Following a recent data breach that may have exposed the personal information of as many as 80 million current and former customers and employees, health insurance provider Anthem has refused to allow the federal Office of Personnel Management’s Office of the Inspector General (OIG) to conduct vulnerability scans of its systems, GovInfoSecurity reports.
Anthem also refused to allow the OIG to conduct similar vulnerability scans in 2013.
The OIG told GovInfoSecurity that Anthem refused to permit it to conduct “standard vulnerability scans and configuration compliance tests.”
“What we had attempted to schedule for the summer of 2015 was a sort of ‘partial audit’ — what we call a ‘limited scope audit’ — that would have consisted only of the work we were prevented from conducting in 2013,” a OIG spokeswoman told GovInfoSecurity. “So this is the second time that Anthem has refused to permit us to perform our standard vulnerability scans and configuration compliance tests.”
The OIG regularly audits health insurers that provide health plans to federal employees, but insurers aren’t required to cooperate with those audits. “Anthem recently informed us that, once again, it will not permit our auditors to perform our standard vulnerability scans and configuration compliance tests,” the OIG said in a statement. “Again, the reason cited is ‘corporate policy.’
“We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident,” the OIG added. “We do not know why Anthem refuses to cooperate with the OIG.”
Notably, when Anthem refused to allow OIG’s audit in 2013, “we were informed that a a corporate policy prohibited external entities from connecting to the Anthem network,” the OIG stated.
“In an effort to meet our audit objective, we attempted to obtain additional information about Anthem’s own internal practices for performing this type of work,” the OIG added. “However, Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers.”
In 2013, the OIG said, “our final audit report stated that we were unable to independently attest that Anthem’s computer servers maintain a secure configuration.”
Pwnie Express Infosec Ranger Jayson E. Street told eSecurity Planet that Anthem’s actions regarding the OIG’s audit requests were a huge mistake. “Turning down the OIG doesn’t change the fact that companies still get audited, but instead of cleanly formatted findings to help improve security, attackers’ audits end with breach notifications,” he said.
“Companies need to do their security due diligence before and after breaches happen, and the way Anthem’s leadership team has handled this is negligent,” Street added. “They can act like ostriches with their heads stuck in the sand, but even ostriches have to come up for air, and when they do, they’ll need to be held accountable.”