U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Audit of Information Systems General and Application Controls at Group Health Cooperative and KPS Health Plans

Report Number 1C-54-00-14-061
May 18, 2015

CAUTION: This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

EXECUTIVE SUMMARY
Audit of Information Systems General and Application Controls at Group Health Cooperative and KPS Health Plans
Report No. 1C-54-00-14-061
May 18, 2015

Background

Group Health Cooperative (GHC) and KPS Health Plans (KPS) contract with the U.S. Office of Personnel Management (OPM) as part of the Federal Employees Health Benefits Program (FEHBP). KPS is a wholly owned subsidiary of GHC, and the companies share several IT resources and policies and procedures.

Why Did We Conduct the Audit?

The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in GHC's and KPS' information technology environment.

What Did We Audit?

The scope of this audit centered on the information systems used by GHC and KPS to process medical insurance claims for FEHBP members, with a primary focus on the claims adjudication applications.

What Did We Find?

Our audit at GHC and KPS determined that:
• GHC has established an adequate security management program.
• GHC and KPS have implemented controls to prevent unauthorized logical access to their systems. However, we noted the following areas of concern related to GHC's physical access controls:
  o Physical access controls over general facility access could be improved; and
  o Physical access controls over data center access could be improved.
• We noted several areas of concern related to GHC's and KPS' network security controls:
  o A patch management policy is in place, but our test work indicated that patches are not being implemented in a timely manner;
  o A methodology is not in place to ensure that unsupported or out-of-date software is not utilized;
  o Several servers were configured in an insecure manner; and
  o KPS does not have a formal firewall management policy.
• GHC has not developed formal configuration policies/baselines for all operating platforms used in its environment. Furthermore, GHC does not audit its configuration settings against documented baseline configurations.
• GHC's and KPS' business continuity and disaster recovery plans contain the key elements suggested by relevant guidance and publications.
• GHC has documented system development life cycle procedures; however, the procedures are only guidelines and are not required for all system changes.
• GHC and KPS have implemented many controls in their claims adjudication processes to ensure that FEHBP claims are processed accurately. However, we noted several opportunities for improvement in GHC's and KPS' claims application controls.

Michael R. Esser
Assistant Inspector General for Audits

ABBREVIATIONS

CFR     Code of Federal Regulations
FEHBP   Federal Employees Health Benefits Program
FISCAM  Federal Information System Controls Audit Manual
GAO     U.S. Government Accountability Office
GHC     Group Health Cooperative
HIO     Healthcare and Insurance Office
HIPAA   Health Insurance Portability and Accountability Act
IT      Information Technology
KPS     KPS Health Plans
NIST    National Institute of Standards and Technology
OIG     Office of the Inspector General
OMB     U.S. Office of Management and Budget
OPM     U.S. Office of Personnel Management
SDLC    System Development Life Cycle
SP      Special Publication

TABLE OF CONTENTS

EXECUTIVE SUMMARY ........................................................ i
ABBREVIATIONS ............................................................ ii
I.   BACKGROUND .......................................................... 1
II.  OBJECTIVES, SCOPE, AND METHODOLOGY .................................. 2
III. AUDIT FINDINGS AND RECOMMENDATIONS .................................. 5
     A. Security Management ............................................... 5
     B. Access Controls ................................................... 5
     C. Network Security .................................................. 8
     D. Configuration Management .......................................... 12
     E. Contingency Planning .............................................. 14
     F. Claims Adjudication ............................................... 15
     G. Health Insurance Portability and Accountability Act ............... 24
IV.  MAJOR CONTRIBUTORS TO THIS REPORT ................................... 25
APPENDIX: The Plans' March 30, 2015 response to the draft audit report, issued January 29, 2015 ... 26
REPORT FRAUD, WASTE, AND MISMANAGEMENT ................................... 33

I. BACKGROUND

This final report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over the information systems responsible for processing Federal Employees Health Benefits Program (FEHBP) claims by Group Health Cooperative (GHC) and KPS Health Plans (KPS). The audit was conducted pursuant to FEHBP contracts CS 1043 and CS 1767; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of Personnel Management's (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.

The FEHBP was established by the Federal Employees Health Benefits Act, enacted on September 28, 1959. The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents. The provisions of the Act are implemented by OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services.

This was our first audit of GHC's and KPS' information technology (IT) general and application controls. We also reviewed GHC's and KPS' compliance with the Health Insurance Portability and Accountability Act (HIPAA). We chose to review these two distinct health plans in one audit because KPS is a wholly owned subsidiary of GHC, and the companies share several IT resources and policies and procedures.
All GHC and KPS personnel that worked with the auditors were helpful and open to ideas and suggestions. They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary. Their positive attitude and helpfulness throughout the audit was greatly appreciated.

II. OBJECTIVES, SCOPE, AND METHODOLOGY

Objective

The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in GHC's and KPS' IT environments. We accomplished these objectives by reviewing the following areas:
• Security management;
• Access controls;
• Network security;
• Configuration management;
• Segregation of duties;
• Contingency planning;
• Application controls specific to GHC's and KPS' claims processing systems; and
• HIPAA compliance.

Scope and Methodology

This performance audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Accordingly, we obtained an understanding of GHC's and KPS' internal controls through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of GHC's and KPS' internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective.

The scope of this audit centered on the information systems used by GHC and KPS to process medical insurance claims for FEHBP members, with a primary focus on the claims adjudication applications. GHC claims are processed through a claims adjudication system managed internally by the organization. KPS licenses its claims application from a third party vendor, [redacted]. The business processes reviewed are primarily located in Tukwila and Bremerton, Washington. The on-site portion of this audit was performed from October through November of 2014. We completed additional audit work before and after the on-site visit at our office in Washington, D.C. The findings, recommendations, and conclusions outlined in this report are based on the status of information system general and application controls in place at GHC and KPS as of November 2014.

In conducting our audit, we relied to varying degrees on computer-generated data provided by GHC and KPS. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps, but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed audit steps necessary to obtain evidence that the data was valid and reliable.

In conducting this audit we:
• Gathered documentation and conducted interviews;
• Reviewed GHC's and KPS' business structure and environment;
• Performed a risk assessment of GHC's and KPS' information systems environment and applications, and prepared an audit program based on the assessment and the U.S. Government Accountability Office's (GAO) Federal Information System Controls Audit Manual (FISCAM); and
• Conducted various compliance tests to determine the extent to which established controls and procedures are functioning as intended. As appropriate, we used judgmental sampling in completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating GHC's and KPS' control structure.
These criteria include, but are not limited to, the following publications:
• Title 48 of the CFR;
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
• Information Technology Governance Institute's CobiT: Control Objectives for Information and Related Technology;
• GAO's FISCAM;
• National Institute of Standards and Technology's Special Publication (NIST SP) 800-12, Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
• NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule; and
• HIPAA Act of 1996.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether GHC's and KPS' practices were consistent with applicable standards. While generally compliant, with respect to the items tested, GHC and KPS were not in complete compliance with all standards, as described in section III of this report.

III. AUDIT FINDINGS AND RECOMMENDATIONS

A. Security Management

The security management component of this audit involved the examination of the policies and procedures that are the foundation of GHC's overall IT security controls. We evaluated GHC's ability to develop security policies, manage risk, assign security-related responsibility, and monitor the effectiveness of various system-related controls. KPS has adopted and enforces the IT policies established by GHC.

GHC has implemented a series of formal policies and procedures that comprise its security management program. The GHC Chief Information Security Officer is responsible for creating, reviewing, editing, and disseminating IT security policies. GHC has developed a thorough risk management methodology, and has procedures to document, track, and mitigate or accept identified risk. We also reviewed GHC's human resources policies and procedures related to hiring, training, transferring, and terminating employees.

Nothing came to our attention to indicate that GHC does not have an adequate security management program.

B. Access Controls

Access controls are the policies, procedures, and techniques used to prevent or detect unauthorized physical or logical access to sensitive resources. We examined the physical access controls of GHC's and KPS' facilities and data centers. We also examined the logical controls protecting sensitive data on GHC's network environment and claims processing related applications.

The access controls observed during this audit include, but are not limited to:
• Procedures for appropriately granting, revoking, and routinely auditing physical access to secure areas;
• Procedures for granting, adjusting, and auditing user access; and
• Procedures for removing network and application access for terminated employees.

The following section documents opportunities for improvement related to GHC's physical access controls.

1. Facility Access

Most GHC facility entrances are protected by either a locked door requiring an access badge or a security guard stationed at the entrance. However, we [redacted] at various times during business hours.

FISCAM states that "Access to facilities should be limited to personnel having a legitimate need for access to perform their duties. Physical controls vary, but include: manual door or cipher key locks, magnetic door locks that require the use of electronic keycards, biometrics authentication, security guards, photo IDs, entry logs, and electronic and visual surveillance systems." FISCAM also states that "By obtaining physical access to computer facilities and equipment, an individual could (1) obtain access to terminals or telecommunications equipment that provide input into the computer, (2) obtain access to confidential or sensitive information on magnetic or printed media, (3) substitute unauthorized data or programs, or (4) steal or inflict malicious damage on computer equipment and software."

We did not observe any opportunities for improvement related to facility access at any KPS facilities.

Recommendation 1

We recommend that GHC reassess its facilities' physical access management and implement controls that will ensure proper physical security.

GHC Response:

"Procedural changes have been deployed to eliminate gaps in lobby coverage. Further enhancements are being planned and will be deployed by 5/1/2015 to assure the posted security has better visual access to ID badges when persons enter through GH lobby areas. Policy and training currently conveys the expectation that [redacted]. Improvement to verbiage on the badge, access policy and related training is being developed and will be deployed by 5/1/2015 to reinforce the expectation that all persons utilize badges for secure buildings and spaces. This will create a policy violation for [redacted]."

OIG Reply:

As part of the audit resolution process, we recommend that GHC provide OPM's Healthcare and Insurance Office (HIO) with evidence that it has adequately implemented this recommendation. This statement also applies to all subsequent recommendations in this report that GHC and KPS agree to implement.

2. Access to Data Center

The GHC data center has electronic card readers to control physical access. However, we expect all FEHBP contractors to also have multi-factor authentication at data center entrances. GHC has stated that it is in the process of moving its primary data center from the office complex location in [redacted], Washington to another facility with improved controls. GHC should ensure that the new facility contains the following common access controls that we typically see at other FEHBP carrier facilities:
• Multi-factor authentication to enter the computer room (e.g., PIN code or biometric device in addition to an access card); and
• [redacted]

Failure to implement adequate physical access controls increases the risk that unauthorized individuals can gain access to the GHC data centers and the sensitive IT resources and confidential data they contain. NIST SP 800-53 Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations," provides guidance for adequately controlling physical access to information systems containing sensitive data.

We did not observe any opportunities for improvement related to facility access at the KPS data center.

Recommendation 2

We recommend that GHC reassess its data centers' physical access management and implement controls that will ensure proper physical security. At a minimum, GHC should implement multi-factor authentication at data center entrances.

GHC Response:

"Group Health is [redacted] primary data center, provided by [redacted] data center designer, owner and operator, [redacted] provides multiple levels of physical and logical security for Group Health's data center environment including:
- On-site security personnel 24 hours per day, 7 days per week
- Secure perimeter security setbacks, berms and fencing with intrusion detection
- Secure access checkpoint
- CCTV throughout campus
- Mantraps at building entrance
- Biometrics
To gain access to the Group Health data servers in the new data center environment, [redacted]"
C. Network Security

Network security includes the policies and controls used to prevent or monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. We evaluated GHC's and KPS' network security programs and also independently performed several automated vulnerability scans and compliance audits on the GHC and KPS/[redacted] operating platforms during this audit. We noted the following opportunities for improvement related to network security controls.

1. Vulnerabilities Identified in Scans

System Patching

GHC has documented vulnerability management policies and procedures that establish timeframes for remediating weaknesses. However, the results of our vulnerability scans indicate that not all critical patches, service packs, and hot fixes are implemented in a timely manner. [redacted] also conducts periodic vulnerability scanning on the technical environment supporting KPS. However, the results of our vulnerability scans on this environment also indicate that not all critical patches, service packs, and hot fixes are implemented in a timely manner.

FISCAM states that "Software should be scanned and updated frequently to guard against known vulnerabilities." NIST SP 800-53 Revision 4 states that the Plan must identify, report, and correct information system flaws and install security-relevant software and firmware updates promptly.

Failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive information could be stolen.

Recommendation 3

We recommend that GHC implement procedures and controls to ensure that production servers are updated with appropriate patches, service packs, and hotfixes on a timely basis.

GHC Response:

"Group Health has established a monthly vulnerability scanning process that looks for the existence of current software and patches per its baseline. Group Health has revised the operating system patching process and schedule to ensure monthly scanning will detect all current patches in the month they are released from the vendor. Group Health has also revised the technology platform used to deploy updates, conforming to industry best practices for efficient, effective patch deployment, as well as reporting. A comprehensive plan for remediating production systems will be completed and validated by scans scheduled for 06/01/2015."

Recommendation 4

We recommend that KPS require [redacted] to implement procedures and controls to ensure that production servers are updated with appropriate patches, service packs, and hotfixes on a timely basis.

KPS Response:

"[redacted] represents that all servers in this environment will be replaced and put on a regular monthly patch schedule by 4/30/15. [redacted] is completing a planned migration of all physical servers to [redacted] and bringing all operating systems up to [redacted] and using [redacted] for automated patching on a regularly scheduled basis. All systems will then be placed on a lifecycle with plans to upgrade as soon as new OS/app versions are validated by QA."

Noncurrent Software

The results of the vulnerability scans of GHC and KPS/[redacted] also indicated that several servers contained noncurrent software applications that were no longer supported by the vendors and have known security vulnerabilities.

FISCAM states that "Procedures should ensure that only current software releases are installed in information systems. Noncurrent software may be vulnerable to malicious code such as viruses and worms."

Failure to promptly remove outdated software increases the risk of a successful malicious attack on the information system.

Recommendation 5

We recommend that GHC implement a process to ensure that only current and supported versions of software applications are installed on the production servers.

GHC Response:

"Leveraging the monthly vulnerability scanning and other IT processes and tools, Group Health will develop a process to remediate out of date or no longer supported software on production servers by 3/31/2015. Group Health will also create a Plan to remediate, complete with timeline and completion date by 06/30/2015. The final completion date will be delivered as a component of the implementation plan itself by 06/30/2015."

Recommendation 6

We recommend that KPS require [redacted] to implement a process to ensure that only current and supported versions of software applications are installed on the production servers.

KPS Response:

"[redacted] represents that all servers in this environment will be replaced and put on a regular monthly patch schedule by 4/30/15. [redacted] is completing a planned migration of all physical servers to [redacted] and bringing all operating systems up to [redacted] and using [redacted] for automated patching on a regularly scheduled basis. All systems will then be placed on a lifecycle with plans to upgrade as soon as new OS/app versions are validated by QA."

Insecure Operating System Configuration

The results of the vulnerability scans also indicated that several GHC and [redacted] servers contained insecure configurations that could allow hackers or unprivileged users to [redacted]. We were subsequently provided evidence that GHC has since remediated this vulnerability.

NIST SP 800-53 Revision 4 states that the Plan must scan for vulnerabilities in the information system and hosted applications, analyze the reports, and remediate legitimate vulnerabilities.

Failure to remediate vulnerabilities increases the risk that hackers could exploit system weaknesses for malicious purposes.

Recommendation 7

We recommend that KPS require [redacted] to remediate the specific technical weaknesses outlined in the vulnerability scanning audit inquiry issued during the audit.

KPS Response:

"All servers in this environment will be replaced and put on a regular monthly patch schedule by the 4/30/15 date. [redacted] is completing a planned migration of all physical servers to [redacted] and bringing all operating systems up to [redacted] and using [redacted] for automated patching on a regularly scheduled basis. All systems will then be placed on a lifecycle with plans to upgrade as soon as new OS/app versions are validated by QA."

2. Firewall Management

[redacted] has implemented firewalls to help secure the network environment supporting KPS. However, a firewall configuration/hardening policy has not been developed. [redacted] also has procedures in place to document and track firewall changes. However, there is no routine review of firewall settings because there are no approved settings to which to compare the actual settings.

NIST SP 800-41 Revision 1 states that "A firewall policy dictates how firewalls should handle network traffic for specific IP addresses and address ranges, protocols, applications, and content types (e.g., active content) based on the organization's information security policies. . . . The policy should also include specific guidance on how to address changes to the rule set."

Failure to implement a thorough firewall configuration policy and continuously manage the devices' settings increases the organization's exposure to insecure traffic and vulnerabilities.

We did not observe any opportunities for improvement related to GHC's firewall management methodology.

Recommendation 8

We recommend that KPS require that [redacted] document a formal firewall management policy.

KPS Response:

"[redacted] represents that it is revising its firewall management policies and will have an approved policy in place by 04/30/2015. [redacted] and [redacted] have both been installed with full automation expected to be completed by the end of 4/30/15. Once automation is complete, [redacted] will be conducting full reviews at least twice per year to ensure compliance with the established policy."
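The firewall finding above turns on one point: without an approved rule set there is nothing to compare the running configuration against, so a "review" cannot produce findings. The following Python script is an added example of what such a routine review looks like once an approved policy exists. It is not code from the report, GHC, KPS or the KPS vendor; the vendor-neutral rule-line format, the sample running rule set and the approved-flow list are constructed for this example. It flags permits that are not in the approved policy, any/any permits, a missing final default deny, and permits that an earlier deny already shadows (dead rules, usually a sign the set was edited without review).

```python
"""Review a firewall rule set against an approved policy.

Illustrative example only: the rule-line format, the sample rule set and the
approved policy below are constructed for this example. They are not the
configuration of any firewall discussed in the report; the vendor-neutral
format stands in for whatever the real device exports.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "permit" or "deny"
    src: str      # IPv4 CIDR or "any"
    dst: str      # IPv4 CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port number or "any"


# Constructed approved policy: the only flows the (hypothetical) firewall
# management policy authorises, as (src, dst, proto, port).
APPROVED_POLICY: Set[Tuple[str, str, str, str]] = {
    ("10.10.0.0/24", "10.20.0.5/32", "tcp", "443"),   # web tier -> claims app
    ("10.20.0.0/24", "10.30.0.7/32", "tcp", "1433"),  # app tier -> database
    ("10.0.0.0/8",   "10.40.0.9/32", "udp", "53"),    # internal DNS
}

# Constructed export of the running rule set, evaluated top to bottom.
RUNNING_RULESET = """
# name         action  src            dst            proto  port
web-to-app     permit  10.10.0.0/24   10.20.0.5/32   tcp    443
app-to-db      permit  10.20.0.0/24   10.30.0.7/32   tcp    1433
dns            permit  10.0.0.0/8     10.40.0.9/32   udp    53
temp-vendor    permit  any            any            any    any
legacy-ftp     permit  10.10.0.0/24   10.30.0.7/32   tcp    21
block-mgmt     deny    any            10.50.0.0/24   tcp    22
mgmt-ssh       permit  10.10.0.5/32   10.50.0.1/32   tcp    22
default-deny   deny    any            any            any    any
"""


def parse_ruleset(text: str) -> List[Rule]:
    """Parse the constructed six-column format; comments start with '#'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6 or fields[1] not in ("permit", "deny"):
            raise ValueError(f"malformed rule line: {raw!r}")
        rules.append(Rule(*fields))
    return rules


def _net_covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (_net_covers(outer.src, inner.src)
            and _net_covers(outer.dst, inner.dst)
            and outer.proto in ("any", inner.proto)
            and outer.port in ("any", inner.port))


def is_catch_all(rule: Rule) -> bool:
    return rule.src == "any" and rule.dst == "any" and rule.port == "any"


def review_ruleset(rules: List[Rule], approved) -> List[Tuple[str, str]]:
    """Return (finding_code, rule_name) pairs for every deviation from policy."""
    findings = []
    if not rules or not (rules[-1].action == "deny" and is_catch_all(rules[-1])):
        findings.append(("MISSING_DEFAULT_DENY", "<end of rule set>"))
    for index, rule in enumerate(rules):
        if rule.action != "permit":
            continue
        if is_catch_all(rule):
            findings.append(("ANY_ANY_PERMIT", rule.name))
            continue
        if (rule.src, rule.dst, rule.proto, rule.port) not in approved:
            findings.append(("NOT_IN_APPROVED_POLICY", rule.name))
        # A permit that an earlier deny already matches never fires.
        if any(earlier.action == "deny" and covers(earlier, rule)
               for earlier in rules[:index]):
            findings.append(("SHADOWED_BY_DENY", rule.name))
    return findings


if __name__ == "__main__":
    for code, name in review_ruleset(parse_ruleset(RUNNING_RULESET), APPROVED_POLICY):
        print(f"{code:24} {name}")
```

On the constructed rule set the review reports the any/any "temp-vendor" permit, the unapproved "legacy-ftp" permit, and "mgmt-ssh" twice (unapproved, and shadowed by the earlier "block-mgmt" deny); the three approved flows produce no findings. Scheduling this against each device's export gives the "routine configuration review" the recommendation asks for, and the approved-policy set is the artifact the firewall management policy has to define before the review means anything.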
Recommendation 9

We recommend that KPS require that [redacted] implement a process to conduct routine configuration reviews on its network firewalls to ensure performance and security optimization, as defined by the firewall management policy.

KPS Response:

KPS provided the same response as for Recommendation 8.

D. Configuration Management

The GHC claims processing application is [redacted]. The system includes many supporting applications and system interfaces. Additional supporting applications are hosted in data centers owned and operated by GHC. We evaluated GHC's management of the configuration of these platforms and determined that the following controls were in place:
• Documented build standards and procedures; and
• Thorough change management procedures for system software.

KPS' claims processing system is hosted and maintained by [redacted]. The claims processing application is housed in a distributed server environment. We evaluated configuration management of the claims processing system and determined that the following controls were in place:
• Documented configuration baselines; and
• Thorough change management procedures for system software.

The sections below document areas for improvement related to GHC's and [redacted]'s configuration management controls.

1. Baseline Configurations

GHC has created build standards and procedures for deploying new servers and databases. However, during the fieldwork phase of this audit, GHC had not documented baseline configurations for all operating platforms used by the organization. A baseline configuration is a formally approved policy or standard outlining how to securely configure an operating platform. We were subsequently provided evidence that baseline policies are in the process of being created for several operating platforms using Center for Internet Security standards. We were told that full implementation of the baselines is scheduled for February 2015.

NIST SP 800-53 Revision 4 states that an organization must develop, document, and maintain a current baseline configuration of the information system.

Failure to establish approved system configuration settings increases the risk that systems are deployed with inconsistent or insecure settings and do not meet the security and performance requirements defined by the organization.

[redacted] has documented adequate baseline configurations for the operating platforms supporting KPS.

Recommendation 10

We recommend that GHC document approved baseline configurations for all [redacted].

GHC Response:

"Group Health has incorporated baseline configuration standards into the new production [redacted] build image; such that all new production builds adhere to the desired configuration outcome. In addition, all new production [redacted] are also built with [redacted] installed to help ensure the desired configuration state is maintained over time. Existing production [redacted] will be brought into compliance of the baseline security configuration standards by September 31, 2015."

2. Configuration Compliance Auditing

As noted above, GHC does not maintain approved operating platform secure configuration baselines for its [redacted]. Therefore, GHC cannot effectively audit the system's security settings (i.e., there are no approved settings to which to compare the actual settings). We were told that GHC is in the process of implementing tools to assist with configuration compliance auditing on existing [redacted], which will be complete in February 2015.

[redacted] has created baseline configuration policies for its servers and databases that process claims data. However, it does not routinely audit its configurations to ensure compliance. [redacted] has recently completed the installation of two tools that will allow it to review system configurations. However, full automation of these tools is not planned until the first quarter of 2015.

NIST SP 800-53 Revision 4 states that an organization must monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
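The compliance audit this section describes is a mechanical comparison: an approved baseline on one side, the settings captured from each production host on the other, and a report of every difference. The Python below is an added example of that comparison; it is not GHC's, KPS' or the vendor's tooling, and the baseline entries, host names and captured sshd_config fragments are constructed for this example (the entries are loosely modelled on CIS-style SSH hardening recommendations, not copied from any benchmark). Two points it makes that the prose does not: a baseline needs comparison operators, not just literal values (a maximum for retry counts, an allowed set for log levels), and a setting that is simply absent from the host is drift, because the daemon default then applies rather than the approved value.

```python
"""Audit captured host configurations against an approved baseline.

Illustrative example only: the baseline, host names and captured settings are
constructed for this example. They are not the baselines of GHC, KPS or their
vendor, and the values are loosely modelled on CIS-style sshd_config guidance
rather than taken from any published benchmark.
"""
from dataclasses import dataclass
from typing import Dict, List

# Approved baseline as (setting, operator, expected). Operators:
#   eq  -> value must equal expected (case-insensitive)
#   max -> integer value must be <= expected
#   min -> integer value must be >= expected
#   in  -> value must be one of expected (case-insensitive)
BASELINE = [
    ("PermitRootLogin", "eq", "no"),
    ("PasswordAuthentication", "eq", "no"),
    ("X11Forwarding", "eq", "no"),
    ("MaxAuthTries", "max", 4),
    ("ClientAliveInterval", "min", 1),
    ("LogLevel", "in", {"INFO", "VERBOSE"}),
]


@dataclass(frozen=True)
class Deviation:
    host: str
    setting: str
    expected: str
    actual: str   # "<unset>" when the host does not set the value at all


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines (sshd_config style); keys are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def _compliant(op: str, expected, actual: str) -> bool:
    if op == "eq":
        return actual.lower() == str(expected).lower()
    if op == "in":
        return actual.upper() in {str(v).upper() for v in expected}
    try:
        number = int(actual)
    except ValueError:
        return False            # non-numeric where the baseline needs a number
    return number <= expected if op == "max" else number >= expected


def _describe(op: str, expected) -> str:
    if op == "in":
        return "one of " + ", ".join(sorted(map(str, expected)))
    return {"eq": "", "max": "<= ", "min": ">= "}[op] + str(expected)


def audit_host(host: str, settings: Dict[str, str], baseline) -> List[Deviation]:
    """Every baseline entry the host fails, including entries it leaves unset."""
    deviations = []
    for setting, op, expected in baseline:
        actual = settings.get(setting.lower())
        if actual is None:
            # Unset means the daemon default applies, which is not an approved state.
            deviations.append(Deviation(host, setting, _describe(op, expected), "<unset>"))
        elif not _compliant(op, expected, actual):
            deviations.append(Deviation(host, setting, _describe(op, expected), actual))
    return deviations


def audit_fleet(captures: Dict[str, str], baseline) -> Dict[str, List[Deviation]]:
    return {host: audit_host(host, parse_config(text), baseline)
            for host, text in captures.items()}


# Constructed captures of /etc/ssh/sshd_config from two hypothetical hosts.
CAPTURES = {
    "claims-app-01": """
        PermitRootLogin no
        PasswordAuthentication no
        X11Forwarding no
        MaxAuthTries 4
        ClientAliveInterval 300
        LogLevel VERBOSE
    """,
    "claims-db-01": """
        PermitRootLogin yes          # drift: root login enabled
        X11Forwarding no
        MaxAuthTries 6               # drift: above the approved maximum
        ClientAliveInterval 0        # drift: idle sessions never time out
        LogLevel INFO
        # PasswordAuthentication is missing, so the daemon default applies
    """,
}

if __name__ == "__main__":
    for host, deviations in audit_fleet(CAPTURES, BASELINE).items():
        print(f"{host}: {'compliant' if not deviations else ''}")
        for d in deviations:
            print(f"  {d.setting}: expected {d.expected}, found {d.actual}")
```

The same structure serves database parameters or any other key/value configuration; only the parser and the baseline table change. Run against the constructed captures, "claims-app-01" is clean and "claims-db-01" reports four deviations, one of them the unset PasswordAuthentication value that a naive "compare the values present" check would miss.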
1C-54-00-14-061 FISCAM requires cmTent configuration inf01mation to be routinely monitored for accuracy. Monitoring should address the baseline and operational configuration of the hardware, software, and fnmware that comprise the infonnation system. Failure to implement a thorough configuration compliance auditing program increases the risk that insecurely configured servers exist undetected, creating a potential gateway for malicious vnu s and hacking activity that could lead to data breaches. Recommendation 11 We recommend that GHC routinely audit all server, database, and mainframe security configuration settings to ensure they are in compliance with approved baselines. GHC Response: "All new production are currently built w i t h - installed to help ensure the desired configuration state is maintained over time. All existing production will be retrofitted w i t h - by " Recommendation 12 We recommend that KPS requn·e- to routinely audit all server and database security configuration settings to ensure they are in compliance with the approved baselines. KPS Response: '- represents that it is revising its configuration management policy and will have an approved policy in place b y - . have both been installed with full automation expected to be completed by the end Once automation is complete,- will be conducting full reviews at least twice per year to ensure they comply with the established policy. - continues with ongoing change management procedures with respect to evaluations and approval ofall applicable configuration changes for specific devices." E. Contingency Planning We reviewed the following elements of GHC 's and KPS ' contingency planning programs to dete1mine whether controls were in place to prevent or minimize intenuptions to business operations when disastrous events occur: • Disaster recove1y plan; • Business continuity plan; • Disaster recove1y plan tests; and • Emergency response procedures. 14 Rep01i No. 
We determined that the service continuity documentation contained the critical elements suggested by NIST SP 800-34 Revision 1, "Contingency Planning Guide for Federal Information Systems." GHC and KPS have identified and prioritized the systems and resources that are critical to business operations, and have developed detailed procedures to recover those systems and resources. Nothing came to our attention to indicate that GHC or KPS have not implemented adequate controls related to contingency planning.

F. Claims Adjudication
The following sections detail our review of the applications and business processes supporting the GHC and KPS claims adjudication process. The following sections address both the GHC claims system, [redacted], and the KPS claims system hosted by [redacted].

1. Application Configuration Management
We evaluated the policies and procedures governing application development and change control of GHC's and KPS' claims processing systems. KPS and [redacted] have documented system development life cycle (SDLC) procedures that IT personnel follow during routine software modifications. All changes require approval and undergo testing prior to migration to the production environment. We do not have any concerns regarding KPS' application configuration management process.

GHC has also implemented procedures related to application configuration management, and has adopted an SDLC methodology. However, these SDLC procedures are "guidelines" and are not required for all application changes; GHC's SDLC process is not enforced on all application changes. We were told that a new SDLC methodology will be implemented in the future that will specify certain required items for medium to large system implementations.

NIST SP 800-53 Revision 4 states that an organization must manage the information systems using a system development life cycle that incorporates information security considerations.
Failure to enforce the SDLC procedure for all application changes increases the risk that changes could be made that are not approved and not adequately tested. This could increase the risk that defective or malicious code could be introduced into the production environment without management's knowledge.

Recommendation 13
We recommend that GHC update its SDLC policy to require all application changes to go through the documented SDLC process.

GHC Response:
"Group Health will update the Change Management Policy to require all updates to the application portfolio to follow the SDLC process. In addition, Group Health has updated the SDLC process and related reference and training materials. Throughout 2015, system implementations will go through a more robust Phase Gate Review process, with tracking/monitoring tools and instructions on what steps and artifacts of the SDLC are required based on the type of project and risk profile. Group Health expects that these changes should be fully implemented by 12/31/2015."

2. Claims Processing System
We evaluated the input, processing, and output controls associated with the GHC and KPS claims processing systems. We determined that GHC and KPS have implemented policies and procedures to help ensure that:
• GHC paper claims that are received in the mail room are tracked to ensure timely processing;
• Claims are monitored as they are processed through the systems, with real-time tracking of the system's performance; and
• Claims scheduled for payment are actually paid.

While on-site at the KPS facility in Bremerton, Washington, we observed that incoming mail was not logged before being transferred to another location for processing. Failure to log incoming mail increases the risk that claims or checks could be lost during shipment. We subsequently received evidence that KPS has since remediated the weakness by implementing mail logging procedures.
Nothing else came to our attention to indicate that GHC or KPS have not implemented adequate controls over their claims processing systems.

3. Enrollment
We evaluated GHC's and KPS' procedures for managing their databases of member enrollment data. Enrollment information is received electronically or in paper format and entered into the claims processing system. Enrollment transactions are audited weekly to ensure information is entered accurately. We do not have any concerns regarding GHC's or KPS' enrollment policies and procedures.

4. Debarment
GHC and KPS have adequate procedures for updating their claims processing systems with debarred provider information. GHC and KPS download the OPM OIG debarment list every month and make the appropriate updates to their provider databases. Any claim submitted for a debarred provider is flagged by GHC and KPS to prevent claims submitted by that provider from being processed successfully during the claims adjudication process. Nothing came to our attention to indicate that GHC or KPS have not implemented adequate controls over the debarment process.

5. Application Controls Testing
We conducted tests on both GHC's and KPS' claims processing applications to validate the systems' claims adjudication controls. The exercise involved processing test claims designed with inherent flaws and evaluating the manner in which the systems processed and adjudicated the claims. The test results from GHC and KPS are documented separately below.

Group Health Cooperative
Our test results indicate that the GHC system has controls and edits in place to identify the following scenarios:
• Exact duplicate claims;
• Gender / Procedure inconsistency;
• Facility / Procedure inconsistency;
• Invalid place of service;
• Catastrophic maximum;
• Eligibility;
• Surgeon / Assistant surgeon;
• Coordination of benefits;
• Bundling charges; and
• Timely filing.
The sections below document opportunities for improvement related to GHC's claims application controls.

a. Medical Editing
Our claims testing exercise identified several scenarios where the GHC claims processing system failed to detect medical inconsistencies. For each of the following scenarios, a test claim was processed and paid without encountering any edits detecting the inconsistency:
• [redacted]
• [redacted]

The examples outlined above represent only a small number of the medically inconsistent scenarios that could be detected by comprehensive medical edits in the system. The list is not intended to be all-inclusive, and GHC's efforts to address this finding should be focused on a comprehensive medical edit solution. Failure to detect these inconsistencies increases the risk that benefits are being paid for procedures that were not actually performed.

Recommendation 14
We recommend that GHC implement comprehensive medical edits in its claims adjudication application.

GHC Response:
"Group Health is improving the adjudication process by implementing the following medical edit updates:
[redacted]"

OIG Reply:
While the process may detect and deny some forms of inconsistencies, we believe that an [redacted] would increase the likelihood of detecting and suspending these types of claims from processing. Therefore, we continue to recommend that GHC implement comprehensive medical edits in its claims adjudication application.

b. Patient History
Our claims testing exercise identified several scenarios where the GHC claims processing system did not adequately compare current claims to a patient's historical claims. For each of the following scenarios, a test claim was processed and paid without encountering any edits detecting the issue:
o [redacted]
o [redacted]
o [redacted]

Due to the potentially fraudulent nature of this scenario, we expected the system to suspend these claims for further review; however, no edit was generated by the system.
Failure to detect duplicate claims or member history inconsistencies increases the risk that fraudulent or erroneous claims are paid.

Recommendation 15
We recommend that GHC make the appropriate system modifications to ensure that claims are compared against historical claims data to identify potential duplicates.

GHC Response:
"Group Health is improving the adjudication process by implementing the following system modifications:
[redacted]"

c. Benefit Structure
Our claims testing exercise identified a scenario where the GHC claims processing system failed to apply the FEHBP benefit structure correctly.
• Timely filing (Professional & Facility): the GHC claims processing system is not appropriately following the timely filing limit outlined in the FEHBP brochure. According to the brochure, claims must be submitted by December 31 of the year after the year in which the service was received. Currently, GHC allows only one year from the date of service to submit a claim, while OPM allows until the end of the calendar year after the year of the date of service.

We received evidence after the fieldwork phase of the audit indicating that GHC has since resolved this issue. The filing limit has been updated so that, for FEHB members, the timely filing limit is extended until the end of the year following the year in which services were provided.

KPS Health Plans
Our test results indicate that the [redacted] system has controls and edits in place to identify the following scenarios:
• Exact duplicate claims;
• Gender / Procedure inconsistency;
• Facility / Procedure inconsistency;
• Invalid place of service;
• Catastrophic maximum;
• Eligibility;
• Surgeon / Assistant surgeon;
• Coordination of benefits; and
• Bundling charges.

The following sections document opportunities for improvement related to KPS' claims application controls:

a. Medical Editing
Our claims testing exercise identified several scenarios where the KPS claims processing system failed to detect medical inconsistencies. For each of the following scenarios, a test claim was processed and paid without encountering any edits detecting the inconsistency:
[redacted]

The examples outlined above represent only a small number of the medically inconsistent scenarios that could be detected by comprehensive medical edits in the system. The list is not intended to be all-inclusive, and KPS' efforts to address this finding should be focused on a comprehensive medical edit solution. Failure to detect these medical inconsistencies increases the risk that benefits are being paid for procedures that were not actually performed.

Recommendation 16
We recommend that KPS work with [redacted] to implement comprehensive medical edits in its claims adjudication application.

KPS Response:
"KPS and [redacted] are working to improve the adjudication process by implementing the following medical edit updates:
[redacted]"

b. Benefit Structure
Our claims testing exercise identified scenarios where the KPS claims processing system failed to detect benefit structure inconsistencies. For each of the following scenarios, a test claim was processed and paid without encountering any edits detecting the inconsistency:
• [redacted]
• Timely filing (Professional & Facility): KPS' claims processing system is not appropriately following the timely filing limit. According to the FEHBP brochure, claims must be submitted by December 31 of the year after the year in which the service was received. Currently, KPS allows only one year from the date of service to submit a claim; and
• [redacted]

Failure to ensure the claims processing system is correctly following the benefit structure increases the risk that claims are being incorrectly paid.
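The timely filing discrepancy found at both GHC and KPS, in working form, as an added example that is not part of the report and is not GHC's, KPS' or their vendor's claims logic. It encodes the FEHBP brochure rule (a claim must be submitted by December 31 of the year after the year the service was received) beside the one-year-from-date-of-service rule the audit found in place, and lists the claims the two rules adjudicate differently. The claim records are constructed; treating "by December 31" as inclusive of December 31 is an assumption.

```python
"""Added example: the FEHBP timely filing edit from the benefit structure findings.

Illustrative code, not GHC's, KPS' or their vendor's claims logic. The sample
claims below are constructed, and the deadline is assumed to be inclusive.
"""
from datetime import date, timedelta
from typing import List, NamedTuple


class Claim(NamedTuple):
    claim_id: str          # constructed identifier, not a real claim number
    date_of_service: date
    date_received: date


def fehbp_filing_deadline(date_of_service: date) -> date:
    """Brochure rule: December 31 of the year following the year of service."""
    return date(date_of_service.year + 1, 12, 31)


def one_year_filing_deadline(date_of_service: date) -> date:
    """Rule the audit found in place: 365 days from the date of service."""
    return date_of_service + timedelta(days=365)


def timely_under_fehbp(claim: Claim) -> bool:
    # Assumes "by December 31" includes December 31 itself.
    return claim.date_received <= fehbp_filing_deadline(claim.date_of_service)


def timely_under_one_year(claim: Claim) -> bool:
    return claim.date_received <= one_year_filing_deadline(claim.date_of_service)


def wrongly_denied(claims: List[Claim]) -> List[str]:
    """Claims the 365-day edit denies although the brochure rule accepts them.

    The brochure deadline is never earlier than the 365-day one (365 days from
    any date in year Y falls no later than December 31 of Y+1), so the one-year
    edit can only over-deny; it never pays a claim the brochure would reject.
    """
    return [c.claim_id for c in claims
            if timely_under_fehbp(c) and not timely_under_one_year(c)]


# Constructed sample claims; dates chosen to exercise the boundary.
SAMPLE_CLAIMS: List[Claim] = [
    Claim("C-001", date(2014, 3, 15), date(2014, 9, 1)),     # timely under both rules
    Claim("C-002", date(2014, 3, 15), date(2015, 6, 1)),     # past 365 days, before 12/31/2015
    Claim("C-003", date(2014, 3, 15), date(2016, 1, 4)),     # late under both rules
    Claim("C-004", date(2014, 12, 30), date(2015, 12, 31)),  # received on the brochure deadline
]

if __name__ == "__main__":
    for c in SAMPLE_CLAIMS:
        print(c.claim_id, "brochure:", timely_under_fehbp(c),
              "365-day:", timely_under_one_year(c))
    print("denied only by the 365-day edit:", wrongly_denied(SAMPLE_CLAIMS))
```

On the constructed sample, C-002 and C-004 are timely under the brochure rule but denied by the 365-day edit; C-004 shows the one-day boundary at the end of the following calendar year. A pre-payment report of exactly this set (claims the system would deny for timely filing that the brochure rule still accepts) is the check a reviewer would want before the edit is trusted in production.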
Recommendation 17
We recommend that KPS work with [redacted] to implement the appropriate system modifications to ensure that claims are being appropriately processed according to the benefit structure.

KPS Response:
"KPS is improving the adjudication process by implementing the following system modifications:
Timely Filing (Professional and Facility)
Due to the variables in the number of days for timely filing, KPS modified the system with a 365-day timely filing indicator and a new report to verify that claims to potentially be denied due to the timely filing limitation are in fact beyond the timely filing limit. This will be a pre-check-run report. KPS re-tested claims after the change in the timely filing criterion and results were as expected. The report is currently in development and the expected completion date is 04/01/2015."

c. Patient History
Our claims testing exercise identified several scenarios where the KPS claims processing system did not adequately compare current claims to a patient's historical claims. For the following scenarios, a test claim was processed and paid without encountering any edits detecting the issue:
o [redacted]
o [redacted]

Failure to detect patient history issues increases the risk that fraudulent or erroneous claims are paid.

Recommendation 18
We recommend that KPS work with [redacted] to ensure the appropriate system modifications are made to prevent claims with patient history issues from processing.

KPS Response:
"KPS is improving the adjudication process by implementing the following system modification:
[redacted]"

G. Health Insurance Portability and Accountability Act
We reviewed GHC's and KPS' efforts to maintain compliance with the security and privacy standards of HIPAA. GHC created and maintains the HIPAA policies and procedures that KPS enforces. GHC has implemented a collection of IT security policies and procedures to address the requirements of the HIPAA security rule.
GHC has also developed a series of privacy policies and procedures that address requirements of the HIPAA privacy rule. GHC reviews its HIPAA privacy and security policies annually and updates them when necessary. The GHC legal office oversees all HIPAA activities, and publishes and maintains corporate policies. Privacy and security training is provided periodically to all employees. Nothing came to our attention to indicate that GHC is not in compliance with the various requirements of HIPAA regulations.

IV. MAJOR CONTRIBUTORS TO THIS REPORT
Information Systems Audit Group
[redacted], Auditor-In-Charge
[redacted], IT Auditor
[redacted], IT Auditor
[redacted], IT Auditor
[redacted], Group Chief

Appendix

Group Health
Date: 03/30/2015
To: [redacted], U.S. Office of Personnel Management
From: [redacted], Executive Vice President, Health Plan Division, Group Health Cooperative; and Jim Page, KPS President, KPS Health Plans
Re: GHC & KPS Health Plan IT General and Application Controls Audit 2014; findings and recommendations

This memorandum is provided in response to findings and recommendations noted in OIG's draft audit report issued on 01/29/2015. Group Health Cooperative and KPS have reviewed the OIG's findings and recommendations and provide the following response.

Recommendation 1 - Facility Access for GHC
We recommend that GHC reassess its facilities' physical access management and implement controls that will ensure proper physical security.
Comment: Procedural changes have been deployed to eliminate gaps in lobby coverage. Further enhancements are being planned and will be deployed by 5/1/2015 to assure the posted security has better visual access to ID badges when persons enter through GH lobby areas.

Recommendation 2 - Access to Data Center for GHC
We recommend that GHC reassess its data centers' physical access management and implement controls that will ensure proper physical security.
At a minimum, GHC should implement multi-factor authentication at data center entrances.
Comment: [redacted] provides multiple levels of physical [redacted] including:
- On-site security personnel 24 hours per day, 7 days per week
- Secure perimeter: security setbacks, berms and fencing with intrusion detection
- Secure access checkpoint
- CCTV throughout campus
- Mantraps at building entrance
- Biometrics

Recommendation 3 - Network Security - System Patching for GHC
We recommend that GHC implement procedures and controls to ensure that production servers are updated with appropriate patches, service packs, and hotfixes on a timely basis.
Comment: Group Health has established a monthly vulnerability scanning process that looks for the existence of current software and patches per its baseline. Group Health has revised the operating system patching process and schedule to ensure monthly scanning will detect all current patches in the month they are released from the vendor. Group Health has also revised the technology platform used to deploy updates, conforming to industry best practices for efficient, effective patch deployment, as well as reporting. A comprehensive plan for remediating production systems will be completed and validated by scans scheduled for 06/01/2015.

[redacted] implement procedures and controls to [redacted] with appropriate patches, service packs, [redacted]
Comment: [redacted] represents that all servers in this environment will be replaced and put on a regular monthly patch schedule by 4/30/15. [redacted] is a planned migration of all servers to [redacted] operating systems up to [redacted] patching on a [redacted]. All [redacted] on a lifecycle with plans to upgrade as soon as new OS/app versions are validated by QA.

Recommendation 5 - Network Security - Non-Current Software for GHC
We recommend that GHC implement a process to ensure that only current and supported versions of software applications are installed on the production servers.
Comment: Leveraging the monthly vulnerability scanning and other IT processes and tools, Group Health will develop a [redacted] process to remediate out-of-date or no-longer-supported software on production servers by 3/31/2015. Group Health will also create a plan to remediate, complete with timeline and completion date, by 06/30/2015. The final completion date will be delivered as a component of the implementation plan itself by 06/30/2015.

[redacted] implement a process to ensure that only [redacted] applications are installed on the [redacted]
Comment: [redacted] represents that all servers in this environment will be replaced and put on a regular monthly patch schedule by the 4/30/15 date. [redacted] is a planned migration of all servers to [redacted] all operating systems up [redacted] automated patching [redacted] be placed on a lifecycle with plans to upgrade as soon as new OS/app versions are validated by QA.

Recommendation 7 - Network Security - Insecure Operating System Configuration for KPS
We recommend that KPS require [redacted] to remediate the specific technical weaknesses outlined in the vulnerability scanning audit inquiry issued during the audit.
Comment: All servers in this environment will be replaced and put on a regular monthly patch schedule by the 4/30/15 date. [redacted] is completing a planned migration of all servers to [redacted] and [redacted] operating systems up to [redacted] patching on a regular [redacted]. All [redacted] on a lifecycle with plans to upgrade as soon as new OS/app versions are validated by QA.

We recommend that KPS require that [redacted] implement a process to conduct routine configuration reviews on its firewalls to ensure performance and security optimization, as defined by the firewall management policy.
Comment: [redacted] represents that it is revising its firewall management [redacted] will have a [redacted] policy in place by 04/30/2015. [redacted] have both been installed with full automation expected to [redacted] 5. Once automation is complete, [redacted] will be conducting full reviews at least twice per year to ensure compliance with the established policy.
Comment: Group Health has incorporated baseline configuration standards into the new production build image, such that all new production builds adhere to the desired configuration outcome. In addition, all new [redacted] are also built with [redacted] installed to help ensure the desired configuration [redacted] maintained over time. Existing production [redacted] will be brought into compliance with the baseline security configuration standards by September 31, 2015.

Recommendation 11 - Configuration Management - Configuration Compliance Auditing for GHC
We recommend that GHC routinely audit all server, database, and mainframe security configuration settings to ensure they are in compliance with approved baselines.
Comment: All new production [redacted] servers are currently built with [redacted] installed to help ensure the desired configuration state is maintained over time. Existing production [redacted] servers will be retrofitted with [redacted] by [redacted].

Recommendation 12 - Configuration Management - Configuration Compliance Auditing for KPS
We recommend that KPS require [redacted] to routinely audit all server and database security configuration settings to ensure they are in compliance with the approved baselines.

Recommendation 13 - Application Configuration Management for GHC
We recommend that GHC update its SDLC policy to require all application changes go through the documented SDLC process.
Comment: Group Health will update the Change Management Policy to require all updates to the application portfolio to follow the SDLC process. In addition, Group Health has updated the SDLC process and related reference and training materials. Throughout 2015, system implementations will go through a more robust Phase Gate Review process, with tracking/monitoring tools and instructions on what steps and artifacts of the SDLC are required based on the type of project and risk profile. Group Health expects that these changes should be fully implemented by 12/31/2015.
Recommendation 14 - Claims Adjudication - Medical Editing for GHC
We recommend that GHC implement comprehensive medical edits in its claims adjudication application.
Comment: Group Health is improving the adjudication process by implementing the following medical edit updates:
[redacted]

Recommendation 15 - Claims Adjudication - Patient History for GHC
We recommend GHC ensure the appropriate system modifications to ensure that claims are compared against historical claims data to identify potential duplicates.
Comment: Group Health is improving the adjudication process by implementing the following system modifications:
[redacted]

Comment: KPS and [redacted] are working to improve the adjudication process by implementing the following medical edit updates:
[redacted]

[redacted] to implement the appropriate system [redacted] appropriately processing according to [redacted]
Comment: KPS is improving the adjudication process by implementing the following system modifications:
Timely Filing (Professional and Facility)
• Due to the variables in the number of days for timely filing, KPS modified the system with a 365-day timely filing indicator and a new report to verify that claims to potentially be denied due to the timely filing limitation are in fact beyond the timely filing limit. This will be a pre-check-run report. KPS re-tested claims after the change in the timely filing criterion and results were as expected. The report is currently in development and the expected completion date is 04/01/2015.

[redacted] ensure the appropriate system [redacted] patient history issues from processing.
Comment: KPS is improving the adjudication process by implementing the following system modification:
Member History
• [redacted]
• [redacted] is configured to pend professional claims for the same scenario but not hospital claims. A request for a new pre-check run report to capture data prior to finalization of hospital claims for this type of scenario has been submitted to [redacted] with a completion date of 04/01/2015.
If you have any questions or concerns, please let us know.

Robert O'Brien, Executive Vice President
Health Plan Division, Group Health Cooperative

Jim Page, KPS President
KPS Health Plans

Report Fraud, Waste, and Mismanagement
Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector General staff, agency employees, and the general public. We actively solicit allegations of any inefficient and wasteful practices, fraud, and mismanagement related to OPM programs and operations. You can report allegations to us in several ways:
By Internet: http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-or-abuse
By Phone: Toll Free Number: (877) 499-7295; Washington Metro Area: (202) 606-2423
By Mail: Office of the Inspector General, U.S. Office of Personnel Management, 1900 E Street, NW, Room 6400, Washington, DC 20415-1100
Published by the Office of Personnel Management, Office of Inspector General on 2015-05-18.