The data warehouse that holds health insurance claims records for the Office of Personnel Management is operating with outdated security plans and is not meeting various monitoring requirements, an inspector general’s report found.
OPM’s Health Claims Data Warehouse serves as the IT repository for the claims records and administrative data associated with the Federal Employees Health Benefits Program, which provides health benefits for 8.3 million federal employees, retirees and beneficiaries.
An IG audit of the HCDW’s IT security controls found that while many elements are in compliance with Office of Management and Budget policy, others fall far short.
Auditors found that required continuous monitoring reports were not issued, and that neither the system’s contingency plan to mitigate service disruption nor the plan of action and milestones for addressing 22 outstanding system weaknesses had been updated since 2015.
OPM has also failed to remove the credentials of several nonessential personnel who retained privileged access to HCDW servers, despite that access being deemed unnecessary.
The agency has also neither put in place technical controls to prevent users from accessing HCDW servers remotely nor conducted penetration testing of the system.
One of the system’s servers was also excluded from OPM’s vulnerability scanning procedures, potentially leaving the HCDW open to security breaches, the report said.
Auditors also found that the HCDW was still listed as “in development” in its 2015 System Security Plan, a phase typically designated for systems not widely used. But the HCDW has been in routine use, or production, since October 2016, requiring a reevaluation of its authority to operate.
As a result, auditors found that 52 of the 343 security controls were deemed “not applicable” in the system’s security assessment plan and report, raising concerns that they were not correctly applied.
“The assessors did not clarify why these controls were considered ‘Not Applicable’ to the HCDW assessment,” the IG said. “This demonstrates the strong possibility that additional controls may have been identified incorrectly and more weaknesses exist than the assessment identified.”
The IG made 12 recommendations, two of which were redacted for security reasons, about how to improve the HCDW’s security controls.
OPM officials concurred with nine recommendations. They partially concurred with a recommendation to limit remote access, saying that the security documentation regarding remote access needed to be updated to reflect new controls. OPM’s responses to two other recommendations were redacted.