Anthem Healthcare initially earned brownie points with security professionals by publicly disclosing a major data breach well before they were obligated to do so. However, now it's been revealed that Anthem refused to allow the U.S. Office of Personnel Management's Office of the Inspector General (OIG) to conduct vulnerability scans and compliance tests post-breach.
According to a story in the Financial Times (registration required), Anthem did allow OIG to complete an audit on them in September 2013, which found that the healthcare agency did not conduct routine vulnerability scans and did not put sufficient controls in place to prevent rogue devices from connecting to the network.
After that, Anthem denied OIG access for another audit. OIG told FT:
OIG said Anthem had told them that it was denying access because of a policy that prohibited external entities from connecting to its network. Anthem recently reiterated that auditors would not be permitted to conduct vulnerability scans.
Anthem said giving the auditors full access would have required turning off its antivirus software and could have caused outages in its system. Anthem provided an alternate vulnerability management programme as a substitute.
Opinions on the matter are mixed. "As with most failed security scenarios, the core problem is not technology, but is in fact a lack of leadership and culture," says Philip Lieberman, president of Lieberman Software. "The refusal to allow the OIG to scan their systems should have been a warning flag that OIG should have publicly published as a public service to Anthem customers. My hope would be that the Executive Branch will modify the rules of engagement for the OIG so as to allow them to make these failures to comply a matter of public record so that citizens could protect themselves."
Jonathan Sander, strategy and research officer for STEALTHbits Technologies, on the other hand, says, "Lack of evidence is not evidence of something lacking, and all Anthem's refusal of the [OIG] audit creates is a lack of evidence. If I were Anthem, perhaps the last thing I would want while I'm trying to rush to fix the issues revealed by their breach is to have to host strangers who will further tax my staff and create more meetings when I need action. It's interesting that the audit performed earlier has the OIG saying Anthem didn't have any clues about deficiencies. It only serves to show how complex security and compliance are. They're complex issues on their own, their relationship is complex, and their execution is extremely complex."
As healthcare lawyer Matt Fisher tweeted:
No win situation for #Anthem. Govt agency says refused risk assessment. Would you want govt to do one? http://t.co/mUf5NBLbnb #HIPAA— Matt Fisher (@Matt_R_Fisher) March 5, 2015