Anthem Refuses Government IT Security Audit

In February this year, Anthem Inc. was hit by a massive HIPAA breach which potentially exposed the data of up to 80 million plan members; however, according to a recent statement issued by Susan L. Ruge, associate counsel to the Inspector General at the OIG, the insurer has refused to undergo a government IT security audit.

The US Office of Personnel Management (OPM) Office of the Inspector General (OIG) conducts audits of healthcare organizations participating in the Federal Employees Health Benefits Program (FEHBP) to identify security vulnerabilities. Following such a massive breach, the OIG was keen to determine whether Anthem had any server misconfigurations or other security vulnerabilities that could potentially be exploited in a malicious cyberattack. Ruge said that the audits help the OIG “form an opinion on the organization’s overall process to securely configure its computers.”

The purpose of this government IT security audit is not to identify every area where a company has failed to address security concerns, but to assess the key areas where hackers could potentially gain access to computer systems. The OIG conducts these audits using automated vulnerability scans and HIPAA compliance audits, but Anthem refused its standard IT security tests, claiming they contravened company policy.

Ruge said “in an effort to meet our audit objective, we attempted to obtain additional information about Anthem’s own internal practices for performing this type of work. However, Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers.”

This is not the first time the company has been hit by a major data breach, and neither is it the first time OIG auditors have met with resistance. According to an OPM report, during the last audit, Anthem, then operating under the name WellPoint Inc., hampered the OIG’s ability “to perform adequate testing” in its FEHBP audits by refusing the necessary access to its systems.

The report issued by the OIG stated that “As a result of this scope limitation and WellPoint’s inability to provide additional supporting documentation, we are unable to independently attest that WellPoint’s computer servers maintain a secure configuration.” The report also said that the company “had not implemented technical controls to prevent rogue devices from connecting to its network.” Within the access it was given, the OIG audit found that the HIPAA Privacy and Security Rules had not been broken.

Ruge said, “Carriers are required to cooperate with OIG audits under the FEHBP contract.” She also confirmed that the audits are not voluntary.

After the issues experienced with WellPoint in 2013, the OIG amended the FEHBP contract with language that it believed would provide auditors with access to the relevant data on a small proportion of the company’s servers; however, the company has again taken issue with the wording of the contract.

In the words of Ruge, “[Anthem Inc] has interpreted this new language in such a way to continue to allow them to refuse to provide us access to their systems.”

In response to the refusal, the OIG is working on a solution. Ruge said, “We contacted OPM after Anthem’s recent refusal and OPM is taking steps to secure our access rights.”

Office for Civil Rights HIPAA Breach Investigation

Last year the Department of Health and Human Services’ Office for Civil Rights (OCR) alleged that WellPoint was at fault for the 2009/2010 data breach which exposed the electronic health information of 612,402 individuals, and settled with the insurer for $1.7M. That breach was caused by an unsecured server that left individuals’ information accessible via the internet.

The OCR determined that WellPoint had not:

  • adequately implemented policies and procedures for authorizing access to the database,
  • performed an appropriate technical evaluation after its information systems underwent a software upgrade, and
  • put in place technical safeguards to verify the identity of everyone seeking access to the data.

The OCR has already announced that it is looking into the latest breach to determine whether the HIPAA Privacy Rules have been violated.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news