
The nation's second largest insurer is taking some flak for declining a second opinion on its information technology security.
In 2013, the Inspector General of the Office of Personnel Management, the agency overseeing the federal employee health benefits program, performed an audit of Anthem's IT security, albeit an incomplete one.
Anthem, then still known as WellPoint, serves about 4.5 million federal government workers in its Blue Cross plans, and the OPM Inspector General was doing a regular audit of Anthem's IT. While the insurer was lauded in some areas, its vulnerability could not be fully assessed because auditors were denied access to some of the company's systems.
The OPM auditors typically use automated tools to document configurations of a sample of servers at federal health plan carriers, and then manually compare results to the company's approved baseline. "When we requested to conduct this test at WellPoint, we were informed that a corporate policy prohibited external entities from connecting to the WellPoint network," the OPM Inspector General wrote in a September 2013 report.
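To make the audit step concrete, here is an added illustration of a configuration-compliance check of the kind the OIG describes (a per-server settings snapshot compared against an approved baseline). It is not the OIG's tool or Anthem's code; the baseline, the setting names, the `key = value` snapshot format and the two sample servers are all constructed for the example.

```python
# Constructed approved baseline: setting -> (allowed values, severity if violated)
BASELINE = {
    "ssh.PasswordAuthentication": ({"no"}, "high"),
    "ssh.PermitRootLogin": ({"no"}, "high"),
    "tls.MinVersion": ({"1.2", "1.3"}, "high"),
    "audit.Enabled": ({"yes"}, "medium"),
    "ntp.Enabled": ({"yes"}, "low"),
}


def parse_snapshot(text):
    """Parse the 'key = value' lines a (hypothetical) collection tool dumps per server."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_host(snapshot):
    """Return (setting, observed, severity) for every baseline deviation.

    A setting absent from the snapshot counts as a deviation: with no evidence
    the auditor cannot attest that the control is in place."""
    findings = []
    for setting, (allowed, severity) in BASELINE.items():
        observed = snapshot.get(setting)
        if observed is None or observed.lower() not in allowed:
            findings.append((setting, observed, severity))
    return findings


def audit(sample):
    """Check a sample of servers {host: snapshot text}; returns hosts with findings."""
    return {host: f for host, text in sample.items()
            if (f := check_host(parse_snapshot(text)))}


# Constructed snapshots for two sampled servers: srv-a is compliant, srv-b is not.
SAMPLE = {
    "srv-a": "ssh.PasswordAuthentication = no\nssh.PermitRootLogin = no\n"
             "tls.MinVersion = 1.2\naudit.Enabled = yes\nntp.Enabled = yes\n",
    "srv-b": "# audit.Enabled not reported by this host\n"
             "ssh.PasswordAuthentication = yes\nssh.PermitRootLogin = no\n"
             "tls.MinVersion = 1.0\nntp.Enabled = yes\n",
}
```

Calling `audit(SAMPLE)` reports only `srv-b`, with three findings: password authentication enabled, a TLS floor below the baseline, and the audit setting missing from the snapshot altogether.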
"In an effort to meet our audit objective, we attempted to obtain additional information about WellPoint's configuration compliance auditing program. We were initially provided a description of what appeared to be a thorough configuration compliance auditing program at WellPoint. However, when we requested documentation to support this description, WellPoint was unable to provide any evidence that a configuration compliance auditing program had ever been in place at the company."
With limited information, the OPM OIG determined that Anthem had "not implemented technical controls to prevent rogue devices from connecting to its network" and may have neglected to perform vulnerability scans on several servers with federal employee data. "As a result of this scope limitation and WellPoint's inability to provide additional supporting documentation, we are unable to independently attest that WellPoint's computer servers maintain a secure configuration."
More than a year later, Anthem's servers were hacked, possibly by cyber mercenaries with links to the Chinese military. The breach exposed data on some 80 million present and past customers, including employees like CEO Joseph Swedish.
Between IT remediation, identity monitoring, fraud prevention and legal settlements or fines, the costs to Anthem and its investors could exceed $100 million. The company has already warned investors that the costs could go beyond its IT insurance policy.
But on the more immediate issue of closing any IT gaps that remain, the government is still trying to have a look at the servers, so far without success.
The OPM OIG said it asked the insurer to participate in a vulnerability scan this summer, but that Anthem is declining, again citing corporate policy, even though other insurers have agreed to similar auditing. (Anthem has not commented on the decision.)
Among the legions of data security firms following the Anthem breach, some argue that companies like Anthem may be doing more harm than good by rebuffing scrutiny by a federal Inspector General.
"Insurers providing services to federal employees should be subject to security audits by the government, and they shouldn't have a choice in the matter," said Tim Erlin, a risk strategist at Tripwire. "While no model of oversight and audit is perfect, it is possible to establish a system and improve it iteratively in partnership with private industry."