Anthem Arrogantly Refuses Audit Processes. Twice.

Fred's HeadRecently, I took a bunch of heat for writing that Anthem was right not to encrypt. My point was that the application encryption is just one of several security measures that add up to a security posture, and that we needed to wait until we got more information before condemning Anthem for a poor security posture.

A security posture is the combination of an organization’s overall security philosophy as well as the specific security steps that the organization takes as a result of that philosophy. Basically the type of posture taken shows whether an organization takes security and privacy seriously, or prefers a “window dressing” approach. I argued that simply knowing that the database in question did not have encryption was not enough detail to assess the Anthem security posture.

Well we have more evidence now, and its not looking good for Anthem.

Recently GovInfoSecurity reported that Anthem has again refused the OIG the ability to scan its network. OIG prefers to perform it’s own vulnerability assessments, so that it does not have to rely on the organizations internal assessments.

This is not the first time this has happened. When Anthem was called “WellPoint” it refused a request from OIG to scan, according to the OIG’s report at the time. OIG stands for Office of Inspector General and is essentially the “generic audit arm” of the US government. They are responsible for ensuring that government contractors are complying with regulations, and Anthem has an important contract to process medical claims for Federal Employees.

Here is what OIG had to say about this issue in September of 2013, the first time that Anthem refused its audit process:

This performance audit was conducted in accordance with generally accepted government auditing standards (GAS) issued by the Comptroller General of the United States, except for specific applicable requirements that were not followed. There was one element of our audit in which WellPoint applied external interference with the application of audit procedures, resulting in our inability to fully comply with the GAS requirement of independence.

We routinely use our own automated tools to evaluate the configuration of a sample of computer servers. When we requested to conduct this test at WellPoint, we were informed that a corporate policy prohibited external entities from connecting to the WellPoint network. In an effort to meet our audit objective, we attempted to obtain additional information from WellPoint, but the Plan was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers (see the “Configuration Compliance Auditing” section on page 9 for additional details.)

As a result of the scope limitation on our audit work and WellPoint’s inability to provide additional supporting documentation, we are unable to independently attest that WellPoint’s computer servers maintain a secure configuration.

Just months before, in July of 2013 Anthem (as WellPoint) had just payed 1.7 Million dollars for a HIPAA violation. That fine was the result of an investigation that found that Athem had not:

  • adequately implement policies and procedures for authorizing access to the on-line application database
  • perform an appropriate  technical evaluation in response to a software upgrade to its information systems
  • have technical  safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.

Vulnerability scanning is intended, among other things, to detect exactly these kinds of problems.

Anthem felt, in 2013, that even though it just had a massive breach, that it was in a position to deny OIG the capacity to verify Anthem’s claims about its own network. Now, in 2015, Anthem has just had a second massive breach, and has again indicated to OIG that is has a “corporate policy” that again prevents OIG from conducting a vulnerability scan as part of its independent audit. Quoting the OIG spokesperson featured in the GovInfoSecurity piece:

“we attempted to schedule a new IT audit of Anthem for this summer. Anthem recently informed us that, once again, it will not permit our auditors to perform our standard vulnerability scans and configuration compliance tests. Again, the reason cited is ‘corporate policy.'”

I have just been defending the notion that Anthem might have been doing the right thing, and that perhaps it was just the victim of a really clever hacker team. As you can imagine, when you say things like this on the Interwebs, you get a flock of people saying “If you are defending Anthem you really don’t care about patient privacy…” etc etc. My only point at the time was “We really need more evidence before we publicly condemn an organization for deprioritizing patient privacy.”

Well the evidence is in.

The notion that Anthem thinks its corporate policies trump the public’s ability to make sure they are doing their job as a Federal contractor was arrogant in 2013, when it just had one massive breach. Now this organization believes that its “corporate policies” still exempt it from scrutiny? I am aghast. Really, I should be coding right now, but instead I am writing this. I am a fairly jaded healthcare/security professional, and I thought I had seen it all. This takes the cake. Seriously, WTF?

I can only think of a few examples of this kind of bold, unfiltered, unapologetic raw arrogance. But instead of causing scenes at music award shows, the arrogance of Anthem has damaged hundreds of thousands of people more than once.

Anthems should be given a brief opportunity to rethink its policy on this issue, and assuming it does not immediately see the error of its ways its government contract should be put up for new bids from other organizations. I think we might be able to location some other health insurance company that has a less inflated respect for their own “corporate policies”.

Fred Trotter is a technology columnist with THCB. He is the founder at Careset. You can learn more about his work at the DocGraph project.

2 replies »

  1. Full disclosure: Our family is one of those that may be affected by the Anthem breach.

    Great to see that Fred can be persuaded to adopt a broader point of view 😉

    That was really my only intent with the rebuttal to his first article (referencing Anthem data encryption).

    In that rebuttal, I argued the same point that he is now making forcefully – that security is far more than just a technology (like encryption). It’s an entire “culture” of security (Fred references this as a “posture” – but it’s largely the same thing).

    In this case – I couldn’t agree more with Fred. Anthem’s refusal to allow OIG scanning rights (to assess vulnerabilities) is appalling and clearly designed to protect their (significant) financial liability in the many legal cases stacking up against them.

    As Fred also references, this is clearly a pattern at Anthem (formerly) Wellpoint because the OIG has asked for scanning rights before – and they were also denied previously.

    This pattern goes well beyond just OIG and scanning rights too. In 2013, Wellpoint (now Anthem) paid $1.7 million in fines to HHS for leaving “data accessible over the internet” for about 5 months (Oct 2009 to Mar of 2010).


    Clearly the Anthem network is a security nightmare – and it may well be time for the U.S. Attorney General (assuming she’s finally confirmed) to start sharpening her legal charges against this reckless behavior. Clearly the threat of mult-million dollar fines aren’t enough.

  2. “Now this organization believes that its “corporate policies” still exempt it from scrutiny?”

    One word: Subpoena.

    Maybe they think they have enough money to buy off (and seal) the lawsuits they will surely get hit with.

    We’ll see.