Anthem, Inc. is reportedly refusing to comply with a data security audit from the US Office of Personnel Management (OPM) Office of the Inspector General (OIG).
Susan L. Ruge, associate counsel to the Inspector General at OIG, explained in a statement that after Anthem’s recent health data breach, OIG wanted to conduct a new IT security audit. However, Anthem will not allow the standard vulnerability scans and configuration compliance tests, according to Ruge.
The scans are meant to “identify security vulnerabilities and mis-configurations that could be exploited in a malicious cyber-attack,” Ruge said, as reported by Health Data Management. Such scans are not designed to find every weakness in a technical environment; rather, they help OIG “form an opinion on the organization’s overall process to securely configure its computers.”
“When we requested to perform this test at Anthem, we were informed that a corporate policy prohibited external entities from connecting to the Anthem network,” Ruge said. “In an effort to meet our audit objective, we attempted to obtain additional information about Anthem’s own internal practices for performing this type of work.”
Anthem also gave OIG conflicting statements about its procedures, Ruge explained. The insurer could not “show satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers.”
The OIG audits health insurance companies that participate in the Federal Employees Health Benefits Program (FEHBP). This is not the first time the insurer has restricted such an audit: according to a Sep. 2013 OIG report, Anthem, then known as WellPoint Inc., also limited OIG’s ability “to perform adequate testing” on specific servers containing Federal data.
“As a result of this scope limitation and WellPoint’s inability to provide additional supporting documentation, we are unable to independently attest that WellPoint’s computer servers maintain a secure configuration,” the 2013 report stated.
On network security, the same report found that WellPoint had not implemented technical controls to prevent rogue devices from connecting to its network. The audit also found that physical access controls at a facility the auditors visited could be improved, and it noted weaknesses in WellPoint’s implementation of segregation of duties and privileged user monitoring.
Even so, OIG stated that in what it was able to access and investigate, there was no reason to “believe that WellPoint is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.”
In early February, Anthem announced that one of its internal servers was hacked, exposing the personal information of nearly 80 million individuals. The information included names, dates of birth, medical IDs or Social Security numbers, street addresses, and email addresses. Moreover, employment information, some of which included income data, might also have been exposed.
After the large-scale health data breach, Anthem was also criticized for not encrypting its data. A spokesperson explained that the insurer encrypts personal data when it moves in or out of its database (encryption in transit) but not while it is stored (encryption at rest).