UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the Inspector General

June 27, 2011

MEMORANDUM FOR JOHN BERRY, Director

FROM: PATRICK E. McFARLAND, Inspector General

SUBJECT: Follow-up Review of Information Systems General and Application Controls at American Postal Workers Union Health Plan (Report No. 1B-47-00-11-044)

The purpose of this memorandum is to communicate to you the findings and conclusions resulting from our follow-up review of information systems general and application controls conducted at American Postal Workers Union Health Plan (APWU). We initiated the review because of concerns regarding several instances of premature closure of recommendations stemming from information technology (IT) audits of insurance carrier systems.

The audit of APWU was scheduled because of the high risk associated with this health plan. A 2001 audit of this plan revealed significant weaknesses in its IT infrastructure. In 2007, we conducted an audit of APWU as a review of the information systems general and application controls as well as a re-evaluation of the 2001 recommendations. As a result of our 2007 audit we made 46 recommendations for improvement in a wide range of business process and technical areas, including the overall IT security environment, business continuity, access controls, and application processing controls for APWU's claims adjudication system.

In January 2009, we discovered that all recommendations had been closed by the Healthcare and Insurance Office (HIO) without proper documentation that corrective action had been completed. In accordance with OMB Circular A-50, and by longstanding custom, my office shares responsibility for audit resolution by reviewing corrective actions and rendering an opinion regarding their relevance and effectiveness at mitigating the weaknesses identified during our audits. In this case, we were not fully involved in this process.
Closing audit recommendations without following the established processes not only allows health plans to avoid correcting significant weaknesses, but it also wastes the limited audit resources expended to identify the weaknesses in the first place.

Executive Summary

The 2007 audit revealed that APWU had a very limited IT security program. We identified a variety of missing policies and procedures along with many technical vulnerabilities in the Plan’s IT infrastructure. The audit report detailed 46 specific weaknesses in APWU’s information systems general and application controls.

The objective of this follow-up review was to evaluate the current status of each recommendation and determine which, if any, of the recommendations should be re-opened. We concluded that APWU has made substantial progress in implementing a comprehensive IT security program, and that the Plan has fully addressed 41 of the 46 audit recommendations. However, five recommendations have not been fully implemented. We also issued one new recommendation resulting from the follow-up review.

The unimplemented recommendations, and the one new recommendation we are making from our follow-up review, are outlined below:
•
•
• Medical Inconsistency Controls: claims adjudication system processed and paid professional test claims with inconsistencies and inconsistencies.
•
• we believe this process should be automated.
• Special Investigations and Fraud: All components of a comprehensive fraud and abuse program as required by OPM Carrier Letter 2003-23 are not currently implemented at APWU.

Background

Audit report 1B-47-00-06-072 was issued on May 18, 2007 with 46 audit recommendations. APWU subsequently provided the HIO with seven quarterly status reports detailing its progress in implementing the recommendations. HIO responded to each quarterly status report with a letter indicating which audit recommendations were being closed that quarter.
On January 12, 2009, HIO sent a final closure letter to APWU indicating that all 46 recommendations were closed. However, 22 of the recommendations were closed based solely on a description of APWU’s plans to address the weakness, even though no actual evidence was provided to indicate that the recommendation had been addressed. The issuance of the HIO closure letter created the possibility that APWU would halt its ongoing efforts to remediate the weaknesses identified during the audit. As a result of this concern, we initiated this follow-up review to determine the current status of the original audit recommendations and reopen any that had still not been completed.

Scope and Methodology

The scope of this review was limited to the business processes where weaknesses were identified during the original audit, including:
• Entity-wide Security;
• Access Controls;
• Application Development and Change Control;
• System Software;
• Service Continuity; and
• Application Controls.

In conducting this review we gathered documentation and conducted interviews related to the remediation activity APWU has completed to address our original audit recommendations. Various laws, regulations, and industry standards were used as a guide to evaluate the APWU control structure.
These criteria include, but are not limited to:
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
• Information Technology Governance Institute’s CobiT: Control Objectives for Information and Related Technology;
• GAO's Federal Information System Controls Audit Manual (FISCAM);
• National Institute of Standards and Technology's Special Publication (NIST SP) 800-12, Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule; and
• Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Our review was not conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS). The nature and scope of the work performed was consistent with that expected of a GAGAS audit; however, because we consider this to be a review, the documentation, reporting, and quality control standards are not as rigorous.

Review Follow-up

In accordance with OMB Circular A-50 and/or Public Law 103-355, all findings must be resolved within six months of the date of this report. In order to ensure findings are resolved within the required six-month period, we ask that the Healthcare and Insurance Office (HIO) respond directly to the Office of the Inspector General (OIG) within 90 days of the date of the report advising us whether they agree or disagree with the findings and recommendations.
As stated in OMB Circular A-50, where agreement is indicated, the HIO should describe the planned corrective action. If the HIO disagrees with any of the findings and recommendations, we need them to explain the reason for the disagreement and provide any additional documentation that would support their opinion. Since this office exercises oversight regarding the progress of corrective actions, we also request that the HIO provide the OIG a report within six months describing the corrective action taken. If the corrective action has not been completed, we also ask that the HIO continue to provide us with a report on the status of corrective action every March and September thereafter until action has been completed.

Results

The following sections outline the results of our follow-up review of information systems general and application controls at APWU.

A. Entity-wide Security

We evaluated the adequacy of APWU’s ability to manage risk, develop security policies, assign security-related responsibilities, and monitor the effectiveness of various system-related controls.

1. Enterprise Security Program

APWU had developed a series of information technology (IT) security policies and procedures that comprised its enterprise security program. However, we determined that APWU had not adequately maintained all policies on its intranet, not all policies were being enforced, and individuals with significant security responsibilities were not always familiar with these policies.

a. 2007 Recommendation 1

We recommend that APWUHP update its security policies on its intranet, properly enforce them, and ensure that individuals with IT security responsibilities are familiar with these policies. A formal policy requiring periodic reviews and updates of security policies should also be established.

2007 APWU Response: “The APWU Health Plan does maintain an Emergency Termination Checklist for all involuntary terminations. This checklist was provided to the Office of Inspector General’s auditors along with the procedures. It is APWU Health Plan Information System’s responsibility to complete and retain this checklist, and not the Human Resource Department’s, which is why they may have been unfamiliar with the forms in question. The Health Plan updates our security policies and procedures on our Intranet application, RoboInfo. A Standard Operating Procedure was written to provide guidance for reviewing and updating security policies and procedures on a bi-annual basis, or as needed when new rules or regulations are published, and to train staff appropriately. See Attachment 1A for the updated Standard Operating Procedures.”

2011 Status: We confirmed that APWU has sufficiently updated its security policies and made them readily available on its intranet; this recommendation is closed.

2. Risk Assessment

APWU’s risk assessment methodology did not appear to identify, evaluate, or provide mitigating options for threats and vulnerabilities to its information systems.

a. 2007 Recommendation 2

We recommend that APWUHP update its risk assessment policy to include steps to identify, evaluate, and mitigate threats and vulnerabilities to its systems.

2007 APWU Response: “The APWU Health Plan is currently reviewing the NIST 800-30 ‘Risk Management Guide for Information Technology Systems’ and will be updating our risk assessment to identify, evaluate, and provide mitigation options for threats and vulnerabilities to their current information system and applications. It is the Health Plan’s goal to complete this assessment during the first quarter of 2007.”

2011 Status: We confirmed that APWU has implemented an adequate risk assessment methodology; this recommendation is closed.

3. Incident Response

APWU had not properly defined the organizational structure of individuals responsible for handling IT security incidents.
In addition, employees with incident response duties received no formal training related to this responsibility.

a. 2007 Recommendation 3

We recommend that APWUHP implement a formal, documented security management structure that outlines the responsibility and authority of APWUHP personnel charged with responding to IT security incidents.

2007 APWU Response: “The APWU Health Plan will create and implement formal documented Security Management Procedures and communicate those procedures to the appropriate personnel.”

2011 Status: We confirmed that APWU has implemented a security management structure that details the personnel responsible for responding to IT security incidents; this recommendation is closed.

b. 2007 Recommendation 4

We recommend that APWUHP create a policy requiring adequate training for individuals responsible for responding to security incidents.

2007 APWU Response: “The APWU Health Plan will create a policy to address the training for individuals responsible for responding to security incidents.”

2011 Status: We confirmed that APWU has implemented an IT Training and Development policy; this recommendation is closed.

4. Background Reinvestigations

APWU conducted thorough background investigations on all individuals hired by the Plan. However, APWU did not conduct periodic reinvestigations of its employees.

a. 2007 Recommendation 5

We recommend that APWUHP implement a policy requiring periodic background reinvestigations on all Health Plan employees.

2007 APWU Response: “The APWU Health Plan has investigated this recommendation and will implement criminal background reinvestigations.”

2011 Status: We confirmed that APWU has implemented a periodic background reinvestigations policy; this recommendation is closed.

5. Training

Employees did not receive continuing periodic training or professional development courses to ensure that their skills are maintained for their job responsibilities.

a. 2007 Recommendation 6

We recommend that APWUHP develop and implement a formal training program that requires periodic training for all employees.

2007 APWU Response: “Per the Security Reminders Standard Operating Policy & Procedures provided to auditors, Health Plan staff receive refresher training on HIPAA Security procedures during annually scheduled workforce benefits training each year. In addition, any changes that need to be immediately addressed are handled via business unit meetings or formalized training sessions as needed.”

2011 Status: We confirmed that APWU has implemented a formal training program; this recommendation is closed.

B. Access Controls

We reviewed and evaluated the effectiveness of the access control policies, procedures, and techniques APWU had in place to help ensure that unauthorized physical or logical access to sensitive resources is both minimized and actively monitored.

1. Data Center Controls

While APWU’s data center was physically secure from the outside world, employees with no responsibilities related to the computer equipment in the data center were granted access. In addition, guests to the data center were not required to sign a log detailing their entrance to the data center, the purpose of their visit, and their escort. We also found that APWU had not implemented any video monitoring capabilities in the data center, or at its entrances.

a. 2007 Recommendation 7

We recommend that APWUHP limit access to the data center to management and maintenance personnel, and to those with responsibilities that require physical access to computing resources in the data center.

2007 APWU Response: “The APWUHP does limit access to the Data Center and, as suggested in Recommendation 7, has restricted access for the Insertamax Operators.”

2011 Status: We confirmed that APWU has limited access to the data center; this recommendation is closed.

b. 2007 Recommendation 8

We recommend that APWUHP maintain a log of all visitors that access its data center.

2007 APWU Response: “The APWU Health Plan has considered this recommendation and has determined that with the installation of the video monitors (see Recommendation 9 response below) in the computer room, limited access by the security doors and requiring outside vendors to sign in and be escorted when they enter the building, we have adequate controls for the data center.”

2011 Status: We confirmed that APWU logs all visitor access to the data center; this recommendation is closed.

c. 2007 Recommendation 9

We recommend that APWUHP implement in its data center.

2007 APWU Response: “The APWU Health Plan has entered into a contract with

2011 Status: As of May 2011 APWU has installed within the data center. However, we observed that

2011 Recommendation 1: We recommend that APWU enhance

2. Security of Check Stock and Printed Checks

Pre-printed check stock and printed checks were stored in an unsecured location.

a. 2007 Recommendation 10

We recommend that APWUHP secure pre-printed check stock within its data center.

2007 APWU Response: “The APWU Health Plan has reviewed the recommendation and feels we have adequate controls over the check stock within the data center. The check stock is stored within the data center, which has limited access. Only individuals authorized to enter the data center have access and any other individual entering the data center is escorted. The APWU Health Plan’s contract with the bank calls for a positive pay verification by the bank prior to cashing checks. The APWU Health Plan sends the bank a daily check register of all claim checks issued. If someone were to attempt to type their own check, the bank would reject the transaction. All checks are accounted for in a reconciliation process between Computer Operations and Accounting.
Additionally, with the installation of the video cameras in the data center, one of these cameras will be able to monitor the blank preprinted check stock.”

2011 Status: We confirmed that APWU has secured the pre-printed check stock within the data center; this recommendation is closed.

b. 2007 Recommendation 11

We recommend that APWUHP adjust its procedures for mailing printed checks so that the checks are never left unattended in an insecure area.

2007 APWU Response: “The APWU Health Plan has reviewed this recommendation and determined that there are adequate controls in place. Additionally, there is the positive pay process with the bank and, as a back up, the member is mailed an explanation of benefits of what was paid.”

2011 Status: We confirmed that APWU has adjusted its procedures to appropriately secure printed checks prior to mailing; this recommendation is closed.

3. Application Access Controls

Controls to prevent unauthorized logical access to APWU’s information systems were not adequately implemented. Specifically, APWU did not have a corporate password policy implemented, which was an outstanding recommendation from 2001. Passwords were assigned by the system administrator and were known by at least three individuals before being provided to the user. Each user’s password was stored in hard copy by the Plan’s HIPAA specialist. Passwords were not subject to any complexity requirements and there were no controls implemented to prevent unlimited login attempts.

a. 2007 Recommendation 12

We recommend that APWUHP implement a corporate password policy that meets the requirements of FISCAM and NIST SP 800-14. At a minimum, the policy should address minimum password lengths, the use of alphanumeric and special characters, routine password changes and reuse of passwords.

2007 APWU Response: “Currently, security and password controls are handled on the application level.
Each application has different password requirements and does not allow the user to choose or change their password, nor does it possess the ability to lock accounts after a pre-determined number of failed login attempts. The Health Plan will prepare business requirements and functional specifications to present to the vendors for each application in order to put together a uniform corporate password policy that meets the requirements of FISCAM and NIST SP 800-14 guidelines. These business requirements and functional specifications will be presented to the vendor during the first quarter of 2007.”

2011 Status: We confirmed that APWU has implemented a sufficient corporate password policy; this recommendation is closed.

b. 2007 Recommendation 13

We recommend that APWUHP adjust its procedures for issuing users’ initial passwords so that only that individual knows his/her password. This can be accomplished by allowing users to set their own passwords, or by forcing users to change their assigned password on first use.

2007 APWU Response: “Currently, security and password controls are handled on the application level. Each application has different password requirements and does not allow the user to choose or change their password, nor does it possess the ability to lock accounts after a pre-determined number of failed login attempts. The Health Plan will prepare business requirements and functional specifications to present to the vendors for each application in order to put together a uniform corporate password policy that meets the requirements of FISCAM and NIST SP 800-14 guidelines. These business requirements and functional specifications will be presented to the vendor during the first quarter of 2007.”

2011 Status: We confirmed that APWU has implemented system settings to mandate password changes upon initial sign-on; this recommendation is closed.

c. 2007 Recommendation 14

We recommend that APWUHP improve the password controls for the applications discussed in this section to meet the requirements of the corporate password policy.

2007 APWU Response: “Currently, security and password controls are handled on the application level. Each application has different password requirements and does not allow the user to choose or change their password, nor does it possess the ability to lock accounts after a pre-determined number of failed login attempts. The Health Plan will prepare business requirements and functional specifications to present to the vendors for each application in order to put together a uniform corporate password policy that meets the requirements of FISCAM and NIST SP 800-14 guidelines. These business requirements and functional specifications will be presented to the vendor during the first quarter of 2007.”

2011 Status: This is in direct violation of the Corporate Password Policy.

2011 Recommendation 2: We continue to recommend that APWU improve the password controls to meet the standards established within the corporate password policy.

d. 2007 Recommendation 15

We recommend that APWUHP configure the applications to lock accounts after a pre-determined number of failed login attempts.

2007 APWU Response: “Currently, security and password controls are handled on the application level. Each application has different password requirements and does not allow the user to choose or change their password, nor does it possess the ability to lock accounts after a pre-determined number of failed login attempts. The Health Plan will prepare business requirements and functional specifications to present to the vendors for each application in order to put together a uniform corporate password policy that meets the requirements of FISCAM and NIST SP 800-14 guidelines.
These business requirements and functional specifications will be presented to the vendor during the first quarter of 2007.”

2011 Status: We confirmed that APWU has implemented the system changes to lock accounts after failed login attempts; this recommendation is closed.

4. Access Monitoring

APWU did not adequately monitor access to three systems critical to claims processing activities, and we found that activity was not monitored for APWU employee workstations and the data entry application. In addition, APWU’s configuration of its virtual private network (VPN) software did not enable the logging of user activity.

a. 2007 Recommendation 16

We recommend that APWUHP routinely monitor access to its information systems in accordance with its “Login Monitoring” policy.

2007 APWU Response: “Currently, the Health Plan is unable to monitor activity or log-in attempts at the application level. The Health Plan will prepare business requirements and functional specifications to present to the vendors for each application that meet the requirements of the NIST 800-12 and the HIPAA Security Rule 164.308(a)(1)(ii)(D) guidelines. These business requirements and functional specifications will be presented to the vendors during the first quarter of 2007.”

2011 Status: We confirmed that APWU has implemented procedures that correspond with the Login Monitoring policy; this recommendation is closed.

b. 2007 Recommendation 17

We recommend that APWUHP enable the auditing capabilities of its VPN server to monitor remote access activity.

2007 APWU Response: “The APWU Health Plan has currently requested proposals for implementing Firewall/VPN logging.”

2011 Status: We confirmed that APWU has implemented the appropriate system changes to enable VPN server auditing; this recommendation is closed.

5. Intrusion Detection

APWU had not implemented any intrusion detection systems on its network or individual workstations.

a. 2007 Recommendation 18

We recommend that APWUHP implement some form of intrusion detection capability.

2007 APWU Response: “The APWU Health Plan has requested proposals for implementing Intrusion Detection.”

2011 Status: We confirmed that APWU implemented intrusion detection; this recommendation is closed.

6. E-mailing Personal Health Information (PHI)

APWU’s “E-mailing PHI” policy did not provide adequate guidance for properly securing PHI sent over e-mail.

a. 2007 Recommendation 19

We recommend that APWUHP update its data transmission policy and procedures to ensure that PHI transmitted over e-mail is properly encrypted.

2007 APWU Response: “Although the HIPAA regulations do not require that e-mail be encrypted, the Health Plan continues to look at additional technology to ensure the security of electronic PHI when e-mail is transmitted outside the organization’s systems and applications.”

2011 Status: We confirmed that APWU has updated its data transmission policy and procedures to address the secure transmission of PHI; this recommendation is closed.

7. Internet Usage

APWU’s “Information Technology Policy” did not address the appropriate use of the Internet and acceptable web browsing practices. Furthermore, we determined that APWU did not utilize any Internet monitoring or filtering software.

a. 2007 Recommendation 20

We recommend that APWUHP implement an Internet use policy that describes, in detail, allowable web browsing practices by Plan employees.

2007 APWU Response: “On December 12, 2006, the APWU Health Plan issued an Information Technology – Security Policy that addresses access to APWU Health Plan’s equipment, software, information transmission and Internet. See Attachment 20A.”

2011 Status: We confirmed that APWU has implemented an Internet use policy; this recommendation is closed.

b. 2007 Recommendation 21

We recommend that APWUHP implement some form of Internet filtering software to enforce the Plan’s Internet use policy.
2007 APWU Response: “The APWU Health Plan is currently pursuing proposals from our vendors for implementing Content Management/Filtering.”

2011 Status: We confirmed that APWU has implemented Internet filtering software; this recommendation is closed.

8. Firewall Utilization

We determined that APWU’s utilization of firewalls in its network environment could be improved. contracted to perform the original configuration of the firewall ruleset, but no internal or third-party reviews of the firewall ruleset have been conducted since its implementation, and changes made to the ruleset are not logged.

a. 2007 Recommendation 22

We recommend that APWUHP periodically review its firewall rulesets and evaluate their effectiveness in controlling current security threats.

2007 APWU Response: “The APWUHP will monitor, log changes and periodically review rule sets.”

2011 Status: We confirmed that APWU periodically reviews its firewall rulesets with regard to current security threats; this recommendation is closed.

b. 2007 Recommendation 23

We recommend that APWUHP research the costs, benefits, and feasibility of .

2007 APWU Response: “The APWU Health Plan reviewed this recommendation and found that Health Plan users are , the costs associated are not a cost effective security measure at this time. The Plan will continue to evaluate this recommendation as other changes are made.”

2011 Status: APWU has not implemented the recommended and has formally accepted all associated risk. APWU stated that “The APWU Health Plan has reviewed this recommendation again to see if is feasible. The costs associated with are not a cost effective security measure at this time.
The Health Plan will continue to evaluate this recommendation as other enhancements and modifications are made to our technical infrastructure.” This recommendation is closed based on APWU’s risk acceptance, but we advise APWU to continue to evaluate the feasibility and benefits of implementing the recommendation.

C. Application Development and Change Control

We reviewed the APWU application development and change control methodology to determine whether it included the following features: a process for authorizing processing features and programming modifications; a change control process with testing standards and practices; approval methods for the implementation of newly developed or revised software; and controls over the use of application-related source code and program libraries.

1. Change Control Procedures

APWU’s “Application Change Control Manual” did not reflect the current environment for .

a. 2007 Recommendation 24

We recommend that APWUHP update the “Application Change Control Manual” to reflect its current operating environment. We also recommend that APWUHP ensure that the updated application development and change control policies and procedures are effectively communicated to the appropriate staff members.

2007 APWU Response: “The APWU Health Plan is in the process of reviewing and updating the ‘Application Change Control Manual’ to reflect the current operating environment. Once the document has been fully updated, it will be communicated to the appropriate staff.”

2011 Status: We confirmed that APWU has sufficiently updated the change control policies and procedures; this recommendation is closed.

2. Testing Modifications

APWU’s procedures for testing the claims processing application were not adequate to ensure the continuing functionality of all system components.

a. 2007 Recommendation 25

We recommend that APWUHP develop a testing methodology that includes test cases for all major functions (modules) of the claims processing system. The test plans should also include reusable test data with verifiable expected results. Each time the system is modified, APWUHP should compare its expected results to those obtained during the testing exercise.

2007 APWU Response: “The APWU Health Plan agrees with the recommendation to institute regression testing into the Health Plan’s testing methodology.”

2011 Status: We confirmed that APWU has developed and implemented a claims processing testing methodology; this recommendation is closed.

D. System Software

We evaluated APWU’s configuration and management of the operating platform that houses the Plan’s claims processing system.

1. Accessing System Software

Two software administrators would occasionally log into the root account directly instead of using their personal accounts. This practice reduced the accountability of administrators for their system activity, as it was impossible to tell which individual was logged into the root account. A better practice is for administrators to log into their personal accounts and then execute the “switch user” command to access the root account when needed. This approach results in an audit trail of each administrator’s activity.

a. 2007 Recommendation 26

We recommend that APWUHP implement a policy requiring system software administrators to always log into their personal accounts, and use the “switch user” command to perform root functions.

2007 APWU Response: “The APWU Health Plan agrees that creating a policy requiring the system software administrators to always log into their accounts first and then use the to perform root functions, would allow better monitoring of which users gained root access.
APWU Health Plan is in the process of drafting this policy.” 2011 Status: We confirmed that APWU has implemented the recommended system software administrators login policy; this recommendation is closed. 2. We reviewed the system configuration file and determined that two s hat may not have a business justification for being utilized. a. 2007 Recommendation 27 We recommend that APWUHP research the purpose of the . If no business purpose can be found, we recommend that APWUHP consider disabling . If a business purpose is found, we recommend that APWUHP research secure alternative that can perform the same function. 2007 APWU Response: “The APWU Health Plan is researching the business purpose of the being active in the . So far, three production jobs have been identified requiring the to be active. The initial result of turning off the resulted in the failure of these three production jobs. We are continuing research to find additional production jobs and ways to limit use of .” 2011 Status: We confirmed that APWU has researched and determined that a business necessity does exist for the use of these . The risk associated with the continued use of these system services has been accepted by APWU; this recommendation is closed. 3. System Software Change Control APWU does not maintain a log of past changes to its system software. a. 2007 Recommendation 28 We recommend that APWUHP maintain a log of all changes to its system software. 2007 APWU Response: The APWU Health Plan will maintain a log of all changes. 2011 Status: We confirmed that APWU has implemented a system change control log; this recommendation is closed. JOHN BERRY 18 E. Service Continuity We reviewed APWU’s service continuity program to determine if (1) procedures were in place to protect information resources and minimize the risk of unplanned interruptions and (2) a plan existed to recover critical operations should interruptions occur. 1. 
Identifying Critical Operations and Resources

APWU had identified the systems that are critical to continuing business operations. However, the Plan had not adequately identified the priority in which these systems should be restored in a disaster recovery situation.

a. 2007 Recommendation 29
We recommend that APWUHP establish the priority in which each of its systems is to be restored in an emergency recovery situation.

2007 APWU Response: “The Health Plan has updated its Disaster Recovery Plan to include the priority in which each of its systems is to be restored.”

2011 Status: We confirmed that APWU has prioritized the systems to be restored in an emergency recovery situation; this recommendation is closed.

b. 2007 Recommendation 30
We recommend that APWUHP identify the specific resources that support each of its systems.

2007 APWU Response: “The Health Plan has updated its Disaster Recovery Plan to include specific resources to support each of its systems.”

2011 Status: We confirmed that APWU has identified the system-specific resources; this recommendation is closed.

2. Disaster Recovery Plan

APWU’s disaster recovery manual contained the majority of elements suggested by NIST SP 800-34, “Contingency Planning Guide for IT Systems.” However, several critical elements were missing from the manual regarding alternate team members, travel arrangements, and contact information.

a. 2007 Recommendation 31
We recommend that APWUHP update its disaster recovery plan to include the missing elements discussed in the section above.

2007 APWU Response: “The Health Plan is currently in the process of selecting and contracting with a new disaster recovery vendor. The Disaster Recovery Plan will be updated appropriately once the vendor has been selected and a new contract executed. In addition, the DR Plan will be updated with current contact information and updated team members.
This will be completed during the first quarter of 2007.”

2011 Status: We confirmed that APWU has updated its disaster recovery plan; this recommendation is closed.

3. Business Continuity Testing

APWU had implemented a business continuity plan, but it had not been tested.

a. 2007 Recommendation 32
We recommend that APWUHP test its business continuity plan at least annually.

2007 APWU Response: “The Health Plan conducted several system recovery tests during 2006. The written results of the last two tests were supplied to the auditors. Once the Disaster Recovery Plan is updated and a new vendor is chosen during the first quarter of 2007, the Health Plan will conduct further system recovery tests and will plan at least one full tabletop test of the plan during 2007.”

2011 Status: We confirmed that APWU has conducted an annual test of its business continuity plan; this recommendation is closed.

F. Application Controls

We evaluated the input, processing, and output controls associated with APWU’s claims processing system. During this process we reviewed the policies and procedures adopted by APWU to help ensure that 1) there are controls over the inception of claims data into the system; 2) the data received comes from the appropriate sources; and 3) the data is entered into the claims database correctly.

1. Processing Controls

A test of the system revealed several weaknesses in APWU’s claims processing controls, including:
•
•

a. 2007 Recommendation 33
We recommend that APWUHP expand clinical edits for professional claims to account for the medical inconsistencies stated above. We also recommend that APWUHP take the necessary steps to ensure that these clinical edits are also applied to hospital claims.

2007 APWU Response: “The Health Plan agrees we need to minimize s and has reported this problem to the claims software vendor to correct the issue that has been identified.
Currently, the software editing product used ) in the claims system, does not accommodate editing for hospital claims. The Health Plan will take steps to investigate a product that will accommodate editing on hospital claims.”

2011 Status: We submitted several professional test claims into APWU’s claims processing test system to evaluate the effectiveness of the system’s clinical edits. The system processed and paid a In addition, several hospital test claims were submitted into the system. A hospital test claim for did not encounter the expected clinical edit. increases the risk that claims can still be processed inaccurately and generate erroneous payments, increasing the costs to the FEHBP.

2011 Recommendation 3: We continue to recommend that APWU expand clinical edits for professional and hospital claims to account for the medical inconsistencies stated above.

b. 2007 Recommendation 34
We recommend that APWUHP implement the proper technical controls in its claims processing system to ensure that providers are only paid for services for which they are covered.

2007 APWU Response: “The Health Plan has controls in place, such as claims audits, and Ingenix sends a list of providers which are flagged in the system as fraudulent in order to ensure providers are only paid for services for which they are covered.”

2011 Status: We submitted a professional test claim into APWU’s claims processing test system to evaluate the effectiveness of the system’s The system processed and paid a test claim for a In addition, a hospital test claim was processed and paid for a These tests revealed the potential for APWU to erroneously pay claims for services . APWU personnel explained that The lack of adequate within the application increases the risk that claims can still be processed inaccurately, generating erroneous payments, and thereby increasing the costs to the FEHBP.
2011 Recommendation 4: We continue to recommend that APWU implement the proper technical controls in its claims processing system to ensure that

c. 2007 Recommendation 35
We recommend that APWUHP implement the appropriate controls to ensure that only providers in the provider file are paid, and that new providers are flagged for review before being added to the system.

2007 APWU Response: “The APWU Health Plan will satisfy this requirement in conjunction with implementation of the National Provider Identifier. Only providers that have valid identification numbers from CMS will be considered for payment. New providers without a provider identification number will be flagged for review.”

2011 Status: The OIG has confirmed that the recommended system modifications have been implemented; this recommendation is closed.

d. 2007 Recommendation 36
We recommend that APWUHP implement the necessary technical controls to identify and process workers’ compensation and coordination of benefits claims in accordance with its FEHBP contract.

2007 APWU Response: “Due to the time it takes for the Office of Workers’ Compensation to make a determination and the fact that the APWU Health Plan members should be afforded medical services for their injury, the APWU Health Plan has been reluctant to outright deny possible workers’ compensation claims. Instead the claims are flagged along with subrogation claims. The accident code used on these claims would be picked up by the subrogation programs to follow up with a questionnaire and legal review.”

2011 Status: The OIG has confirmed that the recommended system modifications have been implemented; this recommendation is closed.

e. 2007 Recommendation 37
We recommend that APWUHP implement the necessary technical controls in its claims processing system to ensure that assistant surgeon claims are processed and paid correctly.
2007 APWU Response: “The APWU Health Plan agrees with this recommendation and will have the capability to handle assistant surgeon claims correctly when the claims system vendor, , completes enhancement 6.66.”

2011 Status: The OIG has confirmed that the recommended system modifications have been implemented; this recommendation is closed.

2. Debarment

The provider files for APWU’s claims processing system did not contain information to properly identify/flag all FEHBP debarred providers. In addition, several FEHBP debarred providers were not found in the provider file at all, and could potentially be added to the system automatically without being flagged for review.

We also submitted a series of test claims to test whether performs the following actions in accordance with the benefit structure’s guidelines: 1) pay the first claim submitted for an enrollee receiving services from a debarred provider, 2) pay subsequent claims submitted within 15 days of the enrollee being notified of the debarment, and 3) deny claims received later than 15 days after the enrollee is notified of the debarment. The system denied claims for all three situations.

a. 2007 Recommendation 38
We recommend that APWUHP update its provider file with the current complete list of FEHBP debarred providers (including those not previously in the system), and continue to update the file as new debarment lists are released by the OPM OIG.

2007 APWU Response: “This issue was corrected prior to the Office of Inspector General exit conference. The process is working correctly as debarment lists are issued and the Health Plan updates the files in the claims adjudication system,”

2011 Status: The OIG has confirmed that the recommended changes to the debarment process have been implemented; this recommendation is closed.

b. 2007 Recommendation 39
We recommend that APWUHP implement the necessary controls to ensure that claims for debarred providers are processed in accordance with the OIG Guidelines.
2007 APWU Response: “The Health Plan agrees and has taken the necessary steps to comply with the OIG guidelines. An enhancement request (number 6.68) is currently being worked on by the software vendor, RAM Technologies.”

2011 Status: The OIG has confirmed that the recommended system modifications have been implemented; this recommendation is closed.

3. OBRA90/DRG Transfers

APWU’s claims adjudication process did not adequately address all required fields of OBRA90 claims sent to the CMS PRICER program. The APWU “Procedures for Data Input into Pricer” do not instruct claims examiners in how to address the discharge status code field when pricing an OBRA90 claim.

a. 2007 Recommendation 40
We recommend that APWUHP update its policies and procedures to ensure that claim data is entered in the CMS PRICER program accurately and completely. These policies and procedures should be in accordance with CMS and/or OPM guidance. Once the policies and procedures have been implemented, we recommend that APWUHP train the claims examiners on these updated policies and procedures.

2007 APWU Response: “As a result of this audit finding, the APWU Health Plan opened a problem report with our software vendor, RAM. The CMS Pricer Program is integrated in the claims processing system and the process to price a claim is only recognizing status code ‘2’ (discharge/transferred for inpatient care), and it should recognize all discharge status codes.”

2011 Status: The OIG has confirmed that the recommended policies and procedures have been implemented; this recommendation is closed.

4. OBRA 90/DRG Pre-certification Penalty

APWU’s claims processing system did not apply the $500 pre-certification penalty on any of the OBRA90 test claims processed during the 2007 audit.

a. 2007 Recommendation 41
We recommend that APWUHP implement the necessary claims processing system changes to ensure that pre-certification rules are properly enforced for all FEHBP claims.
2007 APWU Response: “Currently, DRG claims are priced and processed directly in There have been no situations identified where the penalty was not taken when it should have been. Controls are in place within the unit to escalate any claims to the Supervisor where the system is not applying the penalty correctly.”

2011 Status: The OIG has confirmed that the recommended system modifications have been implemented; this recommendation is closed.

5. Medicare Part B

APWU was incorrectly paying some OBRA90 claims in which the patient has Medicare Part B. Processors used the actual billed charges instead of the DRG equivalent amount when paying these claims, which is against OPM guidelines.

a. 2007 Recommendation 42
We recommend that APWUHP revise its procedures to use the DRG equivalent amount even if the priced amount is greater than the billed amount.

2007 APWU Response: “The Health Plan agrees with the recommendation and has taken steps to correct the internal procedures. The Plan now uses the DRG equivalent amount that the Pricer calculated even if more than the charge.”

2011 Status: The OIG has confirmed that the recommended system modifications have been implemented; this recommendation is closed.

6. PRICER Input

The system only transmitted the last five digits of the total charges to the CMS PRICER program, resulting in the incorrect pricing of OBRA90 claims.

a. 2007 Recommendation 43
We recommend that APWUHP implement the proper technical controls to ensure that OBRA90 claims with total charges of $100,000 or more are priced correctly using the CMS PRICER program.

2007 APWU Response: “When the OIG reviewed these claims, the CMS Pricer process was not integrated into the claims adjudication system. Now the CMS Pricer is integrated and operating correctly. APWUHP validated that claims with total charges of $100,000 or more are priced correctly using the Pricer program.
We will continue to monitor pricing results when updates are done to the Pricer program.”

2011 Status: We confirmed that the recommended system modifications have been implemented; this recommendation is closed.

2011 Recommendation 5: We recommend that APWUHP implement the necessary technical controls in its claims processing system to ensure that

7. Explanation of Benefits

APWU’s explanation of benefits (EOB) presentation for OBRA90 claims that include payments from other sources, such as Medicare Part B, could be confusing for subscribers.

a. 2007 Recommendation 44
We recommend that APWUHP revise its procedures so that non-covered benefits are not included on an OBRA90 claim in which the patient has Medicare Part B. Alternatively, APWUHP could use a remark code to state that the patient is not responsible for the non-covered benefit.

2007 APWU Response: “The Health Plan will implement the alternative recommendation and use the remark code “Patient not responsible for amount over DRG pricing”.”

2011 Status: The OIG has confirmed that the recommended system modifications have been implemented; this recommendation is closed.

8. Special Investigations Unit

APWU was not in full compliance with Carrier Letter 2003-23, “Industry Standards for Fraud & Abuse (F&A) Programs,” as required by OPM. We did not find evidence of an anti-fraud policy statement, fraud hotlines for internal and external use, or fraud awareness educational material for enrollees.

a. 2007 Recommendation 45
We recommend that APWUHP implement all components of a comprehensive fraud and abuse program as required by Carrier Letter 2003-23.

2007 APWU Response: “The Health Plan has reviewed the Carrier Letter 2003-23 and agrees some of the elements of the carrier letter need to be enhanced and reiterated with the employees of the Health Plan. Written policies/procedures will be updated and published to all employees.
Training curriculums will be revised to ensure employees have an understanding of how to identify fraudulent claims.”

2011 Status: A separate OIG audit determined that all components of a comprehensive fraud and abuse program as required by Carrier Letter 2003-23 are not currently implemented at APWU. As a result of this audit, this recommendation remains open.

2011 Recommendation 6: We recommend that APWU implement all components of a comprehensive fraud and abuse program as required by Carrier Letter 2003-23.

9. Sanctions Implementation Plan

APWU was not in full compliance with the “Guidelines for Implementation of Federal Employees Health Benefits Program Debarment and Suspension Orders,” as required by the OPM OIG. Specifically, APWU’s Sanctions Implementation Plan does not address suspension processes and procedures, or the approving regulatory authority for appeals.

a. 2007 Recommendation 46
We recommend that APWUHP update its Sanctions Implementation Plan to meet all the requirements set forth by OPM. These requirements can be found on OPM’s Debarment website under “Guidelines for Implementation of Federal Employees Health Benefits Program Debarment and Suspension Orders.”

2007 APWU Response: “The Health Plan has given approval to to enhance the system in order to improve our Debarment procedures. Enhancement 6.68 is attached for your review.”

2011 Status: The OIG has confirmed that the recommended updates to the Sanctions Implementation Plan regarding OPM’s debarment and suspension orders have been implemented; this recommendation is closed.

cc: John O’Brien, Director, Healthcare and Insurance
    Shirley Patterson, Assistant Director for Federal Employee Insurance Operations
Follow-up Review of Information Systems General and Application Controls at American Postal Workers Union Health Plan
Published by the Office of Personnel Management, Office of Inspector General on 2011-06-27.
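The testing methodology of Recommendation 25 (reusable test claims with recorded expected results, re-run after every system change), the three-case debarment payment rule the review tested in section F.2, and the PRICER total-charges truncation of section F.6, carried into one small regression harness as an added example. This is not code from the report, from APWU, or from its claims system vendor; the rule ordering, the treatment of an enrollee who has not yet been notified, the five-digit whole-dollar PRICER field, and every claim and date below are assumptions constructed for illustration.

```python
"""Added example, not code from the OIG report or APWU's claims system.

A regression harness in the form Recommendation 25 asks for: reusable test
claims with recorded expected results, re-run after every system change.
It exercises two rules the 2011 review tested by hand: the debarment
payment rule (section F.2) and the PRICER total-charges field (section F.6).
Rule parameters and all claim data below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import Any, Callable, List, Optional

NOTICE_GRACE_DAYS = 15      # the 15-day window the report's debarment test describes
PRICER_CHARGES_WIDTH = 5    # assumed whole-dollar field width; fits the $100,000 finding


def debarment_decision(received_on: str, first_claim: bool,
                       notified_on: Optional[str]) -> str:
    """Debarment rule as the report states it (dates are ISO strings):
    1) the first claim from a debarred provider is paid,
    2) later claims received within 15 days of the enrollee's notice are paid,
    3) claims received more than 15 days after the notice are denied.
    Assumption: an enrollee not yet notified is treated like case 2."""
    if first_claim or notified_on is None:
        return "PAY"
    deadline = date.fromisoformat(notified_on) + timedelta(days=NOTICE_GRACE_DAYS)
    return "PAY" if date.fromisoformat(received_on) <= deadline else "DENY"


def pricer_field_truncating(total_charges) -> str:
    """Reproduces the F.6 defect: a fixed-width field silently keeps only the
    trailing digits, so $100,000 reaches PRICER as 00000."""
    dollars = str(int(Decimal(total_charges)))
    return dollars[-PRICER_CHARGES_WIDTH:].rjust(PRICER_CHARGES_WIDTH, "0")


def pricer_field_checked(total_charges) -> str:
    """Hardened encoder: refuse a value the field cannot carry instead of
    truncating it."""
    amount = Decimal(total_charges)
    if amount < 0:
        raise ValueError("negative total charges")
    dollars = str(int(amount))
    if len(dollars) > PRICER_CHARGES_WIDTH:
        raise ValueError(f"total charges {amount} exceed the PRICER field width")
    return dollars.rjust(PRICER_CHARGES_WIDTH, "0")


@dataclass
class TestCase:
    name: str
    run: Callable[[], Any]   # the adjudication step under test
    expected: Any            # recorded expected result; "raised X" for an exception


def debarment_cases() -> List[TestCase]:
    notice = "2011-03-01"   # constructed enrollee notification date
    return [
        TestCase("debarred provider, first claim is paid",
                 lambda: debarment_decision("2011-02-20", True, None), "PAY"),
        TestCase("debarred provider, received on day 15 after notice is paid",
                 lambda: debarment_decision("2011-03-16", False, notice), "PAY"),
        TestCase("debarred provider, received on day 16 after notice is denied",
                 lambda: debarment_decision("2011-03-17", False, notice), "DENY"),
    ]


def pricer_cases(encoder: Callable[[Any], str]) -> List[TestCase]:
    """The same test data run against whichever encoder the build uses."""
    return [
        TestCase("PRICER total charges $99,999 round-trips",
                 lambda: encoder("99999"), "99999"),
        TestCase("PRICER total charges $100,000 must be rejected, not truncated",
                 lambda: encoder("100000"), "raised ValueError"),
    ]


def run_regression(cases: Optional[List[TestCase]] = None) -> List[str]:
    """Run every case and return a description of each mismatch; an empty
    list means the modified system still matches the recorded results."""
    if cases is None:
        cases = debarment_cases() + pricer_cases(pricer_field_checked)
    failures = []
    for case in cases:
        try:
            actual: Any = case.run()
        except Exception as exc:   # a raised error is itself a recordable result
            actual = f"raised {type(exc).__name__}"
        if actual != case.expected:
            failures.append(f"{case.name}: expected {case.expected!r}, got {actual!r}")
    return failures


if __name__ == "__main__":
    # The truncating encoder fails its case; the checked one passes every case.
    for line in run_regression(pricer_cases(pricer_field_truncating)):
        print("FAIL", line)
    print("failures with checked encoder:", run_regression())
```

Running the file prints one failure for the truncating encoder and an empty list for the checked one. The point of the harness is the recorded expected value: the 2011 review found the system denying all three debarment cases, which a stored "PAY"/"PAY"/"DENY" expectation would have flagged on the first run after the change, without an auditor submitting test claims by hand.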