U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: AUDIT OF INFORMATION SYSTEMS GENERAL AND APPLICATION CONTROLS AT AETNA INC. Report No. 1C-22-00-12-065 Date: March 18, 2013 --CAUTION-- This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy. Audit Report FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM CONTRACTS 2900, 2867, 2914 & 1766 AETNA INC. PLAN CODES 22 / JN / 2X / JC / HF / JR / 2U WQ / C3 / HY / P1 / P3 / UB HARTFORD, CONNECTICUT Report No. 1C-22-00-12-065 03/18/13 Date: ________________________ Michael R. Esser Assistant Inspector General for Audits --CAUTION-- This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy. Executive Summary FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM CONTRACTS 2900, 2867, 2914 & 1766 AETNA INC. PLAN CODES 22 / JN / 2X / JC / HF / JR / 2U WQ / C3 / HY / P1 / P3 / UB HARTFORD, CONNECTICUT Report No. 1C-22-00-12-065 Date: 03/18/13 This final report discusses the results of our audit of general and application controls over the information systems at Aetna Inc. (Aetna or Plan). Aetna has two separate plans that service federal employees: a Health Maintenance Organization plan (HMO) referred to as “Open Access” and an individual practice plan with a consumer driven health plan option and a high deductible health plan option referred to as the “HealthFund.” Our audit focused on the claims processing applications used to adjudicate Federal Employees Health Benefits Program (FEHBP) claims for Aetna, as well as the various processes and information technology (IT) systems used to support these applications. We documented controls in place and opportunities for improvement in each of the areas below. Security Management Aetna has established a series of IT policies and procedures to create an awareness of IT security at the Plan. We also verified that Aetna has adequate human resources policies related to the security aspects of hiring, training, transferring, and terminating employees. i Access Controls Aetna has implemented numerous controls to grant and remove physical access to its data center, as well as logical controls to protect sensitive information. We also noted various controls over physical access to the data centers, as well as the method for encrypting emails containing sensitive information. Network Security Aetna has developed thorough network security policies and procedures around its entire operating environment. We also noted numerous hardening controls around the internal network and that Aetna conducts routine configuration reviews. Aetna’s incident response policies and procedures are comprehensive and utilize software packages for incident correlation. Configuration Management Aetna has developed formal policies and procedures that provide guidance to ensure that system software is appropriately configured and updated, as well as for controlling system software configuration changes. However, we noted several weaknesses in Aetna’s configuration management program related to system configuration auditing and vulnerability scanning methodology. Aetna is working to implement the necessary changes for the identified vulnerabilities. Contingency Planning We reviewed Aetna’s business continuity plans and concluded that they contained the key elements suggested by relevant guidance and publications. We also determined that these documents are reviewed and updated on a periodic basis. Claims Adjudication Aetna has implemented many controls in its claims adjudication process to ensure that FEHBP claims are processed accurately. However, we noted several weaknesses in Aetna’s claims application controls. Health Insurance Portability and Accountability Act (HIPAA) Nothing came to our attention that caused us to believe that Aetna is not in compliance with the HIPAA security, privacy, and national provider identifier regulations. ii Contents Page Executive Summary ......................................................................................................................... i I. Introduction ............................................................................................................................... 1 Background ............................................................................................................................... 1 Objectives ................................................................................................................................. 1 Scope ......................................................................................................................................... 2 Methodology ............................................................................................................................. 2 Compliance with Laws and Regulations................................................................................... 3 II. Audit Findings and Recommendations .................................................................................... 4 A. Security Management ........................................................................................................ 4 B. Access Controls .................................................................................................................. 4 C. Network Security................................................................................................................ 4 D. Configuration Management ............................................................................................... 5 E. Contingency Planning ........................................................................................................ 9 F. Claims Adjudication ......................................................................................................... 10 G. Health Insurance Portability and Accountability Act ...................................................... 14 III. Major Contributors to This Report ....................................................................................... 16 Appendix: Aetna’s December 19, 2012 response to the draft audit report issued October 31, 2012. I. Introduction This draft report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over the information systems responsible for processing Federal Employees Health Benefits Program (FEHBP) claims by Aetna Inc. (Aetna or Plan). The audit was conducted pursuant to FEHBP contracts CS 2900, CS 2867, CS 2914, and CS 1766; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended. Background The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on September 28, 1959. The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents. The provisions of the Act are implemented by OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services. This was our second audit of Aetna’s general and application controls. The first audit was conducted in 2001, and all recommendations from that audit were closed prior to the start of the current audit. We also reviewed Aetna’s compliance with the Health Insurance Portability and Accountability Act (HIPAA). All Aetna personnel that worked with the auditors were helpful and open to ideas and suggestions. They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary. Their positive attitude and helpfulness throughout the audit was greatly appreciated. Objectives The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in Aetna’s IT environment. We accomplished these objectives by reviewing the following areas: • Security management; • Access controls; • Configuration management; • Segregation of duties; • Contingency planning; • Application controls specific to Aetna’s claims processing systems; and, • HIPAA compliance. 1 Scope Thi s performance audit was co nducted in accorda nce with gene rally acc epte d gove rnment audi ting standa rds issued by the Co mptroller General of the United States. Accordingly, we obta ined an understanding of Ae tna 's intern al co ntrols through interviews and observations, as we ll as inspec tion of various doc uments, includi ng information technology and other re lated organizational polic ies and procedures. Thi s understanding of Aetna 's interna l controls was used in planning the audi t by de termining the extent of compliance testing and other auditing pro cedures necessary to verify that the internal co ntro ls we re properly designed , placed in operation, and effec tive. Ae tna has two separate plans that servi ce fed eral employee s : a Health Ma intena nce Orga niza tion plan (HM O) referred to as "Open Access" and an individual practice plan with a co nsumer drive n health plan option and a high deductib le health plan option re ferre d to as the "Hea lthfund ." The scope of thi s audi t ce ntered on the informati on systems used by Ae tna to process medical insur ance cla im s for FEHBP members, with a primary focus on the cla im~ a licati ons. Two se ara te s stems are used to process cla ims at Ae tna : _ s stem adiudica tes cla ims for the Open Access plan and the adj udica tes cla im s for the Healthfund . The busin ess processes reviewed are primaril y located in Aetna 's Hartford . Connecticut facilities. The on-site portion of thi s audi t wa s perfonned in Jul y and Augu st of 20 12. We co mpleted additional audi t work before and after the on-site visit at our office in Wa shington, D .C. The findi ngs , recommendations, and conclusions outlined in thi s rep ort are based on the status of information system general and applica tion contro ls in place at Ae tna as of Sep tember 20 12. In co nducting our audit, we relied to varyi ng degrees on computer-ge ne rated da ta provided by Ae tna . Due to time co nstra ints, we did not verify the reliabili ty of the da ta used to co mplete some of our audi t steps but we de termi ned tha t it wa s adequate to achie ve our audit obj ectives. However, whe n our objective wa s to assess computer-gene rated da ta, we co mpleted audit steps necessary to obtain evidence that the da ta was valid and reliabl e. Methodologv In co nducting thi s review we: • Gathe red documen tation and co nducted intervi ews; • Revi ewed Ae tna 's business structur e and environment ; • Performed a risk assessment of Aetna ' s informati on systems environmen t and applica tions, and prep ared an audit program based on the assessment and the Go ve nunent Acc ountability Office ' s (GAO) Federal Information System Controls Audit Ma nua l (FISCAM); and, • Conducted va rious co mpliance tests to de term ine the extent to which established co ntro ls and pro cedures are functioning as intended . As appro pr iate, we used j udgmenta l sampling in completing our compliance testing. 2 Various laws, regulations, and industry standards were used as a guide to evaluating Aetna’s control structure. These criteria include, but are not limited to, the following publications: • Title 48 of the Code of Federal Regulations; • Office of Management and Budget (OMB) Circular A-130, Appendix III; • OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information; • Information Technology Governance Institute’s CobiT: Control Objectives for Information and Related Technology; • GAO’s FISCAM; • National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12, Introduction to Computer Security; • NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems; • NIST SP 800-30, Risk Management Guide for Information Technology Systems; • NIST SP 800-34, Contingency Planning Guide for Information Technology Systems; • NIST SP 800-41, Guidelines on Firewalls and Firewall Policy; • NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations; • NIST SP 800-61, Computer Security Incident Handling Guide; • NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule; and, • HIPAA Act of 1996. Compliance with Laws and Regulations In conducting the audit, we performed tests to determine whether Aetna’s practices were consistent with applicable standards. While generally compliant, with respect to the items tested, Aetna was not in complete compliance with all standards as described in the “Audit Findings and Recommendations” section of this report. 3 II. Audit Findings and Recommendations A. Security Management The security management component of this audit involved the examination of the policies and procedures that are the foundation of Aetna’s overall IT security controls. We evaluated Aetna’s ability to develop security policies, manage risk, assign security-related responsibility, and monitor the effectiveness of various system-related controls. Aetna has implemented a series of formal policies and procedures that comprise its security management program. Aetna’s Information Security Committee is responsible for creating, reviewing, editing, and disseminating IT security policies. Aetna has also developed a thorough risk management methodology, and has procedures to document, track, and mitigate or accept identified risks. We also reviewed Aetna’s human resources policies and procedures related to hiring, training, transferring, and terminating employees. Nothing came to our attention to indicate that Aetna does not have an adequate security management program. B. Access Controls Access controls are the policies, procedures, and techniques used to prevent or detect unauthorized physical or logical access to sensitive resources. We examined the physical access controls at Aetna’s headquarters building and its data centers. We also examined the logical controls protecting sensitive data on Aetna’s network environment and claims processing applications. The access controls observed during this audit include, but are not limited to: • Procedures for appropriately granting physical access to facilities and data centers; • Procedures for revoking access to data centers for terminated employees; • Procedures for removing Windows/network access for terminated employees; and, • Controls to monitor and filter email and Internet activity. Nothing came to our attention to indicate that Aetna has not implemented adequate controls related to access controls. C. Network Security Network security includes the policies and controls used to prevent or monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Aetna has documented thorough and complete network infrastructure diagrams. Aetna has implemented a comprehensive firewall architecture in its network, and conducts routine configuration reviews of these devices. Aetna’s incident response policies and procedures are comprehensive, and they have utilized software packages for incident correlation. 4 Nothing came to our attention to indicate that Aetna does not have an adequate network security program . D. Configuration l\lanagement Aetna uses two clai ms adjudication app lications to process FEHBP cla ims: _ for the Open Acc ess plan and . for the Healthfund. These applications are housed in a mainframe environme nt. We eva luated Aetna ' s management of the configuration of the mainfram es and the support ing environme nt and determined that the following controls were in place: • Documented and approved server and workstation builds; • Controls for mon itorin g privileged user act ivity on the operating platform ; and, • Thorou gh change management procedures for system software and hardware. The sections below doc ument areas for improvement re lated to Aetna 's configura tion management controls. 1. Routine System C onfigur at ion Auditing Aetna maintain s an approved baseline configuration for its mainframe security software. In the fieldwork phase of our audit, we found that routine compliance audit ing was not a forma l process and wa s not documented w ithin Aetna ' s security policie s and procedure s. Since then, Aetna has implem ented a formal process for routine mainframe system configu ration auditing and has doc umented the procedure s within an approved security policy. Aetna utili zes an approved standard build for all Before a is moved from the test enviro mne nt to produ ction , a one-time review is conducted to ensure configuration settings are compliant with the anorooved build. However , there is currently no ongo ing/ro utine comp liance chec k to ensure onfigurations continue to remain in comp liance with approved build sheets after impl ement ation. NIST SP 800-53 Revision 3 states that an organization must monitor and contro l changes to the configura tion settings in acco rdance with organizational policies and procedures. FISCA1v1 also requ ires that current configuration information be routinely monitored for accuracy. Monitoring should address the baseline and operational configuration of the hardware, software, and firm ware that comprise the information system . Failure to routine ly monitor the system configuration increases the risk the system may not meet security and performance requir ements define d in the established documentation . 0_ Recommendation 1 We recommend that Aetna impl ement a methodology to routine ly monitor the configura tion to the approved build document ation. 5 Aetna Respom;e: "A etna will implem ent a methodology that includes: • Establish configuration baselines • Schedule scans to determine deviation from baseline • Establish a risk based approach for remediation ofconfiguration deviations Closure ETA : kJallagemellt has presented all issue closure pian by 01/31/2013._ DIG Reply: As pa rt of the audit resolution process, we recomme nd that Aetna provide OPM ' s Healthcare and Insurance Office (HID) with evidence that configuration baselines have been established, scans have been conducted, and deviations have been remediated. 2. Vulnerability Scanning a. Full-scope Vulnerability Sca nn in g Aetna conducts per iodic vulnerability scans on its information systems using automated tools, and contracts a third party vendor to conduct external scans. Aetna scans several s ecific on a weeki basis, but ani scans the rema inder on an erstand that it may be unreasonable for Aetna to frequently scan its entire environment. However, we were not able to independently confirm whether had ever bee n subject to previous vulnerability scans . Recommendation 2 \Ve recommend that Aetna implement a process to conduct routine vulnerability scans on its entire _ enviromne nt. Aetna Response: "Aetna currently utilizes a risk based approach ill supp ort ofcompleting vuln erability assessm ents byfocusing its scanning resources to high risk environments. A s a result, th ese environments are scanned with sigulflcant rigor by both Aetna and externally contracted partners. Currently, Aetna 's int ernal trusted network is sub iected to anuuat and ad hoc assessm ents that scan and provide results with remediation advice to the system owners responsible for remediation. 6 To evolve A etna's strategic vulnerability management program in 2012, the investm ent of deploying a scanning technology f ram ework across th e enterp rise was achieved. Aetna's strategic vision ofits vulnerability managem ent program furth er evolved in 2012 due to the integration effort ofthe scanning infrastructure into the IT GR C (Governance, Risk and Comp liance) tool. Integrating vuln erability scan results into th e IT GR C tool will provide increased risk managem ent oversight/or remediation and prioritization. This new vulnerability managem ent program will establish a strategic foundation f or finding s management and remediation workflow by p roviding data to assess and deploy tim ely patches across the enterprise... This accomplishment will allow/or the management ofmore frequent scanning and drive tim ely imp lementation ofsystem patches. Aetna will implem ent a m ethodology that includes: • Aetna has contin ue d to exp and its vulnerability managem ent program to oth er en viron ments with the solutio n ill place as 0/1/31/201[3]. • To complete the migration ofits strate ic l'ulllerability managem ent program, Aetna is sch eduled to include all within the Internal Trusted network " DIG Reply: As pa rt of the audit resolution process, we recomme nd that Aetn a provide OPM ' s lila with evidence that vulnerab ility scans are routinely conducted on the entire . environment. b. System Patching Aetna has documented of am FISCAM states that " Software should be scanned and u known vulnerabilities." Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expedi tiously." Although the servers we scanned are rotected b firewalls and other technolo .es, tlililiiiil sensitive information could be stolen. Re commendation 3 7 Aetna Respom;e: "A etna will continue to evolve its enterprise vulnerability management program, enabling more stringent oversight and connnuuication with system oWllers on vuln erabilityfindings and remediation expectations. A etna will implement a methodology that includes: • R eview ofcurr~ patching process to identify gaps • Refinement o ~ tchillg pro cess • Post-implementation scan to ensure successf ul completion ofupgrades DIG Replv: As pa rt of the audit resolution process, we reco mme nd that Aetna rovide OPM ' s HID with evidence of its im roved methodolo to ensure that are installed with appropriate c. Noncu r r ent Softw are The results of our vulnerability scans indi cated that s contai ned uoncurreut software applications that were no longer support ed by the vendors and may have know n security vulnerabilities. FISCA1v1 states that "Procedures should ensure that only current software releases are installed in information systems . Noncurrent software may be vulnerable to malicious code such as viruses and worms." Fail ure to promptly remove outdated software increases the risk of a successful malicious attack on the information system . Recommendation 4 We recommend that Aetna implement a methodology to e~ent and support ed versions of system software are installed on t h e _ A etna Respom;e: "A etna will implem ent a methodology that includes: • Review ofcurr~ software patching pro cess to identify gaps • R efinement o~twarepatching pro cess • Schedule ofscans • Establish a risk based approach for remediation ofnou-current and unsupported software Closure ETA: Management has submitted an issue closure plan by 01/31/2013. Closure target date was presented as part ofth e closure plan," 8 DIG Reply: As part of the audit resolution process, we recommend that Aetna provide OP1.1's HID with evidence of its improved methodology to e~ent and supported versions of system software are installed a ll the _ d. Unnecessary Applications The results of om vulne rab ili scans indi cated that contained third-party applica tions that were not likely essential to the fun ctionality of that serv er. NIST SP 800 -53 Revision 3 states that the orga niza tion should configu re the information system to provide only essential capabilities. An organization should also revi ew the information system to identify and elimina te unnecessary functions. Installing unnecessary software to an information system can increase the amount of exposed vulnerabilities and methods an intrud er can use to gain unauthorized acce ss to the system. Recommendation 5 We recommend that Aetna revi ew i t~lfi gurati on to ensure that only necessary software is installed on its _ Aetna Response: "Aetna will implement a methodology that includes: • Schedule ofscans to identify unnecessary software installations • Establish a risk based approach for removal ofunnecessary sof tware. Closure ETA: Management has presented all issue closure piau by 01/31/2013. Closure target date was presented as part ofthe closure plan." DIG Replv: As part of the audit resolution process, we reco mme nd that Aetna provide OPM ' s lila with evidence ~hodology to ensure that only necessary softw are is installed on its _ E. Contingency Planning We reviewed the following elements of Aetna ' s contingency planning pro gram to determi ne whether controls were in place to prevent or minimize inrenuptions to business operations when disastrou s events occur : • Disaster response plan; • Business continuity plan for data center opera tions; • Business continuity plans for claims pro cessing operations and claim s support; • Disaster recovery plan tests conduc ted in conjunction with the altemate data center; and, 9 • Emergency response procedures and training. We determined that the service continuity documentation contained the critical elements suggested by NIST SP 800-34, “Contingency Planning Guide for IT Systems.” Aetna has identified and prioritized the systems and resources that are critical to business operations, and has developed detailed procedures to recover those systems and resources. Nothing came to our attention to indicate that Aetna has not implemented adequate controls related to contingency planning. F. Claims Adjudication The following sections detail our review of the applications and business processes supporting Aetna’s claims adjudication process. 1. Application Configuration Management We evaluated the policies and procedures governing application development and change control of Aetna’s claims processing systems. Aetna has implemented policies and procedures related to application configuration management, and has adopted a system development life cycle methodology that IT personnel follow during routine software modifications. We observed the following controls related to testing and approvals of software modifications: • Aetna has adopted practices that allow modifications to be tracked throughout the change process; • Code, unit, system, and quality testing are all conducted in accordance with industry standards; and, • Aetna uses a business unit independent from the software developers to move the code between development and production environments to ensure adequate segregation of duties. Nothing came to our attention to indicate that Aetna has not implemented adequate controls related to the application configuration management process. 2. Claims Processing System We evaluated the input, processing, and output controls associated with Aetna’s claims processing systems. We determined that Aetna has implemented policies and procedures to help ensure that: • Paper claims that are received in the mail room are tracked to ensure timely processing; • Claims are monitored as they are processed through the systems with real time tracking of the system’s performance; and, • Claims scheduled for payment are actually paid. Nothing came to our attention to indicate that Aetna has not implemented adequate controls over the claims processing system. 10 3. Enrollment We evaluated Aetna’s procedures for managing its database of member enrollment data. Electronic enrollment data is processed weekly and paper files are processed daily. Aetna has a reconciliation process to ensure all data that was sent to the plan was received and processed. Nothing came to our attention to indicate that Aetna has not implemented adequate controls over the enrollment process. 4. Debarment Aetna has adequate procedures for updating its claim processing systems with debarred provider information and routinely audits its debarment database for accuracy. Aetna downloads the OPM OIG debarment list every month and compares the data to its provider database. Debarred providers that are a direct match to the debarment list are automatically terminated from the provider database. A manual review is conducted for all partial matches to ensure that all debarred providers are appropriately terminated. Nothing came to our attention to indicate that Aetna has not implemented adequate controls over the debarment process. 5. Special Investigations and Fraud We evaluated the Aetna policies and procedures governing special investigations and fraud. We determined that Aetna has substantial policies and procedures in place to detect, manage, and report fraud. Nothing came to our attention to indicate that Aetna has not implemented adequate controls over its special investigations and fraud unit. 6. Application Controls Testing We conducted a test on Aetna’s claims adjudication applications to validate the systems’ processing controls. The exercise involved processing test claims designed with inherent flaws and evaluating the manner in which Aetna’s systems adjudicated the claims. Test claims were submitted to the system for the Open Access plan and for the HealthFund. Our test results indicate that both systems have controls and system edits in place to identify the following scenarios: • Invalid members and providers; • Member eligibility; • Gender; • Timely filing; and, • Catastrophic maximum. 11 The sections below document oppo rtunities for imp rovement related to Aetna ' s claim s application controls. a. Benefit Structure Inconsistency We submitted test cla ims into _ for The claims were processed and a $ 15 dollar copay was applied . However. according to the Aetna Open Acc ess 20 12 benefit brochure , the copay for _ should be $35 . Aetna confirmed that the copay amo unt was loade d ~ctly, but only for th e state of Delaware, and has since correc ted the error. We also entered two test claims for a within the same year. Both of these cla ims were processed ~ever, the Aetna Open Access 20 12 benefit brochure restricts coverage ot _ to one time per year. Recommendation 6 \Ve recommend that Aetna conduct a review o~ setting s to ensure the application properly refl ects the benefits defined in the Aetna Open Access benefit brochure. Aetna Response: "Going forward, when Aetna is notified of a new state mandate the HillO Product Admin team will be sent a list of all groups with plans in that particular state. The team will scan the list for the federal plans and remove them from the list. III the unlikely instance that a plan participant would receive more tlmn olle _ ill a year, due to system limitations, Aetna 's H,UO system does not have the ability to limit to thisfrequen~l the planned migration offof Hi.110 to A etna's strategic claim platform _ there is 1I0t anticipated inve stment in enhancements to the legacy platform." DIG Reply: We believe that the recommendation should remain open until Aetna provide s OPM 's HIO with evidence that the _ has been upd ated to correc t the defi~r that the plan has success fully migrated all FEHBP claims processing activity to _ b. Provider/Procedure Inconsistency We entered test claims for ~rul ing a and _ Despite the fa~r is not licensed to claim was processed without enco untering any edit s. We also entered test claim s for a ~erforulin Aga in, the claim s were inappropriately p roc~ and systems without enco unteri ng any edits. Aetna stated that its system s are not configured to compare the _ to the to identi fy inconsistencies. Aetna assume~ 12 provider is billing a service, and that they are indeed actively licensed in that state. Aetna’s Special Investigations Unit is responsible for detecting instances of providers who are billing . While we acknowledge that a medical doctor legally can perform any medical procedure ), the providers in our test claims were not medical doctors. Although Aetna’s SIU is tasked with detecting instances of providers billing outside the scope of their license, this process can be improved by utilizing preventive controls within the claims processing system. Recommendation 7 We recommend that Aetna make the appropriate system modifications to prevent medically inconsistent claims from processing. Aetna Response: “Aetna has carefully reviewed this issue and based on a significantly extensive activity to implement such a solution for what would [be] considered a highly unlikely event, Aetna will continue to place reliance on the downstream SIU process.” OIG Reply: We disagree with Aetna’s position and continue to recommend that Aetna modify its claims processing system to prevent medically inconsistent claims from processing. We believe that preventive medical editing controls are much more efficient and effective than reactive controls, such as relying on the SIU to recoup inappropriately billed claims. c. Procedure Code Billing Guidelines Not Enforced We entered two separate test claims for with multiple service dates within a span of 30 days. All of these services were paid without encountering edits in However, according to the American Medical Association, this procedure code is only allowed to be billed once every 30 days. was able to recognize the procedure code inconsistency and appropriately denied all but one claim line that occurred within the 30 day time span. Recommendation 8 We recommend that Aetna make the appropriate system modification to enforce proper procedure code billing guidelines. Aetna Response: “A system enhancement was implemented November 10, 2012 which is now denying services for this scenario. Evidence has been provided to the OIG to demonstrate closure.” 13 OIG Reply: The evidence provided by Aetna in response to the draft audit report indicates that the Plan has made the appropriate system modification to enforce proper procedure code billing guidelines; no further action is required. d. Near Duplicate We submitted two separate test claims into with an identical patient, procedure code, diagnosis code, date of service and billed amounts; the only difference between the two claims was the provider. These claims processed without encountering any edits and paid both providers the same amount. Due to the similarity of these claims, we expected the second claim to be deferred by a suspected duplicate edit so that a claims processor could determine if the claim was submitted correctly. Recommendation 9 We recommend that Aetna implement controls to prevent near duplicate claims from processing. Aetna Response: • “A recommendation for revision to our duplicate editing logic will be presented internally to our policy area for review. • The recommendation will be presented to the policy council at their March meeting. Target date: 3/30/13 • Any additional management action plans will be reviewed with the OIG based upon the review committees decision.” OIG Reply: As part of the audit resolution process, we recommend that Aetna provide OPM’s HIO with evidence that the claims processing system has been modified to prevent near duplicate claims from processing. G. Health Insurance Portability and Accountability Act We reviewed Aetna’s efforts to maintain compliance with the security and privacy standards of HIPAA. Aetna has implemented a series of IT security policies and procedures to adequately address the requirements of the HIPAA security rule. Aetna has also developed a series of privacy policies and procedures that directly addresses all requirements of the HIPAA privacy rule. Aetna reviews its HIPAA privacy and security policies annually and updates when necessary. Aetna has designated a Privacy Official who has the responsibility of ensuring compliance with HIPAA Privacy and Security policies. Each year, all employees must complete Aetna’s “Business 14 Conduct and Integrity” training course. This training encompasses HIPAA regulations as well as general compliance. Nothing came to our attention that caused us to believe that Aetna is not in compliance with the various requirements of HIPAA regulations. 15 III. Major Contributors to This Report This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report: • , Group Chief • , Senior Team Leader • , Auditor-In-Charge • , Lead IT Auditor • , IT Auditor 16 Appendix Aet na Inc. 151 Farmington Avenue Hartford, CT 06156 - " Manager Aetna Information Systems .- December 19 , 20 12 Infonnation Systems Aud its Group U.S. Office of Inspector Gene ral 1900 E Street, NW - Room 6400 W ashington, D.C. 204 15-1100 RE: Aetna 's respon se to Draft Report No .1 C-22-00- 12-065 Aetna submits the following response to the above-referenced Draft Aud it Report issued by the Office of Person nel Ma nagement (O PM) Office of the Inspe ctor General (D IG) unde r the Federal Employees Health Benefits Program (FEHBP) . The aud it covered the gene ral and applicati on controls over the automated claims processing systems and other computer-based systems at Aetna . Enclosed you will find two copies of the Draft Repo rt. The first attachment is labeled "Aetna's Co mments to the Draft Report" and the second attachment is labeled "Proposed Redact ions" . Aetna has responded to all of a lG's recommendations and has included a proposed timetable fo r completion in the first attachment. The second attachment includes Aet na's response to the Draft Report with prop osed at_ redactions. Aet na respectfully requests a lG to implement the prop osed redactions prior to the Final Report's posting on the a lG website under the Freedom of Information Act. If you have an questions or concerns about our respon se, please feel to contact me Sincerely, , Senior Vice Pres ident, Aetna Federal Plans ret, nfonnation Systems Audits Group nderwr iting Head of Aetna Federal Plans Recommendation 1 Aetna will implement a methodology that includes: • Establish configuration baselines • Schedule scans to determine deviation from baseline • Establish a risk based approach for remediation of configuration deviations Closure ETA: Management has presented an issue closure plan by 01/31/2013. 1 Recommendation 2 Aetna currently utilizes a risk based approach in support of completing vulnerability assessments by focusing its scanning resources to high risk environments. As a result, these environments are scanned with significant rigor by both Aetna and externally contracted partners. Currently, Aetna’s internal trusted network is subjected to annual and ad hoc assessments that scan a sample of Aetna’s and provide results with remediation advice to the system owners responsible for remediation. To evolve Aetna’s strategic vulnerability management program in 2012, the investment of deploying a scanning technology framework across the enterprise was achieved. Aetna’s strategic vision of its vulnerability management program further evolved in 2012 due to the integration effort of the scanning infrastructure into the IT GRC (Governance, Risk and Compliance) tool. Integrating vulnerability scan results into the IT GRC tool will provide increased risk management oversight for remediation and prioritization. This new vulnerability management program will establish a strategic foundation for findings management and remediation workflow by providing data to assess and deploy timely patches across the enterprise... This accomplishment will allow for the management of more frequent scanning and drive timely implementation of system patches. Aetna will implement a methodology that includes: • Aetna has continued to expand its vulnerability management program to other environments with the solution in place as of 1/31/201[3]. • To complete the migration of its strategic vulnerability management program, Aetna is scheduled to include all within the Internal Trusted network by Recommendation 3 Aetna will continue to evolve its enterprise vulnerability management program, enabling more stringent oversight and communication with system owners on vulnerability findings and remediation expectations. Aetna will implement a methodology that includes: • Review of current patching process to identify gaps • Refinement of patching process • Post-implementation scan to ensure successful completion of upgrades Closure ETA: Recommendation 4 Aetna will implement a methodology that includes: • Review of current software patching process to identify gaps • Refinement of software patching process • Schedule of scans • Establish a risk based approach for remediation of non-current and unsupported software Closure ETA: Management has submitted an issue closure plan by 01/31/2013. Closure target date was presented as part of the closure plan. Recommendation 5 Aetna will implement a methodology that includes: • Schedule of scans to identify unnecessary software installations • Establish a risk based approach for removal of unnecessary software. Closure ETA: Management has presented an issue closure plan by 01/31/2013. Closure target date was presented as part of the closure plan. Recommendation 6 Going forward, when Aetna is notified of a new state mandate the HMO Product Admin team will be sent a list of all groups with plans in that particular state. The team will scan the list for the federal plans and remove them from the list. In the unlikely instance that a plan participant would receive more than one routine mammogram in a year, due to system limitations, Aetna’s HMO system does not have the ability to limit to this frequency. With the planned migration off of HMO to Aetna’s there is not anticipated investment in enhancements to the legacy platform. Recommendation 7 Aetna has carefully reviewed this issue and based on a significantly extensive activity to implement such a solution for what would is considered a highly unlikely event, Aetna will continue to place reliance on the downstream SIU process. Recommendation 8 A system enhancement was implemented November 10, 2012 which is now denying services for this scenario. Evidence has been provided to the OIG to demonstrate closure. Recommendation 9 • A recommendation for revision to our duplicate editing logic will be presented internally to our policy area for review. • The recommendation will be presented to the policy council at their March meeting. Target date: 3/30/13 • Any additional management action plans will be reviewed with the OIG based upon the review committees decision.
Audit of Information Systems General and Application Controls at Aetna, Inc.
Published by the Office of Personnel Management, Office of Inspector General on 2013-03-18.
Below is a raw (and likely hideous) rendition of the original report. (PDF)