Anthem Refuses Full IT Security AuditWatchdog Agency Says Insurer Won't Allow Vulnerability Scans
A federal watchdog agency says Anthem Inc. has refused to allow it to conduct vulnerability scans of the health insurer's systems in the wake of its recent massive data breach affecting 78.8 million individuals. Anthem also refused to allow scans by the same agency in 2013 (see: Why 'Adaptive Defense' Is Critical).
The Office of Personnel Management's Office of Inspector General, in a statement provided to Information Security Media Group, says Anthem has refused to allow the agency to perform "standard vulnerability scans and configuration compliance tests" this summer, as requested by the OIG. The health insurer also refused to allow the OIG to conduct those vulnerability tests in 2013 as part of an IT security audit that was performed by the agency on its systems.
"What we had attempted to schedule for the summer of 2015 was a sort of 'partial audit' - what we call a 'limited scope audit' - that would have consisted only of the work we were prevented from conducting in 2013," an OIG spokeswoman explains. "So this is the second time that Anthem has refused to permit us to perform our standard vulnerability scans and configuration compliance tests."
OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Under the standard FEHBP contract that OPM has with insurers, however, insurers are not mandated to cooperate with security audits, the OIG spokeswoman tells ISMG. Sometimes, however, amendments are made to insurers' federal contracts to specifically require the full audits, she says. In fact, the OIG is now seeking such an amendment to Anthem's FEHBP contract, she adds.
The OIG says in a statement that after the recent breach was announced by Anthem, "we attempted to schedule a new IT audit of Anthem for this summer. Anthem recently informed us that, once again, it will not permit our auditors to perform our standard vulnerability scans and configuration compliance tests. Again, the reason cited is 'corporate policy.'"
In its statement, the OIG also notes: "We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG."
Anthem did not respond to ISMG's request for comment.
In January 2013, when the OIG initiated an IT security audit, Anthem imposed restrictions that prevented auditors from adequately testing whether it appropriately secured its computer information systems, according to the agency's statement.
"One of our standard IT audit steps is to perform automated vulnerability scans and configuration compliance audits on a small sample of an organization's computer servers. These scans are designed to identify security vulnerabilities and misconfigurations that could be exploited in a malicious cyber-attack," the OIG says.
The agency says its objective in conducting scans "is not to identify every vulnerability that exists in a technical environment, but rather to form an opinion on the organization's overall process to securely configure its computers."
When the OIG requested to perform this test at Anthem in 2013, "we were informed that a corporate policy prohibited external entities from connecting to the Anthem network," the agency said.
"In an effort to meet our audit objective, we attempted to obtain additional information about Anthem's own internal practices for performing this type of work," the OIG says regarding the 2013 audit. "However, Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers."
Although Anthem refused to allow OIG auditors to conduct the vulnerability testing, the insurer did allow the watchdog agency to conduct an information systems general and application control audit in 2013.
Among the findings of that more general 2013 audit, OIG found that Anthem, formerly known as Wellpoint, "has established a series of IT policies and procedures to create an awareness of IT security at the plan. We also verified that WellPoint has adequate human resources policies related to the security aspects of hiring, training, transferring, and terminating employees," according to the OIG audit report released in September 2013.
That more limited audit report also said in summary: "Nothing came to our attention to indicate that WellPoint does not have an adequate security management program."
However, the OIG says in its March 4 statement, "As a result of the scope limitation on our audit work and Anthem's inability to provide additional supporting documentation, our final audit report stated that we were unable to independently attest that Anthem's computer servers maintain a secure configuration."
After the 2013 partial audit, the OIG says it contacted OPM management about its concerns regarding auditors' limited access to Anthem systems. "After discussions with our office, OPM amended the FEHBP contract to allow a certain degree of auditor access. Since that time, this provision has proven to be insufficient, and we are currently working with OPM to further amend the contract."