U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS
Final Audit Report
Subject:
AUDIT OF INFORMATION SYSTEMS
GENERAL AND APPLICATION CONTROLS AT
AETNA INC.
Report No. 1C-22-00-12-065
Date: March 18, 2013
--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit
report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available
under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before
releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
Audit Report
FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACTS 2900, 2867, 2914 & 1766
AETNA INC.
PLAN CODES 22 / JN / 2X / JC / HF / JR / 2U
WQ / C3 / HY / P1 / P3 / UB
HARTFORD, CONNECTICUT
Report No. 1C-22-00-12-065
03/18/13
Date:
________________________
Michael R. Esser
Assistant Inspector General
for Audits
--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit
report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available
under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before
releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
Executive Summary
FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACTS 2900, 2867, 2914 & 1766
AETNA INC.
PLAN CODES 22 / JN / 2X / JC / HF / JR / 2U
WQ / C3 / HY / P1 / P3 / UB
HARTFORD, CONNECTICUT
Report No. 1C-22-00-12-065
Date: 03/18/13
This final report discusses the results of our audit of general and application controls over the
information systems at Aetna Inc. (Aetna or Plan). Aetna has two separate plans that service
federal employees: a Health Maintenance Organization plan (HMO) referred to as “Open
Access” and an individual practice plan with a consumer driven health plan option and a high
deductible health plan option referred to as the “HealthFund.”
Our audit focused on the claims processing applications used to adjudicate Federal Employees
Health Benefits Program (FEHBP) claims for Aetna, as well as the various processes and
information technology (IT) systems used to support these applications. We documented
controls in place and opportunities for improvement in each of the areas below.
Security Management
Aetna has established a series of IT policies and procedures to create an awareness of IT security
at the Plan. We also verified that Aetna has adequate human resources policies related to the
security aspects of hiring, training, transferring, and terminating employees.
i
Access Controls
Aetna has implemented numerous controls to grant and remove physical access to its data center,
as well as logical controls to protect sensitive information. We also noted various controls over
physical access to the data centers, as well as the method for encrypting emails containing
sensitive information.
Network Security
Aetna has developed thorough network security policies and procedures around its entire
operating environment. We also noted numerous hardening controls around the internal network
and that Aetna conducts routine configuration reviews. Aetna’s incident response policies and
procedures are comprehensive and utilize software packages for incident correlation.
Configuration Management
Aetna has developed formal policies and procedures that provide guidance to ensure that system
software is appropriately configured and updated, as well as for controlling system software
configuration changes. However, we noted several weaknesses in Aetna’s configuration
management program related to system configuration auditing and vulnerability scanning
methodology. Aetna is working to implement the necessary changes for the identified
vulnerabilities.
Contingency Planning
We reviewed Aetna’s business continuity plans and concluded that they contained the key
elements suggested by relevant guidance and publications. We also determined that these
documents are reviewed and updated on a periodic basis.
Claims Adjudication
Aetna has implemented many controls in its claims adjudication process to ensure that FEHBP
claims are processed accurately. However, we noted several weaknesses in Aetna’s claims
application controls.
Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that Aetna is not in compliance with the
HIPAA security, privacy, and national provider identifier regulations.
ii
Contents
Page
Executive Summary ......................................................................................................................... i
I. Introduction ............................................................................................................................... 1
Background ............................................................................................................................... 1
Objectives ................................................................................................................................. 1
Scope ......................................................................................................................................... 2
Methodology ............................................................................................................................. 2
Compliance with Laws and Regulations................................................................................... 3
II. Audit Findings and Recommendations .................................................................................... 4
A. Security Management ........................................................................................................ 4
B. Access Controls .................................................................................................................. 4
C. Network Security................................................................................................................ 4
D. Configuration Management ............................................................................................... 5
E. Contingency Planning ........................................................................................................ 9
F. Claims Adjudication ......................................................................................................... 10
G. Health Insurance Portability and Accountability Act ...................................................... 14
III. Major Contributors to This Report ....................................................................................... 16
Appendix: Aetna’s December 19, 2012 response to the draft audit report issued October 31,
2012.
I. Introduction
This draft report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims by Aetna Inc. (Aetna or Plan).
The audit was conducted pursuant to FEHBP contracts CS 2900, CS 2867, CS 2914, and CS
1766; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The
audit was performed by the U.S. Office of Personnel Management’s (OPM) Office of the
Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.
Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.
This was our second audit of Aetna’s general and application controls. The first audit was
conducted in 2001, and all recommendations from that audit were closed prior to the start of the
current audit. We also reviewed Aetna’s compliance with the Health Insurance Portability and
Accountability Act (HIPAA).
All Aetna personnel that worked with the auditors were helpful and open to ideas and
suggestions. They viewed the audit as an opportunity to examine practices and to make changes
or improvements as necessary. Their positive attitude and helpfulness throughout the audit was
greatly appreciated.
Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in Aetna’s IT environment.
We accomplished these objectives by reviewing the following areas:
• Security management;
• Access controls;
• Configuration management;
• Segregation of duties;
• Contingency planning;
• Application controls specific to Aetna’s claims processing systems; and,
• HIPAA compliance.
1
Scope
Thi s performance audit was co nducted in accorda nce with gene rally acc epte d gove rnment
audi ting standa rds issued by the Co mptroller General of the United States. Accordingly, we
obta ined an understanding of Ae tna 's intern al co ntrols through interviews and observations, as
we ll as inspec tion of various doc uments, includi ng information technology and other re lated
organizational polic ies and procedures. Thi s understanding of Aetna 's interna l controls was used
in planning the audi t by de termining the extent of compliance testing and other auditing
pro cedures necessary to verify that the internal co ntro ls we re properly designed , placed in
operation, and effec tive.
Ae tna has two separate plans that servi ce fed eral employee s : a Health Ma intena nce Orga niza tion
plan (HM O) referred to as "Open Access" and an individual practice plan with a co nsumer
drive n health plan option and a high deductib le health plan option re ferre d to as the
"Hea lthfund ."
The scope of thi s audi t ce ntered on the informati on systems used by Ae tna to process medical
insur ance cla im s for FEHBP members, with a primary focus on the cla im~
a licati ons. Two se ara te s stems are used to process cla ims at Ae tna : _
s stem adiudica tes cla ims for the Open Access plan and the
adj udica tes cla im s for the Healthfund . The
busin ess processes reviewed are primaril y located in Aetna 's Hartford . Connecticut facilities.
The on-site portion of thi s audi t wa s perfonned in Jul y and Augu st of 20 12. We co mpleted
additional audi t work before and after the on-site visit at our office in Wa shington, D .C. The
findi ngs , recommendations, and conclusions outlined in thi s rep ort are based on the status of
information system general and applica tion contro ls in place at Ae tna as of Sep tember 20 12.
In co nducting our audit, we relied to varyi ng degrees on computer-ge ne rated da ta provided by
Ae tna . Due to time co nstra ints, we did not verify the reliabili ty of the da ta used to co mplete
some of our audi t steps but we de termi ned tha t it wa s adequate to achie ve our audit obj ectives.
However, whe n our objective wa s to assess computer-gene rated da ta, we co mpleted audit steps
necessary to obtain evidence that the da ta was valid and reliabl e.
Methodologv
In co nducting thi s review we:
• Gathe red documen tation and co nducted intervi ews;
• Revi ewed Ae tna 's business structur e and environment ;
• Performed a risk assessment of Aetna ' s informati on systems environmen t and applica tions,
and prep ared an audit program based on the assessment and the Go ve nunent Acc ountability
Office ' s (GAO) Federal Information System Controls Audit Ma nua l (FISCAM); and,
• Conducted va rious co mpliance tests to de term ine the extent to which established co ntro ls and
pro cedures are functioning as intended . As appro pr iate, we used j udgmenta l sampling in
completing our compliance testing.
2
Various laws, regulations, and industry standards were used as a guide to evaluating Aetna’s
control structure. These criteria include, but are not limited to, the following publications:
• Title 48 of the Code of Federal Regulations;
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information;
• Information Technology Governance Institute’s CobiT: Control Objectives for Information
and Related Technology;
• GAO’s FISCAM;
• National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information
Systems and Organizations;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA
Security Rule; and,
• HIPAA Act of 1996.
Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether Aetna’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
Aetna was not in complete compliance with all standards as described in the “Audit Findings and
Recommendations” section of this report.
3
II. Audit Findings and Recommendations
A. Security Management
The security management component of this audit involved the examination of the policies and
procedures that are the foundation of Aetna’s overall IT security controls. We evaluated Aetna’s
ability to develop security policies, manage risk, assign security-related responsibility, and
monitor the effectiveness of various system-related controls.
Aetna has implemented a series of formal policies and procedures that comprise its security
management program. Aetna’s Information Security Committee is responsible for creating,
reviewing, editing, and disseminating IT security policies. Aetna has also developed a thorough
risk management methodology, and has procedures to document, track, and mitigate or accept
identified risks. We also reviewed Aetna’s human resources policies and procedures related to
hiring, training, transferring, and terminating employees.
Nothing came to our attention to indicate that Aetna does not have an adequate security
management program.
B. Access Controls
Access controls are the policies, procedures, and techniques used to prevent or detect
unauthorized physical or logical access to sensitive resources.
We examined the physical access controls at Aetna’s headquarters building and its data centers.
We also examined the logical controls protecting sensitive data on Aetna’s network environment
and claims processing applications.
The access controls observed during this audit include, but are not limited to:
• Procedures for appropriately granting physical access to facilities and data centers;
• Procedures for revoking access to data centers for terminated employees;
• Procedures for removing Windows/network access for terminated employees; and,
• Controls to monitor and filter email and Internet activity.
Nothing came to our attention to indicate that Aetna has not implemented adequate controls
related to access controls.
C. Network Security
Network security includes the policies and controls used to prevent or monitor unauthorized
access, misuse, modification, or denial of a computer network and network-accessible resources.
Aetna has documented thorough and complete network infrastructure diagrams. Aetna has
implemented a comprehensive firewall architecture in its network, and conducts routine
configuration reviews of these devices. Aetna’s incident response policies and procedures are
comprehensive, and they have utilized software packages for incident correlation.
4
Nothing came to our attention to indicate that Aetna does not have an adequate network security
program .
D. Configuration l\lanagement
Aetna uses two clai ms adjudication app lications to process FEHBP cla ims: _ for the Open
Acc ess plan and . for the Healthfund. These applications are housed in a mainframe
environme nt. We eva luated Aetna ' s management of the configuration of the mainfram es and the
support ing environme nt and determined that the following controls were in
place:
• Documented and approved server and workstation builds;
• Controls for mon itorin g privileged user act ivity on the operating platform ; and,
• Thorou gh change management procedures for system software and hardware.
The sections below doc ument areas for improvement re lated to Aetna 's configura tion
management controls.
1. Routine System C onfigur at ion Auditing
Aetna maintain s an approved baseline configuration for its mainframe security software. In
the fieldwork phase of our audit, we found that routine compliance audit ing was not a forma l
process and wa s not documented w ithin Aetna ' s security policie s and procedure s. Since
then, Aetna has implem ented a formal process for routine mainframe system configu ration
auditing and has doc umented the procedure s within an approved security policy.
Aetna utili zes an approved standard build for all Before a
is moved from the test enviro mne nt to produ ction , a one-time review is conducted to ensure
configuration settings are compliant with the anorooved build. However , there is currently no
ongo ing/ro utine comp liance chec k to ensure onfigurations continue to remain in
comp liance with approved build sheets after impl ement ation.
NIST SP 800-53 Revision 3 states that an organization must monitor and contro l changes to
the configura tion settings in acco rdance with organizational policies and procedures.
FISCA1v1 also requ ires that current configuration information be routinely monitored for
accuracy. Monitoring should address the baseline and operational configuration of the
hardware, software, and firm ware that comprise the information system .
Failure to routine ly monitor the system configuration increases the risk the system may not
meet security and performance requir ements define d in the established documentation .
0_
Recommendation 1
We recommend that Aetna impl ement a methodology to routine ly monitor the configura tion
to the approved build document ation.
5
Aetna Respom;e:
"A etna will implem ent a methodology that includes:
• Establish configuration baselines
• Schedule scans to determine deviation from baseline
• Establish a risk based approach for remediation ofconfiguration deviations
Closure ETA : kJallagemellt has presented all issue closure pian by 01/31/2013._
DIG Reply:
As pa rt of the audit resolution process, we recomme nd that Aetna provide OPM ' s Healthcare
and Insurance Office (HID) with evidence that configuration baselines have been established,
scans have been conducted, and deviations have been remediated.
2. Vulnerability Scanning
a. Full-scope Vulnerability Sca nn in g
Aetna conducts per iodic vulnerability scans on its information systems using automated
tools, and contracts a third party vendor to conduct external scans. Aetna scans several
s ecific on a weeki basis, but ani scans the rema inder
on an
erstand that it
may be unreasonable for Aetna to frequently scan its entire environment. However, we
were not able to independently confirm whether had ever bee n subject to
previous vulnerability scans .
Recommendation 2
\Ve recommend that Aetna implement a process to conduct routine vulnerability scans on
its entire _ enviromne nt.
Aetna Response:
"Aetna currently utilizes a risk based approach ill supp ort ofcompleting vuln erability
assessm ents byfocusing its scanning resources to high risk environments. A s a result,
th ese environments are scanned with sigulflcant rigor by both Aetna and externally
contracted partners. Currently, Aetna 's int ernal trusted network is sub iected to anuuat
and ad hoc assessm ents that scan and provide
results with remediation advice to the system owners responsible for remediation.
6
To evolve A etna's strategic vulnerability management program in 2012, the investm ent
of deploying a scanning technology f ram ework across th e enterp rise was achieved.
Aetna's strategic vision ofits vulnerability managem ent program furth er evolved in
2012 due to the integration effort ofthe scanning infrastructure into the IT GR C
(Governance, Risk and Comp liance) tool. Integrating vuln erability scan results into
th e IT GR C tool will provide increased risk managem ent oversight/or remediation and
prioritization. This new vulnerability managem ent program will establish a strategic
foundation f or finding s management and remediation workflow by p roviding data to
assess and deploy tim ely patches across the enterprise... This accomplishment will
allow/or the management ofmore frequent scanning and drive tim ely imp lementation
ofsystem patches.
Aetna will implem ent a m ethodology that includes:
• Aetna has contin ue d to exp and its vulnerability managem ent program to oth er
en viron ments with the solutio n ill place as 0/1/31/201[3].
• To complete the migration ofits strate ic l'ulllerability managem ent program,
Aetna is sch eduled to include all within the Internal Trusted network
"
DIG Reply:
As pa rt of the audit resolution process, we recomme nd that Aetn a provide OPM ' s lila
with evidence that vulnerab ility scans are routinely conducted on the entire .
environment.
b. System Patching
Aetna has documented
of am
FISCAM states that " Software should be scanned and u
known vulnerabilities."
Flaws discovered during security
assessments, continuous monitoring, incident response activities, or information system
error handling, are also addressed expedi tiously."
Although the servers we scanned are rotected b firewalls and other
technolo .es,
tlililiiiil
sensitive information could be stolen.
Re commendation 3
7
Aetna Respom;e:
"A etna will continue to evolve its enterprise vulnerability management program,
enabling more stringent oversight and connnuuication with system oWllers on
vuln erabilityfindings and remediation expectations.
A etna will implement a methodology that includes:
• R eview ofcurr~ patching process to identify gaps
• Refinement o ~ tchillg pro cess
• Post-implementation scan to ensure successf ul completion ofupgrades
DIG Replv:
As pa rt of the audit resolution process, we reco mme nd that Aetna rovide OPM ' s HID
with evidence of its im roved methodolo to ensure that are installed
with appropriate
c. Noncu r r ent Softw are
The results of our vulnerability scans indi cated that s contai ned uoncurreut
software applications that were no longer support ed by the vendors and may have know n
security vulnerabilities.
FISCA1v1 states that "Procedures should ensure that only current software releases are
installed in information systems . Noncurrent software may be vulnerable to malicious
code such as viruses and worms."
Fail ure to promptly remove outdated software increases the risk of a successful malicious
attack on the information system .
Recommendation 4
We recommend that Aetna implement a methodology to e~ent and
support ed versions of system software are installed on t h e _
A etna Respom;e:
"A etna will implem ent a methodology that includes:
• Review ofcurr~ software patching pro cess to identify gaps
• R efinement o~twarepatching pro cess
• Schedule ofscans
• Establish a risk based approach for remediation ofnou-current and unsupported
software
Closure ETA: Management has submitted an issue closure plan by 01/31/2013.
Closure target date was presented as part ofth e closure plan,"
8
DIG Reply:
As part of the audit resolution process, we recommend that Aetna provide OP1.1's HID
with evidence of its improved methodology to e~ent and supported
versions of system software are installed a ll the _
d. Unnecessary Applications
The results of om vulne rab ili scans indi cated that contained third-party
applica tions that were not likely essential to the fun ctionality
of that serv er.
NIST SP 800 -53 Revision 3 states that the orga niza tion should configu re the information
system to provide only essential capabilities. An organization should also revi ew the
information system to identify and elimina te unnecessary functions.
Installing unnecessary software to an information system can increase the amount of
exposed vulnerabilities and methods an intrud er can use to gain unauthorized acce ss to
the system.
Recommendation 5
We recommend that Aetna revi ew i t~lfi gurati on to ensure that only
necessary software is installed on its _
Aetna Response:
"Aetna will implement a methodology that includes:
• Schedule ofscans to identify unnecessary software installations
• Establish a risk based approach for removal ofunnecessary sof tware.
Closure ETA: Management has presented all issue closure piau by 01/31/2013.
Closure target date was presented as part ofthe closure plan."
DIG Replv:
As part of the audit resolution process, we reco mme nd that Aetna provide OPM ' s lila
with evidence ~hodology to ensure that only necessary softw are is
installed on its _
E. Contingency Planning
We reviewed the following elements of Aetna ' s contingency planning pro gram to determi ne
whether controls were in place to prevent or minimize inrenuptions to business operations when
disastrou s events occur :
• Disaster response plan;
• Business continuity plan for data center opera tions;
• Business continuity plans for claims pro cessing operations and claim s support;
• Disaster recovery plan tests conduc ted in conjunction with the altemate data center; and,
9
• Emergency response procedures and training.
We determined that the service continuity documentation contained the critical elements
suggested by NIST SP 800-34, “Contingency Planning Guide for IT Systems.” Aetna has
identified and prioritized the systems and resources that are critical to business operations, and
has developed detailed procedures to recover those systems and resources.
Nothing came to our attention to indicate that Aetna has not implemented adequate controls
related to contingency planning.
F. Claims Adjudication
The following sections detail our review of the applications and business processes supporting
Aetna’s claims adjudication process.
1. Application Configuration Management
We evaluated the policies and procedures governing application development and change
control of Aetna’s claims processing systems.
Aetna has implemented policies and procedures related to application configuration
management, and has adopted a system development life cycle methodology that IT
personnel follow during routine software modifications. We observed the following controls
related to testing and approvals of software modifications:
• Aetna has adopted practices that allow modifications to be tracked throughout the change
process;
• Code, unit, system, and quality testing are all conducted in accordance with industry
standards; and,
• Aetna uses a business unit independent from the software developers to move the code
between development and production environments to ensure adequate segregation of
duties.
Nothing came to our attention to indicate that Aetna has not implemented adequate controls
related to the application configuration management process.
2. Claims Processing System
We evaluated the input, processing, and output controls associated with Aetna’s claims
processing systems. We determined that Aetna has implemented policies and procedures to
help ensure that:
• Paper claims that are received in the mail room are tracked to ensure timely processing;
• Claims are monitored as they are processed through the systems with real time tracking
of the system’s performance; and,
• Claims scheduled for payment are actually paid.
Nothing came to our attention to indicate that Aetna has not implemented adequate controls
over the claims processing system.
10
3. Enrollment
We evaluated Aetna’s procedures for managing its database of member enrollment data.
Electronic enrollment data is processed weekly and paper files are processed daily. Aetna
has a reconciliation process to ensure all data that was sent to the plan was received and
processed.
Nothing came to our attention to indicate that Aetna has not implemented adequate controls
over the enrollment process.
4. Debarment
Aetna has adequate procedures for updating its claim processing systems with debarred
provider information and routinely audits its debarment database for accuracy.
Aetna downloads the OPM OIG debarment list every month and compares the data to its
provider database. Debarred providers that are a direct match to the debarment list are
automatically terminated from the provider database. A manual review is conducted for all
partial matches to ensure that all debarred providers are appropriately terminated.
Nothing came to our attention to indicate that Aetna has not implemented adequate controls
over the debarment process.
5. Special Investigations and Fraud
We evaluated the Aetna policies and procedures governing special investigations and fraud.
We determined that Aetna has substantial policies and procedures in place to detect, manage,
and report fraud.
Nothing came to our attention to indicate that Aetna has not implemented adequate controls
over its special investigations and fraud unit.
6. Application Controls Testing
We conducted a test on Aetna’s claims adjudication applications to validate the systems’
processing controls. The exercise involved processing test claims designed with inherent
flaws and evaluating the manner in which Aetna’s systems adjudicated the claims. Test
claims were submitted to the system for the Open Access plan and for the
HealthFund.
Our test results indicate that both systems have controls and system edits in place to identify
the following scenarios:
• Invalid members and providers;
• Member eligibility;
• Gender;
• Timely filing; and,
• Catastrophic maximum.
11
The sections below document oppo rtunities for imp rovement related to Aetna ' s claim s
application controls.
a. Benefit Structure Inconsistency
We submitted test cla ims into _ for The claims were
processed and a $ 15 dollar copay was applied . However. according to the Aetna Open
Acc ess 20 12 benefit brochure , the copay for _ should be $35 . Aetna
confirmed that the copay amo unt was loade d ~ctly, but only for th e
state of Delaware, and has since correc ted the error.
We also entered two test claims for a within the same year. Both of
these cla ims were processed ~ever, the Aetna Open Access 20 12 benefit
brochure restricts coverage ot _ to one time per year.
Recommendation 6
\Ve recommend that Aetna conduct a review o~ setting s to ensure the application
properly refl ects the benefits defined in the Aetna Open Access benefit brochure.
Aetna Response:
"Going forward, when Aetna is notified of a new state mandate the HillO Product
Admin team will be sent a list of all groups with plans in that particular state. The
team will scan the list for the federal plans and remove them from the list.
III the unlikely instance that a plan participant would receive more tlmn olle _
ill a year, due to system limitations, Aetna 's H,UO system does not have
the ability to limit to thisfrequen~l the planned migration offof Hi.110 to
A etna's strategic claim platform _ there is 1I0t anticipated inve stment in
enhancements to the legacy platform."
DIG Reply:
We believe that the recommendation should remain open until Aetna provide s OPM 's
HIO with evidence that the _ has been upd ated to correc t the defi~r that the
plan has success fully migrated all FEHBP claims processing activity to _
b. Provider/Procedure Inconsistency
We entered test claims for ~rul ing a
and _ Despite the fa~r is not licensed to
claim was processed without enco untering any edit s.
We also entered test claim s for a ~erforulin Aga in, the
claim s were inappropriately p roc~ and systems without
enco unteri ng any edits.
Aetna stated that its system s are not configured to compare the _ to the
to identi fy inconsistencies. Aetna assume~
12
provider is billing a service, and that they are indeed
actively licensed in that state. Aetna’s Special Investigations Unit is responsible for
detecting instances of providers who are billing . While
we acknowledge that a medical doctor legally can perform any medical procedure
), the providers in our test claims were not
medical doctors.
Although Aetna’s SIU is tasked with detecting instances of providers billing outside the
scope of their license, this process can be improved by utilizing preventive controls
within the claims processing system.
Recommendation 7
We recommend that Aetna make the appropriate system modifications to prevent
medically inconsistent claims from processing.
Aetna Response:
“Aetna has carefully reviewed this issue and based on a significantly extensive activity
to implement such a solution for what would [be] considered a highly unlikely event,
Aetna will continue to place reliance on the downstream SIU process.”
OIG Reply:
We disagree with Aetna’s position and continue to recommend that Aetna modify its
claims processing system to prevent medically inconsistent claims from processing. We
believe that preventive medical editing controls are much more efficient and effective
than reactive controls, such as relying on the SIU to recoup inappropriately billed claims.
c. Procedure Code Billing Guidelines Not Enforced
We entered two separate test claims for with multiple
service dates within a span of 30 days. All of these services were paid without
encountering edits in However, according to the American Medical Association,
this procedure code is only allowed to be billed once every 30 days. was able to
recognize the procedure code inconsistency and appropriately denied all but one claim
line that occurred within the 30 day time span.
Recommendation 8
We recommend that Aetna make the appropriate system modification to enforce proper
procedure code billing guidelines.
Aetna Response:
“A system enhancement was implemented November 10, 2012 which is now denying
services for this scenario. Evidence has been provided to the OIG to demonstrate
closure.”
13
OIG Reply:
The evidence provided by Aetna in response to the draft audit report indicates that the
Plan has made the appropriate system modification to enforce proper procedure code
billing guidelines; no further action is required.
d. Near Duplicate
We submitted two separate test claims into with an identical patient, procedure
code, diagnosis code, date of service and billed amounts; the only difference between the
two claims was the provider. These claims processed without encountering any edits and
paid both providers the same amount.
Due to the similarity of these claims, we expected the second claim to be deferred by a
suspected duplicate edit so that a claims processor could determine if the claim was
submitted correctly.
Recommendation 9
We recommend that Aetna implement controls to prevent near duplicate claims from
processing.
Aetna Response:
• “A recommendation for revision to our duplicate editing logic will be presented
internally to our policy area for review.
• The recommendation will be presented to the policy council at their March
meeting. Target date: 3/30/13
• Any additional management action plans will be reviewed with the OIG based upon
the review committees decision.”
OIG Reply:
As part of the audit resolution process, we recommend that Aetna provide OPM’s HIO
with evidence that the claims processing system has been modified to prevent near
duplicate claims from processing.
G. Health Insurance Portability and Accountability Act
We reviewed Aetna’s efforts to maintain compliance with the security and privacy standards of
HIPAA.
Aetna has implemented a series of IT security policies and procedures to adequately address the
requirements of the HIPAA security rule. Aetna has also developed a series of privacy policies
and procedures that directly addresses all requirements of the HIPAA privacy rule. Aetna
reviews its HIPAA privacy and security policies annually and updates when necessary. Aetna
has designated a Privacy Official who has the responsibility of ensuring compliance with HIPAA
Privacy and Security policies. Each year, all employees must complete Aetna’s “Business
14
Conduct and Integrity” training course. This training encompasses HIPAA regulations as well as
general compliance.
Nothing came to our attention that caused us to believe that Aetna is not in compliance with the
various requirements of HIPAA regulations.
15
III. Major Contributors to This Report
This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. The following individuals participated in the audit
and the preparation of this report:
• , Group Chief
• , Senior Team Leader
• , Auditor-In-Charge
• , Lead IT Auditor
• , IT Auditor
16
Appendix
Aet na Inc.
151 Farmington Avenue
Hartford, CT 06156
- " Manager
Aetna Information Systems
.-
December 19 , 20 12
Infonnation Systems Aud its Group
U.S. Office of Inspector Gene ral
1900 E Street, NW - Room 6400
W ashington, D.C. 204 15-1100
RE: Aetna 's respon se to Draft Report No .1 C-22-00- 12-065
Aetna submits the following response to the above-referenced Draft Aud it Report issued by the
Office of Person nel Ma nagement (O PM) Office of the Inspe ctor General (D IG) unde r the Federal
Employees Health Benefits Program (FEHBP) . The aud it covered the gene ral and applicati on controls
over the automated claims processing systems and other computer-based systems at Aetna .
Enclosed you will find two copies of the Draft Repo rt. The first attachment is labeled "Aetna's
Co mments to the Draft Report" and the second attachment is labeled "Proposed Redact ions" . Aetna has
responded to all of a lG's recommendations and has included a proposed timetable fo r completion in the
first attachment. The second attachment includes Aet na's response to the Draft Report with prop osed
at_
redactions. Aet na respectfully requests a lG to implement the prop osed redactions prior to the Final
Report's posting on the a lG website under the Freedom of Information Act.
If you have an questions or concerns about our respon se, please feel to contact me
Sincerely,
, Senior Vice Pres ident, Aetna Federal Plans
ret, nfonnation Systems Audits Group
nderwr iting Head of Aetna Federal Plans
Recommendation 1
Aetna will implement a methodology that includes:
• Establish configuration baselines
• Schedule scans to determine deviation from baseline
• Establish a risk based approach for remediation of configuration deviations
Closure ETA: Management has presented an issue closure plan by 01/31/2013.
1
Recommendation 2
Aetna currently utilizes a risk based approach in support of completing vulnerability assessments by
focusing its scanning resources to high risk environments. As a result, these environments are scanned
with significant rigor by both Aetna and externally contracted partners. Currently, Aetna’s internal trusted
network is subjected to annual and ad hoc assessments that scan a sample of Aetna’s
and provide results with remediation advice to the system owners responsible for remediation.
To evolve Aetna’s strategic vulnerability management program in 2012, the investment of deploying a
scanning technology framework across the enterprise was achieved. Aetna’s strategic vision of its
vulnerability management program further evolved in 2012 due to the integration effort of the scanning
infrastructure into the IT GRC (Governance, Risk and Compliance) tool. Integrating vulnerability scan
results into the IT GRC tool will provide increased risk management oversight for remediation and
prioritization. This new vulnerability management program will establish a strategic foundation for findings
management and remediation workflow by providing data to assess and deploy timely patches across the
enterprise... This accomplishment will allow for the management of more frequent scanning and drive
timely implementation of system patches.
Aetna will implement a methodology that includes:
• Aetna has continued to expand its vulnerability management program to other environments
with the solution in place as of 1/31/201[3].
• To complete the migration of its strategic vulnerability management program, Aetna is
scheduled to include all within the Internal Trusted network by
Recommendation 3
Aetna will continue to evolve its enterprise vulnerability management program, enabling more stringent
oversight and communication with system owners on vulnerability findings and remediation expectations.
Aetna will implement a methodology that includes:
• Review of current patching process to identify gaps
• Refinement of patching process
• Post-implementation scan to ensure successful completion of upgrades
Closure ETA:
Recommendation 4
Aetna will implement a methodology that includes:
• Review of current software patching process to identify gaps
• Refinement of software patching process
• Schedule of scans
• Establish a risk based approach for remediation of non-current and unsupported software
Closure ETA: Management has submitted an issue closure plan by 01/31/2013. Closure target date
was presented as part of the closure plan.
Recommendation 5
Aetna will implement a methodology that includes:
• Schedule of scans to identify unnecessary software installations
• Establish a risk based approach for removal of unnecessary software.
Closure ETA: Management has presented an issue closure plan by 01/31/2013. Closure target date was
presented as part of the closure plan.
Recommendation 6
Going forward, when Aetna is notified of a new state mandate the HMO Product Admin team will be sent
a list of all groups with plans in that particular state. The team will scan the list for the federal plans and
remove them from the list.
In the unlikely instance that a plan participant would receive more than one routine mammogram in a
year, due to system limitations, Aetna’s HMO system does not have the ability to limit to this frequency.
With the planned migration off of HMO to Aetna’s there is not anticipated
investment in enhancements to the legacy platform.
Recommendation 7
Aetna has carefully reviewed this issue and based on a significantly extensive activity to implement such
a solution for what would is considered a highly unlikely event, Aetna will continue to place reliance on the
downstream SIU process.
Recommendation 8
A system enhancement was implemented November 10, 2012 which is now denying services for this
scenario. Evidence has been provided to the OIG to demonstrate closure.
Recommendation 9
• A recommendation for revision to our duplicate editing logic will be presented internally to our
policy area for review.
• The recommendation will be presented to the policy council at their March meeting. Target
date: 3/30/13
• Any additional management action plans will be reviewed with the OIG based upon the
review committees decision.
Audit of Information Systems General and Application Controls at Aetna, Inc.
Published by the Office of Personnel Management, Office of Inspector General on 2013-03-18.
Below is a raw (and likely hideous) rendition of the original report. (PDF)