U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS
Audit of Information Systems General and Application Controls
at Group Health Cooperative and KPS Health Plans
Rep o rt Numbe r 1C-54-00-14-061
M ay18,2015
--CAUTION -
This audit r epot·t has been distributed to Federal officials who are n sponsible for the administration of the audited program. T his audit report may
contain pt·opl'ietat·y data which is protected by Federal l aw (18 U.S.C. 1905). Therefot·e, while this audit report is available undet· the Freedom of
Information Act and made available to the public on t he OIG webpage (http:lhmmv.opm.govl our-iu spector-geuernl), caution needs t o be exer cised
before releasing the t·epot·t to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
EXECUTIVE SUMMARY
Audit ofInformation Systems General and Application Controls at Group Health Cooperative
and KPS Health Plans
Repot·t ~o 1C-54-00-14-061 :\lay 18, 2015
Background What Did We Find?
Group Health Cooperative (GHC) and KPS Our audit at GHC and KPS detennined that:
Health Plans (K.PS) contract with the U.S. • GHC has established an adequate security management program.
Office of Personnel Management (OPM) as • GHC and KPS have implemented controls to prevent unauthorized logical
part ofthe Federal Employees Health access to its systems. However, we noted the following areas of concem
Benefits Program (FEHBP). KPS is a related to GHC's physical access controls:
wholly ov.rned subsidiary of GHC, and the o Physical acce ss controls over general facility access could be improved,
companies share several IT resources and and
policies and procedures. o Physical access controls over data center access could be improved.
• We noted several areas of concem related to GHC 's and KPS ' network
Why Did W e C onduct the Audit? security controls:
The objectives of this audit were to
o A patch management policy is in place, but our test w ork indicated that
evaluate controls over the confidentiality,
patches are not being implemented in a timely manner;
integrity, and availability of FEHBP data
o A methodology is not in place to ensure that unsuppmt ed or out-of-date
p rocessed and maintained in GHC 's and
software is not utilized;
KPS ' infonnation technology
o Several servers were configured in an insecure manner; and
environment.
o KPS does not have a fmmal firewall management policy.
• GHC has not developed fmmal configuration policies/baselines for all
What Did Wt> Audit? operating platfmms used in its environment. Fmthennore, GHC does not
audit its configuration settings against documented baseline configurations.
The scope of this audit centered on the • GHC's and KPS ' business continuity and disaster recovery plans contain
infonnation systems used by GHC and KPS the key elements suggested by relevant guidance and publications.
to process medical insurance claims for
• GHC has documented system development lifecycle procedures, however,
FEHBP members, with a primary focus on
the procedures are only guidelines and are not required for all system
the claims adjudication applications.
changes.
• GHC and KPS have implemented many controls in their claims
adjudication p rocesses to ensure that FEHBP clairns are processed
accurately. However, we noted several opportunities for improvement in
GHC's and KPS ' claims applicat ion controls .
Michael R. Esser
Assistant Inspector General
for Audits
ABBREVIATIONS
CFR Code of Federal Regulations
FEHBP Federal Employees Health Benefits Program
FISCAM Federal Information System Controls Audit Manual
GAO U.S. Government Accountability Office
GHC Group Health Cooperative
IT Information Technology
HIO Healthcare and Insurance Office
HIPAA Health Insurance Portability and Accountability Act
KPS KPS Health Plans
NIST National Institute of Standards and Technology
SDLC System Development Life Cycle
SP Special Publication
OIG Office of the Inspector General
OMB U.S. Office of Management and Budget
OPM U.S. Office of Personnel Management
ii
TABLE OF CONTENTS
Page
EXECUTIVE SUMMARY ........................................................................................................... i
ABBREVIATIONS ....................................................................................................................... ii
I. BACKGROUND ................................................................................................................ 1
II. OBJECT IVES, SCOPE, AND METHODOLOGY ........................................................2
III. AUDIT FINDING S AND RECO MMENDATIONS.......................................................5
A. Secm·ity Managernent ...................................................................................................5
B. Access Controls .............................................................................................................5
C. Network Secm·ity ...........................................................................................................8
D. Configm·ation Management ......................................................................................... 12
E. Contingency Planning.................................................................................................. 14
F. Claims Adjudication .................................................................................................... 15
G. Health Insm ance Poriability Accmmtability Act.. ....................................................... 24
IV. MAJOR C ONTRIBUTORS TO TillS REPORT ...........................................................25
APPENDIX: The Plans ' March 30, 2015 response to the draft audit rep01i, issued
January 29, 2015 . ...................................................................................................26
REPORT FRAUD, WAST E, AND MISMANAGEMENT ......................................................33
I. BACKGROUND
This final rep01t details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the inf01mation systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims by Group Health Cooperative
(GHC) and KPS Health Plans (KPS).
The audit was conducted pursuant to FEHBP contracts CS 1043 and CS 1767; 5 U.S .C. Chapter
89; and 5 Code of Federal Regulations (CFR) Chapter 1, Pa11890. The audit was perf01med by
th e U.S. Office of Personnel Management's (OPM) Office of th e Inspector General (OIG), as
established by the Inspector General Act of 1978, as amended.
The FEHBP was established by the Federal Employees Health Benefits Act, enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents . The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Pa11890 of the CFR. Health insurance
coverage is made available through contracts with various caniers that provide service benefits,
indernnity benefits, or comprehensive medical services.
This was our first audit of GHC's and KPS ' inf01mation technology (IT) general and application
controls . We also reviewed GHC's and KPS' compliance with the Health Insurance Portability
and Accmmtability Act (HIPAA) . We chose to review these two distinct health plans in one
audit because KPS is a wholly owned subsidiary of GHC, and the companies shar·e several IT
resources and policies and procedures.
All GHC and KPS personnel that worked with the auditors were helpful and open to ideas and
suggestions. They viewed the audit as an opporhmity to examine practices and to make changes
or improvements as necessary. Their positive attitude and helpfulness throughout the audit was
greatly appreciated.
1 Rep01t No. 1C-54-00-14-061
II. OBJECTIVES, SCOPE, AND METHODOLOGY
Objective
The objectives of this audit were to evaluate conu·ols over the confidentiality, integrity, and
availability ofFEHBP data processed and maintained in GHC and KPS ' IT environments. We
accomplished these objectives by reviewing the following areas:
• Secmity management;
• Access conu·ols;
• Network Secmity;
• Configmation management;
• Segregation of duties;
• Contingency planning;
• Application conu·ols specific to GHC ' s and KPS ' claims processing system; and
• HIPAA compliance.
Scope and Methodology
This perfonnance audit was conducted in accordance with generally accepted govemment
auditing standards issued by the Compu·oller General of the United States. Accordingly, we
obtained an understanding ofGHC 's and KPS ' intemal conu·ols through interviews and
observations, as well as inspection of various documents, including infonnation technology and
oth er related organizational policies and procedmes. This lmderstanding of GHC 's and KPS '
intemal conu·ols was used in planning the audit by determining the extent of compliance testing
and other auditing procedmes necessaty to verify that the intemal conu·ols were properly
designed, placed in operation, and effective.
The scope of this audit centered on the inf01mation systems used by GHC and KPS to process
medical insmance claims for FEHBP members, with a primaty focus on the claims adjudication
applications. GHC claims m·e processed through a claims adjudication system managed
intemally by the organization . KPS licenses its claims application from a third party vendor,
- · The business processes reviewed m·e primm·ily located in Tukwila and Bremerton,
Washington.
The on-site p01iion of this audit was perf01med from October through November of2014. We
completed additional audit work before and after the on-site visit at om office in Washington,
D .C. The findings, recommendations, and conclusions outlined in this rep01i are based on the
status of infonnation system general and application conu·ols in place at GHC and KPS as of
November 2014.
2 Rep01i No. 1C-54-00-14-061
In conducting our audit, we relied to varying degrees on computer-generated data provided by
GHC and KPS. Due to time constraints, we did not verify the reliability of the data used to
complete some of our audit steps, but we determined that it was adequate to achieve our audit
objectives. However, when our objective was to assess computer-generated data, we completed
audit steps necessary to obtain evidence that the data was valid and reliable.
In conducting this audit we:
Gathered documentation and conducted interviews;
Reviewed GHC’s and KPS’ business structure and environment;
Performed a risk assessment of GHC’s and KPS’ information systems environment and
applications, and prepared an audit program based on the assessment and the U.S.
Government Accountability Office’s (GAO) Federal Information System Controls Audit
Manual (FISCAM); and,
Conducted various compliance tests to determine the extent to which established controls and
procedures are functioning as intended. As appropriate, we used judgmental sampling in
completing our compliance testing.
Various laws, regulations, and industry standards were used as a guide to evaluating GHC’s and
KPS’ control structure. These criteria include, but are not limited to, the following publications:
Title 48 of the CFR;
Office of Management and Budget (OMB) Circular A-130, Appendix III;
OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information;
Information Technology Governance Institute’s CobiT: Control Objectives for Information
and Related Technology;
GAO’s FISCAM;
National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
Introduction to Computer Security;
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
Technology Systems;
NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;
NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems
and Organizations;
NIST SP 800-61, Computer Security Incident Handling Guide;
NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA
Security Rule; and,
HIPAA Act of 1996.
3 Report No. 1C-54-00-14-061
Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether GHC’s and KPS’ practices
were consistent with applicable standards. While generally compliant, with respect to the items
tested, GHC and KPS were not in complete compliance with all standards, as described in
section III of this report.
4 Report No. 1C-54-00-14-061
III. AUDIT FINDINGS AND RECOMMENDATIONS
A. Security Management
The security management component of this audit involved the
examination of the policies and procedures that are the fmmdation of GHC maintains a
GHC's overall IT security conu·ols. We evaluated GHC 's ability to series of thorough IT
develop security policies, manage risk, assign security-related security policies and
responsibility, and monitor the effectiveness of various system-related procedures.
conu·ols. KPS has adopted and enforces the IT policies established by
GHC.
GHC has implemented a series of fonnal policies and procedures that comprise its security
management program. The GHC Chieflnfonnation Security Officer is responsible for creating,
reviewing, editing, and disseminating IT security policies. GHC has developed a thorough risk
management methodology, and has procedures to document, u·ack, and mitigate or accept
identified risk. We also reviewed GHC ' s human resources policies and procedures related to
hiring, u·aining, u·ansfening, and tenninating employees.
Nothing came to our attention to indicate that GHC does not have an adequate security
management program.
B. Access Controls
Access conu·ols are the policies, procedures, and techniques used to prevent or detect
unauthorized physical or logical access to sensitive resources.
We examined the physical access conu·ols of GHC's and KPS' facilities and data centers. We
also examined the logical conu·ols protecting sensitive data on GHC's network environment and
claims processing related applications.
The access conu·ols observed during this audit include, but are not limited to:
• Procedures for appropriately granting, revoking, and routinely auditing physical access to
secure areas;
• Procedures for granting, adj usting, and auditing user access; and
• Procedures for removing network and application access for tenninated employees.
The following section documents opporhmities for improvement related to GHC 's physical
access conu·ols.
5 Rep01i No. 1C-54-00-14-061
1. Facility Access
Most GHC facility entrances ar e protected by either a locked door requiring an access badge
or a security guar d stationed at the enu·ance. However, we n n<~ Pn~TPil
at various times during business hours. GHC
FISCAM states that "Access to facilities should be limited to personnel having a legitimate
need for access to perf01m their duties." Physical conu·ols vmy , but include: manual door or
cipher key locks, magnetic door locks that require the use of elecu·onic keycards, biomeu·ics
authentication, security guards, photo IDs, entry logs, and elecu·onic and visual surveillance
systems.
FISCAM also states that " By obtaining physical access to computer facilities and equipment,
an individual could (1) obtain access to te1minals or telecommlmications equipment that
provide input into the computer, (2) obtain access to confidential or sensitive inf01mation on
magnetic or printed media, (3) substitute lmauthorized data or progrmns, or (4) steal or inflict
malicious dmnage on computer equipment and software."
We did not observe any opportunities for improvement related to fa cility access at any KPS
facilities.
Recommendation 1
We recommend that GHC reassess its facilities' physical access management an d implement
conu·ols that will ensure proper physical security.
GHC Response:
"Procedural changes have been deployed to eliminate gaps in lobby coverage. Further
enhancements are being planned and will be deployed by 51112015 to assure the posted
security has better visual access to ID badges when persons enter through GH lobby areas.
Policy and training currently conveys the expectation that
• . Improvement to verbiage on the badge, access policy and related training is being
developed and will be deployed by 51112015 to reinforce the expectation that all person s
utilize badges for secure buildings and spaces. This will create a policy violation for II
6 Rep01i No. 1C-54-00-14-06 1
OIGReply:
As part of th e audit resolution process, we recommend that GHC provide OPM's Healthcare
and Insurance Office (HIO) with evidence th at it has adequately implemented this
recommendation . This statement also applies to all subsequent recommendations in this
rep01i that GHC and KPS agree to implement.
2. Access to Data Center
The GHC data center has elecu·onic car d readers to conu·ol
physical access. However, we expect all FEHBP conu·actors to Physical access controls
also have multi-factor authentication at data center enu·ances. at GHC 's data center
GHC has stated that they ar e in th e process of moving their could be improved.
primruy data center from the office complex location in
- , Washington to an other facility with improved conu·ols . GHC should ensure that the
new facility contains the following common access conu·ols that we typically see at other
FEHBP catTier facilities:
• Multi-factor auth entication to enter th e computer room (e.g., pin code or biomeu·ic device
in addition to an access cru·d);
•
Failure to implement adequate physical access conu·ols increases the risk that unauthorized
individuals can gain access to the GHC data centers and the sensitive IT resources and
confidential data they contain. NIST SP 800-53 Revision 4, "Security an d Privacy Controls
for Federal Information Systems an d Organizations," provides guidance for adequately
conu·olling physical access to inf01m ation systems containing sensitive data.
We did not observe any opp01iunities for improvement related to facility access at the KPS
data center.
Recommendation 2
We recommend that GHC reassess its data centers' physical access m anagement and
implement conu·ols that will ensure proper physical security. At a minimum, GHC should
implement multi-factor authentication at data center enu·an ces.
GHC R esponse:
"Group H ealth is
primary data center, provided by data center designer, owner and operator,
7 Rep01i No. 1C-54-00-14-061
. provides multiple levels of physical and logical
security for Group Health’s data center environment including:
- On-site security personnel 24 hours per day, 7 days per week
- Secure perimeter security setbacks, berms and fencing with intrusion detection
- Secure access checkpoint
- CCTV throughout campus
- Mantraps at building entrance
- Biometrics
To gain access to the Group Health data servers in the new data center environment,
C. Network Security
Network security includes the policies and controls used to prevent or monitor unauthorized
access, misuse, modification, or denial of a computer network and network-accessible resources.
We evaluated GHC’s and KPS’ network security program and also independently performed
several automated vulnerability scans and compliance audits performed on GHC and
KPS/ operating platforms during this audit. We noted the following opportunities for
improvement related to network security controls.
1. Vulnerabilities Identified in Scans
System Patching
GHC has documented vulnerability management policies and procedures that establish
timeframes for remediating weaknesses. However, the results of our vulnerability scans
indicate that all critical patches, service packs, and hot fixes are not implemented in a timely
manner.
also conducts periodic vulnerability scanning on the technical environment
supporting KPS. However, the results of our vulnerability scans on this environment also
indicate that all critical patches, service packs, and hot fixes are not implemented in a timely
manner.
FISCAM states that “Software should be scanned and updated frequently to guard against
known vulnerabilities.” NIST SP 800-53 Revision 4 states that the Plan must identify,
report, and correct information system flaws and install security-relevant software and
firmware updates promptly.
Failure to promptly install important updates increases the risk that vulnerabilities will not be
remediated and sensitive information could be stolen.
8 Report No. 1C-54-00-14-061
Recommendation 3
We recommend that GHC implement procedures and controls to ensure that production
servers are updated with appropriate patches, service packs, and hotfixes on a timely basis.
GHC Response:
“Group Health has established a monthly vulnerability scanning process that looks for the
existence of current software and patches per its baseline.
Group Health has revised the operating system patching process and schedule to ensure
monthly scanning will detect all current patches in the month they are released from the
vendor. Group Health has also revised the technology platform used to deploy updates,
conforming to industry best practices for efficient, effective patch deployment, as well as
reporting.
A comprehensive plan for remediating production systems will be completed and validated
by scans scheduled for 06/01/2015.”
Recommendation 4
We recommend that KPS require to implement procedures and controls to ensure
that production servers are updated with appropriate patches, service packs, and hotfixes on a
timely basis.
KPS Response:
“ represents that all servers in this environment will be replaced and put on a
regular monthly patch schedule by 4/30/15. is completing a planned migration
of all physical servers to and bringing all operating systems up to
and using for automated patching on a
regularly scheduled basis. All systems will then be placed on a lifecycle with plans to
upgrade as soon as new OS/app versions are validated by QA.”
Noncurrent software
The results of the vulnerability scans of GHC and KPS/ also indicated that several
servers contained noncurrent software applications that were no longer supported by the
vendors, and have known security vulnerabilities.
FISCAM states that “Procedures should ensure that only current software releases are
installed in information systems. Noncurrent software may be vulnerable to malicious code
such as viruses and worms.”
9 Report No. 1C-54-00-14-061
Failure to promptly remove outdated software increases the risk of a successful malicious
attack on the information system.
Recommendation 5
We recommend that GHC implement a process to ensure that only current and supported
versions of software applications are installed on the production servers.
GHC Response:
“Leveraging the monthly vulnerability scanning and other IT processes and tools, Group
Health will develop a process to remediate out of date or no longer supported software on
production servers by 3/31/2015. Group Health will also create a Plan to
remediate, complete with timeline and completion date by 06/30/2015. The final
completion date will be delivered as a component of the implementation plan itself by
06/30/2015.”
Recommendation 6
We recommend that KPS require implement a process to ensure that only current
and supported versions of software applications are installed on the production servers.
KPS Response:
“ represents that all servers in this environment will be replaced and put on a
regular monthly patch schedule by 4/30/15. is completing a planned migration
of all physical servers to and bringing all operating systems up to
and using for automated patching on a
regularly scheduled basis. All systems will then be placed on a lifecycle with plans to
upgrade as soon as new OS/app versions are validated by QA.”
Insecure Operating System Configuration
The results of the vulnerability scans also indicated that several GHC and servers
contained insecure configurations that could allow hackers or unprivileged users to
. We were subsequently
provided evidence that GHC has since remediated this vulnerability.
NIST SP 800-53 Revision 4 states that the Plan must scan for vulnerabilities in the
information system and hosted applications, analyze the reports, and remediate legitimate
vulnerabilities. Failure to remediate vulnerabilities increases the risk that hackers could
exploit system weaknesses for malicious purposes.
10 Report No. 1C-54-00-14-061
Recommendation 7
We recommend that KPS require to remediate the specific technical weaknesses
outlined in the vulnerability scanning audit inquiry issued during the audit.
KPS Response:
“All servers in this environment will be replaced and put on a regular monthly patch
schedule by the 4/30/15 date. is completing a planned migration of all physical
servers to and bringing all operating systems up to
and using for automated patching on a regularly scheduled
basis. All systems will then be placed on a lifecycle with plans to upgrade as soon as new
OS/app versions are validated by QA.”
2. Firewall Management
has implemented firewalls to help secure the network environment supporting
KPS. However, a firewall configuration/hardening policy has not been developed.
also has procedures in place to document and track firewall changes. However,
there is no routine review of firewall settings because there are no approved settings to which
to compare the actual settings.
NIST SP 800-41 Revision 1 states that “A firewall policy dictates how firewalls should
handle network traffic for specific IP addresses and address ranges, protocols, applications,
and content types (e.g., active content) based on the organization’s information security
policies. . . . The policy should also include specific guidance on how to address changes to
the rule set.”
Failure to implement a thorough firewall configuration policy and continuously manage the
devices’ settings increases the organization’s exposure to insecure traffic and vulnerabilities.
We did not observe any opportunities for improvement related to GHC’s firewall
management methodology.
Recommendation 8
We recommend that KPS require that document a formal firewall management
policy.
KPS Response:
“ represents that it is revising its firewall management policies and will have an
approved policy in place by 04/30/2015. and have both been
installed with full automation expected to be completed by the end of 4/30/15. Once
11 Report No. 1C-54-00-14-061
automation is complete,- will be conducting full reviews at least twice per year
to ensure compliance with the established policy."
Recommendation 9
We recommend that KPS require t h a t - implement a process to conduct routine
configuration reviews on its network firewalls to ensure perfonnance and security
optimization, as defined by the firewall management policy.
KPS Response:
KPS provided the same response as for recommendation 8.
D. Configuration Management
The GHC claims processing application is . The system
includes many supp01i ing applications and system interfaces. Additional supp01iing applications
ar e hosted in data centers owned and operated by GHC. We evaluated GHC's management of
th e configuration of these platf01ms and dete1mined that the following controls were in place:
• Documented build standards and procedures; and
• Thorough change management procedures for system software.
KPS ' claims processing system is hosted and maintained b y -. The claims processing
application is housed in a distributed server environment. We evaluated
configuration management of the claims processing system and dete1mined that the following
controls were in place:
• Documented configuration baselines; and
• Thorough change management procedures for system software.
The sections below document areas for improvement related to GHC 's a n d - '
configuration management controls.
1. Baseline Configurations
GHC has created build standards and procedures for deploying
new servers and databases. However, during the fieldwork phase
GHC has not
of this audit, GHC had not documented baseline configurations documented baseline
for all operating platf01ms used by the organization. A baseline
configuration is a f01mally approved policy or standard outlining
how to securely configure an operating platf01m. We were
subsequently provided evidence that baseline policies are in the
--configurations for its
process of being created for several operating platforms using Center for Intemet Security
standards. We were told that full implementation of the baselines is scheduled for Febmruy
2015.
12 Rep01i No. 1C-54-00-1 4-061
NIST SP 800-53 Revision 4 states that an organization must develop, document, and
maintain a current baseline configuration of the information system.
Failure to establish approved system configuration settings increases the risk the system may
not meet performance requirements defined by the organization.
has documented adequate baseline configurations for the operating platforms
supporting KPS.
Recommendation 10
We recommend that GHC document approved baseline configurations for all
.
GHC Response:
“Group Health has incorporated baseline configuration standards into the new production
build image; such that all new production builds adhere to the desired
configuration outcome. In addition, all new production are also built with
installed to help ensure the desired configuration state is maintained over time.
Existing production will be brought into compliance of the baseline security
configuration standards by September 31, 2015.”
2. Configuration Compliance Auditing
As noted above, GHC does not maintain approved operating platform secure configuration
baselines for its . Therefore, GHC cannot effectively audit
the system’s security settings (i.e., there are no approved settings to which to compare the
actual settings). We were told that GHC is in the process of implementing tools to assist with
configuration compliance auditing on existing , which will be complete in February
2015.
has created baseline configuration policies for its servers and databases that
process claims data. However, it does not routinely audit its configurations to ensure
compliance. has recently completed the installation of two tools that will allow it
to review system configurations. However, full automation of these tools is not planned until
the first quarter of 2015.
NIST SP 800-53 Revision 4 states that an organization must monitor and control changes to
the configuration settings in accordance with organizational policies and procedures.
13 Report No. 1C-54-00-14-061
FISCAM requires cmTent configuration inf01mation to be routinely monitored for accuracy.
Monitoring should address the baseline and operational configuration of the hardware,
software, and fnmware that comprise the infonnation system.
Failure to implement a thorough configuration compliance auditing program increases the
risk that insecurely configured servers exist undetected, creating a potential gateway for
malicious vnu s and hacking activity that could lead to data breaches.
Recommendation 11
We recommend that GHC routinely audit all server, database, and mainframe security
configuration settings to ensure they are in compliance with approved baselines.
GHC Response:
"All new production are currently built w i t h - installed to help
ensure the desired configuration state is maintained over time. All existing production
will be retrofitted w i t h - by "
Recommendation 12
We recommend that KPS requn·e- to routinely audit all server and database
security configuration settings to ensure they are in compliance with the approved baselines.
KPS Response:
'- represents that it is revising its configuration management policy and will
have an approved policy in place b y - . have both been
installed with full automation expected to be completed by the end Once
automation is complete,- will be conducting full reviews at least twice per year
to ensure they comply with the established policy.
- continues with ongoing change management procedures with respect to
evaluations and approval ofall applicable configuration changes for specific devices."
E. Contingency Planning
We reviewed the following elements of GHC 's and KPS ' contingency planning programs to
dete1mine whether controls were in place to prevent or minimize intenuptions to business
operations when disastrous events occur:
• Disaster recove1y plan;
• Business continuity plan;
• Disaster recove1y plan tests; and
• Emergency response procedures.
14 Rep01i No. 1C-54-00-14-061
We detennined that the service continuity documentation contained the critical elements
suggested by NIST SP 800-34 Revision 1, "Contingency Planning Guide for Federal Infon nation
Systems." GHC and KPS have identified and prioritized th e systems and resources that ar e
critical to business operations, an d have developed detailed procedures to recover those systems
and resources.
N othing came to our attention to indicate that GHC or KPS have not implemented adequate
controls related to contingency planning.
F. Claims Adjudication
The following sections detail our review of the applications an d business processes supp01iing
the GHC and KPS claims adjudication process. The following sections addr ess both the GHC
claims system , - , and th e KPS claims system hosted by - .
1. Application Configuration Management
We evaluated the policies and procedures goveming application development and change
control ofGHC 's and KPS ' claims processing systems.
KPS and - have documented system development life cycle (SDLC) procedures
th at IT personnel follow during routine softwar e modifications. All changes require approval
and undergo testing prior to migration to the production environment. We do not have any
concem s regar ding KPS' application configuration man agem ent process.
GHC has also implemented procedures related to application GHC 's SDLC
configuration management, and has adopted an SDLC process is not
methodology. However, these SDLC procedures ar e "guidelines" enforced on all
and ar e not required for all application changes. We were told that application changes.
a new SDLC methodology will be implemented in the future that
will specify ce1iain required items for medium to large system implem entations .
NIST SP 800-53 Revision 4, states that an organization must man age the infonnation
systems using a system development life cycle that incmporates infon nation security
considerations. Failure to enforce the SDLC procedure for all application changes increases
the risk that changes could be m ade that ar e not approved an d not adequately tested. This
could increase the risk that defective or malicious code could be introduced into the
production environment without m anagement's knowledge.
Recommendation 13
We recommend that GHC update its SDLC policy to require all application changes go
through the documented SDLC process.
15 Rep01i No. 1C-54-00-14-061
GHC Response:
“Group Health will update the Change Management Policy to require all updates to the
application portfolio to follow the SDLC process. In addition, Group Health has updated
the SDLC process and related reference and training materials.
Throughout 2015, system implementations will go through a more robust Phase Gate
Review process, tracking/monitoring tools and instructions on what steps and artifacts of
the SDLC are required based on the type of project and risk profile Group Health expect
that these changes should be fully implemented by 12/31/2015.”
2. Claims Processing System
We evaluated the input, processing, and output controls associated with the GHC and KPS
claims processing systems. We determined that GHC and KPS have implemented policies
and procedures to help ensure that:
GHC paper claims that are received in the mail room are tracked to ensure timely
processing;
Claims are monitored as they are processed through the systems with real time tracking
of the system’s performance; and,
Claims scheduled for payment are actually paid.
While on-site at the KPS facility in Bremerton, Washington, we observed that incoming mail
was not logged before being transferred to another location for processing. Failure to log
incoming mail increases the risk that claims or checks could get lost during shipment. We
subsequently received evidence that KPS has since remediated the weakness by
implementing mail logging procedures.
Nothing else came to our attention to indicate that GHC or KPS have not implemented
adequate controls over its claims processing systems.
3. Enrollment
We evaluated GHC’s and KPS’ procedures for managing their databases of member
enrollment data. Enrollment information is received electronically or in paper format and
entered into the claims processing system. Enrollment transactions are audited weekly to
ensure information is entered accurately. We do not have any concerns regarding GHC’s or
KPS’ enrollment policies and procedures.
4. Debarment
GHC and KPS have adequate procedures for updating their claims processing systems with
debarred provider information. GHC and KPS download the OPM OIG debarment list every
16 Report No. 1C-54-00-14-061
month and make the appropriate updates to the provider databases. Any claim submitted for
a debarred provider is flagged by GHC and KPS to prevent claims submitted by that provider
from being processed successfully during the claims adjudication processes.
Nothing came to our attention to indicate that GHC or KPS have not implemented adequate
controls over the debarment process.
5. Application Controls Testing
We conducted tests on both GHC’s and KPS’ claims processing applications to validate the
systems’ claims adjudication controls. The exercise involved processing test claims designed
with inherent flaws and evaluating the manner in which the systems processed and
adjudicated the claims. The test results from GHC and KPS are documented separately
below.
Group Health Cooperative
Our test results indicate that the GHC system has controls and edits in place to identify the
following scenarios:
Exact duplicate claims;
Gender / Procedure inconsistency;
Facility / Procedure inconsistency;
Invalid place of service;
Catastrophic maximum;
Eligibility;
Surgeon / Assistant surgeon;
Coordination of benefits;
Bundling charges; and
Timely Filing.
The sections below document opportunities for improvement related to GHC’s claims
application controls.
a. Medical Editing
Our claims testing exercise identified several scenarios where the GHC claims processing
system failed to detect medical inconsistencies. For each of the following scenarios, a
test claim was processed and paid without encountering any edits detecting the
inconsistency:
17 Report No. 1C-54-00-14-061
•
•
The examples outlined above merely represent a small number of medically inconsistent
scenarios that could be detected by comprehensive medical edits in the system. It is not
intended to be an all-inclusive list, and GHC's eff01is to address this fmding should be
focused on a comprehensive medical edit solution.
Failure to detect these system weaknesses increases the risk that benefits are being paid
for procedures that were not actually perf01m ed.
Recommendation 14
We recommend that GHC implement comprehensive medical edits in its claims
adjudication application.
GHC R esponse:
"Group H ealth is improving the adjudication process by implementing the following
medical edit updates:
18 Rep01i No. 1C-54-00-14-061
OIG Reply:
While the process may detect and deny some forms of
inconsistencies, we believe that an
would increase the likelihood of detecting and suspending these types of claims from
processing. Therefore we continue to recommend that GHC implement comprehensive
medical edits in its claims adjudication application.
b. Patient History
Our claims testing exercise identified several scenarios where the GHC claims processing
did not adequately compare current claims to a patient’s historical claims. For each of
the following scenarios, a test claim was processed and paid without encountering any
edits detecting the issue:
o
o
o
Due to the potential fraudulent nature of this scenario, we expected the system to suspend
these claims for further review; however, no edit was generated by the system. Failure to
detect duplicate claims or member history inconsistencies increases the risk that
fraudulent or erroneous claims are paid.
Recommendation 15
We recommend GHC ensure the appropriate system modifications to ensure that claims
are compared against historical claims data to identify potential duplicates.
GHC Response:
“Group Health is improving the adjudication process by implementing the following
system modifications:
19 Report No. 1C-54-00-14-061
c. Benefit Structure
Our claims testing exercise identified a scenario where the GHC claims processing
system failed to apply the FEHBP benefit structure con ectly.
• Timely filing (Professional & Facility) - the GHC claims processing system is not
appropriately following the timely filing limit outlined in the FEHBP brochure.
According the brochure, claims must be submitted by December 31 of the year after
the year you received the service. Cunently, GHC only allows one year from the end
of the date of service to submit a claim, while OPM allows lmtil the end of the
calendar year after the year of the date of service.
We received evidence after the fieldwork phase of the audit indicating that GHC has
since resolved this issue. The filing limit has been updated so that for FEHB members
the timely filing limit is extended until the end of the year following the year when
services were provided.
KPS Health Plans
Our test results indicate that the system has conu·ols and edits in place to identify the
following scenarios:
• Exact duplicate claims;
• Gender I Procedure inconsistency;
• Facility I Procedure inconsistency;
• Invalid place of service;
• Catasu·ophic maximum;
20 Rep01i No. 1C-54-00-14-061
Eligibility;
Surgeon / Assistant surgeon;
Coordination of benefits; and
Bundling charges.
The following section documents opportunities for improvement related to KPS' claims
application controls:
a. Medical Editing
Our claims testing exercise identified several scenarios where the KPS claims processing
system failed to detect medical inconsistencies. For each of the following scenarios, a
test claim was processed and paid without encountering any edits detecting the
inconsistency:
The examples outlined above merely represent a small number of medically inconsistent
scenarios that could be detected by comprehensive medical edits in the system. It is not
intended to be an all-inclusive list, and KPS’ efforts to address this finding should be
focused on a comprehensive medical edit solution.
Failure to detect these medical inconsistencies increases the risk that benefits are being
paid for procedures that were not actually performed.
Recommendation 16
We recommend that KPS work with to implement comprehensive medical
edits in its claims adjudication application.
KPS Response:
“KPS and are working to improve the adjudication process by
implementing the following medical edit updates:
21 Report No. 1C-54-00-14-061
b. Benefit Structure
Our claims testing exercise identified scenarios where the KPS claims processing system
failed to detect benefit stmcture inconsistencies. For each of the following scenarios, a
test claim was processed and paid without encmmtering any edits detecting the
inconsistency:
•
• Timely filing (Professional & Facility) - KPS' claims processing system is not
appropriately following the timely filing limit. According the FEHBP brochure,
claims must be submitted by December 31 of the year after the year you received the
service. Cunently, KPS is only allowing for one year from the end of the date of
service to submit a claim; and
•
Failure to ensure the claims processing system is conectly following the benefit stm cture
increases the risk that claims are being incon ectly paid.
Recommendation 17
We recommend that KPS work with - to implement the appropriate system
modifications to ensure that claims are being appropriately processed according to the
benefit stmcture.
KPS Response:
"KPS is improving the adjudication process by implementing the following system
modifications:
22 Rep01i No. 1C -54-00-14-061
Timely Filing (Professional and Facility)
Due to the variables in the number of days for timely filing, KPS modified the
system with a 365-day timely filing indicator and a new report to verify that claims
to potentially be denied due to the timely filing limitation are in fact beyond the
timely filing limit. This will be a pre-check-run report. KPS re-tested claims after
the change in the timely filing criterion and results were as expected. Report is
currently in development and expected completion date is 04/01/2015
c. Patient History
Our claims testing exercise identified several scenarios where the KPS claims processing
did not adequately compare current claims to a patient’s historical claims. For the
following scenarios, a test claim was processed and paid without encountering any edits
detecting the issue:
o
o
Failure to detect patient history issues increases the risk that fraudulent or erroneous
claims are paid.
Recommendation 18
We recommend that KPS work with to ensure the appropriate system
modifications are made to prevent claims with patient history issues from processing.
KPS Response:
“KPS is improving the adjudication process by implementing the following system
modification:
23 Report No. 1C-54-00-14-061
G. Health Insurance Portability and Accountability Act
We reviewed GHC 's and KPS' eff01is to maintain complian ce with the security and privacy
standards of HIPAA. GHC created and m aintains the HIPAA policies and procedures that KPS
enforces.
GHC has implemented a collection ofiT security policies and procedures to address the
requirements of the HIPAA security mle. GHC has also developed a series of privacy policies
and procedures that address requirements of the HIPAA privacy mle. GHC reviews its HIPAA
privacy and security policies annually and updates when necessruy. The GHC legal office
oversees all HIPAA activities, and publishes and maintains c01porate policies. Privacy and
security training is provided periodically to all employees.
Nothing came to our attention to indicate that GHC is not in compliance with the vru·ious
requirements of HIPAA regulations.
24 Rep01i No. 1C-54-00-14-061
IV. MAJOR CONTRIBUTORS TO THIS REPORT
Information Systems Audit Group
, Auditor-In-Charge
, IT Auditor
, IT Auditor
, IT Auditor
______________________________________________________________________________
, Group Chief
25 Report No. 1C-54-00-14-061
Appendix
@
GroupHealthe
Date: 03/30/2015
To: - - - -· U.S. Office of Personnel Management
From: ~xecutive Vice President; Health Plan Division, Group Health Cooperative and
Jim Page, KPS President; KPS Health Plans
Re: GHC & KPS Health Plan IT General and Application Controls Audit 2014;
findings and recommendations
This memorandum is provided in response to find ings and recommendations noted on OIG's draft audit
report issued on 01/29/2015. Group Health Cooperative and KPS have reviewed the OIG's findings and
recommendations and provide the following response.
Recommendation 1- Facility Access for GHC
We recommend that GHC reassess its facilities' physical access management and implement
controls that will ensure proper physical security.
Comment: Procedural changes have been deployed to eliminate gaps in lobby coverage. Further
enhancements are being planned and will be deployed by 51112015 to assure the posted
security has better visual access to 10 badges when persons enter through GH lobby areas.
Recommendation 2 - Access to Data Center for GHC
We recommend that GHC reassess its data centers' physical access management and
implement controls that will ensure proper physical security. At a minimum, GHC should
implement multi-factor authentication at data center entrances.
provides multiple levels of physical
including:
- On-site security personnel 24 hours per day, 7 days per week
- Secure perimeter security setbacks, berms and fencing with intrusion detection
- Secure access checkpoint
- CCTV throughout campus
- Mantraps at building entrance
- Biometrics
26 Rep01i No. 1C-54-00- 14-061
Recommendation 3- Network Security- System Patching for GHC
We recommend that GHC implement procedures and controls to ensure that production
servers are updated with appropriate patches, service packs, and hotfixes on a timely
basis.
Comment: Group Health has established a monthly vulnerability scanning process that
looks for the existence of current software and patches per its baseline.
Group Health has revised the operating system patching process and schedule to
ensure monthly scanning will detect all current patches in the month they are released
from the vendor. Group Health has also revised the technology platform used to deploy
updates, conforming to industry best practices for efficient, effective patch deployment,
as well as reporting.
A comprehensive plan for remediating production systems will be completed and
validated by scans scheduled for 0610112015.
implement procedures and controls to
with appropriate patches, service packs,
Comment:- - represents that all servers in this environment will be replaced
and put onT~f!!rcf?'??wnthly patch schedule b 4130115. is a
planned migration of all servers to operating
systems up to
patching on a All on a lifecycle
with plans to upgrade as soon as new OS/app versions are validated by QA
Recommendation 5- Network Security- Non-Current Software for GHC
We recommend that GHC implement a process to ensure that only current and supported
versions of software applications are installed on the production servers.
Comment: Leveraging the monthly vulnerability scanning and other IT processes and
tools, Group Health will develop a - ocess to remediate out of date or no longer
supported software on production servers by 313112015. Group Health will
also create a Plan to remediate, comp e e with timeline and completion date by
0613012015. The final completion date will be delivered as a component of the
implementation plan itself by 0613012015.
implement a process to ensure that only
applications are installed on the
Comment:- - represents that all servers in this environment will be replaced
and put onT~f!!rcf?'??wnthly patch schedule by the 4130115 date. is
a planned migration of all servers to all
operating systems up
automated patching be
27 Rep01i No. 1C-54-00- 14-061
placed on a lifecyc/e with plans to upgrade as soon as new OS!app versions are
validated by QA
Recommendation 7- Network Security- Insecure Operating System Configuration for
KPS
We recommend that KPS r e q u i r e - - to remediate the specific technical
weaknesses outlined in the v~scanning audit inquiry issued during the
audit.
Comment: All servers in this environment will be replaced and put on a regular monthly
patch schedule by the 4130115 date. is completing a planned migration of all
servers to and operating systems up to-
rrr.tn.:. l'i:>rt patching on a regrJf!!J!y
All on a lifecyc/e with plans to upgrade as
soon as new OS!app versions are validated by QA
We recommend that KPS require t h a t - - implement a process to conduct
routine configuration reviews on i~rewalls to ensure performance and
security optimization, as defined by the firewall management policy.
Comment:- - represents that it is revising its firewall management
will have a~policy in place by 0 413012015. have
both been installed with full au-omation ex ected to 5.
Once automation is complete, will be conducting full reviews at least twice
per year to ensure compliance WI e established policy.
Comment: ~~ rou Health has incorporated baseline configuration standards into the new
production build image; such that all new production builds adhere to the
desired con tguration outcome. In addition, all new are a/so built with
- installed to help ensure the desired configuration tained over time.
Existing production . will be brought into compliance of the baseline security
configuration standafi s y September 31, 2015.
Recommendation 11 - Configuration Management- Configuration Compliance Auditing
for GHC
We recommend that GHC routinely audit all server, database, and mainframe security
configuration settings to ensure they are in compliance with approved baselines.
Comment: All new production - servers are currently built with - installed
to help ensure the desired con tgura ton state is maintained over time. ex1s mg
production - servers will be retrofitted with - b
28 Rep01i No. 1C-54-00- 14-061
Recommendation 12 - Configuration Management- Configuration Compliance Auditing
for KPS
We recommend that KPS r e q u i r e - - to routinely audit all server and database
security configuration setting~they are in compliance with the approved
baselines.
Recommendation 13 -Application Configuration Management for GHC
We recommend that GHC update its SDLC policy to require all application changes go
through the documented SDLC process.
Comment: Group Health will update the Change Management Policy to require all
updates to the application portfolio to follow the SDLC process. In addition, Group Health
has updated the SDLC process and related reference and training materials.
Throughout 2015, system implementations will go through a more robust Phase Gate
Review process, tracking/monitoring tools and instructions on what steps and artifacts of
the SDLC are required based on the type of project and risk profile Group Health expect
that these changes should be fully implemented by 1213112015.
Recommendation 14- Claims Adjudication- Medical Editing for GHC
We recommend that GHC implement comprehensive medical edits in its claims
adjudication application.
Comment: Group Health is improving the adjudication process by implementing the
following medical edit updates:
29 Rep01i No. 1C-54-00- 14-061
Recommendation 15- Claims Adjudication - Patient History for GHC
We recommend GHC ensure the appropriate system modifications to ensure that claims
are compared against historical claims data to identify potential duplicates.
Comment: Group Health is improvin g the adjudication process by implementin g the
following system modifications:
Comment: KPS and- - are working to improve the adjudication process by
implementing the fo~ical edit updates:
30 Rep01i No. 1C-54-00- 14-061
to implement the appropriate system
g appropriately processing according to
Comment: KPS is improving the adjudication process by implementing the following
system modifications:
Timely Filing (Professional and Facility)
• Due to the variables in the number of days for timely filing, KPS modified the
system with a 365-day timely filing indicator and a new report to verify that claims
to potentially be denied due to the timely filing limitation are in fact beyond the
timely filing limit. This will be a pre-check-run report. KPS re-tested claims after
the change in the timely filing criterion and results were as expected. Report is
currently in development and expected completion date is 0410112015
ensure the appropriate system
patient history issues from processing.
Comment: KPS is improving the adjudication process by implementing the following
system modification:
Member History
• • is configured to pend professional claims for the same scenario but not
hosp1 a/ claims. A request for a new pre-check run report to capture data prior to
fin~ion of hospital claims for this type of scenario has been submitted
to- - with a completion date of0410112015.
If you have any questions or concerns, please let us know.
Robert O'Brien, Executive Vice President
Health Plan Division, Group Health Cooperative
fLu~
31 Rep01i No. 1C-54-00- 14-061
Jim Page, KPS President
KPS Health Plans
32 Report No. 1C-54-00-14-061
Report Fraud, Waste, and
Mismanagement
Fraud, waste, and mismanagement in
Government concerns everyone: Office of
the Inspector General staff, agency
employees, and the general public. We
actively solicit allegations of any inefficient
and wasteful practices, fraud, and
mismanagement related to OPM programs
and operations. You can report allegations
to us in several ways:
By Internet: http://www.opm.gov/our-inspector-general/hotline-to-
report-fraud-waste-or-abuse
By Phone: Toll Free Number: (877) 499-7295
Washington Metro Area: (202) 606-2423
By Mail: Office of the Inspector General
U.S. Office of Personnel Management
1900 E Street, NW
Room 6400
Washington, DC 20415-1100
33 Report No. 1C-54-00-14-061
Audit of Information Systems General and Application Controls at Group Health Cooperative and KPS Health Plans
Published by the Office of Personnel Management, Office of Inspector General on 2015-05-18.
Below is a raw (and likely hideous) rendition of the original report. (PDF)