UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the June 27, 2011
Inspector General
MEMORANDUM FOR JOHN BERRY
Director
FROM: PATRlCK E. McFARLAND
Inspector General
SUBJECT: Follow-up Review of Information Systems General and Application
Controls at American Postal Workers Union Health Plan (Report No.
IB-47-00-11-044)
The purpose of this memorandum is to communicate to you the findings and conclusions
resulting from our follow-up review of information systems general and application controls
conducted at American Postal Workers Union Health Plan (APWU). We initiated the review
because of concerns regarding several instances of premature closure of recommendations
stemming from information technology (IT) audits of insurance carrier systems.
The audit of APWU was scheduled because of the high risk associated with this health plan. A
2001 audit of this plan revealed significant weaknesses in their IT infrastructure. In 2007, we
conducted an audit of APWU as a review of the information systems general and application
controls as well as are-evaluation of the 2001 recommendations.
As a result of our 2007 audit we made 46 recommendations for improvement in a wide range of
business process and technical areas, including the overall IT security environment, business
continuity, access controls, and application processing controls for APWU's claims adjudication
system.
In January 2009, we discovered that all recommendations were closed by the Healthcare and
Insurance Office (HIO) without proper documentation that corrective action had been completed.
In accordance with OMB Circular A-50, and by longstanding custom, my office shares
responsibility for audit resolution by reviewing corrective actions and rendering an opinion
regarding their relevance and effectiveness at mitigating the weaknesses identified during our
audits. In this case, we were not fully involved in this process. Closing audit recommendations
without following the established processes not only allows health plans to avoid correcting
significant weaknesses, but it also wastes limited audit resources expended to identify the
weaknesses in the first place.
www.opm.gov www.usajobs.gov
JOHN BERRY 2
Executive Summary
The 2007 audit revealed that APWU had a very limited IT security program. We identified a
variety of missing policies and procedures along with many technical vulnerabilities in the Plan’s
IT infrastructure. The audit report detailed 46 specific weaknesses in APWU’s information
systems general and application controls. The objective of this follow-up review was to evaluate
the current status of each recommendation and determine which, if any, of the recommendations
should be re-opened.
We concluded that APWU has made substantial progress in implementing a comprehensive IT
security program, and that the Plan has fully addressed 41 of the 46 audit recommendations.
However, five recommendations have not been fully implemented. We also issued one new
recommendation resulting from the follow-up review. The unimplemented recommendations,
and the one new recommendation we are making, from our follow-up review are outlined below:
•
•
• Medical Inconsistency Controls: claims adjudication system processed
and paid professional test claims with inconsistencies and
inconsistencies.
•
•
we believe this process should be automated.
• Special Investigations and Fraud: All components of a comprehensive fraud and abuse
program as required by OPM Carrier Letter 2003-23 are not currently implemented at
APWU.
Background
Audit report 1B-47-00-06-072 was issued on May 18, 2007 with 46 audit recommendations.
APWU subsequently provided the HIO with seven quarterly status reports detailing its progress
in implementing the recommendations. HIO responded to each quarterly status report with a
letter indicating which audit recommendations were being closed that quarter. On January 12,
2009, HIO sent a final closure letter to APWU indicating that all 46 recommendations were
closed. However, 22 of the recommendations were closed based solely on a description of
JOHN BERRY 3
APWU’s plans to address the weakness, even though no actual evidence was provided to
indicate that the recommendation had been addressed.
The issuance of the HIO closure letter created the possibility that APWU would halt its ongoing
efforts to remediate the weaknesses identified during the audit. As a result of this concern, we
initiated this follow-up review to determine the current status of the original audit
recommendations and reopen any that had still not been completed.
Scope and Methodology
The scope of this review was limited to the business processes where weaknesses were identified
during the original audit, including:
• Entity-wide Security;
• Access Controls;
• Application Development and Change Control;
• System Software;
• Service Continuity; and
• Application Controls.
In conducting this review we gathered documentation and conducted interviews related to
remediation activity APWU has completed to address our original audit recommendations.
Various laws, regulations, and industry standards were used as a guide to evaluate the APWU
control structure. This criteria includes, but is not limited to:
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information;
• Information Technology Governance Institute’s CobiT: Control Objectives for Information
and Related Technology;
• GAO's Federal Information System Controls Audit Manual;
• National Institute of Standards and Technology's Special Publication (NIST SP) 800-12,
Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information
Systems;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA
Security Rule; and
• HIPAA Act of 1996.
JOHN BERRY 4
Our review was not conducted in accordance with Generally Accepted Government Auditing
Standards (GAGAS). The nature and scope of the work performed was consistent with that
expected of a GAGAS audit; however, because we consider this to be a review, the
documentation, reporting, and quality control standards are not as rigorous.
Review Follow-up
In accordance with Office of Management and Budget (OMB) Circular A-50 and/or Public Law
103-355, all findings must be resolved within six months of the date of this report. In order to
ensure findings are resolved within the required six-month period, we ask that the Healthcare and
Insurance Office (HIO) respond directly to the Office of the Inspector General (OIG) within 90
days of the date of the report advising us whether they agree or disagree with the findings and
recommendations. As stated in OMB Circular A-50, where agreement is indicated, the HIO
should describe planned corrective action. If the HIO disagrees with any of the findings and
recommendations, we need them to explain the reason for the disagreement and provide any
additional documentation that would support their opinion.
Since this office exercises oversight regarding the progress of corrective actions, we also request
that the HIO provide the OIG a report within six months describing corrective action taken. If
the corrective action has not been completed, we also ask that the HIO continue to provide us
with a report on the status of corrective action every March and September thereafter until action
has been completed.
JOHN BERRY 5
Results
The following sections outline the results of our follow-up review of information systems
general and application controls at APWU.
A. Entity-wide Security
We evaluated the adequacy of APWU’s ability to manage risk, develop security policies, assign
security-related responsibilities, and monitor the effectiveness of various system-related controls.
1. Enterprise Security Program
APWU had developed a series of information technology (IT) security policies and
procedures that comprised its enterprise security program. However, we determined that
APWU had not adequately maintained all policies on its intranet, not all policies were being
enforced, and individuals with significant security responsibilities were not always familiar
with these policies.
a. 2007 Recommendation 1
We recommend that APWUHP update its security policies on its intranet, properly
enforce them, and ensure that individuals with IT security responsibilities are familiar
with these policies. A formal policy requiring periodic reviews and updates of security
policies should also be established.
2007 APWU Response:
“The APWU Health Plan does maintain an Emergency Termination Checklist for all
involuntary terminations. This checklist was provided to the Office of Inspector
General’s auditors along with the procedures. It is APWU Health Plan Information
System’s responsibility to complete and retain this check list and not the Human
Resource Department which is why they may have been unfamiliar with the forms in
question.
The Health Plan updates our security policies and procedures on our Intranet
application, RoboInfo. A Standard Operating Procedure was written to provide
guidance for reviewing and updating security policies and procedures on a bi-annual
basis, or as needed when new rules or regulations are published and to train staff
appropriately. See Attachment 1A for the updated Standard Operating Procedures.”
2011 Status:
We confirmed that APWU has sufficiently updated its security policies and made them
readily available on its intranet; this recommendation is closed.
2. Risk Assessment
APWU’s risk assessment methodology did not appear to identify, evaluate, or provide
mitigating options for threats and vulnerabilities to its information systems.
JOHN BERRY 6
a. 2007 Recommendation 2
We recommend that APWUHP update its risk assessment policy to include steps to
identify, evaluate, and mitigate threats and vulnerabilities to its systems.
2007 APWU Response:
“The APWU Health Plan is currently reviewing the NIST 800-30 ‘Risk Management
Guide for Information Technology Systems’ and will be updating our risk assessment to
identify, evaluate, and provide mitigation options for threats and vulnerabilities to their
current information system and applications. It is the Health Plan’s goal to complete this
assessment during the first quarter of 2007.”
2011 Status:
We confirmed that APWU has implemented an adequate risk assessment methodology;
this recommendation is closed.
3. Incident Response
APWU had not properly defined the organizational structure of individuals responsible for
handling IT security incidents. In addition, employees with incident response duties received
no formal training related to this responsibility.
a. 2007 Recommendation 3
We recommend APWUHP implement a formal, documented security management
structure that outlines the responsibility and authority of APWUHP personnel charged
with responding to IT security incidents.
2007 APWU Response:
“The APWU Health Plan will create and implement formal documented Security
Management Procedures and communicate those procedures to the appropriate
personnel.”
2011 Status:
We confirmed that APWU has implemented a security management structure that details
the personnel responsible for responding to IT security incidents; this recommendation is
closed.
b. 2007 Recommendation 4
We recommend APWUHP create a policy requiring adequate training for individuals
responsible for responding to security incidents.
2007 APWU Response:
“The APWU Health Plan will create a policy to address the training for individuals
responsible for responding to security incidents.”
JOHN BERRY 7
2011 Status:
We confirmed that APWU has implemented an IT Training and Development policy; this
recommendation is closed.
4. Background Reinvestigations
APWU conducted thorough background investigations on all individuals hired by the Plan.
However, APWU did not conduct periodic reinvestigations of its employees.
a. 2007 Recommendation 5
We recommend that APWUHP implement a policy requiring periodic background
reinvestigations on all Health Plan employees.
2007 APWU Response:
“The APWU Health Plan has investigated this recommendation and will implement
criminal background reinvestigations.”
2011 Status:
We confirmed that APWU has implemented a periodic background reinvestigations
policy; this recommendation is closed.
5. Training
Employees did not receive continuing periodic training or professional development courses
to ensure that an employee’s skills are maintained for their job responsibilities.
a. 2007 Recommendation 6
We recommend that APWUHP develop and implement a formal training program that
requires periodic training for all employees.
2007 APWU Response:
“Per the Security Reminders Standard Operating Policy & Procedures provided to
auditors, Health Plan staff receive refresher training on HIPAA Security procedures
during annually scheduled workforce benefits training each year. In addition, any
changes that need to be immediately addressed are handled via business unit meetings or
formalized training sessions as needed.”
2011 Status:
We confirmed that APWU has implemented a formal training program; this
recommendation is closed.
B. Access Controls
We reviewed and evaluated the effectiveness of the access control policies, procedures, and
techniques APWU had in place to help ensure that unauthorized physical or logical access to
sensitive resources are both minimized and actively monitored.
JOHN BERRY 8
1. Data Center Controls
While APWU’s data center was physically secure from the outside world, employees with no
responsibilities related to the computer equipment in the data center were granted access. In
addition, guests to the data center were not required to sign a log detailing their entrance to
the data center, the purpose of their visit, and their escort. We also found that APWU had
not implemented any video monitoring capabilities in the data center, or at its entrances.
a. 2007 Recommendation 7
We recommend that APWUHP limit access to the data center to management and
maintenance personnel, and to those with responsibilities that require physical access to
computing resources in the data center.
2007 APWU Response:
“The APWUHP does limit access to the Data Center and as suggested in
Recommendation 7, have restricted access for the Insertamax Operators.”
2011 Status:
We confirmed that APWU has limited access to the data center; this recommendation is
closed.
b. 2007 Recommendation 8
We recommend that APWUHP maintain a log of all visitors that access its data center.
2007 APWU Response:
“The APWU Health Plan has considered this recommendation and has determined that
with the installation of the video monitors (see Recommendation 9 response below) in the
computer room, limited access by the security doors and requiring outside vendors to
sign-in and be escorted when they enter the building, that we have adequate controls for
the data center.”
2011 Status:
We confirmed that APWU logs all visitor access to the data center; this recommendation
is closed.
c. 2007 Recommendation 9
We recommend that APWUHP implement in its
data center.
2007 APWU Response:
“The APWU Health Plan has entered into a contract with
JOHN BERRY 9
2011 Status:
As of May 2011 APWU has installed within the data
center. However, we observed that
2011 Recommendation 1:
We recommend that APWU enhance
2. Security of Check Stock and Printed Checks
Pre-printed check stock and printed checks were stored in an unsecured location.
a. 2007 Recommendation 10
We recommend that APWUHP secure pre-printed check stock within its data center.
2007 APWU Response:
“The APWU Health Plan has reviewed the recommendation and feel we have adequate
controls over the check stock within the data center. The check stock is stored within the
data center, which has limited access. Only individuals authorized to enter the data
center have access and any other individual entering the data center is escorted. The
APWU Health Plan’s contract with the bank calls for a positive pay verification by the
bank prior to cashing checks. The APWU Health Plan sends the bank a daily check
register of all claim checks issued. If someone were to attempt to type their own check,
the bank would reject the transaction. All checks are accounted for in a reconciliation
process between Computer Operation and Accounting. Additionally, with the installation
of the video cameras in the data center, one of these cameras will be able to monitor the
blank preprinted check stock.”
2011 Status:
We confirmed that APWU has secured the pre-printed check stock within the data center;
this recommendation is closed.
b. 2007 Recommendation 11
We recommend that APWUHP adjust its procedures for mailing printed checks so that
the checks are never left unattended in an insecure area.
2007 APWU Response:
“The APWU Health Plan has reviewed this recommendation and determined that there
are adequate controls in place.
Additionally, there
JOHN BERRY 10
is the positive pay processes with the bank and as back up, the member is mailed an
explanation of benefits of what was paid.”
2011 Status:
We confirmed that APWU has adjusted its procedures to appropriately secure printed
checks prior to mailing; this recommendation is closed.
3. Application Access Controls
Controls to prevent unauthorized logical access to APWU’s information systems were not
adequately implemented. Specifically, APWU did not have a corporate password policy
implemented, which was an outstanding recommendation from 2001.
Passwords were assigned by the system administrator and were known by at least three
individuals before being provided to the user. Each user’s password was stored in hard copy
by the Plan’s HIPAA specialist. Passwords were not subject to any complexity requirements
and there were no controls implemented to prevent unlimited login attempts.
a. 2007 Recommendation 12
We recommend that APWUHP implement a corporate password policy that meets the
requirements of FISCAM and NIST SP 800-14. At a minimum, the policy should
address minimum password lengths, the use of alphanumeric and special characters,
routine password changes and reuse of passwords.
2007 APWU Response:
“Currently, security and password controls are handled on the application level. Each
application has different password requirements and do not allow for the user to choose,
or change their password, nor do they possess the ability to lock accounts after a pre-
determined number of failed login attempts. The Health Plan will prepare business
requirements and functional specifications to present to the vendors for each application
in order to put together a uniform corporate password policy that meets the requirements
of FISCAM and NIST SP 800-14 guidelines. These business requirements and functional
specifications will be presented to the vendor during the first quarter of 2007.”
2011 Status:
We confirmed that APWU has implemented a sufficient corporate password policy; this
recommendation is closed.
b. 2007 Recommendation 13
We recommend that APWUHP adjust its procedures for issuing users’ initial passwords
so that only that individual knows his/her password. This can be accomplished by
allowing users to set their own passwords, or by forcing users to change their assigned
password on first use.
JOHN BERRY 11
2007 APWU Response:
“Currently, security and password controls are handled on the application level. Each
application has different password requirements and do not allow for the user to choose,
or change their password, nor do they possess the ability to lock accounts after a pre-
determined number of failed login attempts. The Health Plan will prepare business
requirements and functional specifications to present to the vendors for each application
in order to put together a uniform corporate password policy that meets the requirements
of FISCAM and NIST SP 800-14 guidelines. These business requirements and functional
specifications will be presented to the vendor during the first quarter of 2007.”
2011 Status:
We confirmed that APWU has implemented system settings to mandate password
changes upon initial sign-on; this recommendation is closed.
c. 2007 Recommendation 14
We recommend that APWUHP improve the password controls for the applications
discussed in this section to meet the requirements of the corporate password policy.
2007 APWU Response:
“Currently, security and password controls are handled on the application level. Each
application has different password requirements and do not allow for the user to choose,
or change their password, nor do they possess the ability to lock accounts after a pre-
determined number of failed login attempts. The Health Plan will prepare business
requirements and functional specifications to present to the vendors for each application
in order to put together a uniform corporate password policy that meets the requirements
of FISCAM and NIST SP 800-14 guidelines. These business requirements and functional
specifications will be presented to the vendor during the first quarter of 2007.”
2011 Status:
. This is in direct violation
of the Corporate Password Policy.
2011 Recommendation 2:
We continue to recommend that APWU improve the password controls to meet the
standards established within the corporate password policy.
d. 2007 Recommendation 15
We recommend that APWUHP configure the applications to lock accounts after a pre-
determined number of failed login attempts.
2007 APWU Response:
“Currently, security and password controls are handled on the application level. Each
application has different password requirements and do not allow for the user to choose,
or change their password, nor do they possess the ability to lock accounts after a pre-
determined number of failed login attempts. The Health Plan will prepare business
requirements and functional specifications to present to the vendors for each application
JOHN BERRY 12
in order to put together a uniform corporate password policy that meets the requirements
of FISCAM and NIST SP 800-14 guidelines. These business requirements and functional
specifications will be presented to the vendor during the first quarter of 2007.”
2011 Status:
We confirmed that APWU has implemented the system changes to lock accounts after
failed login attempts; this recommendation is closed.
4. Access Monitoring
APWU did not adequately monitor access to three systems critical to claims processing
activities and we found that activity is not monitored for APWU employee workstations and
the data entry application.
In addition, APWU’s configuration of its virtual private network (VPN) software did not
enable the logging of user activity.
a. 2007 Recommendation 16
We recommend that APWUHP routinely monitor access to its information systems in
accordance with its “Login Monitoring” policy.
2007 APWU Response:
“Currently, the Health Plan is unable to monitor activity or log-in attempts at the
application level. The Health Plan will prepare business requirements and functional
specifications to present to the vendors for each application that meets the requirements
of the NIST 800-12 and the HIPAA Security Rule 164.308(a)(1)(ii)(D) guidelines. These
business requirements and functional specifications will be presented to the vendors
during the first quarter of 2007.
2011 Status:
We confirmed that APWU has implemented procedures that correspond with the Login
Monitoring policy; this recommendation is closed.
b. 2007 Recommendation 17
We recommend that APWUHP enable the auditing capabilities of its VPN server to
monitor remote access activity.
2007 APWU Response:
“The APWU Health Plan has currently requested proposals for implementing
Firewall/VPN logging.”
2011 Status:
We confirmed that APWU has implemented the appropriate system changes to enable
VPN server auditing; this recommendation is closed.
JOHN BERRY 13
5. Intrusion Detection
APWU had not implemented any intrusion detection systems on its network or individual
workstations.
a. 2007 Recommendation 18
We recommend that APWUHP implement some form of intrusion detection capability.
2007 APWU Response:
“The APWU Health Plan has requested proposals for implementing Intrusion
Detection.”
2011 Status:
We confirmed that APWU implemented intrusion detection; this recommendation is
closed.
6. E-mailing Personal Health Information (PHI)
APWU’s “E-mailing PHI” policy did not provide adequate guidance for properly securing
PHI sent over email.
a. 2007 Recommendation 19
We recommend that APWUHP update its data transmission policy and procedures to
ensure that PHI transmitted over e-mail is properly encrypted.
2007 APWU Response:
“Although the HIPAA regulations do not require that e-mail be encrypted, the Health
Plan continues to look at additional technology to ensure the security of electronic PHI
when e-mail is transmitted outside the organization’s systems and applications.”
2011 Status:
We confirmed that APWU has updated its data transmission policy and procedures to
address the secure transmission of PHI; this recommendation is closed.
7. Internet Usage
APWU’s “Information Technology Policy” did not address the appropriate use of the Internet
and acceptable web browsing practices.
Furthermore, we determined that APWU did not utilize any Internet monitoring or filtering
software.
a. 2007 Recommendation 20
We recommend that APWUHP implement an Internet use policy that describes, in detail,
allowable web browsing practices by Plan employees.
JOHN BERRY 14
2007 APWU Response:
“On December 12, 2006, the APWU Health Plan issued an Information Technology –
Security Policy that addresses access to APWU Health Plan’s equipment, software,
information transmission and Internet. See Attachment 20A.”
2011 Status:
We confirmed that APWU has implemented an Internet use policy; this recommendation
is closed.
b. 2007 Recommendation 21
We recommend that APWUHP implement some form of Internet filtering software to
enforce the Plan’s Internet use policy.
2007 APWU Response:
“The APWU Health Plan is currently pursuing proposals from our vendors for
implementing Content Management/Filtering.”
2011 Status:
We confirmed that APWU has implemented Internet filtering software; this
recommendation is closed.
8. Firewall Utilization
We determined that APWU’s utilization of firewalls in its network environment could be
improved. contracted to perform the original configuration of the firewall ruleset,
but no internal or third party reviews of the firewall ruleset have been conducted since its
implementation and changes made to the ruleset are not logged.
.
a. 2007 Recommendation 22
We recommend that APWUHP periodically review its firewall rulesets and evaluate their
effectiveness in controlling current security threats.
2007 APWU Response:
“The APWUHP will monitor, log changes and periodically review rule sets.”
2011 Status:
We confirmed that APWU periodically reviews its firewall rulesets with regard to current
security threats; this recommendation is closed.
b. 2007 Recommendation 23
We recommend that APWUHP research the costs, benefits, and feasibility of
.
JOHN BERRY 15
2007 APWU Response:
“The APWU Health Plan reviewed this recommendation and found that Health Plan
users are , the
costs associated
is not a cost effective security measure at this time. The Plan will
continue to evaluate this recommendation as other changes are made.”
2011 Status:
APWU has not implemented the recommended
and has formally accepted all associated risk. APWU stated that
“The APWU Health Plan has reviewed this recommendation again to see if
m is feasible. The costs
associated with
is not a cost effective security measure at this time. The Health
Plan will continue to evaluate this recommendation as other enhancements and
modifications are made to our technical infrastructure.”
This recommendation is closed based on APWU’s risk acceptance, but we advise APWU
to continue to evaluate the feasibility and benefits of implementing the recommendation.
C. Application Development and Change Control
We reviewed the APWU application development and change control methodology to determine
whether it included the following features: a process for authorizing processing features and
programming modifications; a change control process with testing standards and practices;
approval methods for the implementation of newly developed or revised software; and controls
over the use of application-related source code and program libraries.
1. Change Control Procedures
APWU’s “Application Change Control manual” did not reflect the current environment for
.
a. 2007 Recommendation 24
We recommend that APWUHP update the “Application Change Control Manual” to
reflect its current operating environment. We also recommend that APWUHP ensure that
the updated application development and change control policies and procedures are
effectively communicated to the appropriate staff members.
2007 APWU Response:
“The APWU Health Plan is in the process of reviewing and updating the “Application
Change Control manual” to reflect the current operating environment. Once the
document has been fully updated, it will be communicated to the appropriate staff.”
JOHN BERRY 16
2011 Status:
We confirmed that APWU has sufficiently updated the change control policies and
procedures; this recommendation is closed.
2. Testing Modifications
APWU’s procedures for testing the claims processing application were not
adequate to ensure the continuing functionality of all system components.
a. 2007 Recommendation 25
We recommend that APWUHP develop a testing methodology that includes test cases for
all major functions (modules) of the claims processing system. The test plans should also
include reusable test data with verifiable expected results. Each time the system is
modified, APWUHP should compare its expected results to those obtained during the
testing exercise.
2007 APWU Response:
“The APWU Health Plan agrees with the recommendation to institute regression testing
into the Health Plan’s testing methodology.”
2011 Status:
We confirmed that APWU has developed and implemented a claims processing testing
methodology; this recommendation is closed.
D. System Software
We evaluated APWU’s configuration and management of the operating platform that
houses the Plan’s claim processing system.
1. Accessing System Software
Two software administrators would occasionally log into the root account
directly instead of using their personal accounts. This practice reduced the
accountability of administrators for their system activity, as it was impossible to tell which
individual was logged into the root account. A better practice is for administrators to log into
their personal account and then execute the “switch user” command to access the root
account when needed. This approach results in an audit trail of the administrator’s activity.
a. 2007 Recommendation 26
We recommend that APWUHP implement a policy requiring system software
administrators to always log into their personal accounts, and use the “switch user”
command to perform root functions.
2007 APWU Response:
“The APWU Health Plan agrees that creating a policy requiring the system software
administrators to always log into their accounts first and then use the
JOHN BERRY 17
to perform root functions, would allow better monitoring of which users gained root
access. APWU Health Plan is in the process of drafting this policy.”
2011 Status:
We confirmed that APWU has implemented the recommended system software
administrators login policy; this recommendation is closed.
2.
We reviewed the system configuration file and determined that two s
hat may not have a business justification for being utilized.
a. 2007 Recommendation 27
We recommend that APWUHP research the purpose of the
. If no business purpose can be found, we recommend that APWUHP consider
disabling . If a business purpose is found, we recommend that APWUHP
research secure alternative that can perform the same function.
2007 APWU Response:
“The APWU Health Plan is researching the business purpose of the
being active in the . So far, three
production jobs have been identified requiring the to be active.
The initial result of turning off the resulted in the failure of these
three production jobs. We are continuing research to find additional production jobs and
ways to limit use of .”
2011 Status:
We confirmed that APWU has researched and determined that a business necessity does
exist for the use of these . The risk associated with the continued use of these
system services has been accepted by APWU; this recommendation is closed.
3. System Software Change Control
APWU does not maintain a log of past changes to its system software.
a. 2007 Recommendation 28
We recommend that APWUHP maintain a log of all changes to its system software.
2007 APWU Response:
The APWU Health Plan will maintain a log of all changes.
2011 Status:
We confirmed that APWU has implemented a system change control log; this
recommendation is closed.
JOHN BERRY 18
E. Service Continuity
We reviewed APWU’s service continuity program to determine if (1) procedures were in place
to protect information resources and minimize the risk of unplanned interruptions and (2) a plan
existed to recover critical operations should interruptions occur.
1. Identifying Critical Operations and Resources
APWU had identified the systems that are critical to continuing business operations.
However, the Plan had not adequately identified the priority in which these systems should
be restored in a disaster recovery situation.
a. 2007 Recommendation 29
We recommend that APWUHP establish the priority in which each of its systems be
restored in an emergency recovery situation.
2007 APWU Response:
“The Health Plan has updated its Disaster Recovery Plan to include the priority in which
each of its systems is to be restored.”
2011 Status:
We confirmed that APWU has prioritized the systems to be restored in an emergency
recovery situation; this recommendation is closed.
b. 2007 Recommendation 30
We recommend that APWUHP identify the specific resources that support each of its
systems.
2007 APWU Response:
“The Health Plan has updated its Disaster Recovery Plan to include specific resources to
support each of its systems.”
2011 Status:
We confirmed that APWU has identified the system specific resources; this
recommendation is closed.
2. Disaster Recovery Plan
APWU’s disaster recovery manual contained the majority of elements suggested by NIST SP
800-34, “Contingency Planning Guide for IT Systems.” However, several critical elements
were missing from the manual regarding alternate team members, travel arrangements, and
contact information.
a. 2007 Recommendation 31
We recommend that APWUHP update its disaster recovery plan to include the missing
elements discussed in the section above.
JOHN BERRY 19
2007 APWU Response:
“The Health Plan is currently in the process of selecting and contracting with a new
disaster recovery vendor. The Disaster Recovery Plan will be updated appropriately
once the vendor has been selected and a new contract executed. In addition, the DR Plan
will be updated with current contact information and updated team members. This will
be completed during the first quarter of 2007.”
2011 Status:
We confirmed that APWU has updated its disaster recovery plan; this recommendation is
closed.
3. Business Continuity Testing
APWU had implemented a business continuity plan, but it had not been tested.
a. 2007 Recommendation 32
We recommend that APWUHP test its business continuity plan at least annually.
2007 APWU Response:
“The Health Plan conducted several system recovery tests during 2006. The written
results of the last two tests were supplied to the auditors. Once the Disaster Recovery
Plan is updated and a new vendor is chosen during the first quarter of 2007, the Health
Plan will conduct further system recovery tests and will plan at least one full tabletop test
of the plan during 2007.”
2011 Status:
We confirmed that APWU has conducted an annual test of their business continuity plan;
this recommendation is closed.
F. Application Controls
We evaluated the input, processing, and output controls associated with APWU’s
claims processing system. During this process we reviewed the policies and procedures adopted
by APWU to help to ensure that 1) there are controls over the inception of claims data into the
system; 2) the data received comes from the appropriate sources; and 3) the data is entered into
the claims database correctly.
1. Processing Controls
A test of the system revealed several weaknesses in APWU’s claims processing
controls, including:
•
JOHN BERRY 20
•
a. 2007 Recommendation 33
We recommend that APWUHP expand clinical edits for professional
claims to account for the medical inconsistencies stated above. We also recommend that
APWUHP take the necessary steps to ensure that these clinical edits are also applied to
hospital claims.
2007 APWU Response:
“The Health Plan agrees we need to minimize s and has reported
this problem to the claims software vendor to correct the issue that has
been identified. Currently, the software editing product used ) in the claims
system, does not accommodate editing for hospital claims. The Health Plan
will take steps to investigate a product that will accommodate editing on hospital
claims.”
2011 Status:
We submitted several professional test claims into APWU’s claims
processing test system to evaluate the effectiveness of the system’s clinical edits. The
system processed and paid a
In addition, several hospital test claims were submitted into the system. A
hospital test claim for did not
encounter the expected clinical edit.
increases the
risk that claims can still be processed inaccurately and generate erroneous payments,
increasing the costs to the FEHBP.
2011 Recommendation 3:
We continue to recommend that APWU expand clinical edits for
professional and hospital claims to account for the medical inconsistencies stated above.
b. 2007 Recommendation 34
We recommend that APWUHP implement the proper technical controls to its claims
processing system to ensure that providers are only paid for services for which they are
covered.
JOHN BERRY 21
2007 APWU Response:
“The Health Plan has controls in place, such as claims audits and Ingenix sends a list of
providers which are flagged in the system as fraudulent in order to ensure providers are
only paid for services for which they are covered.”
2011 Status:
We submitted a professional test claim into APWU’s claims processing test
system to evaluate the effectiveness of the system’s The
system processed and paid a test claim for a
In addition a hospital test claim was processed and
paid for a These
tests revealed the potential for APWU to erroneously pay claims for services
.
APWU personnel explained that
The lack of adequate within the application
increases the risk that claims can still be processed inaccurately, generating erroneous
payments, and thereby increasing the costs to the FEHBP.
2011 Recommendation 4:
We continue to recommend that APWU implement the proper technical controls to its
claims processing system to ensure that
c. 2007 Recommendation 35
We recommend that APWUHP implement the appropriate controls to ensure that only
providers in the provider file are paid, and that new providers are flagged for
review before being added to the system.
2007 APWU Response:
“The APWU Health Plan will satisfy this requirement in conjunction with
implementation of the National Provider Identifier. Only providers that have valid
identification numbers from CMS will be considered for payment. New providers without
a provider identification number will be flagged for review.”
2011 Status:
The OIG has confirmed that the recommended system modifications have been
implemented; this recommendation is closed.
JOHN BERRY 22
d. 2007 Recommendation 36
We recommend that APWUHP implement the necessary technical controls to identify
and process workers’ compensation and coordination of benefits claims in accordance
with its FEHBP contract.
2007 APWU Response:
“Due to the time it takes for the Office of Workers’ Compensation to make a
determination and the fact that the APWU Health Plan members should be afforded
medical services for their injury, the APWU Health Plan has been reluctant to out right
deny possible workers’ compensation claims. Instead the claims are flagged along with
subrogation claims. The accident code used on these claims would be picked up by the
subrogation programs to follow-up with a questionnaire and legal review.”
2011 Status:
The OIG has confirmed that the recommended system modifications have been
implemented; this recommendation is closed.
e. 2007 Recommendation 37
We recommend that APWUHP implement the necessary technical controls to its claims
processing system to ensure that assistant surgeon claims are processed and paid
correctly.
2007 APWU Response:
“The APWU Health Plan agrees with this recommendation and will have the capability
to handle assistant surgeon correctly when the claims system vendor, , completes
enhancement 6.66.”
2011 Status:
The OIG has confirmed that the recommended system modifications have been
implemented; this recommendation is closed.
2. Debarment
The provider files for APWU’s claims processing system did not contain
information to properly identify/flag all FEHBP debarred providers. In addition, several
FEHBP debarred providers were not found in the provider file at all, and could potentially be
added to the system automatically without being flagged for review.
We also submitted a series of test claims to test whether performs the following
actions in accordance with the benefit structure’s guidelines: 1) pay the first claim submitted
for an enrollee receiving services from a debarred provider, 2 ) pay subsequent claims
submitted within 15 days of the enrollee being notified for the debarment, and 3) deny claims
received later than 15 days after the enrollee is notified of the debarment. The system denied
claims for all three situations.
JOHN BERRY 23
a. 2007 Recommendation 38
We recommend that APWUHP update provider file with the current
complete list of FEHBP debarred providers (including those not previously in the
system), and continue to update the file as new debarment lists are released by the OPM
OIG.
2007 APWU Response:
“This issue was corrected prior to the Office of Inspector General exit conference. The
process is working correctly as debarment lists are issued and the Health Plan updates
the files in the claims adjudication system,
2011 Status:
The OIG has confirmed that the recommended changes to the debarment process have
been implemented; this recommendation is closed.
b. 2007 Recommendation 39
We recommend that APWUHP implement the necessary controls to ensure that claims
for debarred providers are processed in accordance with the OIG Guidelines.
2007 APWU Response:
“The Health Plan agrees and has taken the necessary steps to comply with the OIG
guidelines. An enhancement request (number 6.68) is currently being worked on by the
software vendor, RAM Technologies.”
2011 Status:
The OIG has confirmed that the recommended system modifications have been
implemented; this recommendation is closed.
3. OBRA90/DRG Transfers
APWU’s claims adjudication process did not adequately address all required fields of
OBRA90 claims sent to the CMS PRICER program. The APWU “Procedures for Data Input
into Pricer” do not instruct claims examiners in how to address the discharge status code field
when pricing an OBRA90 claim.
a. 2007 Recommendation 40
We recommend that APWUHP update its policies and procedures to ensure that claim
data is entered in the CMS PRICER program accurately and completely. These policies
and procedures should be in accordance with CMS and/or OPM guidance.
Once the policies and procedures have been implemented, we recommend that APWUHP
train the claims examiners on these updated policies and procedures.
2007 APWU Response:
“As a result of this audit finding, the APWU Health Plan opened a problem report with
our software vendor, RAM. The CMS Pricer Program is integrated in the claims
JOHN BERRY 24
processing system and the process to price a claim is only recognizing status code ‘2’
(discharge/transferred for inpatient care), and it should recognize all discharge status
codes.”
2011 Status:
The OIG has confirmed that the recommended policies and procedures have been
implemented; this recommendation is closed.
4. OBRA 90/DRG Pre-certification Penalty
APWU’s claims processing system did not apply the $500 pre-certification penalty on any of
the OBRA90 test claims processed during the 2007 audit.
a. 2007 Recommendation 41
We recommend that APWUHP implement the necessary claims processing system
changes to ensure that pre-certification rules are properly enforced for all FEHBP claims.
2007 APWU Response:
“Currently, DRG claims are priced and processed directly in There have
been no situations identified where the penalty was not taken when it should have been.
Controls are in place within the unit to escalate any claims to the Supervisor where the
system is not applying the penalty correctly.”
2011 Status:
The OIG has confirmed that the recommended system modifications have been
implemented; this recommendation is closed.
5. Medicare Part B
APWU was incorrectly paying some OBRA90 claims in which the patient has Medicare Part
B. Processors used the actual billed charges instead of the DRG equivalent amount when
paying this claim, which is against OPM guidelines.
a. 2007 Recommendation 42
We recommend that APWUHP revise its procedures to use the DRG equivalent amount
even if the priced amount is greater than the billed amount.
2007 APWU Response:
“The Health Plan agrees with the recommendation and has taken steps to correct the
internal procedures. The Plan now uses the DRG equivalent amount that the
Pricer calculated even if more than the charge.”
2011 Status:
The OIG has confirmed that the recommended system modifications have been
implemented; this recommendation is closed.
JOHN BERRY 25
6. PRICER Input
The system only transmitted the last five digits of the total charges to the CMS
PRICER program, resulting in the incorrect pricing of OBRA90 claims.
a. 2007 Recommendation 43
We recommend that APWUHP implement the proper technical controls to ensure that
OBRA90 claims with total charges of $100,000 or more are priced correctly using the
CMS PRICER program.
2007 APWU Response:
“When the OIG reviewed these claims, the CMS Pricer process was not integrated into
the claims adjudication system. Now the CMS Pricer is integrated and operating
correctly. APWUHP validated that claims with total charges of $100,000 or more are
priced correctly using the Pricer program. We will continue to monitor pricing results
when updates are done to the Pricer program.”
2011 Status:
We confirmed that the recommended system modifications have been implemented; this
recommendation is closed.
2011 Recommendation 5:
We recommend that APWUHP implement the necessary technical controls to its claims
processing system to ensure that
7. Explanation of Benefits
APWU’s explanation of benefits (EOB) presentation for OBRA90 claims that include
payments from other sources, such as Medicare Part B, could be confusing for subscribers.
a. 2007 Recommendation 44
We recommend that APWUHP revise its procedures so that non-covered benefits are not
included on an OBRA90 claim in which the patient has Medicare Part B. Alternatively,
APWUHP could use a remark code to state that the patient is not responsible for the non-
covered benefit.
2007 APWU Response:
“The Health Plan will implement the alternative recommendation and use the remark
code “Patient not responsible for amount over DRG pricing”.”
JOHN BERRY 26
2011 Status:
The OIG has confirmed that the recommended system modifications have been
implemented; this recommendation is closed.
8. Special Investigations Unit
APWU was not in full compliance with Carrier Letter 2003-23 “Industry Standards for Fraud
& Abuse (F&A) Programs” as required by OPM. We did not find evidence of an anti-fraud
Policy statement, fraud hotlines for internal and external use, or fraud awareness educational
material for enrollees.
a. 2007 Recommendation 45
We recommend that APWUHP implement all components of a comprehensive fraud and
abuse program as required by carrier letter 2003-23.
2007 APWU Response:
“The Health Plan has reviewed the Carrier Letter 2003-23 and agrees some of the
elements of the carrier letter need to be enhanced and reiterated with the employees of
the Health Plan. Written policies/procedures will be updated and published to all
employees. Training curriculums will be revised to ensure employees have an
understanding of how to identify fraudulent claims.”
2011 Status:
A separate OIG audit determined that all components of a comprehensive fraud and
abuse program as required by carrier letter 2003-23 are not currently implemented at
APWU. As a result of this audit, this recommendation remains open.
2011 Recommendation 6:
We recommend that APWU implement all components of a comprehensive fraud and
abuse program as required by carrier letter 2003-23.
9. Sanctions Implementation Plan
APWU was not in full compliance with the “Guidelines for Implementation of Federal
Employees Health Benefits Program Debarment and Suspension Orders,” as required by the
OPM OIG. Specifically, APWU’s Sanction Implementation Plan does not address
suspension processes and procedures, or approving regulatory authority for appeals.
a. 2007 Recommendation 46
We recommend that APWUHP update its Sanctions Implementation Plan to meet all the
requirements set forth by OPM. These requirements can be found on OPM’s Debarment
website under “Guidelines for Implementation of Federal Employees Health Benefits
Program Debarment and Suspension Orders.”
JOHN BERRY 27
2007 APWU Response:
“The Health Plan has given approval to to enhance the
system in order to improve our Debarment procedures. Enhancement 6.68 is attached
for your review.”
2011 Status:
The OIG has confirmed that the recommended updates to the Sanction Implementation
Plan regarding OPM’s debarment and suspension have been implemented; this
recommendation is closed.
cc: John O’Brien
Director, Healthcare and Insurance
Shirley Patterson
Assistant Director for Federal Employee Insurance Operations
Follow-up Review of Information Systems General and Application Controls at American Postal Workers Union Health Plan
Published by the Office of Personnel Management, Office of Inspector General on 2011-06-27.
Below is a raw (and likely hideous) rendition of the original report. (PDF)