We also reviewed GEHA's quality assurance methods for reconciling processing totals against
  input totals and for evaluating the accuracy of its processes. Finally, we examined the security of
  physical input and output (paper claims, checks, explanation of benefits, etc.).

  GEHA informed us that they are in the initial development phase of implementing a new claims
  processing system, _     This is scheduled for completion by the end of 2012.

  Provider Networks Involvement in Claims Processing
  GEHA utilizes PPO Contractor Networks                        perform functions related to claims
  input and clinical editing. One Network,                                , has responsibilities for
  input, clinical edits, and output processes. During the course of our audit, we toured the facilities
  responsible for both the input and output of GEHA's UHC claims. We determined that there are
  sufficient processes in place to ensure the effective input of claims data.

  GEHA sends                                    then prints provider checks from a GEHA bank
  account. However, GEHA and              do not reconcile the quantity and dollar amount of checks
  printed to the original submission by GEHA.

  Without a reconciliation of the actual checks printed by . to those submitted by GEHA, there
  is an increased likelihood that improper claim payments will go undetected.

  Recommendation 20
  We recommend that GEHA, in collaboration with .            develop a process to reconcile printed
  checks.




GEHA Response:
“We have initiated a project with our Project Management Department and have assembled a
team to address this recommendation. We plan to coordinate with        and have a
reconciliation process implemented once we have identified and created the necessary internal
reporting.”

Enrollment
We evaluated GEHA’s procedures for managing its database of member enrollment data. GEHA
receives its enrollment data via fax, mail, and electronic update files. The majority of enrollment
information is received electronically (about 70%) and is inputted into the database
automatically. Enrollment information is otherwise inputted manually into the database.
Information that is manually entered into the system is audited by enrollment specialists. Daily
error reports are generated for managers to view as a part of the employee performance
evaluation as well as used during the audit process by the enrollment specialists.

GEHA receives an e-mail attachment containing the quantity and type of enrollment file
transmissions; however, at the time of the audit GEHA did not have a process to reconcile what
is sent and what is actually received. As a result of our audit GEHA stated that it will begin a
reconciliation process using the e-mail attachment and the files received.
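The check-printing reconciliation of Recommendation 20 and the enrollment-file reconciliation described just above are the same control applied to two data flows: compare what was sent against what came back, and report every way the two differ. The following added example (not GEHA's process, nor anything from the network or the report) implements both: for a check run it compares count, dollar total and each individual check; for enrollment transmissions it compares the per-type counts in the sender's notification against the files on hand. The check numbers, amounts, file types and file names are constructed.

```python
"""Reconciling what was sent against what was produced or received.

Added example (not GEHA's process). All check numbers, amounts, file
types and file names below are constructed.
"""
from collections import Counter
from decimal import Decimal


def reconcile_check_run(submitted, printed):
    """submitted/printed: iterables of (check_number, amount), amounts as
    strings so they convert exactly to Decimal. Reports counts, totals
    and the three ways a run can fail to balance: checks submitted but
    not printed, checks printed that were never submitted, and checks
    printed for a different amount."""
    sub = {num: Decimal(amt) for num, amt in submitted}
    pr = {num: Decimal(amt) for num, amt in printed}
    common = set(sub) & set(pr)
    result = {
        "submitted_count": len(sub),
        "printed_count": len(pr),
        "submitted_total": sum(sub.values(), Decimal("0")),
        "printed_total": sum(pr.values(), Decimal("0")),
        "not_printed": sorted(set(sub) - set(pr)),
        "unexpected": sorted(set(pr) - set(sub)),
        "amount_mismatch": sorted(n for n in common if sub[n] != pr[n]),
    }
    result["balanced"] = not (result["not_printed"] or result["unexpected"]
                              or result["amount_mismatch"])
    return result


def reconcile_transmissions(manifest, received):
    """manifest: {file_type: count} from the sender's notification;
    received: iterable of (file_type, file_name) actually on hand.
    Returns the types whose announced and received counts differ."""
    got = Counter(ftype for ftype, _name in received)
    discrepancies = {
        ftype: (manifest.get(ftype, 0), got.get(ftype, 0))
        for ftype in set(manifest) | set(got)
        if manifest.get(ftype, 0) != got.get(ftype, 0)
    }
    return {"discrepancies": discrepancies, "balanced": not discrepancies}


# Constructed sample data: one mismatched amount, one missing, one extra.
SUBMITTED_CHECKS = [("1001", "100.00"), ("1002", "250.50"), ("1003", "75.25")]
PRINTED_CHECKS = [("1001", "100.00"), ("1002", "205.50"), ("1004", "75.25")]
MANIFEST = {"ADD": 3, "CHANGE": 2}
RECEIVED_FILES = [("ADD", "add_0401a.txt"), ("ADD", "add_0401b.txt"),
                  ("CHANGE", "chg_0401a.txt"), ("CHANGE", "chg_0401b.txt")]


if __name__ == "__main__":
    r = reconcile_check_run(SUBMITTED_CHECKS, PRINTED_CHECKS)
    print("check run balanced:", r["balanced"], r["submitted_total"], r["printed_total"])
    print("transmissions:", reconcile_transmissions(MANIFEST, RECEIVED_FILES))
```

Comparing totals alone is not enough: in the constructed run the counts match (three and three) while one check is missing, one is extra and one is for the wrong amount, which is why the per-check comparison is reported alongside the totals.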

There were no further concerns regarding GEHA’s enrollment policies, process and procedures.

Debarment
GEHA has adequate procedures for updating its claim system with debarred provider
information, but it does not routinely audit its debarment database for accuracy.

GEHA downloads the OPM OIG debarment list every month and compares it to its provider
maintenance file. Any debarred providers that appear in GEHA’s provider master database are
flagged to prevent claims submitted by that provider from being processed by the claims
processing system.

However, this process is done manually, and GEHA does not do a full reconciliation of the
debarment list with its provider master database.

Failure to audit the accuracy of the debarment file increases the risk that claims are being paid to
providers that are debarred.

Recommendation 21
We recommend that GEHA implement an audit process for the full debarment file.
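As an added example of the full reconciliation Recommendation 21 asks for (not GEHA's process, and using constructed names and identifiers rather than any real debarment data), the following Python compares every provider master record against every debarment entry, matching on tax identifier first and on a normalized name second, and separates the result into providers that must be flagged, flags that are confirmed, and flags with no current match that need a reviewer's attention.

```python
"""Full reconciliation of a debarment list against a provider master file.

Added example (not GEHA's process). Provider names, identifiers and
flags below are constructed.
"""
import re


def normalize_name(name):
    """Upper-case and strip punctuation and spaces so that
    'Acme Medical Supply, Inc.' and 'ACME MEDICAL SUPPLY INC' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", name.upper())


def normalize_tin(tin):
    """Keep digits only; None or an empty identifier normalizes to ''."""
    return re.sub(r"\D", "", tin or "")


def reconcile_debarment(debarment_list, provider_master):
    """Compare every provider to the whole debarment list (not a sample).
    Returns providers to flag (with the match basis), flags confirmed by a
    current match, and flagged providers with no match, for review."""
    by_tin = {normalize_tin(d["tin"]): d for d in debarment_list if normalize_tin(d["tin"])}
    by_name = {normalize_name(d["name"]): d for d in debarment_list}
    to_flag, confirmed, flag_without_match = [], [], []
    for p in provider_master:
        match = by_tin.get(normalize_tin(p.get("tin")))
        basis = "tin"
        if match is None:
            match = by_name.get(normalize_name(p["name"]))
            basis = "name"      # weaker evidence; a reviewer should confirm
        if match and not p["debarred_flag"]:
            to_flag.append((p["provider_id"], basis))
        elif match and p["debarred_flag"]:
            confirmed.append(p["provider_id"])
        elif p["debarred_flag"]:
            flag_without_match.append(p["provider_id"])
    return {"to_flag": to_flag, "confirmed": confirmed,
            "flag_without_match": flag_without_match}


# Constructed debarment list and provider master records.
DEBARMENT_LIST = [
    {"name": "Acme Medical Supply, Inc.", "tin": "12-3456789"},
    {"name": "Beta Clinic, L.L.C.", "tin": ""},
]
PROVIDER_MASTER = [
    # Name differs from the list but the TIN matches: must be flagged.
    {"provider_id": "P001", "name": "ACME MED SUPPLY INC", "tin": "123456789", "debarred_flag": False},
    # No TIN on either side; matched on normalized name, already flagged.
    {"provider_id": "P002", "name": "Beta Clinic LLC", "tin": None, "debarred_flag": True},
    # Flagged in the master file but absent from the current list.
    {"provider_id": "P003", "name": "Gamma Health Partners", "tin": "987654321", "debarred_flag": True},
    {"provider_id": "P004", "name": "Delta Physicians Group", "tin": "555000111", "debarred_flag": False},
]


if __name__ == "__main__":
    for bucket, items in reconcile_debarment(DEBARMENT_LIST, PROVIDER_MASTER).items():
        print(f"{bucket}: {items}")
```

Reporting the match basis matters: a TIN match is strong enough to flag automatically, while a name-only match is where false positives come from and should be confirmed before claims from that provider are stopped.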

GEHA Response:
“GEHA does currently perform a monthly 3% audit on our full debarment file. However,
based on the recommendation of OPM, we have increased the audit to 100% of the full
debarment file effective April 15, 2012.”




OIG Reply:
As part of the audit resolution process, we recommend that GEHA provide OPM’s HIO with
evidence of the monthly audit of the debarment file for a period of three months.

Application Controls Testing
To validate claims processing controls, a testing exercise was conducted on the GEHA
             system. This test was conducted at GEHA’s Independence, Missouri facility with
the assistance of GEHA personnel. The exercise involved processing claims designed with
inherent flaws in the test environment of the claims adjudication application. Upon conclusion
of the testing exercise, the expected results were compared with the actual results obtained
during the exercise.

The sections below document the opportunities for improvement that were noted related to
application controls. GEHA intends to replace            with a new claims processing system
called         The recommendations contained within this section are directed toward this new
system.

1. Clinical Edits
   We submitted a hospital claim for a male with a diagnosis of postmenopausal bleeding and a
   procedure code for a total abdominal hysterectomy. This claim was processed and paid
   without encountering any system edits, despite the fact that this procedure could not be
   performed on a male. We were informed by GEHA that                     does not have any
   clinical edits in place for hospital claims. This was a prior recommendation in 2005.

   This system weakness increases the risk that benefits are being paid for procedures
   associated with a diagnosis that may not warrant such treatment.

   Recommendation 22
   We recommend that GEHA ensure that comprehensive medical edits are incorporated into
   the development of the new    claims processing system.

   GEHA Response:
   “Our review of the          System and the new clinical editor has shown that
   does not currently have edits for inpatient hospital claims. This specific claim example
   would not be captured in any of the edits. We will investigate the system capabilities of
   creating the configuration to assist in up front identification of these claims. There are
              edits for outpatient hospital claims.

   For the professional claim example, we have test cases developed to review diagnosis to
   procedure code edits. The system can then be coded to pend, deny, or use a warning
   message.

   We have not received the latest version of           to test at this time. We will add these
   examples to our requirements and set up specific test cases to test capabilities to ensure
   accurate processing . . . .”

   OIG Reply:
   The lack of clinical edits in GEHA’s claims processing system extends back to a prior OPM
   OIG audit from 2005. Clinical edits are a necessary element of implementing a new claims
   processing system. We continue to recommend that GEHA make the appropriate system
   modifications to ensure clinical edits are implemented for both professional and facility
   claims. As part of the audit resolution process, we recommend that GEHA provide OPM’s
   HIO with appropriate supporting documentation indicating its progress in successfully
   implementing these modifications.

2. Therapy Visit Counter
   Procedure codes for therapy visits indicate a specific length of time of the services provided.
   The benefit structure only allows 2 hours per visit in addition to limiting the number of visits
   per year to 60. GEHA is not appropriately calculating the length of time per visit.

   The OIG submitted a series of claims to test                 ability to limit physical and
   occupational therapy visits to 60 per calendar year. While the system is configured to stop
   paying claims after 60 visits, we submitted a visit for 2.25 hours, and it was counted as 1 visit
   rather than two.

   This system weakness increases the risk that providers are paid for rendering non-covered
   services.

   Recommendation 23
   We recommend that GEHA ensure that the appropriate system modifications be incorporated
   into the      claims processing system to ensure that therapy benefits are limited in
   accordance with the plan brochure.

   GEHA Response:
   “GEHA agrees with the recommendation to ensure this is addressed in the conversion to
           However, between now and the time of conversion to         we have implemented
   interim procedures in the Claims Department to adjudicate claims correcting the
   calculation of time per visit.”

   OIG Reply:
   As part of the audit resolution process, we recommend that GEHA provide OPM’s HIO with
   supporting documentation for the interim process showing that therapy claims are
   automatically detected for manual review/calculation. Furthermore, we recommend GEHA
   provide evidence of the implementation of these edits in place in the     claims
   processing system.

3. Overlapping Hospital Stays
   The        system paid duplicate room and board charges on test claims for a member
   with two overlapping hospital stays.

   The system does not have edits in place to prevent both room and board and intensive care
   charges for the same time period. We submitted a claim for an intensive care room and a
   subsequent claim for a semi-private room at the same facility on the same day. We were
   informed by GEHA representatives that        only looks at the revenue code for
   duplicate billing. As long as different revenue codes are used, the system will never detect
   multiple claims containing overlapping dates of service for hospital stays.

   This system weakness increases the risk that hospitals are being paid for duplicate room and
   board expenses.

   Recommendation 24
   We recommend that GEHA ensure that the appropriate system configurations are made to
          to prevent duplicate payments for claims with overlapping dates of service.

   GEHA Response:
   “GEHA agrees with the recommendation and will explore the system configuration
   available in        to ensure accurate claim processing.”

4. OBRA 90 Pricer
   GEHA is pricing OBRA90 claims with outdated versions of the        program.

   We entered several test claims subject to OBRA90 pricing into the        system. The
   system suspended all of the claims for OBRA90 pricing (also referred to as diagnosis-related
   group or DRG pricing), and the GEHA claims adjudicator priced each claim using the
          .

   We also independently priced each claim using the most recent versions of the
   programs, and compared the Medicare DRG amount produced to that calculated by the
   GEHA adjudicator. All of the test claims processed by GEHA were priced accurately;
   however, we received screenprints of the          from GEHA which indicated GEHA was
   not using the most current version of the

   Failure to promptly provide claims adjudicators with updated versions of the
   program increases the risk that GEHA is pricing OBRA90 claims inaccurately.

   Recommendation 25
   We recommend that GEHA implement procedures to ensure that OBRA90 claims are priced
   with the correct version of the

     GEHA Response:
     “GEHA agrees with the recommendation and is taking steps to ensure that the adjusters
     have access to the most current version of the OBRA 90 Pricer before claims processing.
     This will include working more closely with the IT area to ensure timely loading of the
     current version, while considering whether claims may need to be held in the interim to
     prevent claim payment issues.”

  5. Manual Processing of Claims
     A significant portion of claims processed by GEHA are processed manually, including all
     hospital, anesthesiology, and renal failure claims.

     The amount of manual effort required by adjudicators to process claims greatly increases the
     risk that these claims are processed incorrectly.

     Recommendation 26
     We recommend that GEHA ensure that the appropriate system configurations are made to
            to ensure that a reduced manual effort is required by claims adjudicators to process
     claims.

     GEHA Response:
     “GEHA is exploring every opportunity to reduce manual processes. Conversion to the
            system will facilitate our goals in this area. While our conversion to      is still in
     the ‘build’ phase, we have already identified several areas of opportunity where reduced
     manual effort will be realized . . . . ”
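The three claim-level edits exercised in items 1 through 3 above (the sex/procedure clinical edit, the therapy visit counter that turns a 2.25-hour visit into two visits, and an overlapping-stay check keyed on dates of service rather than revenue codes), modelled as an added Python example; this is not GEHA's code or the claims system's own logic, and every procedure code, revenue code, member identifier and date in it is a constructed placeholder.

```python
"""Model of the three claim-level edits the OIG exercised: a sex/procedure
clinical edit, a therapy visit counter that turns billed time into visits,
and an overlapping-stay edit keyed on dates of service rather than revenue
codes. Illustrative code added here, not GEHA's or its claims system's own
logic; every code, identifier and date below is a constructed placeholder."""
from dataclasses import dataclass, field
from datetime import date
import math

# Constructed placeholder codes (real CPT/revenue codes are not on the page).
SEX_RESTRICTED_PROCEDURES = {"HYST-TOTAL": "F"}   # procedure -> required sex
THERAPY_UNIT_CODES = {"PT-15MIN", "OT-15MIN"}     # one billed unit = 15 minutes
ROOM_AND_BOARD_REVENUE = {"RB-SEMIPRIVATE", "RB-ICU"}
HOURS_PER_VISIT = 2.0          # plan brochure: at most 2 hours per visit
VISITS_PER_YEAR = 60           # plan brochure: at most 60 visits per year


@dataclass
class Claim:
    claim_id: str
    member_id: str
    member_sex: str            # "M" or "F"
    service_from: date
    service_to: date
    procedure: str = ""
    revenue_code: str = ""
    units: int = 0             # 15-minute units for therapy codes


@dataclass
class EditEngine:
    """Holds the per-member history the counter and overlap edits need."""
    visits: dict = field(default_factory=dict)  # (member, year) -> visits used
    stays: dict = field(default_factory=dict)   # member -> [(from, to, claim_id)]

    def clinical_edit(self, c: Claim) -> list[str]:
        """Pend a procedure that cannot be performed on a member of this sex."""
        required = SEX_RESTRICTED_PROCEDURES.get(c.procedure)
        if required and required != c.member_sex:
            return [f"CLINICAL: {c.procedure} not valid for sex {c.member_sex}"]
        return []

    def therapy_edit(self, c: Claim) -> list[str]:
        """Convert billed time into visits (2.25 h -> 2 visits) and only
        then apply the 60-visit annual limit."""
        if c.procedure not in THERAPY_UNIT_CODES or c.units <= 0:
            return []
        hours = c.units * 15 / 60
        visits = math.ceil(hours / HOURS_PER_VISIT)   # time beyond 2 h is a new visit
        key = (c.member_id, c.service_from.year)
        used = self.visits.get(key, 0)
        if used + visits > VISITS_PER_YEAR:
            return [f"THERAPY: {used + visits} visits exceeds {VISITS_PER_YEAR}/year"]
        self.visits[key] = used + visits
        return []

    def overlap_edit(self, c: Claim) -> list[str]:
        """Flag room and board for dates already covered by another stay,
        whatever revenue code the earlier claim carried."""
        if c.revenue_code not in ROOM_AND_BOARD_REVENUE:
            return []
        for start, end, prior_id in self.stays.get(c.member_id, []):
            if c.service_from <= end and start <= c.service_to:   # intervals overlap
                return [f"OVERLAP: dates overlap stay on claim {prior_id}"]
        self.stays.setdefault(c.member_id, []).append(
            (c.service_from, c.service_to, c.claim_id))
        return []

    def adjudicate(self, c: Claim) -> list[str]:
        """Returns the edits fired; an empty list means the claim auto-pays."""
        return self.clinical_edit(c) + self.therapy_edit(c) + self.overlap_edit(c)


def run_oig_test_cases() -> dict:
    """Replays the report's three test scenarios on constructed claims."""
    eng = EditEngine()
    d = date(2012, 3, 1)
    results = {}
    # 1. Hospital claim: male member, total abdominal hysterectomy.
    results["hysterectomy_male"] = eng.adjudicate(
        Claim("C1", "M001", "M", d, d, procedure="HYST-TOTAL"))
    # 2. A 2.25-hour therapy visit (9 units) must count as two visits.
    eng.adjudicate(Claim("C2", "M002", "F", d, d, procedure="PT-15MIN", units=9))
    results["visits_after_2_25h"] = eng.visits[("M002", 2012)]
    # 58 one-hour visits bring the member to the 60-visit limit; the next one pends.
    for i in range(58):
        eng.adjudicate(Claim(f"C2-{i}", "M002", "F", d, d, procedure="PT-15MIN", units=4))
    results["visits_at_limit"] = eng.visits[("M002", 2012)]
    results["visit_61"] = eng.adjudicate(
        Claim("C3", "M002", "F", d, d, procedure="PT-15MIN", units=4))
    # 3. ICU stay, then a semi-private room at the same facility on an overlapping
    #    date; a check that only compares revenue codes would miss this pair.
    eng.adjudicate(Claim("C4", "M003", "M", date(2012, 3, 1), date(2012, 3, 3),
                         revenue_code="RB-ICU"))
    results["overlapping_stay"] = eng.adjudicate(
        Claim("C5", "M003", "M", date(2012, 3, 3), date(2012, 3, 5),
              revenue_code="RB-SEMIPRIVATE"))
    return results
```

Calling run_oig_test_cases() returns the edits fired for each scenario; an empty list would mean the claim passed through to payment, which is the outcome the report describes for the unedited system.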

F. Health Insurance Portability and Accountability Act
  The OIG reviewed GEHA’s efforts to maintain compliance with the security and privacy
  standards of HIPAA.

  GEHA has implemented a series of IT security policies and procedures to adequately address the
  requirements of the HIPAA security rule. GEHA has also developed a series of privacy policies
  and procedures that directly address all requirements of the HIPAA privacy rule. The plan has
  a designated Privacy Official who has the responsibility of ensuring compliance with HIPAA
  Privacy and GEHA’s HIPAA Privacy policies. GEHA employees receive HIPAA-related
  training during new hire orientation, as well as annual refresher training.

  Nothing came to our attention that caused us to believe that GEHA is not in compliance with the
  various requirements of HIPAA regulations.

                     III. Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. The following individuals participated in the audit
and the preparation of this report:
•                     , Group Chief
•                        , Senior Team Leader
•                 , Auditor In Charge
•                   , IT Auditor
•                 , IT Auditor

                                       Appendix

                           The Benefits of Better Health

May 10, 2012


Auditor in Charge
Information Systems Audits Group
Office of the Inspector General
1900 E Street, NW Room 6400
Washington, DC 20415-1100




We have completed our review of the report for the Audit of Information Systems
General and Application Controls at Government Employees Health Association (GEHA)
dated March 14, 2012. The following are our responses for each recommendation that
was presented in the report.


Recommendation 1
We recommend GEHA develop a rules of behavior agreement and require all employees
to sign the document.

GEHA Response
GEHA has an extensive orientation process where new hires are trained on various
policies and procedures and are required to sign Acknowledgement of Responsibility
forms. These acknowledgements encompass what one rules of behavior document
would address.

   1. Acknowledgement of GEHA Code of Ethics.
            a. Confidentiality Agreement which is required upon hire and annually
               thereafter. The Confidentiality agreement ensures the employee to keep
               GEHA proprietary and health information confidential and to report any
               accidental or intentional disclosure.
            b. HR Policy 5-05 - Code of Ethics which includes a section on
               'compromising computer security'
   2. Acknowledgement of Responsibility for HIPAA confidentiality of patient
      information. This is required upon hire and thereafter when additional training
      is given.
            a. HIPAA Policy 210 - Confidentiality and Security of Patient Information -
               Employee Breach and Disciplinary Action.
            b. HIPAA Policy 215 - Breach Reporting, Investigation and Notification
               Requirements.
   3. Acknowledgement of GEHA Information Protection Policy.
            a. HR Policy 5-35 – Information Protection. This policy covers all information in any
               form and from any system.
            b. HIPAA Policy 840 – Internet and Software Acceptable Use Policy

                     Government Employees Health Association, Inc.
         P.O. Box 4665 • Independence, MO 64051-4665 • Telephone (800) 821-6136
                                     www.geha.com


Recommendation 2
We recommend that GEHA reassess its facilities’ physical access management and implement
controls that will ensure proper physical security. At a minimum, GEHA should implement

                                                                t data center entrances.

GEHA Response
GEHA is currently reassessing facilities access at all of our locations and adding the following
controls to increase physical security.




   2) Data Center – Multi-Factor Authentication at Entrance (COMPLETED) - Access to
       GEHA’s data center at our 310 building requires both an access badge as well as the
       code to a cipher lock built into the door. The addition of the cipher lock was completed
       in September of 2011.

   3)




   4)





   5)





Recommendation 3
We recommend that GEHA implement physical controls to prevent employees that only require
access to the

GEHA Response
GEHA continues to keep this area locked during non-business hours and corrected this concern
in October 2011 by installing a latching system on the inside of the storage area that prevents
unsupervised access.


Recommendation 4
We recommend that GEHA implement a process to monitor and track access to claim files (in
the mail sort room).

GEHA Response
The area where the claims are kept is separated from the                              by a locked
door. Access to this area is restricted to a limited number of claims clerical staff. There are no
sign out procedures because claims leave this area only to be copied and immediately returned
to the locked room.


Recommendation 5
We recommend GEHA conduct a detailed access review audit of                  user accounts to
identify accounts with inappropriate access.

GEHA Response
GEHA Security Operations has taken multiple steps to better control             access. We
have reviewed access for users with administrative access and have removed access that was
inappropriate or no longer needed. To better establish and control access, we have developed a
series of user templates that determine access by position. In doing so we have consulted with
managers to verify access and remove any unneeded access. We have developed reporting

from our payroll department that will allow us to better track users as they move within the
organization or terminate. We have reviewed all previously terminated users to assure that all
access has been removed. For auditing purposes it is necessary to leave IDs for terminated
employees in place, however, all access to the ID is removed, the account is locked, and the
associated       user id is removed. This activity has been completed.


Recommendation 6
We recommend that GEHA configure its intrusion detection tools to optimize their capabilities.

GEHA Response
GEHA uses a            firewall that includes intrusion detection capabilities. The intrusion
detection capabilities were recently activated and are being monitored to determine
effectiveness in detecting known attacks.              are updated regularly to assure that
detection capabilities are current. The Security Operations team will assist the Enterprise
Architecture team in fine-tuning the detection capabilities as monitoring reveals changes that
can be made to improve the system's response.



Recommendation 7
We recommend that GEHA implement                                   for remote access.

GEHA Response
GEHA has taken steps to purchase and implement                                       for remote
access users. Remote web access to GEHA resources forces                                to
GEHA's        environment using                                                  . This project
has been completed for all users with remote access.


Recommendation 8
We recommend that GEHA document a process for ensuring application access is granted with
proper segregation of duties and implement the process for all major applications.

Response
GEHA has taken steps to identify duties within the claims processing area and has defined those
activities that present a potential violation of the segregation of duties.        access has
been reviewed and conflicting access removed. Other applications have initially been
configured to reduce conflicts, but currently need to be reviewed and any conflicts removed.
Expected completion of this activity is by the end of the fourth quarter of 2012.

GEHA’s Internal Audit Department performs an annual audit of access rights on major
applications for employees who have terminated or transferred positions.


Recommendation 9
We recommend that GEHA expand the access recertification process to all major applications.

Response
The GEHA Security Operations team is in the process of working with managers to develop
                                             and major applications. During the process we are
aligning current access of individuals to templates created for the role or job title they hold.
Managers are reviewing access changes to align with templates created. Going forward the
Security Operations team will use these application reports and templates to verify with
management the access of all employees at least annually.

Recommendation 10
We recommend that GEHA implement a process to log and review user activity within its
applications.

Response
The Security Operations team has developed a daily process to review           violation reports.
                                                              . Violation reports for
and other applications are not available at this time.      reports are reviewed, users are
contacted to respond to violations, and notations are made electronically on the report pdf file.
The file is stored along with related correspondence. This process is currently implemented.


Recommendation 11
We recommend that GEHA program the new claims processing system to use randomly
generated temporary passwords for users who need to establish new accounts and users who
lock themselves out of the system. The passwords should be automatically emailed to the user
requesting access.

Response
The Security Operations team will review current practices for creating             IDs and
modify the process as necessary adding steps to require interaction with the Help Desk before a
user id is activated for first use. The new claims system uses authentication based on
                  where users will automatically authenticate to                  as they activate
the application client.                   password management will be reviewed and changes
made as necessary to randomize initial passwords. A password self-service tool will be
investigated to see if it provides a more secure method for changing initial or forgotten
passwords. Changes to processes will be completed by the fourth quarter of 2012.


Recommendation 12
We recommend that GEHA formally document baseline configurations for its hardware,
software, and firmware.


Response
GEHA is addressing secure baseline configuration in a three-phase approach. Each phase will
document the system function, inventory, configurations and security hardening requirements.
For the initial phase, GEHA is focusing on
                                                                                                 .
The second phase will extend into higher levels of the architecture including but not limited to
                                                         . The final phase will be a granular view
of the business applications that utilize the architecture detailed in the first two phases such as



Recommendation 13
We recommend that GEHA implement a process to routinely monitor system administrator
activity.

Response
The Security Operations team has developed a daily process to review            administrator
activity reports. The       reports are reviewed, users are contacted to respond to questionable
activities, and notations are made electronically on the report pdf file. The file is stored along
with related correspondence. The new claims processing system will require different tools to
track administrative access because access will primarily be controlled through
It may be possible to track administrative access within the new application but that is
unknown at this time. A tool is being investigated that will track user data view and that tool
may provide additional visibility within the new claims application.        administrator activity
monitoring is currently implemented.


Recommendation 14
We recommend that GEHA address the issues detected by the compliance audit and routinely
monitor system software configuration to ensure compliance with established baselines.

Response
The recent purchase of a security vulnerability scanning tool by the Security
Operations team gives us the ability to scan configuration settings of individual
servers once authenticated to the server. Security Operations will work with the Enterprise
Architecture to assure that appropriate settings are routinely scanned and addressed. This
recommendation should be completed by the end of the fourth quarter of 2012.


Recommendation 15
We recommend that GEHA implement a process to conduct routine vulnerability scans and
track any identified weakness until they are remediated.



Response
A product to scan systems for vulnerabilities has recently been purchased and a project has
been created to develop processes for scanning, notification of findings, risk assessment,
remediation, and review. The project will focus on reducing the risk to the organization by
implementing a routine vulnerability monitoring and remediation program. This
recommendation should be completed by the end of the fourth quarter of 2012.


Recommendation 16
We recommend that GEHA install the                                  that were identified in the
scan results and, in the future, improve the          management process to ensure that
         are installed promptly.

Response
GEHA recognizes the need and importance of developing and implementing a
                          to identify                                  , determine applicability to
GEHA systems, and distribute and implement on GEHA systems to prevent and minimize the
risk of security breaches and losses. GEHA is initiating a formal                                  to
mitigate the risk presented by the                                           . The program will be a
combination of technology in the form of                         and deployment software and
processes to identify, test and deploy software updates following a risk-based management
approach.




Recommendation 17
We recommend that GEHA contract with a third party vendor that specializes in
         vulnerability assessments to conduct a thorough         vulnerability assessment
of its                         .

Response
GEHA is addressing                   vulnerabilities in two different ways. In late 2012, we
engaged a third-party,            to conduct a comprehensive                      vulnerability
assessment and penetration test. The scope of the assessment included our
                                                      . Our IT and Security teams are actively
remediating issues noted in that assessment. In addition, GEHA is currently redesigning our
                and Security teams are involved in those discussions to ensure that any open
vulnerabilities or concerns are addressed in the new design.
The second way we are addressing this issue is the purchase and implementation of
            Our Information Security Analysts have installed this solution and are currently
conducting configuring and testing. This tool will be used on a continuous basis to assist
security in identifying vulnerabilities affecting our infrastructure and will assist in the risk
ranking of those vulnerabilities to drive remediation priorities. The solution will have the ability
to not only alert security staff to vulnerabilities facing our              e, but also
vulnerabilities on our                   . We expect to have            fully deployed in our
production environment and identifying vulnerabilities by Q3 of 2012.

We feel that it is important and we plan to continue engaging a third party to conduct an
independent assessment, however due to the addition of our              tool and vulnerability
management processes, we will be reducing the frequency of those from annually to perhaps
every other year.


Recommendation 18
We recommend that GEHA continue their efforts to upgrade the                    operating system
to a vendor-supported version.

Response
GEHA is continuing the efforts to update the              operating systems to vendor-
supported versions. We are working through the         and custom-developed application
dependencies which require update before the                 operating systems can be updated.

GEHA has also had to procure and implement a new                storage subsystem to allow for
the increased capacity needs for the testing environments for process and inter-operability
testing.


Recommendation 19
We recommend that GEHA conduct and document an annual disaster recovery test for the
                    .

Response
GEHA has designed and implemented a secured off-site co-location facility that will function as
the disaster recovery site for all               GEHA is currently replicating all
        data to the site through the use of the        data protection platform.

GEHA is scheduled to perform disaster recovery testing in Q3 of 2012. We have hired a
Manager of Enterprise Risk that will be responsible for working with IT to maintain/update our
BCP/DR plans to reflect the above changes and to assist in coordinating testing exercises. This
person is currently assisting on our claims system conversion and will be joining the Enterprise
Security and Risk Management team in Q3 of 2012. His focus will be BCP/DR and other
Enterprise Risk Management initiatives.

Recommendation 20
We recommend that GEHA, in collaboration with         , develop a process to reconcile printed
checks.

Response
We have initiated a project with our Project Management Department and have assembled a
team to address this recommendation. We plan to coordinate with       and have a
reconciliation process implemented once we have identified and created the necessary internal
reporting.

Recommendation 21
We recommend that GEHA implement an audit process for the full debarment file.

Response
GEHA does currently perform a monthly 3% audit on our full debarment file. However, based
on the recommendation of OPM, we have increased the audit to 100% of the full debarment
file effective April 15, 2012.


Recommendation 22
We recommend that GEHA ensure that comprehensive medical edits are incorporated into the
development of the new     claims processing system.

Response
Our review of the          System and the new clinical editor has shown that             does not
currently have edits for inpatient hospital claims. This specific claim example would not be
captured in any of the edits. We will investigate the system capabilities of creating the
configuration to assist in up front identification of these claims. There are           edits for
outpatient hospital claims.

For the professional claim example, we have test cases developed to review diagnosis to
procedure code edits. The system can then be coded to pend, deny, or use a warning message.

We have not received the latest version of           to test at this time. We will add these
examples to our requirements and set up specific test cases to test capabilities to ensure
accurate processing.

The OIG finding included the following information – “GEHA informed us that for professional
claims, clinical edits produce warning messages rather than having hard edits in place to
prevent the claim from processing. If these claims are submitted electronically, they could be
batched and subsequently processed and paid without a processor ever seeing that warning
message.”



GEHA response - GEHA does not allow claims with these Clinicalogic warning messages to pass
through batch, rather they are pended to the adjustor for additional review.


Recommendation 23
We recommend that GEHA ensure that the appropriate system modifications be incorporated
into the      claims processing system to ensure that therapy benefits are limited in
accordance with the plan brochure.

Response
GEHA agrees with the recommendation to ensure this is addressed in the conversion to
However, between now and the time of conversion to          we have implemented interim
procedures in the Claims Department to adjudicate claims correcting the calculation of time
per visit.


Recommendation 24
We recommend that GEHA ensure that the appropriate system configurations are made to
      to prevent duplicate payments for claims with overlapping dates of service.

Response
GEHA agrees with the recommendation and will explore the system configuration available in
      to ensure accurate claim processing.


Recommendation 25
We recommend that GEHA implement procedures to ensure that OBRA90 claims are priced
with the correct version of the

Response
GEHA agrees with the recommendation and is taking steps to ensure that the adjusters have
access to the most current version of the OBRA 90 Pricer before claims processing. This will
include working more closely with the IT area to ensure timely loading of the current version,
while considering whether claims may need to be held in the interim to prevent claim payment
issues.


Recommendation 26
We recommend that GEHA ensure that the appropriate system configurations are made to
        to ensure that a reduced manual effort is required by claims adjudicators to process
claims.




Response
GEHA is exploring every opportunity to reduce manual processes. Conversion to the
system will facilitate our goals in this area. While our conversion to        is still in the ‘build’
phase, we have already identified several areas of opportunity where reduced manual effort
will be realized:

    • With the addition of                                  we expect improvements in automated
      hospital and anesthesia processing.
    • We will be using revenue coding which is required by some PPO networks. This will be
      loaded from the electronic claim and added to the processes in our data entry area.
      With this information, pricing can be applied through        allowing more claims to
      auto-adjudicate.
    • For PPO USA hospitals and facilities that use a complex rate, they will be priced with
             and auto-adjudicated.
    • Authorizations for hospital stays will be loaded into        and then matched to the
      specific claim they represent. This will reduce manual review of the authorization and
      allow auto-adjudication of hospital stays and outpatient services.
    • ASA codes and the associated units are also being loaded into the pricing software, as
      well as configuration of the time units, so that auto-calculation can be performed.
    • National Contracts pricing is also loaded in        reducing the manual pricing that is
      required today.
                                                                                                         I
Conclusion
We are disappointed in the results of the audit; however, we were making progress to update
and improve our information systems infrastructure. We have filled several key positions
within the last year to expand our expertise and have added staff to address weaknesses that
were noted in the OIG's report. Prior to the start of the audit we formed an Enterprise Security
and Risk Management Department that is independent of the IT Department and reports
directly to me. The Enterprise Security and Risk Management Department is responsible for
establishing security policies, assessing vulnerabilities and working with Information Systems
management to remediate weaknesses in internal controls.

We thank you and your staff for your assistance in identifying the areas needing improvement
and we are working diligently to resolve these issues.

Sincerely,




Richard G. Miles
President




Attachments: Audit Report Draft

CC:	_____, Chief of Health Insurance II Insurance Operations
	_____, Chief of Program Planning and Evaluation
	Eileen Hutchinson, GEHA VP - CFO
	_____, GEHA VP – Claims
	_____, GEHA VP – Enterprise Security and Risk Management
	_____, GEHA Manager of Internal Audit



