oversight

Audit of Information Systems General and Application Controls at Group Health Cooperative and KPS Health Plans

Published by the Office of Personnel Management, Office of Inspector General on 2015-05-18.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

         U.S. OFFICE OF PERSONNEL MANAGEMENT 

            OFFICE OF THE INSPECTOR GENERAL 

                     OFFICE OF AUDITS 





        Audit of Information Systems General and Application Controls
              at Group Health Cooperative and KPS Health Plans

                                            Rep o rt Numbe r 1C-54-00-14-061 

                                                       M ay18,2015 





                                                              --CAUTION -­
This audit r epot·t has been distributed to Federal officials who are n sponsible for the administration of the audited program. T his audit report may
contain pt·opl'ietat·y data which is protected by Federal l aw (18 U.S.C. 1905). Therefot·e, while this audit report is available undet· the Freedom of
Information Act and made available to the public on t he OIG webpage (http:lhmmv.opm.govl our-iu spector-geuernl), caution needs t o be exer cised
before releasing the t·epot·t to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
                  EXECUTIVE SUMMARY 

         Audit ofInformation Systems General and Application Controls at Group Health Cooperative
                                         and KPS Health Plans
Repot·t ~o 1C-54-00-14-061                                                                                            :\lay 18, 2015


 Background                                      What Did We Find?
 Group Health Cooperative (GHC) and KPS          Our audit at GHC and KPS detennined that:
 Health Plans (K.PS) contract with the U.S.      • 	 GHC has established an adequate security management program.
 Office of Personnel Management (OPM) as         • 	 GHC and KPS have implemented controls to prevent unauthorized logical
 part ofthe Federal Employees Health                 access to its systems. However, we noted the following areas of concem
 Benefits Program (FEHBP). KPS is a                  related to GHC's physical access controls:
 wholly ov.rned subsidiary of GHC, and the           o 	 Physical acce ss controls over general facility access could be improved,
 companies share several IT resources and                 and
 policies and procedures.                            o 	 Physical access controls over data center access could be improved.
                                                 • 	 We noted several areas of concem related to GHC 's and KPS ' network
 Why Did W e C onduct the Audit?                     security controls:
 The objectives of this audit were to 
              o 	 A patch management policy is in place, but our test w ork indicated that
 evaluate controls over the confidentiality, 
            patches are not being implemented in a timely manner;
 integrity, and availability of FEHBP data 
         o 	 A methodology is not in place to ensure that unsuppmt ed or out-of-date
 p rocessed and maintained in GHC 's and 
                software is not utilized;
 KPS ' infonnation technology 
                      o 	 Several servers were configured in an insecure manner; and
 environment. 
                                      o 	 KPS does not have a fmmal firewall management policy.
                                                 • 	 GHC has not developed fmmal configuration policies/baselines for all
 What Did Wt> Audit?                                 operating platfmms used in its environment. Fmthennore, GHC does not
                                                     audit its configuration settings against documented baseline configurations.
 The scope of this audit centered on the         • 	 GHC's and KPS ' business continuity and disaster recovery plans contain
 infonnation systems used by GHC and KPS             the key elements suggested by relevant guidance and publications.
 to process medical insurance claims for
                                                 • 	 GHC has documented system development lifecycle procedures, however,
 FEHBP members, with a primary focus on
                                                     the procedures are only guidelines and are not required for all system
 the claims adjudication applications.
                                                     changes.
                                                 • 	 GHC and KPS have implemented many controls in their claims
                                                     adjudication p rocesses to ensure that FEHBP clairns are processed
                                                     accurately. However, we noted several opportunities for improvement in
                                                     GHC's and KPS ' claims applicat ion controls .




 Michael R. Esser
Assistant Inspector General
for Audits
         ABBREVIATIONS

CFR      Code of Federal Regulations
FEHBP    Federal Employees Health Benefits Program
FISCAM   Federal Information System Controls Audit Manual
GAO      U.S. Government Accountability Office
GHC      Group Health Cooperative
IT       Information Technology
HIO      Healthcare and Insurance Office
HIPAA    Health Insurance Portability and Accountability Act
KPS      KPS Health Plans
NIST     National Institute of Standards and Technology
SDLC     System Development Life Cycle
SP       Special Publication
OIG      Office of the Inspector General
OMB      U.S. Office of Management and Budget
OPM      U.S. Office of Personnel Management




                    ii
                                      TABLE OF CONTENTS 



                                                                                                                       Page
EXECUTIVE SUMMARY ........................................................................................................... i 


ABBREVIATIONS ....................................................................................................................... ii 


I.        BACKGROUND ................................................................................................................ 1 


II.       OBJECT IVES, SCOPE, AND METHODOLOGY ........................................................2 


III.      AUDIT FINDING S AND RECO MMENDATIONS.......................................................5 

          A. Secm·ity Managernent ...................................................................................................5 

          B. Access Controls .............................................................................................................5 

          C. Network Secm·ity ...........................................................................................................8 

          D. Configm·ation Management ......................................................................................... 12 

          E. Contingency Planning.................................................................................................. 14 

          F. Claims Adjudication .................................................................................................... 15 

          G. Health Insm ance Poriability Accmmtability Act.. ....................................................... 24 


IV. MAJOR C ONTRIBUTORS TO TillS REPORT ...........................................................25 


APPENDIX: The Plans ' March 30, 2015 response to the draft audit rep01i, issued 

          January 29, 2015 . ...................................................................................................26 


REPORT FRAUD, WAST E, AND MISMANAGEMENT ......................................................33 

                              I. BACKGROUND 



This final rep01t details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the inf01mation systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims by Group Health Cooperative
(GHC) and KPS Health Plans (KPS).

The audit was conducted pursuant to FEHBP contracts CS 1043 and CS 1767; 5 U.S .C. Chapter
89; and 5 Code of Federal Regulations (CFR) Chapter 1, Pa11890. The audit was perf01med by
th e U.S. Office of Personnel Management's (OPM) Office of th e Inspector General (OIG), as
established by the Inspector General Act of 1978, as amended.

The FEHBP was established by the Federal Employees Health Benefits Act, enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents . The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Pa11890 of the CFR. Health insurance
coverage is made available through contracts with various caniers that provide service benefits,
indernnity benefits, or comprehensive medical services.

This was our first audit of GHC's and KPS ' inf01mation technology (IT) general and application
controls . We also reviewed GHC's and KPS' compliance with the Health Insurance Portability
and Accmmtability Act (HIPAA) . We chose to review these two distinct health plans in one
audit because KPS is a wholly owned subsidiary of GHC, and the companies shar·e several IT
resources and policies and procedures.

All GHC and KPS personnel that worked with the auditors were helpful and open to ideas and
suggestions. They viewed the audit as an opporhmity to examine practices and to make changes
or improvements as necessary. Their positive attitude and helpfulness throughout the audit was
greatly appreciated.




                                                1                           Rep01t No. 1C-54-00-14-061
  II. OBJECTIVES, SCOPE, AND METHODOLOGY 



Objective
The objectives of this audit were to evaluate conu·ols over the confidentiality, integrity, and
availability ofFEHBP data processed and maintained in GHC and KPS ' IT environments. We
accomplished these objectives by reviewing the following areas:
• Secmity management;
• Access conu·ols;
• Network Secmity;
• Configmation management;
• Segregation of duties;
• Contingency planning;
• Application conu·ols specific to GHC ' s and KPS ' claims processing system; and
• HIPAA compliance.

Scope and Methodology
This perfonnance audit was conducted in accordance with generally accepted govemment
auditing standards issued by the Compu·oller General of the United States. Accordingly, we
obtained an understanding ofGHC 's and KPS ' intemal conu·ols through interviews and
observations, as well as inspection of various documents, including infonnation technology and
oth er related organizational policies and procedmes. This lmderstanding of GHC 's and KPS '
intemal conu·ols was used in planning the audit by determining the extent of compliance testing
and other auditing procedmes necessaty to verify that the intemal conu·ols were properly
designed, placed in operation, and effective.

The scope of this audit centered on the inf01mation systems used by GHC and KPS to process
medical insmance claims for FEHBP members, with a primaty focus on the claims adjudication
applications. GHC claims m·e processed through a claims adjudication system managed
intemally by the organization . KPS licenses its claims application from a third party vendor,
-          · The business processes reviewed m·e primm·ily located in Tukwila and Bremerton,
Washington.

The on-site p01iion of this audit was perf01med from October through November of2014. We
completed additional audit work before and after the on-site visit at om office in Washington,
D .C. The findings, recommendations, and conclusions outlined in this rep01i are based on the
status of infonnation system general and application conu·ols in place at GHC and KPS as of
November 2014.




                                                2                          Rep01i No. 1C-54-00-14-061
In conducting our audit, we relied to varying degrees on computer-generated data provided by 

GHC and KPS. Due to time constraints, we did not verify the reliability of the data used to 

complete some of our audit steps, but we determined that it was adequate to achieve our audit 

objectives. However, when our objective was to assess computer-generated data, we completed 

audit steps necessary to obtain evidence that the data was valid and reliable. 


In conducting this audit we: 

 Gathered documentation and conducted interviews; 

 Reviewed GHC’s and KPS’ business structure and environment; 

 Performed a risk assessment of GHC’s and KPS’ information systems environment and 

    applications, and prepared an audit program based on the assessment and the U.S.
    Government Accountability Office’s (GAO) Federal Information System Controls Audit
    Manual (FISCAM); and,
		 Conducted various compliance tests to determine the extent to which established controls and
    procedures are functioning as intended. As appropriate, we used judgmental sampling in
    completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating GHC’s and 

KPS’ control structure. These criteria include, but are not limited to, the following publications: 

 Title 48 of the CFR; 

 Office of Management and Budget (OMB) Circular A-130, Appendix III; 

 OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of 

   Personally Identifiable Information;
 Information Technology Governance Institute’s CobiT: Control Objectives for Information
   and Related Technology;
 GAO’s FISCAM;
 National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
   Introduction to Computer Security;
 NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
   Technology Systems;
 NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
 NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;
 NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
 NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems
   and Organizations;
 NIST SP 800-61, Computer Security Incident Handling Guide;
 NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA
   Security Rule; and,
 HIPAA Act of 1996.



                                                 3	                           Report No. 1C-54-00-14-061
Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether GHC’s and KPS’ practices
were consistent with applicable standards. While generally compliant, with respect to the items
tested, GHC and KPS were not in complete compliance with all standards, as described in
section III of this report.




                                               4                           Report No. 1C-54-00-14-061
  III. AUDIT FINDINGS AND RECOMMENDATIONS 



A. Security Management
  The security management component of this audit involved the
  examination of the policies and procedures that are the fmmdation of      GHC maintains a
  GHC's overall IT security conu·ols. We evaluated GHC 's ability to        series of thorough IT
  develop security policies, manage risk, assign security-related           security policies and
  responsibility, and monitor the effectiveness of various system-related   procedures.
  conu·ols. KPS has adopted and enforces the IT policies established by 

  GHC. 


  GHC has implemented a series of fonnal policies and procedures that comprise its security
  management program. The GHC Chieflnfonnation Security Officer is responsible for creating,
  reviewing, editing, and disseminating IT security policies. GHC has developed a thorough risk
  management methodology, and has procedures to document, u·ack, and mitigate or accept
  identified risk. We also reviewed GHC ' s human resources policies and procedures related to
  hiring, u·aining, u·ansfening, and tenninating employees.

  Nothing came to our attention to indicate that GHC does not have an adequate security 

  management program. 


B. Access Controls
  Access conu·ols are the policies, procedures, and techniques used to prevent or detect
  unauthorized physical or logical access to sensitive resources.

  We examined the physical access conu·ols of GHC's and KPS' facilities and data centers. We
  also examined the logical conu·ols protecting sensitive data on GHC's network environment and
  claims processing related applications.

  The access conu·ols observed during this audit include, but are not limited to:
  • 	 Procedures for appropriately granting, revoking, and routinely auditing physical access to
      secure areas;
  • 	 Procedures for granting, adj usting, and auditing user access; and
  • 	 Procedures for removing network and application access for tenninated employees.

  The following section documents opporhmities for improvement related to GHC 's physical
  access conu·ols.




                                                  5	                          Rep01i No. 1C-54-00-14-061
1. Facility Access
   Most GHC facility entrances ar e protected by either a locked door requiring an access badge
   or a security guar d stationed at the enu·ance. However, we n n<~ Pn~TPil
                                                    at various times during business hours. GHC




   FISCAM states that "Access to facilities should be limited to personnel having a legitimate
   need for access to perf01m their duties." Physical conu·ols vmy , but include: manual door or
   cipher key locks, magnetic door locks that require the use of elecu·onic keycards, biomeu·ics
   authentication, security guards, photo IDs, entry logs, and elecu·onic and visual surveillance
   systems.

   FISCAM also states that " By obtaining physical access to computer facilities and equipment,
   an individual could (1) obtain access to te1minals or telecommlmications equipment that
   provide input into the computer, (2) obtain access to confidential or sensitive inf01mation on
   magnetic or printed media, (3) substitute lmauthorized data or progrmns, or (4) steal or inflict
   malicious dmnage on computer equipment and software."

   We did not observe any opportunities for improvement related to fa cility access at any KPS
   facilities.

   Recommendation 1
   We recommend that GHC reassess its facilities' physical access management an d implement
   conu·ols that will ensure proper physical security.

   GHC Response: 

   "Procedural changes have been deployed to eliminate gaps in lobby coverage. Further 

   enhancements are being planned and will be deployed by 51112015 to assure the posted 

   security has better visual access to ID badges when persons enter through GH lobby areas. 


   Policy and training currently conveys the expectation that
   •      . Improvement to verbiage on the badge, access policy and related training is being
   developed and will be deployed by 51112015 to reinforce the expectation that all person s
   utilize badges for secure buildings and spaces. This will create a policy violation for  II




                                                6                            Rep01i No. 1C-54-00-14-06 1
   OIGReply:
   As part of th e audit resolution process, we recommend that GHC provide OPM's Healthcare
   and Insurance Office (HIO) with evidence th at it has adequately implemented this
   recommendation . This statement also applies to all subsequent recommendations in this
   rep01i that GHC and KPS agree to implement.

2. Access to Data Center
   The GHC data center has elecu·onic car d readers to conu·ol
   physical access. However, we expect all FEHBP conu·actors to Physical access controls
   also have multi-factor authentication at data center enu·ances.        at GHC 's data center
   GHC has stated that they ar e in th e process of moving their          could be improved.
   primruy data center from the office complex location in
   -         , Washington to an other facility with improved conu·ols . GHC should ensure that the
   new facility contains the following common access conu·ols that we typically see at other
   FEHBP catTier facilities:
    • 	 Multi-factor auth entication to enter th e computer room (e.g., pin code or biomeu·ic device
        in addition to an access cru·d);
   •



   Failure to implement adequate physical access conu·ols increases the risk that unauthorized
   individuals can gain access to the GHC data centers and the sensitive IT resources and
   confidential data they contain. NIST SP 800-53 Revision 4, "Security an d Privacy Controls
   for Federal Information Systems an d Organizations," provides guidance for adequately
   conu·olling physical access to inf01m ation systems containing sensitive data.

   We did not observe any opp01iunities for improvement related to facility access at the KPS
   data center.

   Recommendation 2
   We recommend that GHC reassess its data centers' physical access m anagement and
   implement conu·ols that will ensure proper physical security. At a minimum, GHC should
   implement multi-factor authentication at data center enu·an ces.

   GHC R esponse:
   "Group H ealth is
   primary data center, provided by data center designer, owner and operator,




                                                 7	                          Rep01i No. 1C-54-00-14-061
                                         .       provides multiple levels of physical and logical
     security for Group Health’s data center environment including:
     - On-site security personnel 24 hours per day, 7 days per week
     - Secure perimeter security setbacks, berms and fencing with intrusion detection
     - Secure access checkpoint
     - CCTV throughout campus
     - Mantraps at building entrance
     - Biometrics
     To gain access to the Group Health data servers in the new data center environment,




C. Network Security
  Network security includes the policies and controls used to prevent or monitor unauthorized
  access, misuse, modification, or denial of a computer network and network-accessible resources.

  We evaluated GHC’s and KPS’ network security program and also independently performed
  several automated vulnerability scans and compliance audits performed on GHC and
  KPS/            operating platforms during this audit. We noted the following opportunities for
  improvement related to network security controls.

  1. Vulnerabilities Identified in Scans
     System Patching
     GHC has documented vulnerability management policies and procedures that establish
     timeframes for remediating weaknesses. However, the results of our vulnerability scans
     indicate that all critical patches, service packs, and hot fixes are not implemented in a timely
     manner.

                  also conducts periodic vulnerability scanning on the technical environment
     supporting KPS. However, the results of our vulnerability scans on this environment also
     indicate that all critical patches, service packs, and hot fixes are not implemented in a timely
     manner.

     FISCAM states that “Software should be scanned and updated frequently to guard against
     known vulnerabilities.” NIST SP 800-53 Revision 4 states that the Plan must identify,
     report, and correct information system flaws and install security-relevant software and
     firmware updates promptly.

     Failure to promptly install important updates increases the risk that vulnerabilities will not be
     remediated and sensitive information could be stolen.



                                                   8                            Report No. 1C-54-00-14-061
Recommendation 3
We recommend that GHC implement procedures and controls to ensure that production
servers are updated with appropriate patches, service packs, and hotfixes on a timely basis.

GHC Response: 

“Group Health has established a monthly vulnerability scanning process that looks for the 

existence of current software and patches per its baseline. 


Group Health has revised the operating system patching process and schedule to ensure 

monthly scanning will detect all current patches in the month they are released from the 

vendor. Group Health has also revised the technology platform used to deploy updates, 

conforming to industry best practices for efficient, effective patch deployment, as well as 

reporting. 


A comprehensive plan for remediating production systems will be completed and validated 

by scans scheduled for 06/01/2015.” 


Recommendation 4
We recommend that KPS require                to implement procedures and controls to ensure
that production servers are updated with appropriate patches, service packs, and hotfixes on a
timely basis.

KPS Response:
“             represents that all servers in this environment will be replaced and put on a
regular monthly patch schedule by 4/30/15.                is completing a planned migration
of all physical servers to           and bringing all           operating systems up to
                           and using                        for automated patching on a
regularly scheduled basis. All systems will then be placed on a lifecycle with plans to
upgrade as soon as new OS/app versions are validated by QA.”

Noncurrent software
The results of the vulnerability scans of GHC and KPS/             also indicated that several
servers contained noncurrent software applications that were no longer supported by the
vendors, and have known security vulnerabilities.

FISCAM states that “Procedures should ensure that only current software releases are
installed in information systems. Noncurrent software may be vulnerable to malicious code
such as viruses and worms.”




                                            9                           Report No. 1C-54-00-14-061
Failure to promptly remove outdated software increases the risk of a successful malicious
attack on the information system.

Recommendation 5
We recommend that GHC implement a process to ensure that only current and supported
versions of software applications are installed on the production servers.

GHC Response:
“Leveraging the monthly vulnerability scanning and other IT processes and tools, Group
Health will develop a process to remediate out of date or no longer supported software on
production            servers by 3/31/2015. Group Health will also create a Plan to
remediate, complete with timeline and completion date by 06/30/2015. The final
completion date will be delivered as a component of the implementation plan itself by
06/30/2015.”

Recommendation 6
We recommend that KPS require                implement a process to ensure that only current
and supported versions of software applications are installed on the production servers.

KPS Response:
“             represents that all servers in this environment will be replaced and put on a
regular monthly patch schedule by 4/30/15.                is completing a planned migration
of all physical servers to           and bringing all           operating systems up to
                           and using                        for automated patching on a
regularly scheduled basis. All systems will then be placed on a lifecycle with plans to
upgrade as soon as new OS/app versions are validated by QA.”

Insecure Operating System Configuration
The results of the vulnerability scans also indicated that several GHC and             servers
contained insecure configurations that could allow hackers or unprivileged users to

                                                                      . We were subsequently
provided evidence that GHC has since remediated this vulnerability.

NIST SP 800-53 Revision 4 states that the Plan must scan for vulnerabilities in the
information system and hosted applications, analyze the reports, and remediate legitimate
vulnerabilities. Failure to remediate vulnerabilities increases the risk that hackers could
exploit system weaknesses for malicious purposes.




                                            10                           Report No. 1C-54-00-14-061
   Recommendation 7
   We recommend that KPS require                  to remediate the specific technical weaknesses
   outlined in the vulnerability scanning audit inquiry issued during the audit.

   KPS Response: 

   “All servers in this environment will be replaced and put on a regular monthly patch 

   schedule by the 4/30/15 date.              is completing a planned migration of all physical
   servers to            and bringing all           operating systems up to
             and using                       for automated patching on a regularly scheduled
   basis. All systems will then be placed on a lifecycle with plans to upgrade as soon as new
   OS/app versions are validated by QA.”

2.	 Firewall Management
                 has implemented firewalls to help secure the network environment supporting
    KPS. However, a firewall configuration/hardening policy has not been developed.
                 also has procedures in place to document and track firewall changes. However,
    there is no routine review of firewall settings because there are no approved settings to which
    to compare the actual settings.

   NIST SP 800-41 Revision 1 states that “A firewall policy dictates how firewalls should
   handle network traffic for specific IP addresses and address ranges, protocols, applications,
   and content types (e.g., active content) based on the organization’s information security
   policies. . . . The policy should also include specific guidance on how to address changes to
   the rule set.”

   Failure to implement a thorough firewall configuration policy and continuously manage the
   devices’ settings increases the organization’s exposure to insecure traffic and vulnerabilities.

   We did not observe any opportunities for improvement related to GHC’s firewall 

   management methodology. 


   Recommendation 8
   We recommend that KPS require that                  document a formal firewall management
   policy.

   KPS Response:
   “             represents that it is revising its firewall management policies and will have an
   approved policy in place by 04/30/2015.                    and            have both been
   installed with full automation expected to be completed by the end of 4/30/15. Once




                                                11 	                         Report No. 1C-54-00-14-061
     automation is complete,- will be conducting full reviews at least twice per year
     to ensure compliance with the established policy."

     Recommendation 9
     We recommend that KPS require t h a t - implement a process to conduct routine
     configuration reviews on its network firewalls to ensure perfonnance and security
     optimization, as defined by the firewall management policy.

     KPS Response: 

     KPS provided the same response as for recommendation 8. 


D. Configuration Management
  The GHC claims processing application is                                        . The system
  includes many supp01i ing applications and system interfaces. Additional supp01iing applications
  ar e hosted in data centers owned and operated by GHC. We evaluated GHC's management of
  th e configuration of these platf01ms and dete1mined that the following controls were in place:
  • 	 Documented build standards and procedures; and
  • 	 Thorough change management procedures for system software.

  KPS ' claims processing system is hosted and maintained b y -. The claims processing 

  application is housed in a distributed server environment. We evaluated­

  configuration management of the claims processing system and dete1mined that the following 

  controls were in place: 

  • 	 Documented configuration baselines; and
  • 	 Thorough change management procedures for system software.

  The sections below document areas for improvement related to GHC 's a n d - ' 

  configuration management controls. 


  1. 	 Baseline Configurations 

       GHC has created build standards and procedures for deploying 

       new servers and databases. However, during the fieldwork phase 
 GHC has not
       of this audit, GHC had not documented baseline configurations         documented baseline
       for all operating platf01ms used by the organization. A baseline
       configuration is a f01mally approved policy or standard outlining
       how to securely configure an operating platf01m. We were
       subsequently provided evidence that baseline policies are in the
                                                                           --configurations for its




       process of being created for several operating platforms using Center for Intemet Security
       standards. We were told that full implementation of the baselines is scheduled for Febmruy
       2015.


                                                  12 	                        Rep01i No. 1C-54-00-1 4-061
   NIST SP 800-53 Revision 4 states that an organization must develop, document, and 

   maintain a current baseline configuration of the information system. 


   Failure to establish approved system configuration settings increases the risk the system may
   not meet performance requirements defined by the organization.

              has documented adequate baseline configurations for the operating platforms
   supporting KPS.

   Recommendation 10
   We recommend that GHC document approved baseline configurations for all                  

                        .


   GHC Response:
   “Group Health has incorporated baseline configuration standards into the new production
         build image; such that all new production          builds adhere to the desired
   configuration outcome. In addition, all new production           are also built with
           installed to help ensure the desired configuration state is maintained over time.

   Existing production        will be brought into compliance of the baseline security 

   configuration standards by September 31, 2015.” 


2.	 Configuration Compliance Auditing
    As noted above, GHC does not maintain approved operating platform secure configuration
    baselines for its                                     . Therefore, GHC cannot effectively audit
    the system’s security settings (i.e., there are no approved settings to which to compare the
    actual settings). We were told that GHC is in the process of implementing tools to assist with
    configuration compliance auditing on existing            , which will be complete in February
    2015.

                has created baseline configuration policies for its servers and databases that
   process claims data. However, it does not routinely audit its configurations to ensure
   compliance.                has recently completed the installation of two tools that will allow it
   to review system configurations. However, full automation of these tools is not planned until
   the first quarter of 2015.

   NIST SP 800-53 Revision 4 states that an organization must monitor and control changes to
   the configuration settings in accordance with organizational policies and procedures.




                                                13 	                          Report No. 1C-54-00-14-061
     FISCAM requires cmTent configuration inf01mation to be routinely monitored for accuracy.
     Monitoring should address the baseline and operational configuration of the hardware,
     software, and fnmware that comprise the infonnation system.

     Failure to implement a thorough configuration compliance auditing program increases the
     risk that insecurely configured servers exist undetected, creating a potential gateway for
     malicious vnu s and hacking activity that could lead to data breaches.

     Recommendation 11
     We recommend that GHC routinely audit all server, database, and mainframe security
     configuration settings to ensure they are in compliance with approved baselines.

     GHC Response:
     "All new production                    are currently built w i t h - installed to help
     ensure the desired configuration state is maintained over time. All existing production
                      will be retrofitted w i t h - by                     "

     Recommendation 12
     We recommend that KPS requn·e-                 to routinely audit all server and database
     security configuration settings to ensure they are in compliance with the approved baselines.

     KPS Response:
     '-            represents that it is revising its configuration management policy and will
     have an approved policy in place b y - .                                      have both been
     installed with full automation expected to be completed by the end              Once
     automation is complete,- will be conducting full reviews at least twice per year
     to ensure they comply with the established policy.

     -          continues with ongoing change management procedures with respect to
     evaluations and approval ofall applicable configuration changes for specific devices."

E. Contingency Planning
  We reviewed the following elements of GHC 's and KPS ' contingency planning programs to
  dete1mine whether controls were in place to prevent or minimize intenuptions to business
  operations when disastrous events occur:
  • Disaster recove1y plan;
  • Business continuity plan;
  • Disaster recove1y plan tests; and
  • Emergency response procedures.




                                                 14                          Rep01i No. 1C-54-00-14-061
  We detennined that the service continuity documentation contained the critical elements
  suggested by NIST SP 800-34 Revision 1, "Contingency Planning Guide for Federal Infon nation
  Systems." GHC and KPS have identified and prioritized th e systems and resources that ar e
  critical to business operations, an d have developed detailed procedures to recover those systems
  and resources.

  N othing came to our attention to indicate that GHC or KPS have not implemented adequate
  controls related to contingency planning.

F. 	Claims Adjudication
  The following sections detail our review of the applications an d business processes supp01iing
  the GHC and KPS claims adjudication process. The following sections addr ess both the GHC
  claims system , -      , and th e KPS claims system hosted by -            .

  1. 	 Application Configuration Management
       We evaluated the policies and procedures goveming application development and change
       control ofGHC 's and KPS ' claims processing systems.

     KPS and -              have documented system development life cycle (SDLC) procedures
     th at IT personnel follow during routine softwar e modifications. All changes require approval
     and undergo testing prior to migration to the production environment. We do not have any
     concem s regar ding KPS' application configuration man agem ent process.

     GHC has also implemented procedures related to application            GHC 's SDLC
     configuration management, and has adopted an SDLC                     process is not
     methodology. However, these SDLC procedures ar e "guidelines"         enforced on all
     and ar e not required for all application changes. We were told that  application changes.
     a new SDLC methodology will be implemented in the future that
     will specify ce1iain required items for medium to large system implem entations .

     NIST SP 800-53 Revision 4, states that an organization must man age the infonnation
     systems using a system development life cycle that incmporates infon nation security
     considerations. Failure to enforce the SDLC procedure for all application changes increases
     the risk that changes could be m ade that ar e not approved an d not adequately tested. This
     could increase the risk that defective or malicious code could be introduced into the
     production environment without m anagement's knowledge.

     Recommendation 13
     We recommend that GHC update its SDLC policy to require all application changes go
     through the documented SDLC process.



                                                 15 	                         Rep01i No. 1C-54-00-14-061
   GHC Response: 

   “Group Health will update the Change Management Policy to require all updates to the 

   application portfolio to follow the SDLC process. In addition, Group Health has updated 

   the SDLC process and related reference and training materials. 


   Throughout 2015, system implementations will go through a more robust Phase Gate 

   Review process, tracking/monitoring tools and instructions on what steps and artifacts of 

   the SDLC are required based on the type of project and risk profile Group Health expect 

   that these changes should be fully implemented by 12/31/2015.” 


2. Claims Processing System
   We evaluated the input, processing, and output controls associated with the GHC and KPS
   claims processing systems. We determined that GHC and KPS have implemented policies
   and procedures to help ensure that:
    GHC paper claims that are received in the mail room are tracked to ensure timely
       processing;
    Claims are monitored as they are processed through the systems with real time tracking
       of the system’s performance; and,
    Claims scheduled for payment are actually paid.

   While on-site at the KPS facility in Bremerton, Washington, we observed that incoming mail
   was not logged before being transferred to another location for processing. Failure to log
   incoming mail increases the risk that claims or checks could get lost during shipment. We
   subsequently received evidence that KPS has since remediated the weakness by
   implementing mail logging procedures.

   Nothing else came to our attention to indicate that GHC or KPS have not implemented
   adequate controls over its claims processing systems.

3.		 Enrollment
     We evaluated GHC’s and KPS’ procedures for managing their databases of member
     enrollment data. Enrollment information is received electronically or in paper format and
     entered into the claims processing system. Enrollment transactions are audited weekly to
     ensure information is entered accurately. We do not have any concerns regarding GHC’s or
     KPS’ enrollment policies and procedures.

4.		 Debarment
     GHC and KPS have adequate procedures for updating their claims processing systems with
     debarred provider information. GHC and KPS download the OPM OIG debarment list every



                                              16 	                        Report No. 1C-54-00-14-061
   month and make the appropriate updates to the provider databases. Any claim submitted for
   a debarred provider is flagged by GHC and KPS to prevent claims submitted by that provider
   from being processed successfully during the claims adjudication processes.

   Nothing came to our attention to indicate that GHC or KPS have not implemented adequate
   controls over the debarment process.

5. Application Controls Testing
   We conducted tests on both GHC’s and KPS’ claims processing applications to validate the
   systems’ claims adjudication controls. The exercise involved processing test claims designed
   with inherent flaws and evaluating the manner in which the systems processed and
   adjudicated the claims. The test results from GHC and KPS are documented separately
   below.

   Group Health Cooperative
   Our test results indicate that the GHC system has controls and edits in place to identify the 

   following scenarios:


    Exact duplicate claims; 

    Gender / Procedure inconsistency; 

    Facility / Procedure inconsistency; 

    Invalid place of service; 

    Catastrophic maximum;


    Eligibility; 

    Surgeon / Assistant surgeon; 

    Coordination of benefits; 

    Bundling charges; and 

    Timely Filing. 


   The sections below document opportunities for improvement related to GHC’s claims


   application controls. 


   a. Medical Editing
      Our claims testing exercise identified several scenarios where the GHC claims processing
      system failed to detect medical inconsistencies. For each of the following scenarios, a
      test claim was processed and paid without encountering any edits detecting the
      inconsistency:
      




                                                17                           Report No. 1C-54-00-14-061
•
•

The examples outlined above merely represent a small number of medically inconsistent
scenarios that could be detected by comprehensive medical edits in the system. It is not
intended to be an all-inclusive list, and GHC's eff01is to address this fmding should be
focused on a comprehensive medical edit solution.

Failure to detect these system weaknesses increases the risk that benefits are being paid
for procedures that were not actually perf01m ed.

Recommendation 14
We recommend that GHC implement comprehensive medical edits in its claims
adjudication application.

GHC R esponse: 

"Group H ealth is improving the adjudication process by implementing the following 

medical edit updates: 





                                        18                           Rep01i No. 1C-54-00-14-061
   	



   	




   OIG Reply:
   While the                        process may detect and deny some forms of
                        inconsistencies, we believe that an
   would increase the likelihood of detecting and suspending these types of claims from
   processing. Therefore we continue to recommend that GHC implement comprehensive
   medical edits in its claims adjudication application.

b.		 Patient History
     Our claims testing exercise identified several scenarios where the GHC claims processing
     did not adequately compare current claims to a patient’s historical claims. For each of
     the following scenarios, a test claim was processed and paid without encountering any
     edits detecting the issue:
     
         o	



   	
        o	
        o	

   Due to the potential fraudulent nature of this scenario, we expected the system to suspend
   these claims for further review; however, no edit was generated by the system. Failure to
   detect duplicate claims or member history inconsistencies increases the risk that
   fraudulent or erroneous claims are paid.

   Recommendation 15
   We recommend GHC ensure the appropriate system modifications to ensure that claims
   are compared against historical claims data to identify potential duplicates.

   GHC Response: 

   “Group Health is improving the adjudication process by implementing the following 

   system modifications:






                                           19 	                        Report No. 1C-54-00-14-061
c. 	 Benefit Structure
     Our claims testing exercise identified a scenario where the GHC claims processing
     system failed to apply the FEHBP benefit structure con ectly.
     • 	 Timely filing (Professional & Facility) - the GHC claims processing system is not
         appropriately following the timely filing limit outlined in the FEHBP brochure.
         According the brochure, claims must be submitted by December 31 of the year after
         the year you received the service. Cunently, GHC only allows one year from the end
         of the date of service to submit a claim, while OPM allows lmtil the end of the
         calendar year after the year of the date of service.

   We received evidence after the fieldwork phase of the audit indicating that GHC has 

   since resolved this issue. The filing limit has been updated so that for FEHB members 

   the timely filing limit is extended until the end of the year following the year when 

   services were provided. 


KPS Health Plans
Our test results indicate that the system has conu·ols and edits in place to identify the
following scenarios:
• 	 Exact duplicate claims;
• 	 Gender I Procedure inconsistency;
• 	 Facility I Procedure inconsistency;
• 	 Invalid place of service;
• 	 Catasu·ophic maximum;


                                              20 	                         Rep01i No. 1C-54-00-14-061
   Eligibility; 

   Surgeon / Assistant surgeon; 

   Coordination of benefits; and 

   Bundling charges. 


The following section documents opportunities for improvement related to KPS' claims


application controls: 


a. Medical Editing
   Our claims testing exercise identified several scenarios where the KPS claims processing
   system failed to detect medical inconsistencies. For each of the following scenarios, a
   test claim was processed and paid without encountering any edits detecting the
   inconsistency:
   

    

    


    The examples outlined above merely represent a small number of medically inconsistent
    scenarios that could be detected by comprehensive medical edits in the system. It is not
    intended to be an all-inclusive list, and KPS’ efforts to address this finding should be
    focused on a comprehensive medical edit solution.

    Failure to detect these medical inconsistencies increases the risk that benefits are being
    paid for procedures that were not actually performed.

    Recommendation 16
    We recommend that KPS work with                   to implement comprehensive medical
    edits in its claims adjudication application.

    KPS Response: 

    “KPS and              are working to improve the adjudication process by 

    implementing the following medical edit updates: 





                                              21                          Report No. 1C-54-00-14-061
b. 	 Benefit Structure
     Our claims testing exercise identified scenarios where the KPS claims processing system
     failed to detect benefit stmcture inconsistencies. For each of the following scenarios, a
     test claim was processed and paid without encmmtering any edits detecting the
     inconsistency:
   •

   • 	 Timely filing (Professional & Facility) - KPS' claims processing system is not
       appropriately following the timely filing limit. According the FEHBP brochure,
       claims must be submitted by December 31 of the year after the year you received the
       service. Cunently, KPS is only allowing for one year from the end of the date of
       service to submit a claim; and
   •

   Failure to ensure the claims processing system is conectly following the benefit stm cture
   increases the risk that claims are being incon ectly paid.

   Recommendation 17
   We recommend that KPS work with - to implement the appropriate system
   modifications to ensure that claims are being appropriately processed according to the
   benefit stmcture.

   KPS Response: 

   "KPS is improving the adjudication process by implementing the following system 

   modifications: 





                                            22 	                         Rep01i No. 1C -54-00-14-061
   	


   Timely Filing (Professional and Facility)
   		 Due to the variables in the number of days for timely filing, KPS modified the
       system with a 365-day timely filing indicator and a new report to verify that claims
       to potentially be denied due to the timely filing limitation are in fact beyond the
       timely filing limit. This will be a pre-check-run report. KPS re-tested claims after
       the change in the timely filing criterion and results were as expected. Report is
       currently in development and expected completion date is 04/01/2015



   	


c.	 Patient History
    Our claims testing exercise identified several scenarios where the KPS claims processing
    did not adequately compare current claims to a patient’s historical claims. For the
    following scenarios, a test claim was processed and paid without encountering any edits
    detecting the issue:
    
        o	
        o	

   Failure to detect patient history issues increases the risk that fraudulent or erroneous
   claims are paid.

   Recommendation 18
   We recommend that KPS work with                 to ensure the appropriate system
   modifications are made to prevent claims with patient history issues from processing.

   KPS Response: 

   “KPS is improving the adjudication process by implementing the following system 

   modification: 




   	




                                            23 	                          Report No. 1C-54-00-14-061
G. Health Insurance Portability and Accountability Act
  We reviewed GHC 's and KPS' eff01is to maintain complian ce with the security and privacy
  standards of HIPAA. GHC created and m aintains the HIPAA policies and procedures that KPS
  enforces.

  GHC has implemented a collection ofiT security policies and procedures to address the
  requirements of the HIPAA security mle. GHC has also developed a series of privacy policies
  and procedures that address requirements of the HIPAA privacy mle. GHC reviews its HIPAA
  privacy and security policies annually and updates when necessruy. The GHC legal office
  oversees all HIPAA activities, and publishes and maintains c01porate policies. Privacy and
  security training is provided periodically to all employees.

  Nothing came to our attention to indicate that GHC is not in compliance with the vru·ious
  requirements of HIPAA regulations.




                                                 24                          Rep01i No. 1C-54-00-14-061
  IV. MAJOR CONTRIBUTORS TO THIS REPORT

Information Systems Audit Group

                  , Auditor-In-Charge
               , IT Auditor
                     , IT Auditor
             , IT Auditor
______________________________________________________________________________

                , Group Chief




                                        25                  Report No. 1C-54-00-14-061
                                         Appendix 


       @

GroupHealthe


Date: 03/30/2015

To:   - - - -· U.S. Office of Personnel Management
From: ~xecutive Vice President; Health Plan Division, Group Health Cooperative and
      Jim Page, KPS President; KPS Health Plans

       Re: GHC & KPS Health Plan IT General and Application Controls Audit 2014;
                         findings and recommendations

This memorandum is provided in response to find ings and recommendations noted on OIG's draft audit
report issued on 01/29/2015. Group Health Cooperative and KPS have reviewed the OIG's findings and
recommendations and provide the following response.

Recommendation 1- Facility Access for GHC
We recommend that GHC reassess its facilities' physical access management and implement
  controls that will ensure proper physical security.

   Comment: Procedural changes have been deployed to eliminate gaps in lobby coverage. Further
     enhancements are being planned and will be deployed by 51112015 to assure the posted
     security has better visual access to 10 badges when persons enter through GH lobby areas.




Recommendation 2 - Access to Data Center for GHC
We recommend that GHC reassess its data centers' physical access management and
   implement controls that will ensure proper physical security. At a minimum, GHC should
   implement multi-factor authentication at data center entrances.



                                                   provides multiple levels of physical
                                                           including:
       - On-site security personnel 24 hours per day, 7 days per week
       - Secure perimeter security setbacks, berms and fencing with intrusion detection
       - Secure access checkpoint
       - CCTV throughout campus
       - Mantraps at building entrance
       - Biometrics




                                              26                          Rep01i No. 1C-54-00- 14-061
Recommendation 3- Network Security- System Patching for GHC
We recommend that GHC implement procedures and controls to ensure that production
  servers are updated with appropriate patches, service packs, and hotfixes on a timely
   basis.
      Comment: Group Health has established a monthly vulnerability scanning process that
      looks for the existence of current software and patches per its baseline.

      Group Health has revised the operating system patching process and schedule to
      ensure monthly scanning will detect all current patches in the month they are released
      from the vendor. Group Health has also revised the technology platform used to deploy
      updates, conforming to industry best practices for efficient, effective patch deployment,
      as well as reporting.

      A comprehensive plan for remediating production systems will be completed and
      validated by scans scheduled for 0610112015.


                                                   implement procedures and controls to
                                                   with appropriate patches, service packs,


      Comment:- - represents that all servers in this environment will be replaced
      and put onT~f!!rcf?'??wnthly patch schedule b 4130115.             is             a
      planned migration of all        servers to                                   operating
      systems up to
      patching on a                           All                           on a lifecycle
      with plans to upgrade as soon as new OS/app versions are validated by QA

Recommendation 5- Network Security- Non-Current Software for GHC
We recommend that GHC implement a process to ensure that only current and supported
   versions of software applications are installed on the production servers.

      Comment: Leveraging the monthly vulnerability scanning and other IT processes and
      tools, Group Health will develop a - ocess to remediate out of date or no longer
      supported software on production            servers by 313112015. Group Health will
      also create a Plan to remediate, comp e e with timeline and completion date by
      0613012015. The final completion date will be delivered as a component of the
      implementation plan itself by 0613012015.


                                                implement a process to ensure that only
                                                  applications are installed on the


      Comment:- - represents that all servers in this environment will be replaced
      and put onT~f!!rcf?'??wnthly patch schedule by the 4130115 date.      is
                 a planned migration of all        servers to                 all
               operating systems up
                automated patching                                                be


                                              27                          Rep01i No. 1C-54-00- 14-061
      placed on a lifecyc/e with plans to upgrade as soon as new OS!app versions are
      validated by QA

Recommendation 7- Network Security- Insecure Operating System Configuration for
   KPS
We recommend that KPS r e q u i r e - - to remediate the specific technical
   weaknesses outlined in the v~scanning audit inquiry issued during the
  audit.

      Comment: All servers in this environment will be replaced and put on a regular monthly
      patch schedule by the 4130115 date.              is completing a planned migration of all
              servers to           and                        operating systems up to- ­
                                                            rrr.tn.:. l'i:>rt patching on a regrJf!!J!y
                       All                             on a lifecyc/e with plans to upgrade as
      soon as new OS!app versions are validated by QA




We recommend that KPS require t h a t - - implement a process to conduct
   routine configuration reviews on i~rewalls to ensure performance and
  security optimization, as defined by the firewall management policy.

      Comment:- - represents that it is revising its firewall management
      will have a~policy in place by 0 413012015.                                            have
      both been installed with full au-omation ex ected to                                       5.
      Once automation is complete,                will be conducting full reviews at least twice
      per year to ensure compliance WI       e established policy.




       Comment: ~~   rou Health has incorporated baseline configuration standards into the new
      production           build image; such that all new production       builds adhere to the
       desired con tguration outcome. In addition, all new                    are a/so built with
      -         installed to help ensure the desired configuration            tained over time.

      Existing production .      will be brought into compliance of the baseline security
      configuration standafi s y September 31, 2015.

Recommendation 11 - Configuration Management- Configuration Compliance Auditing
   for GHC
We recommend that GHC routinely audit all server, database, and mainframe security
  configuration settings to ensure they are in compliance with approved baselines.

      Comment: All new production -            servers are currently built with -           installed
      to help ensure the desired con tgura ton state is maintained over time.         ex1s mg
      production -         servers will be retrofitted with -      b




                                                 28                             Rep01i No. 1C-54-00- 14-061
Recommendation 12 - Configuration Management- Configuration Compliance Auditing
   for KPS
We recommend that KPS r e q u i r e - - to routinely audit all server and database
  security configuration setting~they are in compliance with the approved
   baselines.




Recommendation 13 -Application Configuration Management for GHC
We recommend that GHC update its SDLC policy to require all application changes go
   through the documented SDLC process.

      Comment: Group Health will update the Change Management Policy to require all
      updates to the application portfolio to follow the SDLC process. In addition, Group Health
      has updated the SDLC process and related reference and training materials.

      Throughout 2015, system implementations will go through a more robust Phase Gate
      Review process, tracking/monitoring tools and instructions on what steps and artifacts of
      the SDLC are required based on the type of project and risk profile Group Health expect
      that these changes should be fully implemented by 1213112015.

Recommendation 14- Claims Adjudication- Medical Editing for GHC
We recommend that GHC implement comprehensive medical edits in its claims
  adjudication application.

      Comment: Group Health is improving the adjudication process by implementing the
      following medical edit updates:




                                              29                          Rep01i No. 1C-54-00- 14-061
Recommendation 15- Claims Adjudication - Patient History for GHC
We recommend GHC ensure the appropriate system modifications to ensure that claims
  are compared against historical claims data to identify potential duplicates.

      Comment: Group Health is improvin g the adjudication process by implementin g the
      following system modifications:




      Comment: KPS and- - are working to improve the adjudication process by
      implementing the fo~ical edit updates:




                                            30                         Rep01i No. 1C-54-00- 14-061
                                                    to implement the appropriate system
                                                    g appropriately processing according to


       Comment: KPS is improving the adjudication process by implementing the following
       system modifications:




       Timely Filing (Professional and Facility)
              • Due to the variables in the number of days for timely filing, KPS modified the
              system with a 365-day timely filing indicator and a new report to verify that claims
              to potentially be denied due to the timely filing limitation are in fact beyond the
              timely filing limit. This will be a pre-check-run report. KPS re-tested claims after
              the change in the timely filing criterion and results were as expected. Report is
              currently in development and expected completion date is 0410112015




                                                      ensure the appropriate system
                                                      patient history issues from processing.

       Comment: KPS is improving the adjudication process by implementing the following
       system modification:

       Member History
            • • is configured to pend professional claims for the same scenario but not
            hosp1 a/ claims. A request for a new pre-check run report to capture data prior to
            fin~ion of hospital claims for this type of scenario has been submitted
            to- - with a completion date of0410112015.


If you have any questions or concerns, please let us know.


Robert O'Brien, Executive Vice President
Health Plan Division, Group Health Cooperative


 fLu~

                                               31                           Rep01i No. 1C-54-00- 14-061
Jim Page, KPS President
KPS Health Plans




                          32   Report No. 1C-54-00-14-061
                                                                                 



               Report Fraud, Waste, and 

                   Mismanagement 

                        Fraud, waste, and mismanagement in
                     Government concerns everyone: Office of
                         the Inspector General staff, agency
                      employees, and the general public. We
                    actively solicit allegations of any inefficient
                          and wasteful practices, fraud, and
                     mismanagement related to OPM programs
                    and operations. You can report allegations
                                to us in several ways:


     By Internet:        http://www.opm.gov/our-inspector-general/hotline-to-
                         report-fraud-waste-or-abuse


      By Phone:          Toll Free Number:                  (877) 499-7295
                         Washington Metro Area:             (202) 606-2423


        By Mail:         Office of the Inspector General
                         U.S. Office of Personnel Management
                         1900 E Street, NW
                         Room 6400
                         Washington, DC 20415-1100
  
                                                                                 
                                                                                 




                                         33                                Report No. 1C-54-00-14-061