Anthem “refused to cooperate” with US regulators attempting to conduct vulnerability scans and configuration tests on its IT systems.
The Inspector General of US Office of Personnel Management’s (OPM) recently attempted to schedule a security audit of the health insurance giant.
Because Anthem provides insurance coverage to federal employees, the OPM’s Office of the Inspector General (OIG) is entitled to request to audit the company, but the company is allowed to decline.
Anthem turned down the OIG’s request, citing corporate policy against allowing third parties to connect to its network.
Anthem also apparently stopped OIG inspectors from performing vulnerability scans and configuration tests during a 2013 audit, when the insurer was known as WellPoint.
At that time, the OIG audit of WellPoint’s data security found some problems with the company’s access controls and configuration management, and made recommendations for improvements that WellPoint indicated it was addressing.
However, the OIG report said WellPoint could not provide evidence that it had ever conducted a vulnerability scan on certain servers containing federal data.
As the OIG stated in its 2013 report:
We routinely use our own automated tools to evaluate the configuration of a sample of computer servers. When we requested to conduct this test at WellPoint, we were informed that a corporate policy prohibited external entities from connecting to the WellPoint network. In an effort to meet our audit objective, we attempted to obtain additional information from WellPoint, but the Plan was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers.
Now, a year-and-a-half after the OIG report, it’s uncertain if Anthem has in place a system for conducting vulnerability scans and server configuration testing that were recommended by the OIG.
Would a complete OIG audit have led to WellPoint/Anthem having in place the sort of security that would have prevented the 2015 breach?
There’s no way to know what might have happened, of course, but it’s still worth asking why Anthem’s servers were not subject to routine vulnerability testing.
Anthem told the Financial Times [registration required] that giving full access to the OIG auditors would have required turning off its antivirus software and could have caused system outages.
The US inspectors say they attempted to schedule for the summer of 2015 the tests they were unable to perform in 2013, but Anthem again said, “No, thanks.”
Other health insurers have allowed the same standard tests without incident, the OIG said:
We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to co-operate with the OIG.
The OIG may yet get its way, as it works with OPM to further amend Anthem’s contract with the federal government, which could force Anthem to cooperate.
In the meantime, Anthem is working with a private security company to “evaluate our systems and identify solutions based on the evolving landscape,” as the company’s CEO said in a letter announcing the data breach last month.
Ironically, it looks as though the corporate policy that was strong enough to keep a third party like the OIG out of Anthem’s network was no match for the crooks who got in and made off with close to 100 million customer records.