Senior Staff Writer

Anthem accused of avoiding further embarrassment by refusing audit

Mar 09, 2015 | 4 min read
Compliance, Cybercrime, Data Breach

One expert says Anthem is attempting to avoid embarrassment, but another disagrees

[Image: Detail view of organized medical files. Credit: Thinkstock]

Anthem Inc., the nation’s second-largest health insurer, has refused a request for an IT security audit, citing corporate policy. This is the second time the organization has refused an audit request from the Office of Personnel Management’s (OPM) inspector general.

The last time Anthem was audited was in 2013, when the company was known as WellPoint. The OPM report says that the inspector general discovered nothing “to indicate that WellPoint does not have an adequate security management program.”

However, in statements to the media, an OPM spokesperson said that the insurer had refused an audit that would have been scheduled for this summer, the first since its breach was disclosed.

Anthem’s refusal cited corporate policy. The Financial Times expands on the refusal, reporting that the company told the OPM an audit would require it to disable anti-virus software, which in turn would trigger outages on its IT systems.

“We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG [Office of the Inspector General],” the spokesperson added.

Moreover, the 2013 conclusion reflected the audit’s limited scope and the limited audit work performed, as well as Anthem’s inability to provide additional supporting documentation. Given those limits and missing details, the OPM could offer little beyond the published conclusion.

“Insurers providing services to Federal employees should be subject to security audits by the government, and they shouldn’t have a choice in the matter,” commented Tim Erlin, the Director of Product Management, Security and IT Risk Strategist for Tripwire.

“There’s an existing model of oversight in place today between the Centers for Medicare and Medicaid Services and their third party contractors with similar requirements. While no model of oversight and audit is perfect, it is possible to establish a system and improve it iteratively in partnership with private industry. Without facts to the contrary, it’s hard not to interpret the motivation behind Anthem’s refusal as an attempt to avoid embarrassment.”

Anthem offered corporate customers a brief timeline of events via internal memos. According to those disclosures, sometime on or before December 10, 2014, someone compromised an Anthem database. The compromise remained undetected until January 27, 2015, when a database administrator noticed his credentials being used to run a query that he had not initiated.

In February, Anthem disclosed the breach. To date, the incident is said to have impacted 78.8 million people, based on the company’s public disclosures. The source of the breach is believed to be a phishing attack, which gave those responsible the credentials of at least five employees, used to access various systems.

“The breach at Anthem speaks to the leadership of Anthem and their perspective on the safety and well-being of their customers. As with most failed security scenarios, the core problem is not technology, but is in fact a lack of leadership and culture,” commented Philip Lieberman, the president of Lieberman Software.

“The refusal to allow the OIG to scan their systems should have been a warning flag that OIG should have publicly published as a public service to Anthem customers. My hope would be that the Executive Branch will modify the rules of engagement for the OIG so as to allow them to make these failures to comply a matter of public record so that citizens could protect themselves.”

However, Anthem isn’t without its supporters. Jonathan Sander, strategy and research officer for STEALTHbits Technologies, said that a lack of evidence isn’t evidence of something lacking.

Anthem’s refusal of the OPM audit request creates a lack of evidence, and nothing more.

“If I were Anthem, perhaps the last thing I would want while I’m trying to rush to fix the issues revealed by their breach is to have to host strangers who will further tax my staff and create more meetings when I need action. It’s interesting that the audit performed earlier has the OIG saying Anthem didn’t have any clues about deficiencies. It only serves to show how complex security and compliance are. They’re complex issues on their own, their relationship is complex, and their execution is extremely complex.”

Where do you stand on the issue? Should Anthem have an audit performed? Would an audit even matter at this point?