After hack, Anthem refuses security scan by federal benefits agency

Despite a recent breach of its security system that put the personal health information of millions at risk, one of the nation’s largest health insurers has refused for the second time to allow the Office of Inspector General (OIG) at the Office of Personnel Management (OPM) to assess its system for vulnerabilities. According to and other sources, the OIG contacted Anthem after its recent announcement to arrange to perform “standard vulnerability scans and configuration compliance tests.” Anthem refused, citing corporate policy.

Massive breach

Anthem, Inc., formerly known as WellPoint, disclosed in February 2015 that it had experienced a “sophisticated external cyber-attack” on its system. Estimates of the number of people whose information may have been compromised are upwards of 80 million.

Previous audit

Health insurers whose plans are available to federal employees contract with OPM to offer those plans. OPM audits these contractors for compliance with its requirements, including those for information security. In 2013, the OPM OIG sought to perform a routine audit of WellPoint’s information security system. At that time, Anthem refused to allow the auditors to access the system to review the configuration of its servers, citing corporate policy. WellPoint did not provide any information to show that it monitored the configuration of its servers.

In its report, the OIG found that WellPoint: (1) did not regularly monitor the activity logs of administrators for inappropriate or unusual activity, but reviewed them only when a problem was discovered; (2) failed to maintain control over physical access to the building; (3) had no controls in place to prevent “rogue devices” from connecting to its network; (4) did not routinely scan all servers for vulnerabilities; (5) did not monitor the configuration of its servers and compare them with an approved baseline; and (6) did not comply with its own password requirements. The report noted that the password issue had been resolved and that WellPoint had made plans to address several other issues, including physical access to the building.