SecurityWeek

Audits

Does Anthem Have an Excuse for Declining a Security Audit?

Health insurance giant Anthem was criticized last week after reports emerged that it had declined a security audit from the Office of Personnel Management’s Office of Inspector General (OPM OIG). Some experts speculated that Anthem might have had good reasons to refuse the assessment.

OPM’s OIG contacted Anthem to propose a “partial scope audit” of its systems after the insurance company’s massive data breach earlier this year, according to a statement OPM’s OIG provided to HealthcareInfoSecurity.com last week.

The data breach was originally reported to affect 78 million customers, but it now appears to also include between 8.8 million and 18.8 million Blue Cross Blue Shield customers who used their insurance in states where Anthem operates. Reports show OIG audited Anthem in September 2013 and found that the carrier was not conducting vulnerability scans and had no controls in place to stop unauthorized systems from connecting to its network. Since then, the company has declined further audits, citing "corporate policy."

“We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident,” OIG, which performs audits at health insurance carriers providing benefits to federal employees, wrote in the statement. “We do not know why Anthem refuses to cooperate with the OIG.”

One possibility may just be pure logistics. Incident response and recovery are costly and time-consuming activities. Anthem may be unwilling to deal with an assessment while still dealing with the aftermath of the breach, some experts suggested. “If I were Anthem, perhaps the last thing I would want while I’m trying to rush to fix the issues revealed by their breach is to have to host strangers who will further tax my staff and create more meetings when I need action,” said Jonathan Sander, strategy and research officer for STEALTHbits Technologies. “Lack of evidence is not evidence of something lacking, and all Anthem’s refusal of the Office of Personnel Management’s Office of Inspector General audit creates is a lack of evidence.”

Refusing the OIG audit “doesn’t look good” for Anthem, since hiding behind corporate policy makes it appear that Anthem has something to hide, Rick Holland, a principal analyst with Forrester’s security and risk management practice, told SecurityWeek. If the insurer was concerned about pulling internal resources away from incident response, it should have said so instead of simply citing policy.

However, having consistently refused OIG in the years since the 2013 audit may work in Anthem’s favor, since refusing only this limited post-breach audit “would have looked far worse,” he said.

“Anthem has handled this breach relatively well up until this point,” Holland said, beginning with how the carrier discovered and reported the breach and how the CEO provided a timely public statement. Perception management is critical after a breach, and Anthem is “starting to fumble.” Another thing to consider is that Anthem already is aware of the issues. The earlier OIG audit found deficiencies in Anthem’s systems, and it’s quite possible the investigation since the breach has uncovered other issues.

“Many organizations simply don’t want to go through the hassle of an audit just to be told about security issues they’re already aware of,” Lucas Zaichkowsky, Enterprise Defense Architect at Resolution1 Security, told SecurityWeek. He dismissed concerns over potential system outages triggered by the scans or having to disable antivirus software for the duration of the assessment. Auditors are flexible and regularly work with companies to avoid impacting critical systems, he noted.

There is an “unfortunate trend” of organizations setting up audits and penetration tests so that they pass, Holland said. However, defining success as getting positive results means these audits are no longer a true assessment of the organization’s risk.

The fact that Anthem was able to repeatedly refuse OIG highlights a bigger problem than what may or may not be lacking in the insurance provider’s infrastructure. “The OIG not having the ability to actually force Anthem to comply illustrates that optional mandates aren’t mandates,” Holland said.

As soon as Anthem refused to allow OIG to scan its systems, the watchdog should have disclosed the refusal as a public service to Anthem customers, said Philip Lieberman, president of Lieberman Software. The rules have to be changed so that OIG can “make these failures to comply a matter of public record so that citizens could protect themselves,” he said.