Anthem not cooperating with audit process
Despite a cyberattack that impacted almost 80 million people, Anthem is not complying with a security audit from the U.S. Office of Personnel Management's Inspector General.
Anthem participates in the Federal Employees Health Benefits Program (FEHBP), which provides health benefits to civilian government employees and is administered by the Office of Personnel Management (OPM). The OPM Office of the Inspector General (OIG) oversees the program, and that oversight includes audits of the participating insurance carriers.
A routine component of those audits is running automated vulnerability scans and configuration compliance checks against a sample of the carrier's servers, to identify vulnerabilities and misconfigurations that could be exploited in a cyberattack.
Anthem is refusing to participate in this part of the audit, citing its "corporate policy."
“After the recent breach was announced, we attempted to schedule a new IT audit of Anthem for this summer,” according to a written statement from Susan L. Ruge, associate counsel to the Inspector General at OIG. “We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident,” Ruge said. “We do not know why Anthem refuses to cooperate with the OIG.”
Anthem has a history of noncompliance with these audits. Ruge said Anthem imposed restrictions on auditors attempting an IT security audit in 2013 which prevented them from adequately testing the company. “When we requested to perform this test at Anthem, we were informed that a corporate policy prohibited external entities from connecting to the Anthem network,” said Ruge. “In an effort to meet our audit objective, we attempted to obtain additional information about Anthem’s own internal practices for performing this type of work. However, Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers.”
The final audit report from that engagement warned that "failure to routinely review elevated user activity increases the risk that malicious activity could go undetected and sensitive information could be compromised." The FEHBP contract requires carriers to cooperate with OIG audits, and in response to the problems with Anthem, OPM amended the contract to grant auditors a defined degree of access.
Gaining access to Anthem's systems remains a work in progress.