Testimony
Joseph E. Vengrin
Assistant Inspector General for Audit Operations
and Financial Statement Activities

May 23, 2001

Office of Inspector General
Department of Health and Human Services

In conducting annual audits of the Health Care Financing Administration (HCFA) financial statements, which are required by the Government Management Reform Act of 1994, we contract with independent public accounting (IPA) firms to express an opinion on the financial statements and report on internal control deficiencies. As part of the body of work underpinning these audits, the IPA firms perform various internal control tests of the Medicare program, including its automated systems. The purpose of these tests is to determine the nature, timing, and extent of audit procedures to be performed during each year's audit.

Strong internal controls over Medicare systems are essential to ensure the integrity, confidentiality, and reliability of critical data and to reduce the risk of errors, fraud, and other illegal acts. However, since fiscal year (FY) 1996, when we first began the financial statement audits, we have noted continuing material internal control weaknesses in the systems, particularly those operated by contractors. Material weaknesses are defined as serious deficiencies in internal controls that can lead to material misstatements of amounts reported in subsequent financial statements unless corrective actions are taken. Also, such weaknesses could allow (1) unauthorized access to and disclosure of sensitive information, (2) malicious changes that could interrupt data processing or destroy data files, (3) improper Medicare payments, or (4) disruption of critical operations. My statement today will summarize the significant problems noted in the FY 2000 financial statement audit.

By way of background, the Medicare program provides health insurance for 39.5 million elderly and disabled Americans at a cost of about $215 billion in FY 2000. The program is administered by HCFA, the largest component of the Department of Health and Human Services. Medicare services are provided through either fee-for-service arrangements or managed care plans.

HCFA relies on extensive computerized operations at both its central office and contractor sites to administer the Medicare program and to process and account for Medicare expenditures. The HCFA central office systems maintain administrative data, such as Medicare enrollment, eligibility, and paid claims data, and process all payments to health care providers for managed care. The fee-for-service claim processing system, the Department's most complex and decentralized system, is operated with the help of more than 50 contractors located throughout the country. There are two types of contractors: Intermediaries process claims from institutions, such as hospitals and skilled nursing facilities, filed under Part A of the Medicare program, while carriers process Part B claims from other health care providers, such as physicians and medical equipment suppliers. These contractors and their data centers use several "shared" systems to process and pay provider claims. Currently, each intermediary uses one of two shared systems, and each carrier uses one of four shared systems. All of the shared systems interface with HCFA's Common Working File system to obtain authorization to pay claims and to coordinate Medicare Part A and Part B benefits. This fee-for-service network processed over 890 million claims totaling $173.6 billion during FY 2000.

Generally, Medicare claim processing begins when a health care provider submits a claim to a contractor. The claim is entered into a shared system which captures, edits, and prices the claim. Once the claim has passed all shared system edits and has been priced, it is submitted to the Common Working File for validation, verification of beneficiary eligibility, and payment authorization.

As we have previously reported, the underlying internal control environment for Medicare claim processing operations needs substantial improvement. Our FY 2000 audit identified numerous weaknesses in general controls, which involve access controls, entity-wide security programs, application development and program change controls, segregation of duties, operating system software, and service continuity. General controls affect the integrity of all applications operating within a single data processing facility and are critical to ensuring the reliability, confidentiality, and availability of data.

Of 124 general control weaknesses identified, 115 were found at the sampled Medicare contractor sites and 9 were found at the HCFA central office. About 80 percent of these weaknesses involved three types of controls: access controls, entity-wide security programs, and systems software.

Access Controls

Access controls ensure that critical systems assets are physically safeguarded, that logical (e.g., electronic) access to sensitive computer programs and data is granted only when authorized and appropriate, and that only authorized staff and computer processes access sensitive data in an appropriate manner. Weaknesses in such controls can compromise the integrity of program data and increase the risk that data may be inappropriately used and/or disclosed.

Access control weaknesses represented the largest problem area. The most widespread weaknesses concerned administration of the controls themselves. At several contractors, passwords were not properly administered, systems security software was not implemented effectively, or access privileges were not reviewed frequently enough to ensure their continuing validity. We also reported that controls did not effectively prevent access to sensitive data. For instance, computer programmers and other technical support staff had inappropriate access to the data files used in the fee-for-service claim process, such as beneficiary history files. Under these conditions, the Common Working File system was vulnerable to inappropriate use.

At some contractors, programmers had inappropriate access to system logs; this provided an opportunity to conceal improper actions and obviated the logs' effectiveness as "detect" controls. At one contractor, the computer operator could override installation system security precautions when restarting the mainframe computer system. We also noted weaknesses in controls over access to sensitive facilities and media within those facilities. For example, at one contractor, inappropriate individuals had access to the computer center's command post. At another, the computer production control area was not secured during normal business hours.

Penetration Tests. As part of their assessment of access controls, IPA firms performed low-level internal and external penetration testing at eight Medicare contractor sites. The purpose of this testing was to identify real and postulated security risks to, and vulnerabilities of, the information systems. A variety of common penetration testing procedures revealed additional access control risks at certain contractor sites. When dial-up connections were made, computer systems permitted an excessive number of failed remote access log-in attempts before disconnection and disclosed more information about themselves than necessary. In addition, inadequate password protections permitted unauthorized access to certain computer systems, and insufficient controls over print output queues permitted unauthorized "read" access to sensitive data. Such weaknesses increase the risk of unauthorized remote access to sensitive Medicare systems and data.

Entity-Wide Security Programs

Entity-wide security programs ensure that security threats are identified, risks are assessed, control techniques are developed, and management oversight is applied to ensure the overall effectiveness of security measures. These programs typically include policies on how and which sensitive duties should be separated to avoid conflicts of interest and stipulate what types of background checks are needed during the hiring process. Entity-wide security programs afford management the opportunity to provide appropriate direction and oversight of the design, development, and operation of critical systems controls. Inadequacies in these programs can result in inadequate access controls and software change controls affecting mission-critical operations.

We reported that several contractor sites lacked fully documented, comprehensive entity-wide security plans that addressed all aspects of an adequate security program. Inadequate risk assessments, a lack of comprehensive security awareness programs, and inadequate policies were among the weaknesses noted at the contractors. At the HCFA central office, we found no security assessment of, or security plans for, significant application systems; insufficient security oversight of the Medicare contractors; no formal process to remove system access of terminated HCFA employees and contractors; and deficiencies in the management review and approval process.

Systems Software Controls

Systems software controls help to prevent unauthorized individuals from using software to read, modify, or delete critical information and programs. Systems software is a set of programs designed to operate and control the processing activities of computer equipment. Generally, it supports a variety of applications that may run on the same computer hardware. Some systems software can change data and programs on files without leaving an audit trail.

Weaknesses in systems software controls related to managing routine changes to the software to ensure their appropriate implementation and configuring operating system controls to ensure their effectiveness. Such problems could weaken critical controls over access to sensitive Medicare data files and operating system programs.

Shared System Weaknesses

Since FY 1997, we have reported that the Medicare data centers have inappropriate access to the source code of the Fiscal Intermediary Shared System, which is used by certain Medicare contractors. This unresolved weakness was expanded this year to include the Common Working File system, which all shared systems use to obtain authorization to pay claims. Access to source code renders the Medicare claim processing system vulnerable to abuse, such as the implementation of unauthorized programs and the implementation of local changes to shared system programs. While HCFA requires contractors to restrict local changes to emergency situations, local changes are often not subjected to the same controls that exist in the standard change control process.

In summary, we remain concerned that inadequate internal controls over Medicare operations leave the program vulnerable to loss of funds, unauthorized access to and disclosure of sensitive medical information, malicious changes that could interrupt data processing or destroy data files, improper payments, or disruption of critical operations. Further, because of weaknesses in the contractors' entity-wide security structures, HCFA has no assurance that information systems controls are adequate and operating effectively. While all of these weaknesses are troubling, we do not know whether the resulting vulnerabilities have been exploited in terms of compromised medical
information, fictitious Medicare claims, diversion of taxpayer dollars, or some other type of fraud or abuse by an "insider" or a hacker.

What most concerns us are the continuing problems identified in access and entity-wide security controls. HCFA must ensure that Medicare contractors develop corrective action plans that not only address identified weaknesses but also attempt to determine the fundamental causes of the weaknesses. Among the efforts planned and underway by HCFA is an improved corrective action process. We expect that HCFA's testimony will fully address that process, as well as other short- and long-term actions to shore up information systems controls. We urge HCFA to sustain its focus on these critical internal controls. Furthermore, HCFA and the Medicare contractors should routinely conduct penetration testing to ensure the integrity of their information technology environment.

We in the Office of Inspector General will continue to work with HCFA to overcome the persistent risks to the security of the Medicare program. For example, as required by the Government Information Security Reform Act (GISRA) of 2000, we have begun an independent evaluation of HCFA's security program. Our evaluation will incorporate the results of several efforts: the internal control testing conducted during our annual financial statement audits, our ongoing work to ensure compliance with Presidential Decision Directive 63, our additional work focused on access and entity-wide security controls at selected Medicare contractors, information systems reviews (known as Statement on Audit Standards 70 examinations) conducted by IPA firms under contract with HCFA, and other security assessments performed by consultants for HCFA.

I will be happy to discuss the extent of our GISRA work, as well as any other matters, in response to your questions.