U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: AUDIT OF INFORMATION SYSTEMS GENERAL AND APPLICATION CONTROLS AT PREMERA BLUE CROSS Report No. l A-10-70-14-007 Date: November 28, 2014 --CAUTION-­ This audit rtport has betn distributed to Ftdtral officials who ire responslblt for the 1dmloistr1tion of the audited prognm. ThU audit report may contain pro prlc11 ry data which iJ protected by Fedenl law (18 U.S.C. 1905). Tbectforc, while this audlt report is available under the Frttdom of Information Act and made available to the public on the OlG wcbpagc, caution needs to be tJerciaed before releasing the report to the general public u It may contain proprietary information that was redacted from the publicly distribuled copy. UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Washington. DC 20415 Office of the Inspector General Audit Report FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM CONTRACT 1039 PREMERA BLUE CROSS PLAN CODES 10/11 MOUNTLAKE TERRACE, WASHINGTON Report No. lA-10-70-14-007 Date: Novembe r 28 , 2014 Michael R. Esser Assistant Inspector General for Audits --CAUTION- Tbis 1udlt report bu been distributed to Feclen.I officWJ wbo ire responsible ror the administration of the audited program. This audit report may contain proprietary data wblcb ii protected by Federal law (18 U.S.C. 1905). Tbertlorc, wbllc tbls 1ucllt report ii available under tbe Freedom of l oform1tion Ad ud made available to the public oo the OIG webpagc, caution needs to be cxcrcl1cd before relcasl og the report to the ceoeral public aa It may contain proprietary infor mation tb1t was reucted from tbc publicly distributed copy. www.opm.cov www.usajoba.gov UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Washing to n, DC 20415 Office of the ln~pector General Executive Summary FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM CONTRACT 1039 PREMERA BLUE CROSS PLAN CODES 10/11 MOUNTLAKE TERRACE, WASHINGTON Report No. lA-10-70-14-007 Date: November 28 , 2014 Tills final report discusses the results of our audit of general and application controls over the information systems at Premera Blue Cross (Premera or Plan). Our audit focused on the claims processing applications used to adjudicate Federal Employees Health Benefits Program (FEHBP) claims for Premera, as well as the various processes and information technology systems used to support these applications. We documented the controls in place and opportunities for improvement in each of the areas below. Security Management Nothing came to our attention to indicate that Premera does not have an adequate security management program. Access Controls Premera has implemented controls to grant or prevent physical access to its data center, as well as logical controls to protect sensitive information. However, Premera's data center did not contain controls we typically observe at similar facilities, such as multi-factor authentication and piggybacking prevention. Since the issuance of the draft report Premera has installed multi- i wwl!t.opm.gov www.usajobs.cov factor authentication, but has yet to implement piggybacking prevention. We also noted a weakness related to the password history configuration settings. Network Security Premera has implemented a thorough incident response and network security program. However, we noted several areas of concern related to Premera' s network security controls: • A patch management policy is in place, but current scans show that patches are not being implemented in a timely manner; • A methodology is not in place to ensure that unsupported or out-of-date software is not utiJized; • Insecure server configurations were identified in a vulnerability scan. Configuration Management Premera has developed formal policies and procedures that provide guidance to ensure that system software is appropriately configured, updated, and changes are controlled. However, Premera has not documented formal baseline configurations that detail the approved settings for its server operating systems, and therefore cannot effectively audit its security configuration settings. Contingency Planning We reviewed Premera' s business continuity and disaster recovery plans and concluded that they contained the key elements suggested by relevant guidance and publications. However, Premera does not perform a complete disaster recovery test for all information systems. Claims Adjudication Premera has implemented many controls in its claims adjudication process to ensure that FEHBP claims are processed accurately. However, we noted several weaknesses in Premera's claims application controls. Health Insurance Portability and Accountability Act CHIPAA) Nothing came to our attention that caused us to believe that Premera is not in compliance with the HIPAA security, privacy, and national provider identifier regulations. 11 Contents Page Executive Summary ........................................................................................................................ . i I. Introduction .......................................... .................... ................................................................. l Background ........................................ .......... ... ............... ......... ... ...... ...................................... ... l Objectives ................................................................................................................................. l Scope ......................................................................................................................................... l Methodology ............................................................................................................................. 2 Compliance with Laws and Regulations ................................................................................... 3 II. Audit Findings and Recommendations ..................................................................................... 4 A. Security Management .......................................................................................................... 4 B. Access Controls ..................................... .. ....... ........................ ... .. ......... ...................... ..... ..... 4 C. Network Security ................... ........ .................... .. .......................... ....................................... 6 D. Configuration Management ................................................................................................. 8 E. Contingency Planning ...................... .................................................................................... 9 F. Claims Adjudication ........................................................................................................... 11 G. Health Insurance Portability and Accountability Act ........................................................ 14 III.Major Contributors to This Report ...... ..... .................................... ... ................ .. ...................... 15 Appendix: Premera Blue Cross's June 30, 2014 response to the draft audit report issued April 17, 2014 I. Introduction This final report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over the information systems responsible for processi ng Federal Employees Health Benefits Program (FEHBP) claims by Premera Blue Cross (Premera or Plan). The audit was conducted pursuant to FEHBP contract CS 1039; 5 U.S.C. Chapter 89; and 5 Cod.e of Federal Regulations (CFR) Chapter I, Part 890. The audit was performed by the U.S. Office of Personnel Management's (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended. Background The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on September 28, 1959. The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents. The provisions ofthe Act are implemented by OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services. All Premera personnel that worked with the aud itors were helpful and open to ideas and suggestions. They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary. Their positive attitude and helpfulness throughout the audit was greatly appreciated. This was our first audit of the security controls at Premera. We discussed the results of our audit with Premera representatives at an exit conference. Objectives The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in Premera's information technology (11) environment. We accomplished these objectives by reviewing the following areas: • • • • • • • Security management; Access controls; Configuration management; Segregation of duties; Contingency planning; Application controls specific to Premera's claims processing systems; and HIPAA compliance. Scope This performance audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Accordingly, we obtained an understanding of Premera's internal controls through interviews and observations, as well as inspection ofvarious documents, including IT and other related organizational policies and procedures. This understanding of Premera' s internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective. Premera has a nationwide fee-for-service plan sponsored by the BlueCross and BlueShield Federal Employee Program (FEP). The scope of this audit centered on the information systems used by Premera to process medical insurance claims for FEHBP members, with a primary focus on the cJaims adjudication applications. Premera processes FEP claims through its local system and then through FEP Direct, the BlueCross BlueShield Association ' s (BCBSA) nationwide claims adjudication system. The business processes reviewed are primarily located in Premera' s Mountlake Terrace, Washington facilities. The on-site portion of this audit was performed in January and February of2014. We completed additional audit work before and after the on-site visit at our office in Washington, D.C. The findings, recommendations, and conclusions outlined in this report are based on the status of information system general and application controls in place at Premera as ofMarch 2014. In conducting our audit, we relied to varying degrees on computer-generated data provided by Premera. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed audit steps necessary to obtain evidence that the data was valid and reliable. Methodology ln conducti ng this review we: • Gathered documentation and conducted interviews; • Reviewed Premera's business structure and environment; • Performed a risk assessment of Premera's information systems environment and applications, and prepared an audit program based on the assessment and the Government AccountabiUty Office's (GAO) Federal Information System Controls Audit Manual (FISCAM); and • Conducted various compliance tests to determine the extent to which established controls and procedures are functioning as intended. As appropriate, we used judgmental sampling in completing our compliance testing. Various laws, regulations, and industry standards were used as a guide to evaluating Premera's control structure. These criteria include, but are not limited to, the folJowing publications: • Title 48 of the Code of Federal Regulations; • Office of Management and Budget (OMB) Circular A-130, Appendix III; • OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information; 2 • Information Technology Governance Institute' s COBIT: Control Objectives for Information and Related Technology; • GAO' s FISCAM; • National Institute of Standards and Technology's Special Publication (NIST SP) 800-1 2, fntroduction to Computer Security; • NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems; • NIST SP 800-30 Revision I , Guide for Conducting Risk Assessments; • N IST SP 800-34 Revision 1, Contingency Planning Guide for Information Technology Systems; • N IST SP 800-41Revision1 , Guidelines on Firewalls and Firewall Policy; • NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations; • NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide; • NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HJPAA Security Rule; and • HIPAA Act of 1996. Compliance with Laws and Regulations In conducting the audit, we performed tests to determine whether Premera's practices were consistent with applicable standards. While generally compliant, with respect to the items tested, Premera was not in complete compliance with all standards as described in the "Audit Findings and Recommendations" section of this report. 3 II. Audit Findings and Recommendations A. Security Management The security management component of this audit involved an examination of the policies and procedures that are the foundation of Premera's overall IT security controls. We evaluated Premera's ability to develop security policies, manage risk, assign security-related responsibility, and monitor the effectiveness of various system-related controls. Premera has implemented a series of formal policies and procedures that comprise its security management program. Premera has also developed a thorough risk management methodology. Premera conducts routine enterprise-wide risk assessments, which has allowed the Plan to document, track, and mitigate or accept identified risks in a timely manner. We also reviewed Premera' s human resources policies and procedures related to hiring, training, transferring, and terminating employees. Nothing came to our attention to indicate that Premera does not have an adequate security management program. B. Access Controls Access controls are the policies, procedures, and techniques used to prevent or detect unauthorized physical or logical access to sensitive resources. We examined the physical access controls at Premera's facilities and data center located in Mountlake Terrace, Washington. We also examined the logical controls protecting sensitive data in Premera's network environment and claims processing applications. The access controls observed during this audit include, but are not limited to: • • • • • Procedures for appropriately granting physical access to facilities and data centers; Procedures for revoking access to facilities and data centers for terminated employees; Procedures for removing-/network access for terminated employees; Controls to monitor and filter email and Internet activity; and Procedures for recertifying employees' access to systems and applications. However, the following section documents opportunities for improvement related to Premera's physical and logical access controls. 1. Facility and Data Center Physical Access Controls The physical access controls in Premera' s data center could be improved. The Premera facilities we visited use electronic card readers to contror access to the buildings. However, Premera's data center did not contain controls that we typically observe at similar facilities, including: 4 • Multi-factor authentication to enter the computer room (e.g,. cipher lock or biometric device in addition to an access card); and • Piggybacking prevention controls at the computer room entrance (e.g., alarm that sounds if more than one person walks past a sensor for each access card that is swiped or a turnstile that only allows one person to enter per card swjpe). Failure to implement adequate physical access controls increases the risk that unauthorized individuals can gain access to Premera's data center and the sensitive resources and data it contains. NIST SP 800-53 Revision 4 provides guidance for adequately controlling physical access to information systems containing sensitive data (see control PE-3, Physical Access Control). Recommendation 1 We recommend that Premera improve the physical access controls at its data center. At a rninimwn, the computer room entrance should require multi-factor authentication and have controls to prevent piggybacking. Premera Response: "In response to this recomme11dation, Premera has installed a multi.factor authentication key pad requirb1g staffto enter a unique pin number. .•• Premera previously had the following controls in place: • Restricted badge access to limited person11el who have manageme11t approval/or Data Center access. • Visitor sign in at the main receptio11 in building 4, as well as at the Data Center by authorized Data Ce11ter personnel with badge access. • Video camera surveillance triggered by motion detectors at the Data Center door. The camera data is monitored by security personnel. " OIG Reply: The evidence provided by Premera in response to the draft audit report indicates that the Plan has implem ented multi~ factor authentication. However, the Plan has not implemented controls to prevent piggybacking. As part ofthe audit resolution process, we recommend Premera provide OPM' s Healthcare and Insurance Office (HIO) with evidence that it has adequately implemented this recommendation in regards to piggybacking prevention. 2. Password History Configuration Premera has implemented a corporate password policy that is applicable to all infonnation system s on the network. However, we performed automated configuration compliance scans that indicated that several systems did not limit the time between password changes. This configuration would allow users to circumvent Premera' s password history requirement by changing their password multiple times within a short time period and then reuse their initial password. 5 Recommendation 2 We recommend that Premera reconfigure its information systems to ensure compliance with the corporate approved password policy. Premera Respo11se: "In response to this recommendation, Premera agrees to investigate and remediate as appropriate by December 31, 2014." OIG Reply: As part of the audit resolution process, we recommend that Premera provide OPM's HlO with evidence that it has adequately implemented this recommendation. This statement also applies to all subsequent recommendations in this audit report that the Plan agrees to implement. C. Network Security Network security includes the policies and controls used to prevent or monitor W1authorized access, misuse, modification, or denial of a computer network and network·accessible resources. Prcmera has implemented a thorough incident response and network security program. We worked with Premera employees to conduct automated vulnerability scans on a sample of servers and databases. We noted several opportunities for improvement related to Premera's network security controls. 1. System Patching Premera bas documented patch management policies and procedures. However, the results of the vulnerability scans indicate that critical patches, service packs, and hot fixes are not always implemented in a timely manner. FISCAM states that "Software should be scanned and updated frequently to guard against known vulnerabilities." NIST SP 800-53 Revision 4 states that organizations must identify, report, and correct information system flaws and install security-relevant software and firmware updates promptly. Failure to prompUy install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached. Recommendation 3 We recommend that Premera implement procedures and controls to ensure that production servers are updated with appropriat e patches, service packs, and hotfixes on a timely basis. Premera Response: "In response to this recomme11dation, Premera agrees to implement proced11res and controlsfor appropriate deployment ofservice packs and hotfues by December 3 J, 2014. 6 However, Premera respectfi1/ly disagrees with the section ofthe recommendation related to patches as it believes deployment ofcritical security patches is in compliance with the documented patch management policy provided to the OPMA udit Staffin Information request 13. " OIG Reply: The results of the vulnerability scans performed during the fieldwork phase of this audit indicated that Premera was not in compliance with its policy for deploying patches within a specific timeframe based on criticality. As part of the audit resolution process, we recommend that Premera provide OPM's HIO with evidence that it has adequately implemented this recommendation. 2. Noncurrcnt Software The results of the vulnerability scans indicated that several servers contained noncurrent software applications that were no longer supported by the vendors and have known security vulnerabilities. FISCAM states that "Procedures should ensure that only current software releases are installed in information systems. Noncurrent software may be vulnerable to malicious code such as viruses and worms." Failure to promptly remove outdated software increases the risk of a successful malicious attack on the infonnation system . Recommendation 4 We recommend that Premera implement a methodology to ensure that only current and supported versions of system software are installed in its network environment. Premera Response: "Jn response to this recommendation, Premera agrees to investigate noted (A udit Inquiry 04) applications in the environment to ensure compatibility and supportability and will remediate appropriately by December 31, 2014." 3. Insecure Operating System Configuration The results of the vulnerability scans also indicated that several servers contained insecure configurations that could allow hackers or unprivileged users to insert code that would result in privilege escalation. The escalated privileges could grant the hackers unauthorized access to sensitive and proprietary information. NIST SP 800-53 Revision 4 states that the Plan must scan for vulnerabilities in the information system and hosted applications, analyze the reports, and remediate legitimate vulnerabilities. Failure to remedjate vulnerabilities increases the risk that hackers could exploit system weaknesses for malicious purposes. 7 Recommendation S We recommend that Premera remediate the specific technical weaknesses outlined in the vulnerability scanning audit inquiry issued during the audit. Premera Respon.'ie: "In response to this recommendation, Premera agrees to investigate the noted technical weaknesses (Audit b1quiry 04), and wil/ remediate appropriately by December 31, 2014." D. Configuration Management Premera's claims processing application is a commercial product from This application is housed . The platform includes many supporting applications and system interfaces. We evaluated Premera's management of the configuration of the system software hosting and determined that the following controls were in place: • • • Documented corporate configuration policies and procedures; Approved mainframe configuration baselines; and Thorough change management procedures for system software. The sections below document areas for improvement related to Premera's configuration management controls. 1. Server and Database Baseline Configurations Premera has created a corporate configuration policy to establish configuration management responsibilities within its IT functional areas. However, Premera has not created baseline configurations for its NIST SP 800-53 Revision 4 states that an organization must develop, document, and maintain a current baseline configuration of the information system. NIST SP 800-53 Revision 4 also states that an organization must monitor and control changes to the configuration settings in accordance with organizational policies and procedures. FISCAM requires current configuration information to be routinely monitored for accuracy. Monitoring should analyze the baseline and current configuration of the hardware, software, and firmware that comprise the information system. Premera cannot effectively audit its server and database security settings without an approved baseline, as a baseline configuration is the benchmark for comparison. Failure to establish and routinely monitor approved system configuration settings increases the risk the system may not meet performance and security requirements defined by the organization. 8 Recommendation 6 We recommend that Premera document approved baseline configurations for all versions of those platfonns utilized in its network environment. Premera Response: "In response to this recommendation, Premera agrees to establish baseline configuration documentation/or all supported by December 31, 2014.,, Recommendation 7 We recommend that Premera routinely audit all security configuration settings to ensure they are in compliance with the approved baseline. Premera Response: "In response to this recommendation, Premera agrees to remediate appropriately to ensure compliance with approved and documented baselines by December 31, 2014." E. Contingency Planning We reviewed the following elements of Premera's contingency planning program to detennine whether controls were in place to prevent or minimize interruptions to business operations when disastrous events occur: • • • • • Disaster response plan; Business continuity plan for data center operations; Business continuity plans for claims processing operations and claims support; Disaster recovery plan tests conducted in conjunction with an alternate data center; and Emergency response procedures and training. We detennined that the service continuity docwnentation contained the critical elements suggested by NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Infonnation Systems. Premera has identified and prioritized the systems and resources that are critical to business operations, and has developed detailed procedures to recover those systems and resources. However, Premera's contingency planning program could be improved. Premera does not perform a complete disaster recovery test for all information systems. The Plan conducts an annual busjness impac.t anaJysjs and assjgns a critfoajjty fa•r from one to four for aJJ appJk.atfons (one being the most critical). However, only applications in tiers one and two are subject to annual disaster recovery testing; tiers three and four are not subject to routine testing. FISCAM states that "Testing contingency plans is essential to determining whether they will function as intended in an emergency situation. . . . The most useful scenarios involve simulating a disaster situation to test overall service continuity." 9 Failure to perform annual disaster recovery tests on all applications decreases the likelihood that Premera will be able to completely restore operations in the event of a disaster. Premera also does not have a contract in pJace to guarantee generator fuel delivery in the event of a prolonged power outage at its primary data center. The Plan has a back-up generator and enough fuel on-site to sustain data center operations for approximately three days. Any outage Jasting longer than three days would require additional fuel from an outside source. We were infonned that Premera has "preferred" customer status with its fuel vendor; however, this status does not guarantee delivery priority over other companies that may also be "preferred" customers. NIST SP 800-53 Revision 4 states that an organization should provide "a long-term alternate power supply for the information system that is . .. Capable of maintaining minimally ... required operational capability .. . in the event of an extended loss of the primary power source." Failure to ensure a long-term power capability increases the risk of data loss and inhibits the plans ability to meet contractually obligated minimum service levels. Recommendation 8 We recommend that Prem era implement a methodology to ensure that alJ applications are subject to routine disaster recovery testing. Premera Response: "Premera respectfully disagrees with this recommendation as i1 believes that the recomme1tdation is focused on Preml!ra's low impact systems (Le., Tier 3 and 4 systems). The strategy and solutio11 f or the recovery ofTier 3 and 4 applications and services, include reg ularly scheduled data replication/o r availability at the recovery fa cility with build f ollowing the declaration ofa major event or disaster. In addition, on an annual basis, the solution, restoration and recovery procedures ofselected Tier 3 and 4 applications and services will be exercised via stand-alone tests to validate recoverability within their defined R TO (recovery time objectives). Tabletop reviews will be performedfollowin.g the development or revisions of recovery documents. Premera believes we meet the NIS T SP 800-34 Section 3.5.3 guidance which states 'for Low impact systems, a tabletop exercise at an organization-defined frequency is sufjicieflt.' Please see information request 2 sectio11 7.2 (TT Disaster R ecovery Plan) provided to the OPM A udit staff. " OIG Reply: We have reviewed documentation provided, and agree that it outlines procedures on how to perform disaster recovery testing for low impact systems. However, this documentation is not 10 sufficient evidence to indicate routine disaster recovery testing of these systems has actually occurred. As part of the audit resolution process, we recommend that Premera p rovide OPM 1 s HIO with evidence of routine disaster recovery testing for low impact systems. Recommendation 9 We recommend that Premera reevaluate its fuel delivery situation and detennine if a contract with a fuel vendor would improve its disaster recovery program. Premera Respo11se: "In response to this recomme11dation, Premera has obtained a m em orandumfrom ourfuel vendor acknowledging that Prem era has p riority delivery as a Preferred Customer. " OIG Reply: The evidence provided by Premera in response to the draft audit report indicates that the Plan is recognized as a priority along with hospitals and other healthcare facilities in the event of an emergency; no further action is required. F. Claims Adjudication The following sections detail our review of the applications and business processes supporting Premera' s claims adjudication process. Premera processes all FEP claims through its local system and then through the BCBSA's FE P Direct nationwide claims adjudication system. 1. A pplication C onfiguration M anagement We evaluated the policies and procedures governing application development and change control of Premera' s claims processing systems. Premera has implemented policies and procedures related to application configuration manage ment, and has also adopted a system development life cycle methodology that IT personnel follow during routine software modifications. We observed the fo llowing controls related to testing and approvals of software modifications: • Premera has adopted practices that allow modjfications to be tracked throughout the change process; • Code, unit, system, and quality testing are all conducted in accordance with industry standards; and • Premera uses a business unit independent from the software developers to move the code between development and production environments to ensure adequate segregation of duties . Nothing crune to our attention to indicate that Premera has not implemented adequate controls related to the application configuration management process. 11 2. Claims Processing System We evaluated the input, processing, and output controls associated with Premera's claims processing system. We have determined the following controls are in place over Premera's claims adjudication system: • Routine audits are conducted on Premera's front-end scanning vendor for incoming paper claims; • Claims are monitored as they are processed through the systems with real time tracking of the system's performance; and • Claims output files are fully reconciled. Nothing came to our attention to indicate that Premera has not implemented adequate controls over the claims processing system. 3. Debarment Premera has adequate procedures for updating its claims system with debarred provider information. Premera receives the OPM OIG debarment list every month and makes the appropriate updates to the FEP Direct claims processing system. Any claim submitted for a debarred provider is flagged by Premera to adjudicate through the OPM OIG debarment process to include initial notification, a 15 day grace period, and then denial. Nothing came to our attention to indicate that Premera has not implemented adequate controls over the debannent process. 4. Application Controls Testing We conducted a test on Premera's claims adjudication application to validate the system's claims processing controls. The exercise involved processing test claims designed with inherent flaws and evaluating the manner in which the and FEP Direct systems processed and adjudicated the claims. All claims are pre-priced i n - and adjudicated in FEP Direct. Our test results indicate that the system has controls and edits in place to identify the following scenarios: • • • • • • Member eligibility; Coordination of benefits; Bundling charges; Overlapping hospital stays; Timely filing; and Chiropractic benefits. The sections below document opportunities for improvement related to Premera's claims application controls. 12 Medical Editing Our claims testing exercise identified several scenarios where Premera's claims system failed to detect medical inconsistencies. For each of the following scenarios, a test claim was processed and paid without encountering any edits detecting the inconsistency: • Diagnosis I Procedure - claims were submitted for procedures where the diagnose codes corresponded to a • Provider I Procedure - claims were submitted for a and a performing • Place of Service I Procedure - a claim was submitted for a performed in a • I Procedure Inconsistency - a claim was submitted for a receIVill~; and • Member Age I Procedure Inconsistency - a claim was submitted for a -- Failure to detect these system weaknesses increases the risk that benefits are being paid for procedures that were not actually performed. The BCBSA has a long standing corrective plan in place to incrementally implement medical edits into FEP Direct. The current monthly update from BCBSA to OPM indicated that a new release for FEP Direct is scheduled for April of 2014. These controls will be evaluated again during subsequent audits of the FEP Direct system. Duplicate Claims Two separate test claims were processed for the same patient, procedure code, diagnosis code, service date and billed amounts, but using different providers. Due to the potential fraudulent nature of this scenario, we expected the system to suspend these claims for further review; however, no edit was generated by the system. Failure to detect potentially duplicate claims increases the risk that fraudulent or erroneous claims are paid. Recommendation 10 We recommend that Premera ensure the appropriate system modifications are made to prevent duplicate claims from processing without proper verification. Premera Response: "In response to this recommendation, the Plan submitted the enhancement requests to the FEP Operations Center on March 6, 2014 and copies were sent to the OPM OIG Audit Staffon Marcil 19, 2014 (folder name was Test Claim Follow-up). See Attachment E, Request# 20141648 and 20141651. The Plan will provide an update on this recommendation once feedback on the request is received." 13 OIG Reply: As part ofthe audit resolution process, we recommend that Premera provide OPM's HIO with evidence when the response from the FEP Operations Center to the request has been received. G. Health Insurance Portability and Accountability Act We reviewed Premera' s efforts to maintain compliance with the security and privacy standards of HIPAA. Premera has implemented a series of IT security policies and procedures to adequately address the requirements of the HIPAA security rule. Premera has also developed a series of privacy policies and procedures that directly addresses all requirements of the HIPAA privacy rule. Premera reviews its HIPAA privacy and security policies annually and updates when necessary. Premera' s Privacy Office oversees all HIPAA activities, and helps develop, publish, and maintain corporate policies. Each year, all employees must complete compliance training which encompasses HIPAA regulations as well as general compliance. Nothing came to our attention to indicate that Premera is not in compliance with the various requirements of HIPAA regulations. 14 ID. Major Contributors to This Report This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General , Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report; • • • Lead IT Auditor • • • IT Auditor IT Auditor 15 Appendix •• BlueCross BlueShield Association June 30, 2014 Group Chief Claims & IT Audits Group, U.S. Office of Personnel Management 1900 E Street, Room 6400 Washington, D.C. 20415-1100 An Aasoclatlon of Independent Blue CroM and Bh1e Shield Plnns Federal Employee Program 1310 G Street, N.W. Washington, D .C. 20005 202.942.1000 Fax 202.942. l 125 Reference: OPM DRAFT AUDIT REPORT Premera Blue Cross IT Audit Plan Code 430 Audit Report Number 1A-10-70-14-007 (Dated Aprll 17, 2014 and received April 18, 2014) The following represents the Plan's response as it relates to the recommendations included in the draft report. Note: Premera is requesting wording changes to clarify or correct information in the draft report as indicated in Attachment A. A. Security Controls No Recommendations B. Access Controls 1. Facility and Data Center Physical Access Controls Recommendation 1 We recommend that Premera improve the physical access controls at its data center. At a minimum, the computer room entrance should require multi-factor authentication and have controls to prevent piggybacking. Plan Response In response to this recommendation, Premera has installed a multi-factor authentication key pad requiring staff to enter a unique pin number. Please see Attachments Band C. Premera previously had the following controls in place: • Restricted badge access to limited personnel who have management approval for Data Center access. Appendix Mr. Premera Blue Cross Page 2 of 5 • Visitor sign in at the main reception in building 4, as well as at the Data Center by authorized Data Center personnel with badge access. • Video camera surveillance triggered by motion detectors at the Data Center door. The camera data is monitored by security personnel. 2. Password Configuration Settings Recommendation 2 We recommend that Premera reconfigure its information systems to ensure compliance with the corporate approved password policy. Plan Response In response to this recommendation, Premera agrees to investigate and remediate as appropriate by December 31, 2014. C. Network Security 1. System Patching Recommendation 3 We recommend that Premera implement procedures and controls to ensure that production servers are installed with appropriate patches, service packs, and hotfixes on a timely basis. Plan Response In response to this recommendation, Premera agrees to implement procedures and controls for appropriate deployment of service packs and hotfixes by December 31, 2014. However, Premera respectfully disagrees with the section of the recommendation related to patches as it believes deployment of critical security patches is in compliance with the documented patch management policy provided to the OPM Audit Staff in Information request 13. 2. Noncurrent Software Recommendation 4 We recommend that Premera implement a methodology to ensure that only current Appendix Mr.. - . . . Pre~s Page 3 of 5 and supported versions of system software are installed in its network environment. Plan Response In response to this recommendation, Premera agrees to investigate noted (Audit Inquiry 04) applications in the environment to ensure compatibility and supportability and will remediate appropriately by December 31, 2014. 3. Insecure operating system configuration Recommendation 5 We recommend that Premera remediate the specific technical weaknesses outlined in the vulnerability scanning audit inquiry issued during the audit. Plan Response In response to this recommendation, Premera agrees to investigate the noted technical weaknesses (Audit Inquiry 04 ), and will remediate appropriately by December 31, 2014. D. Configuration Management 1. Server and Database Baseline Configurations Recommendation 6 We recommend that Premera document approved baseJine configurations for aJJ versions of those platforms utmzed in its network environment. Plan Response In response to this recommendation, Premera a configuration documentation for all supported by December 31, 2014. Recommendation 7 We recommend that Premera routinely audit all security configurations settings to ensure they are in compliance with the approved baseline. Appendix Mr. Premera Blue Cross Page 4 of 5 Plan Response: In response to this recommendation, Premera agrees to remediate appropriately to ensure compliance with approved and documented baselines by December 31, 2014. E. Contingency Planning 1. Contingency Planning Recommendation 8 We recommend that Premera implement a methodology to ensure that all applications are subject to routine disaster recovery testing. Plan Response Premera respectfully disagrees with this recommendation as it believes that the recommendation is focused on Premera's low impact systems (i.e., Tier 3 and 4 systems). The strategy and solution for the recovery of Tier 3 and 4 applications and services, include regularly scheduled data replication for availability at the recovery facility with build following the declaration of a major event or disaster. In addition, on an annual basis, the solution, restoration and recovery procedures of selected Tier 3 and 4 applications and services will be exercised via stand-alone tests to validate recoverability within their defined RTO (recovery time objectives). Tabletop reviews will be performed following the development or revisions of recovery documents. Premera believes we meet the NIST SP 800-34 Section 3.5.3 guidance which states "for low impact systems, a tabletop exercise at an organization-defined frequency is sufficient." Please see information request 2 section 7.2 (IT Disaster Recovery Plan) provided to the OPM Audit staff. Recommendation 9 We recommend that Premera reevaluate its fuel delivery situation and determine if a contract with a fuel vendor would improve its disaster recovery program. Appendix Mr. Premera Blue Cross Page 5 of 5 Plan Response In response to this recommendation, Premera has obtained a memorandum from our fuel vendor acknowledging that Premera has priority delivery as a Preferred Customer. See Attachment D F. Claims Adjudication 1. Application Controls Testing - Duplicate Claims Recommendatjon 10 We recommend that Premera ensure the appropriate system modifications are made to prevent duplicate claims from processing without proper verification. Plan Response In response to this recommendation, the Plan submitted the enhancement requests to the FEP Operations Center on March 6, 2014 and copies were sent to the OPM OIG Audit Staff on March 19, 2014 {folder name was Test Claim Follow-up). See Attachment E, Request# 20141648 and 20141651 . The Plan will provide an update on this recommendation once feedback on the request is received. Thank you for the opportunity to provide an update to the Final Report. If you have any uestions in the interim, please contact at .or at Sincerely, , CISA, CRSA Managing Director, FEP Program Assurance Attachments cc: