Recently, I took a bunch of heat for writing that Anthem was right not to encrypt. My point was that the application encryption is just one of several security measures that add up to a security posture, and that we needed to wait until we got more information before condemning Anthem for a poor security posture.
A security posture is the combination of an organization’s overall security philosophy as well as the specific security steps that the organization takes as a result of that philosophy. Basically the type of posture taken shows whether an organization takes security and privacy seriously, or prefers a “window dressing” approach. I argued that simply knowing that the database in question did not have encryption was not enough detail to assess the Anthem security posture.
Well, we have more evidence now, and it's not looking good for Anthem.
Recently GovInfoSecurity reported that Anthem has again refused the OIG the ability to scan its network. OIG prefers to perform its own vulnerability assessments, so that it does not have to rely on the organization's internal assessments.
This is not the first time this has happened. When Anthem was called “WellPoint” it refused a request from OIG to scan, according to the OIG’s report at the time. OIG stands for Office of Inspector General and is essentially the “generic audit arm” of the US government. They are responsible for ensuring that government contractors are complying with regulations, and Anthem has an important contract to process medical claims for Federal Employees.
Here is what OIG had to say about this issue in September of 2013, the first time that Anthem refused its audit process:
This performance audit was conducted in accordance with generally accepted government auditing standards (GAS) issued by the Comptroller General of the United States, except for specific applicable requirements that were not followed. There was one element of our audit in which WellPoint applied external interference with the application of audit procedures, resulting in our inability to fully comply with the GAS requirement of independence.
We routinely use our own automated tools to evaluate the configuration of a sample of computer servers. When we requested to conduct this test at WellPoint, we were informed that a corporate policy prohibited external entities from connecting to the WellPoint network. In an effort to meet our audit objective, we attempted to obtain additional information from WellPoint, but the Plan was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers (see the “Configuration Compliance Auditing” section on page 9 for additional details.)
As a result of the scope limitation on our audit work and WellPoint’s inability to provide additional supporting documentation, we are unable to independently attest that WellPoint’s computer servers maintain a secure configuration.
Just months before, in July of 2013, Anthem (as WellPoint) had paid $1.7 million for a HIPAA violation. That fine was the result of an investigation that found that Anthem did not:
- adequately implement policies and procedures for authorizing access to the on-line application database
- perform an appropriate technical evaluation in response to a software upgrade to its information systems
- have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.
Vulnerability scanning is intended, among other things, to detect exactly these kinds of problems.
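To make concrete what the OIG describes above (automated tools evaluating the configuration of a sample of servers against a baseline), here is an added example of a minimal configuration-compliance check. It is not the OIG's tooling and not anything Anthem runs. The baseline directives are real OpenSSH sshd_config options; the host names, the sample configs, and the mapping of each rule to an audit concern are constructed for illustration.

```python
"""Minimal configuration-compliance audit over a sample of server configs.

Added illustration: evaluates sshd_config text from several hosts against a
fixed baseline and reports every deviation, the way an auditor's automated
tooling would when it is allowed to connect. Host names and configs below are
constructed, not real.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Baseline: sshd_config directive -> (required value, audit concern it speaks to).
# The concern labels are illustrative and loosely mirror the HIPAA findings
# discussed above (access authorization, identity verification).
BASELINE = {
    "PermitRootLogin": ("no", "access authorization"),
    "PasswordAuthentication": ("no", "identity verification"),
    "PermitEmptyPasswords": ("no", "identity verification"),
    "MaxAuthTries": ("4", "access authorization"),
}


@dataclass
class Finding:
    host: str
    key: str
    expected: str
    actual: Optional[str]   # None means the directive is absent entirely
    concern: str


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Directive value' lines. Keywords are case-insensitive, and sshd
    honours the FIRST occurrence of a directive, so a later duplicate does not
    override it; the parser reproduces that rule with setdefault()."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def evaluate(host: str, config_text: str, baseline=BASELINE) -> List[Finding]:
    """Return one Finding per baseline rule the host fails. An absent directive
    is reported as a finding: the auditor cannot attest to a setting that is
    left to the daemon's compiled-in default."""
    settings = parse_sshd_config(config_text)
    findings = []
    for key, (expected, concern) in baseline.items():
        actual = settings.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(host, key, expected, actual, concern))
    return findings


def audit_sample(sample: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Audit a sample of hosts (host -> config text) and return findings per host."""
    return {host: evaluate(host, text) for host, text in sample.items()}


def compliance_rate(report: Dict[str, List[Finding]]) -> float:
    """Fraction of sampled hosts with zero findings."""
    if not report:
        return 1.0
    return sum(1 for findings in report.values() if not findings) / len(report)


# Constructed sample: three hypothetical hosts with differing hygiene.
SAMPLE = {
    "claims-app-01": "PermitRootLogin no\nPasswordAuthentication no\n"
                     "PermitEmptyPasswords no\nMaxAuthTries 4\n",
    "claims-db-02": "PermitRootLogin yes\nPasswordAuthentication yes\n"
                    "PermitEmptyPasswords no\n",
    # First PermitRootLogin wins, so the later 'yes' is ignored by sshd.
    "claims-web-03": "permitrootlogin no\nPermitRootLogin yes\n"
                     "PasswordAuthentication no\nPermitEmptyPasswords no\n"
                     "MaxAuthTries 6\n",
}

if __name__ == "__main__":
    report = audit_sample(SAMPLE)
    for host, findings in report.items():
        status = "compliant" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for f in findings:
            print(f"  {f.key}: expected {f.expected!r}, got {f.actual!r} [{f.concern}]")
    print(f"sample compliance rate: {compliance_rate(report):.0%}")
```

The point of the exercise is the last line: with the sample in hand an auditor can state a compliance rate and list the exact deviations, which is what "independently attest that the servers maintain a secure configuration" means in practice. Without access to the hosts there is nothing to compute, and the only remaining evidence is the organization's own word.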
Anthem felt, in 2013, that even though it had just had a massive breach, it was in a position to deny OIG the capacity to verify Anthem’s claims about its own network. Now, in 2015, Anthem has just had a second massive breach, and has again indicated to OIG that it has a “corporate policy” that prevents OIG from conducting a vulnerability scan as part of its independent audit. Quoting the OIG spokesperson featured in the GovInfoSecurity piece:
“we attempted to schedule a new IT audit of Anthem for this summer. Anthem recently informed us that, once again, it will not permit our auditors to perform our standard vulnerability scans and configuration compliance tests. Again, the reason cited is ‘corporate policy.’”
I have just been defending the notion that Anthem might have been doing the right thing, and that perhaps it was just the victim of a really clever hacker team. As you can imagine, when you say things like this on the Interwebs, you get a flock of people saying “If you are defending Anthem you really don’t care about patient privacy…” etc. My only point at the time was “We really need more evidence before we publicly condemn an organization for deprioritizing patient privacy.”
Well, the evidence is in.
The notion that Anthem thinks its corporate policies trump the public’s ability to make sure it is doing its job as a Federal contractor was arrogant in 2013, when it had just had one massive breach. Now this organization believes that its “corporate policies” still exempt it from scrutiny? I am aghast. Really, I should be coding right now, but instead I am writing this. I am a fairly jaded healthcare/security professional, and I thought I had seen it all. This takes the cake. Seriously, WTF?
I can only think of a few examples of this kind of bold, unfiltered, unapologetic raw arrogance. But instead of causing scenes at music award shows, the arrogance of Anthem has damaged hundreds of thousands of people more than once.
Anthem should be given a brief opportunity to rethink its policy on this issue, and assuming it does not immediately see the error of its ways, its government contract should be put up for new bids from other organizations. I think we might be able to locate some other health insurance company that has a less inflated respect for its own “corporate policies”.