Anthem Refuses to Comply with Government IT Security Audit
Despite suffering a recent hacking attack that left the personal information of nearly 80 million people vulnerable to identity theft, health insurer Anthem Inc. is refusing to comply with a security audit from the U.S. Office of Personnel Management's Inspector General.
Anthem (previously named WellPoint Inc.) participates in the Federal Employees Health Benefits Program (FEHBP), a system of "managed competition" through which employee health benefits are provided to civilian employees and annuitants of the U.S. government, which is administered by the Office of Personnel Management (OPM).
As part of its oversight responsibilities, the OPM Office of the Inspector General (OIG) conducts audits of health insurance companies that participate in the FEHBP, including information technology security audits. One of the OIG's standard IT audit steps is to perform automated vulnerability scans and configuration compliance audits on a small sample of an organization's computer servers, designed to identify security vulnerabilities and misconfigurations that could be exploited in a malicious cyberattack. However, Anthem refused to comply with the audit, citing corporate policy as the reason.
"After the recent breach was announced, we attempted to schedule a new IT audit of Anthem for this summer," according to a written statement from Susan L. Ruge, associate counsel to the Inspector General at OIG. "But, Anthem recently informed OIG that it will not permit the agency's auditors to perform their standard vulnerability scans and configuration compliance tests."
"We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident," Ruge said. "We do not know why Anthem refuses to cooperate with the OIG."
Yet, this isn't the first time Anthem has refused to cooperate with such an audit. According to Ruge, in January of 2013, OIG initiated an IT security audit in which Anthem imposed restrictions preventing auditors from adequately testing whether the health insurer appropriately secured its computer systems.
"When we requested to perform this test at Anthem, we were informed that a corporate policy prohibited external entities from connecting to the Anthem network," said Ruge. "In an effort to meet our audit objective, we attempted to obtain additional information about Anthem's own internal practices for performing this type of work. However, Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers."
In a September 2013 final audit report, OIG stated that it was "unable to independently attest that Anthem's computer servers maintain a secure configuration" and concluded that, while the company configured its servers to record the activity of privileged users (i.e., system administrators), the event logs generated by these servers "are only reviewed retroactively if a problem has been reported or detected" and that "failure to routinely review elevated user activity increases the risk that malicious activity could go undetected and sensitive information could be compromised."
As a result, OPM amended the FEHBP contract to allow a certain degree of auditor access. "Since that time, this provision alone has proven to be insufficient, and we are currently working with OPM to address the issue," according to Ruge, who emphasizes that audits are not voluntary.
"Carriers are required to cooperate with OIG audits under the FEHBP contract," she said. "However, there are certain steps in an IT security audit that require access to carriers' IT systems. Anthem refused to provide the necessary access in 2013 and the FEHBP contract at that time did not have language that required it to provide OIG auditors such access. After the problems we had with Anthem in 2013, OPM modified the FEHBP contract."
"Nevertheless, Anthem has interpreted this new language in such a way to continue to allow them to refuse to provide us access to their systems," Ruge added. "We contacted OPM after Anthem's recent refusal and OPM is taking steps to secure our access rights."
Tim Erlin, director of product management for IT security solutions vendor Tripwire, argues that insurers providing services to federal employees should be subject to security audits by the government, and they shouldn't have a choice in the matter.
Anthem declined to respond to a request from Health Data Management to provide comment for this article.