Anthem “refused to cooperate” with US regulators attempting to conduct vulnerability scans and configuration tests on its IT systems.
The Inspector General of US Office of Personnel Management’s (OPM) recently attempted to schedule a security audit of the health insurance giant.
This was in the wake of Anthem’s massive data breach that exposed sensitive data on nearly 80 million customers – and non-customers, it later turned out.
Because Anthem provides insurance coverage to federal employees, the OPM’s Office of the Inspector General (OIG) is entitled to request to audit the company, but the company is allowed to decline.
Anthem turned down the OIG’s request, citing corporate policy against allowing third parties to connect to its network.
Anthem also apparently stopped OIG inspectors from performing vulnerability scans and configuration tests during a 2013 audit, when the insurer was known as WellPoint.
At that time, the OIG audit of WellPoint’s data security found some problems with the company’s access controls and configuration management, and made recommendations for improvements that WellPoint indicated it was addressing.
However, the OIG report said WellPoint could not provide evidence that it had ever conducted a vulnerability scan on certain servers containing federal data.
As the OIG stated in its 2013 report:
We routinely use our own automated tools to evaluate the configuration of a sample of computer servers. When we requested to conduct this test at WellPoint, we were informed that a corporate policy prohibited external entities from connecting to the WellPoint network. In an effort to meet our audit objective, we attempted to obtain additional information from WellPoint, but the Plan was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers.
Now, a year-and-a-half after the OIG report, it’s uncertain if Anthem has in place a system for conducting vulnerability scans and server configuration testing that were recommended by the OIG.
Would a complete OIG audit have led to WellPoint/Anthem having in place the sort of security that would have prevented the 2015 breach?
There’s no way to know what might have happened, of course, but it’s still worth asking why Anthem’s servers were not subject to routine vulnerability testing.
Anthem told the Financial Times [registration required] that giving full access to the OIG auditors would have required turning off its antivirus software and could have caused system outages.
The US inspectors say they attempted to schedule for the summer of 2015 the tests they were unable to perform in 2013, but Anthem again said, “No, thanks.”
Other health insurers have allowed the same standard tests without incident, the OIG said:
We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to co-operate with the OIG.
The OIG may yet get its way, as it works with OPM to further amend Anthem’s contract with the federal government, which could force Anthem to cooperate.
In the meantime, Anthem is working with a private security company to “evaluate our systems and identify solutions based on the evolving landscape,” as the company’s CEO said in a letter announcing the data breach last month.
Ironically, it looks as though the corporate policy that was strong enough to keep a third party like the OIG out of Anthem’s network was no match for the crooks who got in and made off with close to 100 million customer records.
Image of stethoscope on computer keyboard courtesy of Gajus / Shutterstock.com.
9 comments on “US regulator says Anthem “refuses to cooperate” in security audit”
I sent info into Anthem three weeks ago to start the process they offered to assist in monitoring my credit and medical info that WAS STOLEN. And now, they seem to have abandoned ANY EFFORT to assist their customers who’s’ info was stolen. They indicated they wanted to help. It was a PR stunt AND A LIE.
Having followed this story, here are some thoughts I’ve had regarding my own medical data. I am by no means up-to-date with where IT is at with the NHS at the moment, so these musings aren’t really anchored in anything solid. Maybe someone who works with IT in the NHS can reply an put me more in the picture.
Surely it’s fair to say the the NHS is one of the world’s larger health care providers, with highly sensitive and personal medical information on something like 65 million Brittons.
The NHS’s track record with IT isn’t the greatest, and I wonder how easy a hack would be to pull off, or easy to notice.
My £0.02 –
Two mitigating factors I can think of might be:
1) From relatives who have worked in the NHS over the last 30 odd years, I understand that historically, NHS IT has been a patchwork of regionally and functionally different systems – though that may be changing now – and so one hack probably couldn’t expose all the data on all the people.
2) As there are no banking details, (since the NHS is paid for by the tax payer), there’s sensitive medical data which would be of interest to advertisers, but presumably nothing that could easily expose us to risk of identity theft.
Am I on the right track, do you think?
The NHS is indeed massive (one of the world’s biggest employers, behind only Walmart and the US and Chinese militaries, if Wikipedia is to be believed).
I think you’re probably right about the diversity of systems at the moment – they’re working to unify things though, building a giant central system which will do away with the “problem” of a single breach only leaking a subset of the data they hold (see http://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Pages/care-data.aspx ).
As for #2, I’d say the data held by our doctors is not only medically sensitive but contains all manner of excellent ID theft fodder – even just info on what you’ve been treated for can give some obvious insights into what you get up to, let alone all the standard personal info needed to keep track of patients.
Bank records are a bad thing to lose, but not the only data you don’t want bad guys knowing.
In the US there are three reasons to be concerned about breaches in medical data by hackers:
1) As John Hawes mentioned, there is often enough data in medical files for identity theft.
2) With access to medical insurance data, hackers can submit bogus claims and be reimbursed for medical treatment that never happened.
3) Information from bogus claims gets mixed in with your real medical treatment causing doctors to misdiagnose. (Intern: Abdominal pains? We can rule out appendicitis because the medical records show he had it removed last year…)
A proposal would be for the OIG to contact the hackers that did gain access to the Anthem System and then connect anyway. After years of protecting my own online identity and data BC/BS gave it away.
It’s interesting that allowing an audit by OIG would ‘have required turning off its antivirus software and could have caused system outages’ but apparently the crooks had no problems. Perhaps they need a different AV vendor?
Their letter and process is pathetic! This is clearly low-bid and no credit score monitoring is even included. What a bunch of losers. Customers were violated and they worry about expense surrounding their #### up! They don’t get it.
Once again it is proven that “Bad Guys can always be counted to break the rules”! Entities following the rules don’t attempt to gain access and politely ask if they can check to see if their data is safe. When told they may not, they meekly say, okay, and move along. It’s ALWAYS about money. If you don’t like having your pocket picked, spend more on maintaining the security of said wallet. Sadly, it’s a proven fact that when there is any type of a budget crunch, the IT department takes the first hit, so why in the world would we expect a company to tell shareholders, “Sorry, we don’t have a dividend this quarter because we spent it on protecting your data!”
Vulnerability scans and pen tests done correctly pose no threat to a company’s data. The fact that they refuse to cooperate tells me that they have many more problems than they would like anyone to know about. Worried about public perception a whole lot more than customer data. Pathetic senior leadership .CYA carries the day!