oversight

Audit of Information Systems General and Application Controls at Aetna, Inc.

Published by the Office of Personnel Management, Office of Inspector General on 2013-03-18.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                                     U.S. OFFICE OF PERSONNEL MANAGEMENT
                                                           OFFICE OF THE INSPECTOR GENERAL
                                                                            OFFICE OF AUDITS



                                   Final Audit Report

  Subject:




               AUDIT OF INFORMATION SYSTEMS
            GENERAL AND APPLICATION CONTROLS AT
                         AETNA INC.


                                            Report No. 1C-22-00-12-065

                                            Date:               March 18, 2013




                                                          --CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit
report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available
under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before
releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
                                                       Audit Report



              FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
                     CONTRACTS 2900, 2867, 2914 & 1766
                                                         AETNA INC.
                            PLAN CODES 22 / JN / 2X / JC / HF / JR / 2U
                                            WQ / C3 / HY / P1 / P3 / UB
                                        HARTFORD, CONNECTICUT



                                            Report No. 1C-22-00-12-065
                                                                03/18/13
                                            Date:




                                                                                             ________________________
                                                                                             Michael R. Esser
                                                                                             Assistant Inspector General
                                                                                               for Audits


                                                          --CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit
report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available
under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before
releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
                                   Executive Summary



          FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
                 CONTRACTS 2900, 2867, 2914 & 1766
                                         AETNA INC.
                    PLAN CODES 22 / JN / 2X / JC / HF / JR / 2U
                                WQ / C3 / HY / P1 / P3 / UB
                             HARTFORD, CONNECTICUT



                               Report No. 1C-22-00-12-065

                               Date:          03/18/13



This final report discusses the results of our audit of general and application controls over the
information systems at Aetna Inc. (Aetna or Plan). Aetna has two separate plans that service
federal employees: a Health Maintenance Organization plan (HMO) referred to as “Open
Access” and an individual practice plan with a consumer driven health plan option and a high
deductible health plan option referred to as the “HealthFund.”

Our audit focused on the claims processing applications used to adjudicate Federal Employees
Health Benefits Program (FEHBP) claims for Aetna, as well as the various processes and
information technology (IT) systems used to support these applications. We documented
controls in place and opportunities for improvement in each of the areas below.

Security Management
Aetna has established a series of IT policies and procedures to create an awareness of IT security
at the Plan. We also verified that Aetna has adequate human resources policies related to the
security aspects of hiring, training, transferring, and terminating employees.




                                                  i
Access Controls
Aetna has implemented numerous controls to grant and remove physical access to its data center,
as well as logical controls to protect sensitive information. We also noted various controls over
physical access to the data centers, as well as the method for encrypting emails containing
sensitive information.

Network Security
Aetna has developed thorough network security policies and procedures around its entire
operating environment. We also noted numerous hardening controls around the internal network
and that Aetna conducts routine configuration reviews. Aetna’s incident response policies and
procedures are comprehensive and utilize software packages for incident correlation.

Configuration Management
Aetna has developed formal policies and procedures that provide guidance to ensure that system
software is appropriately configured and updated, as well as for controlling system software
configuration changes. However, we noted several weaknesses in Aetna’s configuration
management program related to system configuration auditing and vulnerability scanning
methodology. Aetna is working to implement the necessary changes for the identified
vulnerabilities.

Contingency Planning
We reviewed Aetna’s business continuity plans and concluded that they contained the key
elements suggested by relevant guidance and publications. We also determined that these
documents are reviewed and updated on a periodic basis.

Claims Adjudication
Aetna has implemented many controls in its claims adjudication process to ensure that FEHBP
claims are processed accurately. However, we noted several weaknesses in Aetna’s claims
application controls.

Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that Aetna is not in compliance with the
HIPAA security, privacy, and national provider identifier regulations.




                                                ii
                                                                Contents
                                                                                                                                             Page
Executive Summary ......................................................................................................................... i
 I. Introduction ............................................................................................................................... 1
     Background ............................................................................................................................... 1
     Objectives ................................................................................................................................. 1
     Scope ......................................................................................................................................... 2
     Methodology ............................................................................................................................. 2
     Compliance with Laws and Regulations................................................................................... 3
 II. Audit Findings and Recommendations .................................................................................... 4
      A. Security Management ........................................................................................................ 4
      B. Access Controls .................................................................................................................. 4
      C. Network Security................................................................................................................ 4
      D. Configuration Management ............................................................................................... 5
      E. Contingency Planning ........................................................................................................ 9
      F. Claims Adjudication ......................................................................................................... 10
      G. Health Insurance Portability and Accountability Act ...................................................... 14
 III. Major Contributors to This Report ....................................................................................... 16
     Appendix: Aetna’s December 19, 2012 response to the draft audit report issued October 31,
               2012.
                                       I. Introduction

This draft report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims by Aetna Inc. (Aetna or Plan).

The audit was conducted pursuant to FEHBP contracts CS 2900, CS 2867, CS 2914, and CS
1766; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The
audit was performed by the U.S. Office of Personnel Management’s (OPM) Office of the
Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.

Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.

This was our second audit of Aetna’s general and application controls. The first audit was
conducted in 2001, and all recommendations from that audit were closed prior to the start of the
current audit. We also reviewed Aetna’s compliance with the Health Insurance Portability and
Accountability Act (HIPAA).

All Aetna personnel that worked with the auditors were helpful and open to ideas and
suggestions. They viewed the audit as an opportunity to examine practices and to make changes
or improvements as necessary. Their positive attitude and helpfulness throughout the audit was
greatly appreciated.

Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in Aetna’s IT environment.
We accomplished these objectives by reviewing the following areas:
 •   Security management;
 •   Access controls;
 •   Configuration management;
 •   Segregation of duties;
 •   Contingency planning;
 •   Application controls specific to Aetna’s claims processing systems; and,
 •   HIPAA compliance.




                                                  1
Scope
Thi s performance audit was co nducted in accorda nce with gene rally acc epte d gove rnment
audi ting standa rds issued by the Co mptroller General of the United States. Accordingly, we
obta ined an understanding of Ae tna 's intern al co ntrols through interviews and observations, as
we ll as inspec tion of various doc uments, includi ng information technology and other re lated
organizational polic ies and procedures. Thi s understanding of Aetna 's interna l controls was used
in planning the audi t by de termining the extent of compliance testing and other auditing
pro cedures necessary to verify that the internal co ntro ls we re properly designed , placed in
operation, and effec tive.

Ae tna has two separate plans that servi ce fed eral employee s : a Health Ma intena nce Orga niza tion
plan (HM O) referred to as "Open Access" and an individual practice plan with a co nsumer
drive n health plan option and a high deductib le health plan option re ferre d to as the
"Hea lthfund ."

The scope of thi s audi t ce ntered on the informati on systems used by Ae tna to process medical
insur ance cla im s for FEHBP members, with a primary focus on the cla im~
a licati ons. Two se ara te s stems are used to process cla ims at Ae tna : _
                                  s stem adiudica tes cla ims for the Open Access plan and the
                                                      adj udica tes cla im s for the Healthfund . The
busin ess processes reviewed are primaril y located in Aetna 's Hartford . Connecticut facilities.

The on-site portion of thi s audi t wa s perfonned in Jul y and Augu st of 20 12. We co mpleted
additional audi t work before and after the on-site visit at our office in Wa shington, D .C. The
findi ngs , recommendations, and conclusions outlined in thi s rep ort are based on the status of
information system general and applica tion contro ls in place at Ae tna as of Sep tember 20 12.

In co nducting our audit, we relied to varyi ng degrees on computer-ge ne rated da ta provided by
Ae tna . Due to time co nstra ints, we did not verify the reliabili ty of the da ta used to co mplete
some of our audi t steps but we de termi ned tha t it wa s adequate to achie ve our audit obj ectives.
However, whe n our objective wa s to assess computer-gene rated da ta, we co mpleted audit steps
necessary to obtain evidence that the da ta was valid and reliabl e.

Methodologv

In co nducting thi s review we:

•	   Gathe red documen tation and co nducted intervi ews;
•	   Revi ewed Ae tna 's business structur e and environment ;
•	   Performed a risk assessment of Aetna ' s informati on systems environmen t and applica tions,
     and prep ared an audit program based on the assessment and the Go ve nunent Acc ountability
     Office ' s (GAO) Federal Information System Controls Audit Ma nua l (FISCAM); and,
•	   Conducted va rious co mpliance tests to de term ine the extent to which established co ntro ls and
     pro cedures are functioning as intended . As appro pr iate, we used j udgmenta l sampling in
     completing our compliance testing.



                                                   2
Various laws, regulations, and industry standards were used as a guide to evaluating Aetna’s
control structure. These criteria include, but are not limited to, the following publications:
•   Title 48 of the Code of Federal Regulations;
•   Office of Management and Budget (OMB) Circular A-130, Appendix III;
•   OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
    Personally Identifiable Information;
•   Information Technology Governance Institute’s CobiT: Control Objectives for Information
    and Related Technology;
•   GAO’s FISCAM;
•   National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
    Introduction to Computer Security;
•   NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
    Technology Systems;
•   NIST SP 800-30, Risk Management Guide for Information Technology Systems;
•   NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
•   NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
•   NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information
    Systems and Organizations;
•   NIST SP 800-61, Computer Security Incident Handling Guide;
•   NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA
    Security Rule; and,
•   HIPAA Act of 1996.

Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether Aetna’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
Aetna was not in complete compliance with all standards as described in the “Audit Findings and
Recommendations” section of this report.




                                                3
                     II. Audit Findings and Recommendations

A. Security Management
  The security management component of this audit involved the examination of the policies and
  procedures that are the foundation of Aetna’s overall IT security controls. We evaluated Aetna’s
  ability to develop security policies, manage risk, assign security-related responsibility, and
  monitor the effectiveness of various system-related controls.

  Aetna has implemented a series of formal policies and procedures that comprise its security
  management program. Aetna’s Information Security Committee is responsible for creating,
  reviewing, editing, and disseminating IT security policies. Aetna has also developed a thorough
  risk management methodology, and has procedures to document, track, and mitigate or accept
  identified risks. We also reviewed Aetna’s human resources policies and procedures related to
  hiring, training, transferring, and terminating employees.

  Nothing came to our attention to indicate that Aetna does not have an adequate security
  management program.

B. Access Controls
  Access controls are the policies, procedures, and techniques used to prevent or detect
  unauthorized physical or logical access to sensitive resources.

  We examined the physical access controls at Aetna’s headquarters building and its data centers.
  We also examined the logical controls protecting sensitive data on Aetna’s network environment
  and claims processing applications.

  The access controls observed during this audit include, but are not limited to:
  •   Procedures for appropriately granting physical access to facilities and data centers;
  •   Procedures for revoking access to data centers for terminated employees;
  •   Procedures for removing Windows/network access for terminated employees; and,
  •   Controls to monitor and filter email and Internet activity.

  Nothing came to our attention to indicate that Aetna has not implemented adequate controls
  related to access controls.

C. Network Security
  Network security includes the policies and controls used to prevent or monitor unauthorized
  access, misuse, modification, or denial of a computer network and network-accessible resources.

  Aetna has documented thorough and complete network infrastructure diagrams. Aetna has
  implemented a comprehensive firewall architecture in its network, and conducts routine
  configuration reviews of these devices. Aetna’s incident response policies and procedures are
  comprehensive, and they have utilized software packages for incident correlation.

                                                   4
  Nothing came to our attention to indicate that Aetna does not have an adequate network security
  program .

D. Configuration l\lanagement
  Aetna uses two clai ms adjudication app lications to process FEHBP cla ims: _       for the Open
  Acc ess plan and .      for the Healthfund. These applications are housed in a mainframe
  environme nt. We eva luated Aetna ' s management of the configuration of the mainfram es and the
  support ing                  environme nt and determined that the following controls were in
  place:
  •   Documented and approved server and workstation builds;
  •   Controls for mon itorin g privileged user act ivity on the operating platform ; and,
  •   Thorou gh change management procedures for system software and hardware.

  The sections below doc ument areas for improvement re lated to Aetna 's configura tion

  management controls.


  1. Routine System C onfigur at ion Auditing

      Aetna maintain s an approved baseline configuration for its mainframe security software. In
      the fieldwork phase of our audit, we found that routine compliance audit ing was not a forma l
      process and wa s not documented w ithin Aetna ' s security policie s and procedure s. Since
      then, Aetna has implem ented a formal process for routine mainframe system configu ration
      auditing and has doc umented the procedure s within an approved security policy.

      Aetna utili zes an approved standard build for all                       Before a
      is moved from the test enviro mne nt to produ ction , a one-time review is conducted to ensure
      configuration settings are compliant with the anorooved build. However , there is currently no
      ongo ing/ro utine comp liance chec k to ensure          onfigurations continue to remain in
      comp liance with approved build sheets after           impl ement ation.

      NIST SP 800-53 Revision 3 states that an organization must monitor and contro l changes to
      the configura tion settings in acco rdance with organizational policies and procedures.
      FISCA1v1 also requ ires that current configuration information be routinely monitored for
      accuracy. Monitoring should address the baseline and operational configuration of the
      hardware, software, and firm ware that comprise the information system .

      Failure to routine ly monitor the system configuration increases the risk the system may not
      meet security and performance requir ements define d in the established documentation .




      0_
      Recommendation 1
      We recommend that Aetna impl ement a methodology to routine ly monitor the configura tion
                          to the approved build document ation.



                                                     5

   Aetna Respom;e:
   "A etna will implem ent a methodology that includes:
       • Establish configuration baselines
       • Schedule scans to determine deviation from baseline
       • Establish a risk based approach for remediation ofconfiguration deviations

   Closure ETA : kJallagemellt has presented all issue closure pian by 01/31/2013._


   DIG Reply:
   As pa rt of the audit resolution process, we recomme nd that Aetna provide OPM ' s Healthcare
   and Insurance Office (HID) with evidence that configuration baselines have been established,
   scans have been conducted, and deviations have been remediated.

2. Vulnerability Scanning

   a. Full-scope Vulnerability Sca nn in g
      Aetna conducts per iodic vulnerability scans on its information systems using automated
      tools, and contracts a third party vendor to conduct external scans. Aetna scans several
      s ecific                   on a weeki basis, but ani scans the rema inder
                                                                                    on an
                                                                                 erstand that it
      may be unreasonable for Aetna to frequently scan its entire environment. However, we
      were not able to independently confirm whether                  had ever bee n subject to
      previous vulnerability scans .




      Recommendation 2
      \Ve recommend that Aetna implement a process to conduct routine vulnerability scans on
      its entire _ enviromne nt.

      Aetna Response:
      "Aetna currently utilizes a risk based approach ill supp ort ofcompleting vuln erability
      assessm ents byfocusing its scanning resources to high risk environments. A s a result,
      th ese environments are scanned with sigulflcant rigor by both Aetna and externally
      contracted partners. Currently, Aetna 's int ernal trusted network is sub iected to anuuat
      and ad hoc assessm ents that scan                                            and provide
      results with remediation advice to the system owners responsible for remediation.


                                               6

   To evolve A etna's strategic vulnerability management program in 2012, the investm ent
  of deploying a scanning technology f ram ework across th e enterp rise was achieved.
  Aetna's strategic vision ofits vulnerability managem ent program furth er evolved in
  2012 due to the integration effort ofthe scanning infrastructure into the IT GR C
  (Governance, Risk and Comp liance) tool. Integrating vuln erability scan results into
  th e IT GR C tool will provide increased risk managem ent oversight/or remediation and
  prioritization. This new vulnerability managem ent program will establish a strategic
  foundation f or finding s management and remediation workflow by p roviding data to
  assess and deploy tim ely patches across the enterprise... This accomplishment will
  allow/or the management ofmore frequent scanning and drive tim ely imp lementation
  ofsystem patches.

   Aetna will implem ent a m ethodology that includes:
   •	 Aetna has contin ue d to exp and its vulnerability managem ent program to oth er
      en viron ments with the solutio n ill place as 0/1/31/201[3].
   •	 To complete the migration ofits strate ic l'ulllerability managem ent program,
      Aetna is sch eduled to include all                 within the Internal Trusted network
                      "
   DIG Reply:
   As pa rt of the audit resolution process, we recomme nd that Aetn a provide OPM ' s lila
   with evidence that vulnerab ility scans are routinely conducted on the entire .
   environment.

b.	 System Patching
   Aetna has documented
   of am


   FISCAM states that " Software should be scanned and u
   known vulnerabilities."

                                                Flaws discovered during security
   assessments, continuous monitoring, incident response activities, or information system
   error handling, are also addressed expedi tiously."

   Although the servers we scanned are rotected b firewalls and other
   technolo .es,
                                                                          tlililiiiil
                                               sensitive information could be stolen.

   Re commendation 3




                                            7

   Aetna Respom;e:
   "A etna will continue to evolve its enterprise vulnerability management program,
   enabling more stringent oversight and connnuuication with system oWllers on
   vuln erabilityfindings and remediation expectations.

   A etna will implement a methodology that includes:
   •	 R eview ofcurr~ patching process to identify gaps
   •	 Refinement o ~ tchillg pro cess
   •	 Post-implementation scan to ensure successf ul completion ofupgrades



   DIG Replv:
   As pa rt of the audit resolution process, we reco mme nd that Aetna rovide OPM ' s HID
   with evidence of its im roved methodolo to ensure that                       are installed
   with appropriate

c.	 Noncu r r ent Softw are
   The results of our vulnerability scans indi cated that            s contai ned uoncurreut
   software applications that were no longer support ed by the vendors and may have know n
   security vulnerabilities.

   FISCA1v1 states that "Procedures should ensure that only current software releases are
   installed in information systems . Noncurrent software may be vulnerable to malicious
   code such as viruses and worms."

   Fail ure to promptly remove outdated software increases the risk of a successful malicious
   attack on the information system .

   Recommendation 4
   We recommend that Aetna implement a methodology to e~ent and
   support ed versions of system software are installed on t h e _

   A etna Respom;e:
   "A etna will implem ent a methodology that includes:
   •	 Review ofcurr~ software patching pro cess to identify gaps
   •	 R efinement o~twarepatching pro cess
   •	 Schedule ofscans
   •	 Establish a risk based approach for remediation ofnou-current and unsupported
       software

   Closure ETA: Management has submitted an issue closure plan by 01/31/2013.
   Closure target date was presented as part ofth e closure plan,"

                                           8

         DIG Reply:
         As part of the audit resolution process, we recommend that Aetna provide OP1.1's HID
         with evidence of its improved methodology to e~ent and supported
         versions of system software are installed a ll the _

      d. Unnecessary Applications
         The results of om vulne rab ili   scans indi cated that               contained third-party
         applica tions                             that were not likely essential to the fun ctionality
         of that serv er.

         NIST SP 800 -53 Revision 3 states that the orga niza tion should configu re the information
         system to provide only essential capabilities. An organization should also revi ew the
         information system to identify and elimina te unnecessary functions.

         Installing unnecessary software to an information system can increase the amount of
         exposed vulnerabilities and methods an intrud er can use to gain unauthorized acce ss to
         the system.

         Recommendation 5
         We recommend that Aetna revi ew i t~lfi gurati on to ensure that only
         necessary software is installed on its _

         Aetna Response:

         "Aetna will implement a methodology that includes:

         • Schedule ofscans to identify unnecessary software installations
         • Establish a risk based approach for removal ofunnecessary sof tware.

         Closure ETA: Management has presented all issue closure piau by 01/31/2013.
         Closure target date was presented as part ofthe closure plan."

         DIG Replv:
         As part of the audit resolution process, we reco mme nd that Aetna provide OPM ' s lila
         with evidence ~hodology to ensure that only necessary softw are is
         installed on its _

E. Contingency Planning
  We reviewed the following elements of Aetna ' s contingency planning pro gram to determi ne
  whether controls were in place to prevent or minimize inrenuptions to business operations when
  disastrou s events occur :
  •   Disaster response plan;
  •   Business continuity plan for data center opera tions;
  •   Business continuity plans for claims pro cessing operations and claim s support;
  •   Disaster recovery plan tests conduc ted in conjunction with the altemate data center; and,
                                                    9
  •	 Emergency response procedures and training.

  We determined that the service continuity documentation contained the critical elements
  suggested by NIST SP 800-34, “Contingency Planning Guide for IT Systems.” Aetna has
  identified and prioritized the systems and resources that are critical to business operations, and
  has developed detailed procedures to recover those systems and resources.

  Nothing came to our attention to indicate that Aetna has not implemented adequate controls
  related to contingency planning.

F. Claims Adjudication
  The following sections detail our review of the applications and business processes supporting
  Aetna’s claims adjudication process.

  1.	 Application Configuration Management
     We evaluated the policies and procedures governing application development and change
     control of Aetna’s claims processing systems.

     Aetna has implemented policies and procedures related to application configuration
     management, and has adopted a system development life cycle methodology that IT
     personnel follow during routine software modifications. We observed the following controls
     related to testing and approvals of software modifications:
     •	 Aetna has adopted practices that allow modifications to be tracked throughout the change
        process;
     •	 Code, unit, system, and quality testing are all conducted in accordance with industry
        standards; and,
     •	 Aetna uses a business unit independent from the software developers to move the code
        between development and production environments to ensure adequate segregation of
        duties.

    Nothing came to our attention to indicate that Aetna has not implemented adequate controls
    related to the application configuration management process.

  2.	 Claims Processing System
     We evaluated the input, processing, and output controls associated with Aetna’s claims
     processing systems. We determined that Aetna has implemented policies and procedures to
     help ensure that:
     •	 Paper claims that are received in the mail room are tracked to ensure timely processing;
     •	 Claims are monitored as they are processed through the systems with real time tracking
        of the system’s performance; and,
     •	 Claims scheduled for payment are actually paid.

     Nothing came to our attention to indicate that Aetna has not implemented adequate controls
     over the claims processing system.
                                                   10
3. Enrollment
   We evaluated Aetna’s procedures for managing its database of member enrollment data.
   Electronic enrollment data is processed weekly and paper files are processed daily. Aetna
   has a reconciliation process to ensure all data that was sent to the plan was received and
   processed.

   Nothing came to our attention to indicate that Aetna has not implemented adequate controls
   over the enrollment process.

4. Debarment
   Aetna has adequate procedures for updating its claim processing systems with debarred
   provider information and routinely audits its debarment database for accuracy.

   Aetna downloads the OPM OIG debarment list every month and compares the data to its
   provider database. Debarred providers that are a direct match to the debarment list are
   automatically terminated from the provider database. A manual review is conducted for all
   partial matches to ensure that all debarred providers are appropriately terminated.

   Nothing came to our attention to indicate that Aetna has not implemented adequate controls
   over the debarment process.

5. Special Investigations and Fraud
   We evaluated the Aetna policies and procedures governing special investigations and fraud.
   We determined that Aetna has substantial policies and procedures in place to detect, manage,
   and report fraud.

   Nothing came to our attention to indicate that Aetna has not implemented adequate controls
   over its special investigations and fraud unit.

6. Application Controls Testing
   We conducted a test on Aetna’s claims adjudication applications to validate the systems’
   processing controls. The exercise involved processing test claims designed with inherent
   flaws and evaluating the manner in which Aetna’s systems adjudicated the claims. Test
   claims were submitted to the         system for the Open Access plan and          for the
   HealthFund.

   Our test results indicate that both systems have controls and system edits in place to identify
   the following scenarios:
   • Invalid members and providers;
   • Member eligibility;
   • Gender;
   • Timely filing; and,
   • Catastrophic maximum.


                                                11
The sections below document oppo rtunities for imp rovement related to Aetna ' s claim s
application controls.

a. Benefit Structure Inconsistency
   We submitted test cla ims into _ for                           The claims were
   processed and a $ 15 dollar copay was applied . However. according to the Aetna Open
   Acc ess 20 12 benefit brochure , the copay for _                should be $35 . Aetna
   confirmed that the copay amo unt was loade d ~ctly, but only for th e
   state of Delaware, and has since correc ted the error.

   We also entered two test claims for a               within the same year. Both of
   these cla ims were processed ~ever, the Aetna Open Access 20 12 benefit
   brochure restricts coverage ot _      to one time per year.

   Recommendation 6
   \Ve recommend that Aetna conduct a review o~ setting s to ensure the application
   properly refl ects the benefits defined in the Aetna Open Access benefit brochure.

   Aetna Response:
   "Going forward, when Aetna is notified of a new state mandate the HillO Product
   Admin team will be sent a list of all groups with plans in that particular state. The
   team will scan the list for the federal plans and remove them from the list.
   III the unlikely instance that a plan participant would receive more tlmn olle _
                   ill a year, due to system limitations, Aetna 's H,UO system does not have
   the ability to limit to thisfrequen~l the planned migration offof Hi.110 to
   A etna's strategic claim platform _           there is 1I0t anticipated inve stment in
   enhancements to the legacy platform."

   DIG Reply:
   We believe that the recommendation should remain open until Aetna provide s OPM 's
   HIO with evidence that the _ has been upd ated to correc t the defi~r that the
   plan has success fully migrated all FEHBP claims processing activity to _

b. Provider/Procedure Inconsistency
   We entered test claims for ~rul ing a

   and _       Despite the fa~r is not licensed to

   claim was processed without enco untering any edit s.


   We also entered test claim s for a ~erforulin                                  Aga in, the
   claim s were inappropriately p roc~ and                            systems without
   enco unteri ng any edits.

   Aetna stated that its system s are not configured to compare the _ to the
                          to identi fy inconsistencies. Aetna assume~
                                            12
   provider is billing a service,                                      and that they are indeed
   actively licensed in that state. Aetna’s Special Investigations Unit is responsible for
   detecting instances of providers who are billing                                    . While
   we acknowledge that a medical doctor legally can perform any medical procedure
                                             ), the providers in our test claims were not
   medical doctors.

   Although Aetna’s SIU is tasked with detecting instances of providers billing outside the
   scope of their license, this process can be improved by utilizing preventive controls
   within the claims processing system.

   Recommendation 7
   We recommend that Aetna make the appropriate system modifications to prevent
   medically inconsistent claims from processing.

   Aetna Response:
   “Aetna has carefully reviewed this issue and based on a significantly extensive activity
   to implement such a solution for what would [be] considered a highly unlikely event,
   Aetna will continue to place reliance on the downstream SIU process.”

   OIG Reply:
   We disagree with Aetna’s position and continue to recommend that Aetna modify its
   claims processing system to prevent medically inconsistent claims from processing. We
   believe that preventive medical editing controls are much more efficient and effective
   than reactive controls, such as relying on the SIU to recoup inappropriately billed claims.

c. Procedure Code Billing Guidelines Not Enforced
   We entered two separate test claims for                                    with multiple
   service dates within a span of 30 days. All of these services were paid without
   encountering edits in           However, according to the American Medical Association,
   this procedure code is only allowed to be billed once every 30 days.         was able to
   recognize the procedure code inconsistency and appropriately denied all but one claim
   line that occurred within the 30 day time span.

   Recommendation 8
   We recommend that Aetna make the appropriate system modification to enforce proper
   procedure code billing guidelines.

   Aetna Response:
   “A system enhancement was implemented November 10, 2012 which is now denying
   services for this scenario. Evidence has been provided to the OIG to demonstrate
   closure.”



                                            13
         OIG Reply:
         The evidence provided by Aetna in response to the draft audit report indicates that the
         Plan has made the appropriate system modification to enforce proper procedure code
         billing guidelines; no further action is required.

     d. Near Duplicate
         We submitted two separate test claims into         with an identical patient, procedure
         code, diagnosis code, date of service and billed amounts; the only difference between the
         two claims was the provider. These claims processed without encountering any edits and
         paid both providers the same amount.

         Due to the similarity of these claims, we expected the second claim to be deferred by a
         suspected duplicate edit so that a claims processor could determine if the claim was
         submitted correctly.

         Recommendation 9
         We recommend that Aetna implement controls to prevent near duplicate claims from
         processing.

         Aetna Response:
         •   “A recommendation for revision to our duplicate editing logic will be presented
             internally to our policy area for review.
         •   The recommendation will be presented to the policy council at their March
             meeting. Target date: 3/30/13
         •   Any additional management action plans will be reviewed with the OIG based upon
             the review committees decision.”

         OIG Reply:
         As part of the audit resolution process, we recommend that Aetna provide OPM’s HIO
         with evidence that the claims processing system has been modified to prevent near
         duplicate claims from processing.

G. Health Insurance Portability and Accountability Act
  We reviewed Aetna’s efforts to maintain compliance with the security and privacy standards of
  HIPAA.

  Aetna has implemented a series of IT security policies and procedures to adequately address the
  requirements of the HIPAA security rule. Aetna has also developed a series of privacy policies
  and procedures that directly addresses all requirements of the HIPAA privacy rule. Aetna
  reviews its HIPAA privacy and security policies annually and updates when necessary. Aetna
  has designated a Privacy Official who has the responsibility of ensuring compliance with HIPAA
  Privacy and Security policies. Each year, all employees must complete Aetna’s “Business


                                                 14
Conduct and Integrity” training course. This training encompasses HIPAA regulations as well as
general compliance.

Nothing came to our attention that caused us to believe that Aetna is not in compliance with the
various requirements of HIPAA regulations.




                                               15
                    III. Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. The following individuals participated in the audit
and the preparation of this report:
•                  , Group Chief
•                     , Senior Team Leader
•                        , Auditor-In-Charge
•               , Lead IT Auditor
•                   , IT Auditor




                                               16
                                              Appendix


                                                                               Aet na Inc.

                                                                               151 Farmington Avenue

                                                                               Hartford, CT 06156



                                                                               - " Manager
                                                                               Aetna Information Systems




.-
December 19 , 20 12



Infonnation Systems Aud its Group
U.S. Office of Inspector Gene ral

1900 E Street, NW - Room 6400

W ashington, D.C. 204 15-1100


RE: Aetna 's respon se to Draft Report No .1 C-22-00- 12-065



        Aetna submits the following response to the above-referenced Draft Aud it Report issued by the
Office of Person nel Ma nagement (O PM) Office of the Inspe ctor General (D IG) unde r the Federal
Employees Health Benefits Program (FEHBP) . The aud it covered the gene ral and applicati on controls
over the automated claims processing systems and other computer-based systems at Aetna .

          Enclosed you will find two copies of the Draft Repo rt. The first attachment is labeled "Aetna's
Co mments to the Draft Report" and the second attachment is labeled "Proposed Redact ions" . Aetna has
responded to all of a lG's recommendations and has included a proposed timetable fo r completion in the
first attachment. The second attachment includes Aet na's response to the Draft Report with prop osed



                                                                                              at_
redactions. Aet na respectfully requests a lG to implement the prop osed redactions prior to the Final
Report's posting on the a lG website under the Freedom of Information Act.

        If you have an questions or concerns about our respon se, please feel to contact me



Sincerely,




                          , Senior Vice Pres ident, Aetna Federal Plans

                   ret, nfonnation Systems Audits Group

               nderwr iting Head of Aetna Federal Plans

Recommendation 1
Aetna will implement a methodology that includes:
       • Establish configuration baselines
       • Schedule scans to determine deviation from baseline
       • Establish a risk based approach for remediation of configuration deviations

Closure ETA: Management has presented an issue closure plan by 01/31/2013.
1

Recommendation 2
Aetna currently utilizes a risk based approach in support of completing vulnerability assessments by
focusing its scanning resources to high risk environments. As a result, these environments are scanned
with significant rigor by both Aetna and externally contracted partners. Currently, Aetna’s internal trusted
network is subjected to annual and ad hoc assessments that scan a sample of Aetna’s
and provide results with remediation advice to the system owners responsible for remediation.
To evolve Aetna’s strategic vulnerability management program in 2012, the investment of deploying a
scanning technology framework across the enterprise was achieved. Aetna’s strategic vision of its
vulnerability management program further evolved in 2012 due to the integration effort of the scanning
infrastructure into the IT GRC (Governance, Risk and Compliance) tool. Integrating vulnerability scan
results into the IT GRC tool will provide increased risk management oversight for remediation and
prioritization. This new vulnerability management program will establish a strategic foundation for findings
management and remediation workflow by providing data to assess and deploy timely patches across the
enterprise... This accomplishment will allow for the management of more frequent scanning and drive
timely implementation of system patches.
Aetna will implement a methodology that includes:
          • Aetna has continued to expand its vulnerability management program to other environments
              with the solution in place as of 1/31/201[3].
          • To complete the migration of its strategic vulnerability management program, Aetna is
              scheduled to include all                 within the Internal Trusted network by

Recommendation 3
Aetna will continue to evolve its enterprise vulnerability management program, enabling more stringent
oversight and communication with system owners on vulnerability findings and remediation expectations.

    Aetna will implement a methodology that includes:
        • Review of current                   patching process to identify gaps
        • Refinement of                   patching process
        • Post-implementation scan to ensure successful completion of upgrades

Closure ETA:

Recommendation 4
Aetna will implement a methodology that includes:
       • Review of current                      software patching process to identify gaps
       • Refinement of                      software patching process
       • Schedule of scans
       • Establish a risk based approach for remediation of non-current and unsupported software

Closure ETA: Management has submitted an issue closure plan by 01/31/2013. Closure target date
was presented as part of the closure plan.
Recommendation 5
Aetna will implement a methodology that includes:
       • Schedule of scans to identify unnecessary software installations
       • Establish a risk based approach for removal of unnecessary software.

Closure ETA: Management has presented an issue closure plan by 01/31/2013. Closure target date was
presented as part of the closure plan.

Recommendation 6
Going forward, when Aetna is notified of a new state mandate the HMO Product Admin team will be sent
a list of all groups with plans in that particular state. The team will scan the list for the federal plans and
remove them from the list.

In the unlikely instance that a plan participant would receive more than one routine mammogram in a
year, due to system limitations, Aetna’s HMO system does not have the ability to limit to this frequency.
With the planned migration off of HMO to Aetna’s                                    there is not anticipated
investment in enhancements to the legacy platform.

Recommendation 7
Aetna has carefully reviewed this issue and based on a significantly extensive activity to implement such
a solution for what would is considered a highly unlikely event, Aetna will continue to place reliance on the
downstream SIU process.

Recommendation 8
A system enhancement was implemented November 10, 2012 which is now denying services for this
scenario. Evidence has been provided to the OIG to demonstrate closure.

Recommendation 9
        •   A recommendation for revision to our duplicate editing logic will be presented internally to our
            policy area for review.
        •   The recommendation will be presented to the policy council at their March meeting. Target
            date: 3/30/13
        •   Any additional management action plans will be reviewed with the OIG based upon the
            review committees decision.