Security Experts:

Does Anthem Have an Excuse for Declining a Security Audit?

Health insurance giant Anthem was criticized last week after reports emerged that it had declined a security audit from the Office of Personnel Management's Office of Inspector General (OPM OIG). Some experts speculated that Anthem might have had good reasons to refuse the assessment.

OPM's OIG contacted Anthem to propose a "partial scope audit" of its systems after the insurance company's massive data breach earlier this year, according to a statement OPM’s OIG provided to last week.

The data breach originally impacted 78 million customers, but it now appears to also include between 8.8 million to 18.8 million Blue Cross Blue Shield customers who used their insurance in states Anthem has operations. Reports show OIG audited Anthem back in September 2013 and found the carrier wasn’t conducting vulnerability scans and did not have controls in place to stop unauthorized systems from connecting to the network. Since then, the company has declined audits, citing "corporate policy" reasons.

“We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident,” OIG, which performs audits at health insurance carriers providing benefits to federal employees, wrote in the statement, “We do not know why Anthem refuses to cooperate with the OIG.”

One possibility may just be pure logistics. Incident response and recovery are costly and time-consuming activities. Anthem may be unwilling to deal with an assessment while still dealing with the aftermath of the breach, some experts suggested. "If I were Anthem, perhaps the last thing I would want while I’m trying to rush to fix the issues revealed by their breach is to have to host strangers who will further tax my staff and create more meetings when I need action," said Jonathan Sander, strategy and research officer for STEALTHbits Technologies. "Lack of evidence is not evidence of something lacking, and all Anthem’s refusal of the Office of Personnel Management’s Office of Inspector General audit creates is a lack of evidence."

Refusing the OIG audit "doesn't look good" for Anthem since hiding behind corporate policy makes it look like Anthem is hiding something, Rick Holland, a principal analyst with Forrester's security and risk management practice, told SecurityWeek. If the insurance provider was concerned about pulling internal resources away from activities related to incident response, it should have just said that instead of simply referring to policy.

However, consistently refusing the OIG in the years since may work in Anthem's favor, since suddenly refusing the limited audit "would have looked far worse," he said.

"Anthem has handled this breach relatively well up until this point," Holland said, beginning with how the carrier discovered and reported the breach and how the CEO provided a timely public statement. Perception management is critical after a breach, and Anthem is "starting to fumble." Another thing to consider is that Anthem already is aware of the issues. The earlier OIG audit found deficiencies in Anthem's systems, and it's quite possible the investigation since the breach has uncovered other issues.

"Many organizations simply don't want to go through the hassle of an audit just to be told about security issues they're already aware of," Lucas Zaichkowsky, Enterprise Defense Architect at Resolution1 Security, told SecurityWeek. He dismissed concerns over potential system outages triggered by the scans or having to disable antivirus software for the duration of the assessment. Auditors are flexible and regularly work with companies to avoid impacting critical systems, he noted.

There is an "unfortunate trend" of organizations setting up audits and penetration tests so that they pass, Holland said. However, defining success as getting positive results means these audits are no longer a true assessment of the organization's risk.

The fact that Anthem was able to repeatedly refuse OIG highlights a bigger problem than what may or may not be lacking in the insurance provider's infrastructure. "The OIG not having the ability to actually force Anthem to comply illustrates that optional mandates aren't mandates," Holland said.

As soon as Anthem refused to allow OIG to scan its systems, the watchgroup should have disclosed this as a public service to Anthem customers, said Philip Lieberman, president of Lieberman Software. The rules have to be changed so that OIG can "make these failures to comply a matter of public record so that citizens could protect themselves,” he said.

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.