Good morning, Mr. Chairman. I am Joseph E. Vengrin, Assistant Inspector General for Audit Operations and Financial Statement Activities of the Department of Health and Human Services. With me today is Ed Meyers, Director, Information Systems Audits and Advanced Techniques. We share the Committee’s concerns regarding the security of Government information systems, and we appreciate the opportunity to testify on the vulnerability of Medicare claim processing systems.
In conducting annual audits of the Health Care Financing Administration (HCFA) financial statements, which are required by the Government Management Reform Act of 1994, we contract with independent public accounting (IPA) firms to express an opinion on the financial statements and report on internal control deficiencies. As part of the body of work underpinning these audits, the IPA firms perform various internal control tests of the Medicare program, including its automated systems. The purpose of these tests is to determine the nature, timing, and extent of audit procedures to be performed during each year’s audit.
Strong internal controls over Medicare systems are essential to ensure the integrity, confidentiality, and reliability of critical data and to reduce the risk of errors, fraud, and other illegal acts. However, since fiscal year (FY) 1996, when we first began the financial statement audits, we have noted continuing material internal control weaknesses in the systems, particularly those operated by contractors. Material weaknesses are defined as serious deficiencies in internal controls that can lead to material misstatements of amounts reported in subsequent financial statements unless corrective actions are taken. Also, such weaknesses could allow (1) unauthorized access to and disclosure of sensitive information, (2) malicious changes that could interrupt data processing or destroy data files, (3) improper Medicare payments, or (4) disruption of critical operations. My statement today will summarize the significant problems noted in the FY 2000 financial statement audit.
Medicare Automated Systems
By way of background, the Medicare program provides health insurance for 39.5 million elderly and disabled Americans at a cost of about $215 billion in FY 2000. The program is administered by HCFA, the largest component of the Department of Health and Human Services. Medicare services are provided through either fee-for-service arrangements or managed care plans.
HCFA relies on extensive computerized operations at both its central office and contractor sites to administer the Medicare program and to process and account for Medicare expenditures. The HCFA central office systems maintain administrative data, such as Medicare enrollment, eligibility, and paid claims data, and process all payments to health care providers for managed care. The fee-for-service claim processing system, the Department’s most complex and decentralized system, is operated with the help of more than 50 contractors located throughout the country. There are two types of contractors: Intermediaries process claims from institutions, such as hospitals and skilled nursing facilities, filed under Part A of the Medicare program, while carriers process Part B claims from other health care providers, such as physicians and medical equipment suppliers. These contractors and their data centers use several "shared" systems to process and pay provider claims. Currently, each intermediary uses one of two shared systems, and each carrier uses one of four shared systems. All of the shared systems interface with HCFA’s Common Working File system to obtain authorization to pay claims and to coordinate Medicare Part A and Part B benefits. This fee-for-service network processed over 890 million claims totaling $173.6 billion during FY 2000.
Generally, Medicare claim processing begins when a health care provider submits a claim to a contractor. The claim is entered into a shared system which captures, edits, and prices the claim. Once the claim has passed all shared system edits and has been priced, it is submitted to the Common Working File for validation, verification of beneficiary eligibility, and payment authorization.
Systems Control Weaknesses
As we have previously reported, the underlying internal control environment for Medicare claim processing operations needs substantial improvement. Our FY 2000 audit identified numerous weaknesses in general controls, which involve access controls, entity-wide security programs, application development and program change controls, segregation of duties, operating system software, and service continuity. General controls affect the integrity of all applications operating within a single data processing facility and are critical to ensuring the reliability, confidentiality, and availability of data.
Of 124 general control weaknesses identified, 115 were found at the sampled Medicare contractor sites and 9 were found at the HCFA central office. About 80 percent of these weaknesses involved three types of controls: access controls, entity-wide security programs, and systems software.
Access Controls
Access controls ensure that critical systems assets are physically safeguarded, that logical (e.g., electronic) access to sensitive computer programs and data is granted only when authorized and appropriate, and that only authorized staff and computer processes access sensitive data in an appropriate manner. Weaknesses in such controls can compromise the integrity of program data and increase the risk that data may be inappropriately used and/or disclosed.
Access control weaknesses represented the largest problem area. The most widespread weaknesses concerned administration of the controls themselves. At several contractors, passwords were not properly administered, systems security software was not implemented effectively, or access privileges were not reviewed frequently enough to ensure their continuing validity. We also reported that controls did not effectively prevent access to sensitive data. For instance, computer programmers and other technical support staff had inappropriate access to the data files used in the fee-for-service claim process, such as beneficiary history files. Under these conditions, the Common Working File system was vulnerable to inappropriate use.
At some contractors, programmers had inappropriate access to system logs; this provided an opportunity to conceal improper actions and obviated the logs’ effectiveness as "detect" controls. At one contractor, the computer operator could override installation system security precautions when restarting the mainframe computer system. We also noted weaknesses in controls over access to sensitive facilities and media within those facilities. For example, at one contractor, inappropriate individuals had access to the computer center’s command post. At another, the computer production control area was not secured during normal business hours.
Penetration Tests. As part of their assessment of access controls, IPA firms performed low-level internal and external penetration testing at eight Medicare contractor sites. The purpose of this testing was to identify real and postulated security risks to, and vulnerabilities of, the information systems. A variety of common penetration testing procedures revealed additional access control risks at certain contractor sites. When dial-up connections were made, computer systems permitted an excessive number of failed remote access log-in attempts before disconnection and disclosed more information about themselves than necessary. In addition, inadequate password protections permitted unauthorized access to certain computer systems, and insufficient controls over print output queues permitted unauthorized "read" access to sensitive data. Such weaknesses increase the risk of unauthorized remote access to sensitive Medicare systems and data.
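The two dial-up findings above (too many failed log-in attempts tolerated before disconnection, and systems announcing more about themselves than necessary) are the kind of thing a contractor can verify from its own remote-access logs before an auditor does. The following is an added example written for this page, not a procedure from the testimony or any IPA firm's toolkit. It assumes a simple line-oriented log format (timestamp, session id, event, optional detail) and a policy of at most three consecutive failures; the log lines, session ids and banner text are constructed for the example.

```python
"""Audit check for remote-access login hardening (added example, constructed data)."""
import re
from typing import Dict, List, Optional

# Assumed policy for this example: the server must disconnect after 3 consecutive failures.
MAX_FAILED_ATTEMPTS = 3

# Assumed log format: "<timestamp> <session-id> <EVENT> [detail]".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sid>\S+) (?P<event>\S+)(?: (?P<detail>.*))?$")
# A banner that carries a product/version string discloses more than a minimal greeting.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")

# Constructed sample log: s01 shows both weaknesses, s02 is the behaviour we want.
SAMPLE_LOG = """\
2001-05-01T08:00:01 s01 CONNECT line=3
2001-05-01T08:00:02 s01 BANNER "SampleOS 5.2.2 Ready"
2001-05-01T08:00:05 s01 LOGIN_FAIL user=opr1
2001-05-01T08:00:09 s01 LOGIN_FAIL user=opr1
2001-05-01T08:00:12 s01 LOGIN_FAIL user=opr1
2001-05-01T08:00:15 s01 LOGIN_FAIL user=opr1
2001-05-01T08:00:18 s01 LOGIN_FAIL user=opr1
2001-05-01T08:00:21 s01 DISCONNECT
2001-05-01T09:10:00 s02 CONNECT line=4
2001-05-01T09:10:01 s02 BANNER "Authorized use only"
2001-05-01T09:10:04 s02 LOGIN_FAIL user=clerk7
2001-05-01T09:10:08 s02 LOGIN_OK user=clerk7
2001-05-01T09:30:00 s02 DISCONNECT
"""


def parse_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn each non-empty log line into a dict with ts, sid, event and detail keys."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(m.groupdict())
    return events


def excessive_failures(events, max_failed: int = MAX_FAILED_ATTEMPTS) -> Dict[str, int]:
    """Sessions whose run of consecutive LOGIN_FAIL events exceeded max_failed.

    A compliant server disconnects when the limit is reached, so a longer run
    means the lockout/disconnect control did not fire.
    """
    streak: Dict[str, int] = {}
    worst: Dict[str, int] = {}
    for ev in events:
        sid = ev["sid"]
        if ev["event"] == "LOGIN_FAIL":
            streak[sid] = streak.get(sid, 0) + 1
            worst[sid] = max(worst.get(sid, 0), streak[sid])
        elif ev["event"] in ("CONNECT", "LOGIN_OK", "DISCONNECT"):
            streak[sid] = 0
    return {sid: n for sid, n in worst.items() if n > max_failed}


def leaky_banners(events) -> Dict[str, str]:
    """Sessions whose pre-authentication banner disclosed a product/version string."""
    out = {}
    for ev in events:
        detail = ev["detail"]
        if ev["event"] == "BANNER" and detail and VERSION_RE.search(detail):
            out[ev["sid"]] = detail.strip('"')
    return out


def run_checks(log_text: str = SAMPLE_LOG) -> Dict[str, dict]:
    """Run both checks over a log and return the findings keyed by check name."""
    events = parse_log(log_text)
    return {
        "excessive_failures": excessive_failures(events),
        "leaky_banners": leaky_banners(events),
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(check, hits or "none")
```

Run against a real access server's logs, the first check gives an auditor a list of sessions where the disconnect-after-N-failures control demonstrably did not operate, and the second lists the banners that should be reduced to a minimal notice; both are evidence that can be attached to a corrective action plan rather than an opinion.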
Entity-Wide Security Programs
Entity-wide security programs ensure that security threats are identified, risks are assessed, control techniques are developed, and management oversight is applied to ensure the overall effectiveness of security measures. These programs typically include policies on how and which sensitive duties should be separated to avoid conflicts of interest and stipulate what types of background checks are needed during the hiring process. Entity-wide security programs afford management the opportunity to provide appropriate direction and oversight of the design, development, and operation of critical systems controls. Inadequacies in these programs can result in inadequate access controls and software change controls affecting mission-critical operations.
We reported that several contractor sites lacked fully documented, comprehensive entity-wide security plans that addressed all aspects of an adequate security program. Inadequate risk assessments, a lack of comprehensive security awareness programs, and inadequate policies were among the weaknesses noted at the contractors. At the HCFA central office, we found no security assessment of, or security plans for, significant application systems; insufficient security oversight of the Medicare contractors; no formal process to remove system access of terminated HCFA employees and contractors; and deficiencies in the management review and approval process.
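Three of the findings on this page are really the same missing control, a periodic access review: the Access Controls section reports privileges not reviewed often enough and programmers holding access to production claim data and to system logs, and the paragraph above reports no formal process for removing the access of terminated employees and contractors. The script below is an added example, not an IPA firm procedure or any HCFA or contractor tool, that shows what such a review can mechanically check when fed an account extract joined to an HR status feed. The role names, resource names, user ids, dates and the 90-day recertification interval are all assumptions made for the example.

```python
"""Periodic access-privilege review (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

REVIEW_INTERVAL_DAYS = 90  # assumed policy: every entitlement recertified at least quarterly

# Assumed classification of resources and roles for this example.
PRODUCTION_DATA = {"BENEFICIARY_HISTORY", "CLAIMS_MASTER"}   # claim-process data files
SYSTEM_LOGS = {"SMF_LOG", "SECURITY_LOG"}                    # the "detect" controls
TECHNICAL_ROLES = {"programmer", "tech_support"}             # should stay out of production data


@dataclass
class Account:
    user: str
    role: str
    status: str                  # HR feed: "active" or "terminated"
    enabled: bool                # security software: is the account usable?
    entitlements: Dict[str, str]  # resource -> "read" or "update"
    last_reviewed: date          # when a manager last recertified the entitlements


Finding = Tuple[str, str, str]   # (user, finding code, detail)


def review_accounts(accounts: List[Account], today: date,
                    interval_days: int = REVIEW_INTERVAL_DAYS) -> List[Finding]:
    """Return one finding per control violation across the account population."""
    findings: List[Finding] = []
    for a in accounts:
        # Terminated per HR but still enabled: no formal removal process worked.
        if a.status == "terminated" and a.enabled:
            findings.append((a.user, "TERMINATED_STILL_ENABLED",
                             "HR shows terminated but the account is still enabled"))
        # Segregation of duties: technical staff with production data or writable logs.
        if a.role in TECHNICAL_ROLES:
            for res, level in a.entitlements.items():
                if res in PRODUCTION_DATA:
                    findings.append((a.user, "SOD_PRODUCTION_DATA",
                                     f"{a.role} holds {level} access to {res}"))
                elif res in SYSTEM_LOGS and level != "read":
                    findings.append((a.user, "LOG_UPDATE_ACCESS",
                                     f"{a.role} can modify {res} and conceal activity"))
        # Entitlements whose continuing validity nobody has confirmed recently.
        if (today - a.last_reviewed).days > interval_days:
            findings.append((a.user, "STALE_REVIEW",
                             f"last recertified {a.last_reviewed.isoformat()}"))
    return findings


# Constructed sample population; none of these are real accounts.
SAMPLE_ACCOUNTS = [
    Account("pgm01", "programmer", "active", True,
            {"BENEFICIARY_HISTORY": "update", "DEV_LIB": "update"}, date(2001, 1, 15)),
    Account("pgm02", "programmer", "active", True,
            {"SMF_LOG": "update", "DEV_LIB": "update"}, date(2001, 4, 2)),
    Account("clk07", "claims_clerk", "active", True,
            {"CLAIMS_MASTER": "update"}, date(2001, 3, 20)),
    Account("old99", "tech_support", "terminated", True,
            {"DEV_LIB": "read"}, date(2000, 12, 1)),
]


def sample_review() -> List[Finding]:
    """Run the review over the constructed population as of 1 May 2001."""
    return review_accounts(SAMPLE_ACCOUNTS, date(2001, 5, 1))


if __name__ == "__main__":
    for user, code, detail in sample_review():
        print(f"{user:6} {code:25} {detail}")
```

The clerk with update access to the claims master file is not flagged, because that access is consistent with the role; the point of the check is the combination of role and resource, not the resource alone. In practice the HR feed and the security-software extract come from different systems, and the join between them is exactly the "formal process" the central office was found to lack.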
Systems Software Controls
Systems software controls help to prevent unauthorized individuals from using software to read, modify, or delete critical information and programs. Systems software is a set of programs designed to operate and control the processing activities of computer equipment. Generally, it supports a variety of applications that may run on the same computer hardware. Some systems software can change data and programs on files without leaving an audit trail.
Weaknesses in systems software controls related to managing routine changes to the software to ensure their appropriate implementation and configuring operating system controls to ensure their effectiveness. Such problems could weaken critical controls over access to sensitive Medicare data files and operating system programs.
Shared System Weaknesses
Since FY 1997, we have reported that the Medicare data centers have inappropriate access to the source code of the Fiscal Intermediary Shared System, which is used by certain Medicare contractors. This unresolved weakness was expanded this year to include the Common Working File system, which all shared systems use to obtain authorization to pay claims. Access to source code renders the Medicare claim processing system vulnerable to abuse, such as the implementation of unauthorized programs and the implementation of local changes to shared system programs. While HCFA requires contractors to restrict local changes to emergency situations, local changes are often not subjected to the same controls that exist in the standard change control process.
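When many data centers can modify the programs of a shared system, the detective control that still works is a comparison of what is actually deployed against the centrally released baseline. The following added example, not HCFA's or any shared-system maintainer's tooling, hashes each deployed program, compares it with an approved manifest, and separates documented emergency changes (those recorded against a ticket with the hash of the patched program) from undocumented local changes, missing programs and programs that were never part of the release. Program names, file contents and the ticket id are constructed for the example.

```python
"""Baseline verification of shared-system programs (added example, constructed data)."""
import hashlib
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (program, status, detail)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(programs: Dict[str, bytes]) -> Dict[str, str]:
    """Manifest of approved hashes, produced once from the central release."""
    return {name: sha256_hex(body) for name, body in programs.items()}


def verify_deployment(baseline: Dict[str, str], deployed: Dict[str, bytes],
                      emergency_changes: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Compare a data center's deployed programs with the approved baseline.

    emergency_changes maps program -> {"id": ticket, "hash": sha256 of the patched
    program}. A deviation is tolerated only when a ticket records exactly that hash,
    which forces an emergency fix to be documented before it is considered legitimate.
    """
    findings: List[Finding] = []
    for name, approved in baseline.items():
        if name not in deployed:
            findings.append((name, "MISSING", "approved program absent from deployment"))
            continue
        actual = sha256_hex(deployed[name])
        if actual == approved:
            continue
        ticket = emergency_changes.get(name)
        if ticket and ticket["hash"] == actual:
            findings.append((name, "EMERGENCY_CHANGE",
                             f"covered by ticket {ticket['id']}; reconcile through standard change control"))
        else:
            findings.append((name, "UNAUTHORIZED_CHANGE",
                             "content differs from baseline and no emergency ticket matches"))
    for name in deployed:
        if name not in baseline:
            findings.append((name, "UNEXPECTED_PROGRAM", "program not in the approved release"))
    return findings


# Constructed release: stand-ins for shared-system programs, not real source.
RELEASED = {
    "PRICER.CBL": b"       PROGRAM-ID. PRICER.\n       * pricing logic v1\n",
    "EDITS.CBL":  b"       PROGRAM-ID. EDITS.\n       * claim edits v1\n",
    "CWFIO.CBL":  b"       PROGRAM-ID. CWFIO.\n       * CWF interface v1\n",
    "RPTGEN.CBL": b"       PROGRAM-ID. RPTGEN.\n       * reports v1\n",
}

# Constructed picture of one data center: one documented fix, one undocumented
# change, one program missing, one program that was never released.
DEPLOYED = {
    "PRICER.CBL": RELEASED["PRICER.CBL"],
    "EDITS.CBL": RELEASED["EDITS.CBL"] + b"       * emergency fix EC-0042\n",
    "CWFIO.CBL": RELEASED["CWFIO.CBL"] + b"       * local tweak, no ticket\n",
    "LOCALUTIL.CBL": b"       PROGRAM-ID. LOCALUTIL.\n",
}

# Constructed ticket id; the hash binds the ticket to the exact patched content.
EMERGENCY_CHANGES = {
    "EDITS.CBL": {"id": "EC-0042", "hash": sha256_hex(DEPLOYED["EDITS.CBL"])},
}


def sample_verification() -> Dict[str, str]:
    """Run the comparison on the constructed data and return program -> status."""
    findings = verify_deployment(build_baseline(RELEASED), DEPLOYED, EMERGENCY_CHANGES)
    return {name: status for name, status, _ in findings}


if __name__ == "__main__":
    for name, status, detail in verify_deployment(build_baseline(RELEASED), DEPLOYED, EMERGENCY_CHANGES):
        print(f"{name:14} {status:20} {detail}")
```

The manifest has to be generated at the point of central release and kept where the data centers cannot edit it; otherwise a site with source access can simply rebuild the baseline to match its own changes, and the check reports nothing.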
Conclusions
In summary, we remain concerned that inadequate internal controls over Medicare operations leave the program vulnerable to loss of funds, unauthorized access to and disclosure of sensitive medical information, malicious changes that could interrupt data processing or destroy data files, improper payments, or disruption of critical operations. Further, because of weaknesses in the contractors’ entity-wide security structures, HCFA has no assurance that information systems controls are adequate and operating effectively. While all of these weaknesses are troubling, we do not know whether the resulting vulnerabilities have been exploited in terms of compromised medical information, fictitious Medicare claims, diversion of taxpayer dollars, or some other type of fraud or abuse by an "insider" or a hacker.
What most concerns us are the continuing problems identified in access and entity-wide security controls. HCFA must ensure that Medicare contractors develop corrective action plans that not only address identified weaknesses but also attempt to determine the fundamental causes of the weaknesses. Among the efforts planned and underway by HCFA is an improved corrective action process. We expect that HCFA’s testimony will fully address that process, as well as other short- and long-term actions to shore up information systems controls. We urge HCFA to sustain its focus on these critical internal controls. Furthermore, HCFA and the Medicare contractors should routinely conduct penetration testing to ensure the integrity of their information technology environment.
We in the Office of Inspector General will continue to work with HCFA to overcome the persistent risks to the security of the Medicare program. For example, as required by the Government Information Security Reform Act (GISRA) of 2000, we have begun an independent evaluation of HCFA’s security program. Our evaluation will incorporate the results of several efforts: the internal control testing conducted during our annual financial statement audits, our ongoing work to ensure compliance with Presidential Decision Directive 63, our additional work focused on access and entity-wide security controls at selected Medicare contractors, information systems reviews (known as Statement on Audit Standards 70 examinations) conducted by IPA firms under contract with HCFA, and other security assessments performed by consultants for HCFA.
I will be happy to discuss the extent of our GISRA work, as well as any other matters, in response to your questions.